Confidentiality clause: meaning, risks, and what to negotiate

A confidentiality clause (often called an NDA provision) governs how sensitive information is defined, used, disclosed, stored, and protected during and after a business relationship.

What it means

Confidentiality clauses are foundational to commercial relationships, protecting trade secrets, business strategy, customer data, and intellectual property. However, overly broad or poorly drafted clauses can impose significant legal, operational, and compliance burdens—especially around internal workflows, data retention, regulatory obligations, and employee conduct. A well-balanced clause protects legitimate interests without restricting normal business operations or exposing you to unnecessary liability.

Common risks

Overly broad definitions may classify nearly all shared information as confidential, including trivial or non-sensitive material.
Lack of clear exclusions can mean you are liable for using information you already knew or that becomes public through no fault of your own.
Strict use limitations may unintentionally prevent normal internal use (e.g., sharing with affiliates, contractors, or advisors).
Unclear or burdensome data handling obligations (e.g., deletion, return, tracking) may create operational and technical challenges.
Indefinite or excessively long confidentiality periods can create long-term compliance risks.
No carve-out for legally compelled disclosure (e.g., courts, regulators) can put you in conflict with the law.
Inadequate security standard definitions may expose you to claims even when acting reasonably.
Joint development scenarios may create ambiguity over ownership vs. confidentiality.
Residual knowledge restrictions may prevent employees from using general know-how gained during the relationship.
One-sided clauses may impose obligations on you without reciprocal protections.

What to check before signing

Definition scope: Does 'Confidential Information' include only non-public, commercially sensitive information, or everything shared?
Marking requirements: Must information be labeled confidential, or is everything automatically covered?
Oral disclosures: Are they only confidential if confirmed in writing within a set timeframe?
Standard exclusions: Are public, pre-existing, independently developed, and third-party lawful disclosures excluded?
Permitted use: Is use limited strictly to the contract purpose, and is that purpose clearly defined?
Who can access: Are disclosures allowed to employees, affiliates, contractors, and advisors on a need-to-know basis?
Security obligations: Are you required to use 'reasonable care' or a higher standard (e.g., industry best practices)?
Data handling: Are there obligations to return, destroy, or certify deletion of information?
Retention exceptions: Can you retain copies for legal, regulatory, audit, or backup purposes?
Duration: How long do confidentiality obligations last (fixed term vs. indefinite)?
Trade secrets: Are they treated differently (e.g., protected indefinitely)?
Compelled disclosure: Is there a clear process for responding to legal or regulatory demands?
Liability: Are there indemnities, penalties, or strict liability tied to breaches?
Injunctive relief: Does the clause allow immediate court action without proof of damages?
Cross-border issues: Are there data transfer or jurisdictional compliance implications?

Negotiation ideas

Limit the definition of confidential information to non-public, commercially sensitive information that is clearly identified.
Require written confirmation for oral disclosures within a reasonable timeframe (e.g., 30 days).
Add standard exclusions: information that is public, already known, independently developed, or lawfully received from a third party.
Expand permitted recipients to include affiliates, employees, contractors, and professional advisors under confidentiality obligations.
Align the security standard to 'reasonable care' or 'industry standard practices' rather than strict or undefined obligations.
Clarify that use is limited to a clearly defined business purpose—avoid vague or overly narrow descriptions.
Include explicit carve-outs for legal, regulatory, and court-ordered disclosures with notice obligations where possible.
Negotiate a reasonable duration (e.g., 2–5 years), with separate treatment for true trade secrets.
Allow retention of archival copies for compliance, audit, and backup systems.
Remove or soften residual knowledge restrictions so employees can use general skills and experience.
Ensure obligations are mutual (apply equally to both parties).
Limit liability exposure by excluding indirect damages and capping total liability where possible.
Clarify that inadvertent disclosure is not a breach if reasonable safeguards were in place.

Example clause

Each party agrees to keep confidential all non-public, proprietary, or commercially sensitive information disclosed by the other party ('Confidential Information') and to use such information solely for the purpose of performing this Agreement. Confidential Information shall not include information that (i) is or becomes publicly available without breach, (ii) was known prior to disclosure, (iii) is independently developed without use of the Confidential Information, or (iv) is lawfully obtained from a third party. Each party may disclose Confidential Information to its employees, affiliates, contractors, and advisors on a need-to-know basis, provided they are bound by similar confidentiality obligations. Confidentiality obligations shall survive for a period of three (3) years from disclosure, except for trade secrets, which shall be protected for as long as they remain confidential.

Frequently asked questions

How long should confidentiality obligations last?

Most commercial agreements use 2 to 5 years. However, trade secrets are typically protected indefinitely as long as they remain confidential.

What qualifies as confidential information?

Generally, non-public information that provides a business advantage—such as financial data, customer lists, product plans, source code, and strategies. The definition should not include publicly available or trivial information.

Do confidentiality clauses apply to employees and contractors?

Yes, typically through a 'flow-down' obligation. The receiving party must ensure anyone they share information with is bound by equivalent confidentiality duties.

Can I disclose confidential information if required by law?

Yes, but the clause should explicitly allow this. It usually requires giving prior notice (where legally permitted) and limiting disclosure to what is strictly required.

What happens if confidentiality is breached?

Consequences may include damages, injunctive relief (court orders to stop disclosure), reputational harm, and potential termination of the agreement.

Is a confidentiality clause the same as an NDA?

A confidentiality clause is a provision within a broader contract, while an NDA (Non-Disclosure Agreement) is a standalone contract focused entirely on confidentiality obligations.

What are 'residual knowledge' clauses?

These allow individuals to use general knowledge, skills, and experience retained in memory, even if originally exposed to confidential information—without deliberately memorizing protected data.

Should confidential information always be marked?

Ideally yes, especially for written materials. This reduces disputes. For oral disclosures, written follow-up confirmation is recommended.

Can confidentiality obligations conflict with data protection laws?

Yes. For example, obligations to retain or delete data must align with legal requirements such as data protection, audit, or regulatory retention rules.

This guide is for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction. Consult a qualified attorney for your specific situation.