What startups need to know about non-disclosure agreements

Whether a company is a unicorn or a struggling bootstrapped startup, there is one agreement that both companies will use to ensure that the people they work with do not misuse their company’s confidential information without prior approval.

These agreements are usually known as confidentiality agreements or non-disclosure agreements. Both cover the same topic, which is protecting confidential and proprietary information. Any difference between the two names is subtle. In practice, the choice of name has a lot more to do with the parties involved than with anything required under the law.

Failing to sign a good non-disclosure agreement can be detrimental to your most valuable confidential and proprietary information, especially if you are a technology company sharing source code or a proprietary algorithm. You need to guard these critical details jealously.

You may end up in a bind if you do not have clarity as to what happens if a party leaks, improperly discloses, or even exploits your company’s confidential information.

As an entrepreneur or a founder, before you enter into a non-disclosure agreement you should look into the following issues to avoid these mistakes.

There is no such thing as a “standard agreement”

Let us be clear about one thing. There is no such thing as a “standard agreement”. Before signing the non-disclosure agreement, read the terms and conditions carefully and make sure you understand them.

Make sure that it reflects your understanding and your intention in entering the agreement with the other party in the first place. If you are careless and merely sign an agreement, you could end up opening a can of worms.

Agree on the parties involved in the terms

Agree on the parties that will be responsible under the terms of the non-disclosure agreement. Agree on which parties may receive or access the confidential information.

Be clear whether you are disclosing the confidential information to a company or to a person like an adviser. In practice, the lines can get blurry, so you should aim to specify in detail which of the receiving party’s representatives may have access to the confidential information.

To illustrate, if you are signing a non-disclosure agreement with a company as the receiving party, the usual parties that may have access to confidential information include the receiving party’s shareholders, directors, employees, and even third parties like legal counsel, accountants, financial and tax advisers. If you want to restrict access to only certain key people in the receiving party, you can state in the agreement that the disclosure can only be made to specific people in the company (like the cofounders of the receiving party).

Unilateral vs mutual agreement

Be clear whether the non-disclosure agreement should be unilateral (also referred to as ‘one way’) or mutual (or ‘two way’).

For example, if you are the only party that will be disclosing confidential information, then you should have a unilateral non-disclosure agreement instead.

Take note that a non-disclosure agreement may sometimes involve more than two entities (though this can be rare). In that case, the negotiation process can take longer, especially in trying to reach a unanimous consensus on the terms.

Agree on the purpose of the non-disclosure

The next step is to consider the specific purposes for which the receiving party may use the confidential information. For instance, if the transaction relates to a proposed acquisition by an investor, state clearly in the non-disclosure agreement that the purpose of the agreement is to evaluate the purchase of the business.

If you are hiring a consulting firm to help your business, state clearly that the purpose of disclosing the information is to carry out consulting services to improve revenue, etc.

Which party will enforce the agreement?

Determine which party to the non-disclosure agreement will most likely need to enforce the other party’s contractual obligations. In practice, the first party that circulates the draft may have the opportunity to revise the document.

In other words, the terms inside the draft document may be more favourable to the party drafting the agreement. During this stage, you should get legal counsel to help you pinpoint specific key legal issues that you may miss.

Be clear on the “confidential information” involved

Review the definition of “confidential information” carefully. Ensure that the definition covers the scope of information which you will be disclosing to the other party. In practice, many entrepreneurs who rely on templates may ignore or neglect the definition completely.

For example, the definition of “confidential information” may have been copied and pasted from another transaction (which may be inapplicable in your case). If you are the disclosing party, you should aim to make the definition of “confidential information” as narrow as possible.

But if you are the receiving party, you may want to negotiate for the definition to be broad to allow for more documents to be disclosed (this could be useful in an investment deal where the investor may need to test the valuation assertion before deciding on whether to acquire or invest in the company).

Agree on the formal disclosure channel

State whether the confidential information may only be disclosed in writing, orally, or electronically, and whether it must be marked “confidential” to be subject to the terms of the non-disclosure agreement. In practice, this can be troublesome and impractical when most if not all documents are shared using email or a cloud platform.

Alternatively, you can explore setting up a virtual data room (VDR) (also known as a ‘secure data room’), which allows you to disclose the information by sharing the documents in a secure manner. Compared with sending documents as email attachments, secure data room providers offer features like ‘locking’ access to the documents to certain users only (based on the email address or even IP address).

You can even restrict the receiving party’s team from downloading or making copies of such documents. These features can be useful if you are disclosing sensitive information like sales data, financial forecasts, source code, and so on.

Label the confidential documents as “confidential”

If you wish for certain information to be confidential, then the document needs to be marked specifically as “confidential”, as prominently as possible. In other words, put a clear disclaimer or note on the document to make the confidential nature of the document certain. Additionally, when a document contains details outside the scope of the purpose, you can censor or redact the details that are irrelevant to the transaction before disclosing it.

Be careful on personal data and privacy issues

Avoid sharing customers’ personal data or any information that may compromise their privacy. To illustrate, if you are disclosing your sales records or even employee details, you need to ensure you have obtained the necessary consent from the customer (usually covered in the privacy policy) and the employee (in the employment agreement) before disclosing the information to any third party.

If you really need to share the data, use dummy data (i.e., data that does not relate to any actual person) or anonymise the data so that the receiving party cannot trace or identify the person.

Have a formal notification on any data leak or breach

A good non-disclosure agreement should also include a requirement for the receiving party to immediately inform the disclosing party if there is any breach of the agreement. In practice, it may be challenging to demonstrate that such a breach has occurred (unless you end up discovering the data leak on your own). But this clause may provide additional obligations on the receiving party to make appropriate disclosures and notify you so that appropriate mitigation measures may be taken to reduce future risks.

Agree on an expiry date or a cut off date

Every non-disclosure agreement should have an expiry date. In other words, agree on the “cut off” date when the receiving party needs to return all confidential information provided during the transaction.

In practice, it may be challenging or even impossible for the receiving party to return or ensure complete deletion of “all electronic records” of the documents disclosed. To illustrate, documents you have disclosed using email or a cloud platform may get archived or cached by the receiving party’s network backup programs or email systems.

If you are serious about ensuring that your shared documents do not get copied or forwarded elsewhere by the receiving entity’s recipient, it may be worthwhile to explore a third-party platform that offers secure data rooms, which allow you to restrict documents to “view only” access.

Agree on the remedies if there is a breach of confidentiality

Agree on which remedy would be most appropriate if there is a breach of the non-disclosure agreement. Usually, it is challenging to assess the financial damages suffered by the disclosing party.

Equitable remedies like an injunction may be possible so long as you are willing to go to court to enforce your rights by hiring a lawyer to file a legal claim against the other party. In practice, the judge will assess your evidence and decide whether it is appropriate to award you, as the innocent party, an injunction or damages (usually in the form of monetary compensation).

Look at the governing law of the non-disclosure agreement

Look for the governing law inside the agreement. I remember reading a non-disclosure agreement signed by two Malaysian companies, but the governing law ended up being New York laws!

In retrospect, I honestly do not think it is a lack of faith against the Malaysian judiciary or anything, but more of a common scenario where one of the parties involved may have used a template found on the internet which ended up being totally unsuitable to their deal. It is also unfortunate that both parties did not bother reading the agreement.

Look out for the “hidden provisions”

Look also for what I call the “hidden provisions”. Boilerplate clauses (like the governing law clause example above) are the usual legalese clauses that can be found in every agreement.

In practice, it can be challenging at times to differentiate between a “standard clause” and a “non-standard clause” if you are not familiar with or accustomed to reading or dealing with legal agreements.

So, it is a good idea to get a corporate lawyer to do a final review of the draft agreement before signing. An example of a “hidden clause” is an exclusivity clause (also known as a “no shop” clause) that requires you to refrain from engaging another interested party until your existing engagement or duration expires.

Although this can be common and standard in an investment term sheet, this restriction can be prohibitive if you end up agreeing to such a clause in a non-disclosure agreement when you are looking for a potential customer and so on.


A well-drafted non-disclosure agreement can help you reduce risks when you decide to get into a new collaboration with a new party. Before signing an agreement, you should carefully consider and assess the terms inside the agreement to ensure that they cover and protect your most valuable confidential and proprietary information.

Additionally, a good non-disclosure agreement also covers scenarios where the receiving party fails to comply with the terms in the agreement (such as improperly disclosing the information or using it for other purposes outside the scope of the agreement).

Finally, you should get legal counsel to review the non-disclosure agreement so that it does not contain any unexpected contractual obligations.
