Confidentiality


TL;DR: A confidentiality clause is only as strong as its definition and its exclusions. Draft the definition to capture what actually matters, set exclusions that are fair but not so wide they swallow the obligation, and include a survival period that reflects the real shelf life of the information. The best NDAs are the ones that never get litigated - because both parties understood exactly what was protected and what wasn't from day one.

What is a Confidentiality Clause?

Confidentiality obligations exist in almost every commercial contract, whether as a standalone non-disclosure agreement or embedded in a larger deal. The clause defines what counts as "Confidential Information," who can see it, how it must be protected, and when the obligation ends. It sounds simple. In practice, it is one of the most frequently litigated provisions in commercial law - because what the disclosing party thought was protected often turns out not to be.

The stakes are highest in M&A, technology licensing, and joint ventures where one party hands over trade secrets, customer lists, or proprietary algorithms in exchange for a promise. If that promise is vague, overbroad, or missing a critical exclusion, the receiving party may find itself unable to operate in the market - or the disclosing party may find its most sensitive data circulating freely with no remedy.

Usually found in a standalone NDA or the Confidentiality article of commercial contracts, the clause:

• Defines what qualifies as "Confidential Information."
• Sets exclusions (publicly available info, independently developed, etc.).
• Restricts who can access the information and under what conditions.
• Imposes a survival period that outlasts the contract itself.
• Specifies remedies for breach, including injunctive relief.

Confidential Information - What Counts:

  • Broad definition: Most disclosing parties want the widest possible scope - "any information, whether written, oral, visual, electronic, or otherwise, disclosed by or on behalf of the Disclosing Party." This catches everything from boardroom conversations to source code. The risk: if it's too broad, courts may refuse to enforce it on the grounds that the receiving party couldn't reasonably identify what was protected.

Standard Exclusions:

  • Every enforceable confidentiality clause carves out information that: (a) was already publicly available at the time of disclosure; (b) becomes publicly available through no fault of the receiving party; (c) was already known to the receiving party before disclosure; (d) is independently developed without reference to the confidential information; or (e) is disclosed pursuant to a legal or regulatory requirement (with notice to the disclosing party). These exclusions exist because courts won't enforce obligations over information the receiving party has a legitimate right to use.

A well-drafted Confidentiality clause contains:

  1. Definition of Confidential Information: Clear, specific, and ideally tied to a marking or designation requirement. Oral disclosures should be confirmed in writing within a set period (typically 10-30 days) to qualify.
  2. Permitted Disclosures: Who inside the receiving party's organization can see the information - employees, directors, advisors, affiliates, auditors - and on what basis (need-to-know, bound by equivalent obligations). The disclosing party will want this list tight; the receiving party will want it practical.
  3. Standard of Care: The receiving party must protect confidential information with at least the same degree of care it uses for its own confidential information, but no less than a reasonable standard. This dual formulation prevents a careless company from arguing that it treats all its own information carelessly.
  4. Survival Period: How long the obligation lasts after the contract ends. Standard commercial NDAs run 2-5 years. Trade secrets should be protected indefinitely (or "for so long as the information remains a trade secret"). Getting this wrong is one of the most common drafting mistakes.
  5. Return or Destruction: What happens to confidential material when the relationship ends. The disclosing party wants everything returned or destroyed, with written certification. The receiving party needs a carve-out for copies retained in automated backup systems or required by law or regulation.
  6. Remedies: An express acknowledgment that breach may cause irreparable harm for which damages are inadequate, and that the disclosing party is entitled to seek injunctive relief without proving actual damages. Without this language, getting a court to issue an emergency injunction is harder.
  7. Compelled Disclosure: A procedure for when the receiving party is legally required to disclose (subpoena, regulatory investigation). Best practice: the receiving party must give prompt notice to the disclosing party, cooperate in seeking a protective order, and disclose only the minimum required.

Market Position & Benchmarks

Where Does Your Clause Fall?

  • Receiving-Party Favorable: Narrow definition requiring written marking on all materials, broad exclusions (including residuals clause permitting use of information retained in unaided memory), short survival period (1-2 years), broad permitted-disclosure list (employees, contractors, affiliates, advisors without prior approval), return/destruction with generous carve-outs for backup systems and regulatory retention, no injunctive relief presumption.
  • Market Standard: Broad definition covering written, oral, and visual disclosures with a 10-day written confirmation requirement for oral disclosures, standard five exclusions (public domain, prior knowledge, independent development, third-party disclosure, compelled disclosure), 3-5 year survival period (indefinite for trade secrets), permitted disclosures limited to need-to-know employees and advisors bound by equivalent obligations, return/destruction within 15 business days with backup-system carve-out, express injunctive relief language.
  • Disclosing-Party Favorable: Broad definition with catch-all for information a reasonable person would consider confidential (no marking requirement), narrow exclusions with burden of proof on the receiving party, no residuals clause, 5-7 year survival (indefinite for trade secrets and personal data), tight permitted-disclosure list requiring prior written approval for any third-party access, return/destruction within 10 business days with officer certification and limited backup carve-out, express injunctive relief without bond, liquidated damages for breach.

Market Data

  • Confidentiality or NDA provisions appear in over 95% of commercial contracts across all industries, making them the single most common contractual obligation.
  • Median survival period for confidentiality obligations in commercial NDAs is 3 years; M&A NDAs average 2-3 years for general information and indefinite for trade secrets. Technology licensing agreements average 5 years.
  • Approximately 60-65% of negotiated NDAs include a marking or designation requirement for written materials, but only 30-35% include a written-confirmation mechanism for oral disclosures, creating a significant coverage gap.
  • Residuals clauses (permitting use of information retained in unaided memory) appear in approximately 20-25% of technology-sector NDAs, predominantly in agreements where the receiving party has superior bargaining power.
  • Return-or-destruction provisions with officer certification appear in approximately 70% of M&A NDAs, compared with only 40% of standard commercial NDAs.
  • Post-2020 data protection regulation (GDPR, CCPA, state privacy laws) has driven a 30-40% increase in the inclusion of specific data-handling obligations within confidentiality clauses, blurring the line between NDA and data processing agreement.

Sample Language by Position

Receiving-Party Favorable: "'Confidential Information' means information that is (a) disclosed in writing and clearly marked 'Confidential' at the time of disclosure, or (b) disclosed orally and confirmed as confidential in writing within thirty (30) days of disclosure. Confidential Information does not include information that: (i) is or becomes publicly available; (ii) was known to Receiving Party prior to disclosure; (iii) is independently developed; (iv) is received from a third party without restriction; or (v) is retained in the unaided memory of Receiving Party's personnel who had access to such information, provided such personnel do not intentionally memorize the information for purposes of this exception. Obligations under this Section expire two (2) years after disclosure."
Market Standard: "'Confidential Information' means any information, whether written, oral, visual, or electronic, disclosed by or on behalf of the Disclosing Party that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure. Oral disclosures must be confirmed in writing within ten (10) business days. Confidential Information excludes information that: (i) is publicly available through no fault of Receiving Party; (ii) was in Receiving Party's possession before disclosure, as documented by written records; (iii) is independently developed without use of or reference to Confidential Information; (iv) is lawfully received from a third party without restriction; or (v) is disclosed pursuant to legal requirement, provided Receiving Party gives prompt notice and cooperates in seeking a protective order. Obligations survive for five (5) years following disclosure, except that obligations with respect to trade secrets survive for so long as such information remains a trade secret under applicable law."
Disclosing-Party Favorable: "'Confidential Information' means all information of any kind disclosed by or on behalf of the Disclosing Party, whether before or after the Effective Date, including trade secrets, business plans, financial data, customer information, product roadmaps, source code, algorithms, and any analyses, summaries, or derivative works prepared by the Receiving Party that contain or reflect such information. No marking or designation is required; information need only be of a nature that a reasonable business person would consider confidential. Receiving Party bears the burden of proving applicability of any exclusion. Obligations survive indefinitely with respect to trade secrets and personal data, and for seven (7) years following disclosure with respect to all other Confidential Information."

Example language:

  • M&A Due Diligence NDA: The buyer agrees that all information accessed in the virtual data room is confidential, that it will restrict access to a named deal team, and that if the transaction doesn't close, all materials (including notes, analyses, and derivative works) must be destroyed within 10 business days with an officer's certificate confirming destruction. A standstill provision may also be included to prevent hostile action if negotiations fail.

    "The Receiving Party shall hold in confidence all Confidential Information of the Disclosing Party and shall not disclose such information to any third party except as expressly permitted herein. The Receiving Party shall protect the Confidential Information using the same degree of care it uses to protect its own confidential information of a similar nature, but in no event less than reasonable care."

  • SaaS Vendor Agreement: The vendor's confidentiality obligations cover all customer data processed through the platform. The clause requires encryption at rest and in transit, limits access to authorized personnel, and mandates breach notification within 72 hours. The vendor's obligation survives termination indefinitely with respect to customer data that constitutes personal information under applicable data protection laws.

    "Upon termination of this Agreement or upon written request by the Disclosing Party, the Receiving Party shall promptly return or destroy all Confidential Information, including all copies, summaries, and derivative works, and shall provide written certification of such return or destruction within fifteen (15) business days. Notwithstanding the foregoing, the Receiving Party may retain copies of Confidential Information to the extent required by applicable law or regulation, or stored in automated backup systems, provided that such retained information remains subject to the confidentiality obligations of this Agreement."

Negotiation Playbook

Key Drafting Notes

  • Match the definition scope to the transaction type. An M&A due diligence NDA should cover everything in the data room without a marking requirement, because the sheer volume of disclosed materials makes marking impractical. A commercial vendor NDA, by contrast, benefits from a marking requirement to give the receiving party clear notice. Using the same template for both contexts creates either over-protection (vendor deals) or under-protection (M&A deals).
  • Always include a written-confirmation mechanism for oral disclosures. The most common gap in confidentiality clauses is unprotected oral disclosures. If the definition requires marking and the disclosing party shares sensitive pricing information verbally during a meeting, that information may fall outside the clause entirely. Require the disclosing party to confirm oral disclosures in writing within 10-15 business days, or include a catch-all provision covering information a reasonable person would consider confidential regardless of format.
  • Resist residuals clauses aggressively if you are the disclosing party. A residuals clause allows the receiving party to use any information retained in the "unaided memory" of personnel who had access. In practice, this guts the NDA for experienced professionals who naturally absorb and retain technical details, pricing structures, and strategic plans. If you must accept a residuals clause, carve out trade secrets, source code, customer data, and financial information explicitly.
  • Set the survival period based on the information's actual shelf life. A 2-year survival period is inadequate for trade secrets that may remain valuable for decades. Conversely, a 10-year survival period for routine commercial information imposes unnecessary compliance burden on the receiving party. Use a tiered approach: 3-5 years for general confidential information, indefinite for trade secrets, and compliance with applicable data protection law for personal data.
  • Coordinate the confidentiality clause with data protection obligations. Post-GDPR and post-CCPA, confidentiality clauses that cover personal data must work in tandem with data processing agreements, cross-border transfer mechanisms, and breach notification requirements. A standalone NDA that fails to address data protection creates regulatory risk for both parties. At minimum, include a provision stating that the confidentiality clause does not limit either party's obligations under applicable data protection law.

Common Pitfalls

  • Relying solely on a marking requirement without a catch-all. If the clause requires materials to be marked "Confidential" to qualify, every unmarked email, every whiteboard discussion, and every demo falls outside the definition. The disclosing party's legal team may understand the requirement, but its engineers, salespeople, and executives will not consistently mark materials. Include a reasonable-person catch-all as a safety net.
  • Omitting the written-confirmation window for oral disclosures. Many NDAs protect only written information or require oral disclosures to be confirmed in writing within a specified period. If the disclosing party forgets to send the confirmation letter, the oral disclosure is unprotected. This is one of the most frequently exploited gaps in NDA litigation.
  • Failing to address derivative works and analyses. The receiving party will create internal memos, financial models, and technical analyses based on disclosed information. If the definition of Confidential Information does not explicitly cover "analyses, compilations, summaries, studies, and other materials prepared by or on behalf of the Receiving Party that contain, reflect, or are derived from Confidential Information," those derivative works may fall outside the clause, even though they contain the disclosing party's most sensitive data in synthesized form.
  • Accepting a return-or-destruction obligation without a backup-system carve-out. Modern IT infrastructure creates copies automatically: email servers, cloud backups, disaster recovery systems, archived Slack messages. A strict return-or-destruction requirement without a carve-out for automated copies is impossible to comply with literally. The receiving party needs language permitting retention of copies in automated systems, subject to continued confidentiality obligations.
  • Ignoring the interaction between confidentiality and intellectual property rights. A confidentiality clause protects information from disclosure but does not grant or restrict rights to use that information. If the disclosing party shares proprietary technology under NDA, the receiving party may argue that the NDA permits internal use for evaluation purposes, even if the disclosing party intended otherwise. Address use restrictions explicitly: "Receiving Party shall use Confidential Information solely for the Purpose and for no other purpose."

Key drafting notes for a Confidentiality clause:

  • The Marking Trap: If the clause requires information to be marked "Confidential" to qualify, oral disclosures and visual demonstrations fall outside the definition unless there's a follow-up-in-writing mechanism. Many parties forget to send the follow-up letter. Fix: include a catch-all that covers information a reasonable person would understand to be confidential, regardless of marking.
  • Residuals Clauses: Some receiving parties push for a "residuals" provision allowing them to use any information retained in the unaided memory of their personnel. Disclosing parties should resist this aggressively - it effectively guts the NDA for anyone with a good memory. If you must accept it, limit it to general knowledge and exclude trade secrets, source code, and customer data explicitly.
  • Non-Solicitation and Non-Compete Riders: Many NDAs include non-solicitation clauses (don't poach my employees or customers) alongside confidentiality. These are separate obligations with separate enforceability standards. Don't assume a court will enforce a non-solicitation clause just because it's embedded in an otherwise reasonable NDA.
  • Regulatory Overlap: In data-heavy industries, confidentiality clauses interact with GDPR, CCPA, HIPAA, and other data protection regimes. The NDA alone may not satisfy regulatory requirements for data processing, cross-border transfers, or breach notification. Make sure the confidentiality clause works alongside (not instead of) any required data processing agreement.
  • Third-Party Beneficiary Risk: If the disclosing party shares information belonging to its own customers or partners, the NDA should address whether those third parties have any rights under the agreement. Without clarity, a data breach could trigger claims from parties who aren't even signatories.

Historical note:

The legal protection of trade secrets dates back to Roman law, where remedies existed for slaves who were induced to reveal their master's business secrets. The modern framework emerged in England with Morison v. Moat (1851), which recognized a duty of confidence arising from the relationship between the parties. In the United States, trade secret protection was codified first by the Restatement of Torts (1939) and later by the Uniform Trade Secrets Act (1979, amended 1985), now adopted in some form by 48 states. The Defend Trade Secrets Act (2016) added a federal civil cause of action, allowing trade secret owners to bring claims in federal court. The EU Trade Secrets Directive (2016/943) harmonized trade secret protection across EU member states. Despite these statutory frameworks, contractual confidentiality obligations remain the primary tool because they can be broader, more specific, and easier to enforce than statutory protections alone.

Jurisdiction-specific notes:

  • U.S.: Trade secret claims can be brought under state law (UTSA) or federal law (DTSA). The DTSA provides for ex parte seizure orders in extraordinary cases - a powerful remedy that allows a court to order the seizure of misappropriated trade secrets before the other side is even notified. Confidentiality clauses are generally enforceable, but overly broad or indefinite restrictions may be narrowed by courts. Non-compete provisions embedded in NDAs face state-by-state scrutiny - California bans most non-competes entirely (Business & Professions Code Section 16600), while states like Delaware and New York apply reasonableness tests.
  • U.K.: Confidential information is protected under the common law duty of confidence (developed through cases like Coco v. A.N. Clark (1969)), supplemented by contract. Courts will enforce NDAs provided the information has the "necessary quality of confidence" and was shared in circumstances importing an obligation. Post-employment restrictions are subject to the restraint of trade doctrine - they must be reasonable in scope, duration, and geographic reach. The UK also implemented the EU Trade Secrets Directive via the Trade Secrets (Enforcement, etc.) Regulations 2018, which remains in force post-Brexit.

Drafting tip:

Always include a standalone survival clause for confidentiality obligations that extends beyond the main contract term. Don't rely on a general survival provision - spell out exactly how long confidentiality lasts. For trade secrets, use "for so long as the information qualifies as a trade secret under applicable law." For everything else, pick a fixed term and make sure it's long enough to matter.
