If these things are not in the NDA, you should walk away from the contract. Without these provisions you've voluntarily accepted a time bomb which could destroy your company.
A Clear Definition of what constitutes confidential materials. This definition will often be quite broad, but should prevent someone from retroactively redefining something as confidential after disclosure.
Exemptions for three things: stuff you already knew before signing, stuff made public without your involvement, and stuff you are required by law to disclose to a court or law officer. NDA-writers often forget the last, but in these Patriot Act days, you can't afford to.
A Time Limit. These will often be quite long, like five or seven years, but you don't want to sign an NDA you'll pass on to your grandchildren.
There are a couple things which you'd like to get into an NDA if you can, but aren't essential.
You'd like the NDA to be Mutual; that is, it should protect your secrets as well as the client's.
If you're going to be doing open source work, the NDA should contain an Exemption for Open Source Code release. Often you can put this in the Statement of Work if it's missing in the NDA, though.
A defined Procedure for Granting Exceptions from the NDA.
There's a bunch of stuff which often appears in NDAs, and you're not really keen on, but it's standard and you shouldn't balk over it.
Right to a Preliminary Injunction for the client. This is normal; it just means that they can slap you with a gag order if they thing you're disclosing secrets, until it goes to court.
Jurisdiction in the Client's Home State: just like you want the jurisdiction to be local to you, the client wants the same.
A "Reasonable Care" requirement for handling confidential data. This is, after all, only reasonable. Although at some point you should talk to your lawyer about what this specifically means in your state.
A Remediation Procedure if data is disclosed: this is normal for contracts tied to vendors under HIPAA, SOX, or PCI.
Any of the below appearing in an NDA is a reason to send it to your attorney for specific review. Several of them appearing together is a reason to run, not walk, away from the negotiating table.
- Indemnification for third-party suits resulting from a violation of the NDA. This requires you to have D&O insurance, among other things.
- Weird Legal Jurisdictions, such as another country, or a state which isn't yours or theirs.
- Right to Examine Your Files: they can't do this without violating your confidentiality agreements with other clients.
- "Utmost Care" or other weakly defined standards of secrecy.
- A "No Reverse Engineering" clause without an "unless required for performance of Services" clause.
- Limitations on Work for other companies, "competitors", or "companies in the same industry". If you sign these, eventually you won't be able to work at all.
- Excessive Length is a warning sign on its own; if the NDA is more than 2 pages and doesn't contain a full HIPAA or PCI agreement, then it's probably hiding something.
NOTE: Josh Berkus is not an attorney, and the above does not constitute legal advice. You should always consult your own attorney on specific contracts and agreements. Further, the above advice is heavily slanted towards California law (but then, so are dot-com NDAs).