The Complete Guide to NDAs (Non-Disclosure Agreements) With Template — 2026 Edition
Last updated April 2026 — refreshed with current legal requirements, AI-era provisions, and a ready-to-use template.
A Non-Disclosure Agreement (NDA) is the most commonly used legal instrument for protecting confidential business information — yet most templates circulating online are either dangerously vague or missing clauses that courts now expect. This guide covers what NDAs actually are, which type to use when, what every enforceable NDA must include (including an AI-data clause that became standard practice in 2025), and closes with a plain-language template you can adapt.
Whether you are a founder sharing your pitch with an investor, a startup onboarding a remote developer, or a company negotiating a joint venture, this guide gives you the specifics — not boilerplate advice.
What changed since 2023 — 5 things every reader needs to know
- AI-data clauses are now standard. Traditional NDAs say nothing about generative AI tools. If a counterparty enters your source code or financial projections into ChatGPT, Claude, or Gemini, that data may persist in model training pipelines. New NDAs explicitly prohibit feeding confidential information into any LLM or generative AI system without written approval.
- The Defend Trade Secrets Act (DTSA) whistleblower notice is mandatory for trade secrets. Any NDA covering trade secrets — including those with employees and independent contractors — must include the statutory DTSA immunity notice or risk forfeiting exemplary damages and attorney's fee awards in litigation.
- California's Silenced No More Act (SB 331) broadened NDA restrictions in settlement agreements. Since 2022, California employers cannot use NDAs to silence workers about harassment or discrimination based on any protected characteristic (not just sex). This extends to separation agreements signed after January 1, 2022.
- The Speak Out Act (federal, December 2022) voids pre-dispute NDAs covering sexual assault and harassment claims. Any NDA clause that attempts to silence sexual harassment or assault disclosures before a dispute arises is unenforceable under federal law.
- Duration matters more than ever. Courts are increasingly skeptical of indefinite NDAs. The industry standard for most commercial relationships is now 2–3 years for general business information; trade secrets warrant indefinite protection, but that must be called out explicitly.
What Is an NDA?
A Non-Disclosure Agreement (NDA) — also called a Confidential Disclosure Agreement (CDA), Proprietary Information Agreement (PIA), or Secrecy Agreement (SA) — is a legally binding contract that creates a confidential relationship between the parties who sign it. The disclosing party shares information; the receiving party agrees not to share or misuse it.
NDAs are enforced under contract law. If a receiving party breaches the NDA, the disclosing party can seek injunctive relief (a court order to stop the disclosure), monetary damages, or both. In trade secret cases, the federal DTSA also allows recovery of attorney fees and, in cases of willful misappropriation, exemplary damages up to twice actual damages.
Types of NDA
| Type | Who discloses? | Typical use case |
|---|---|---|
| Unilateral (one-way) | One party to the other | Employee onboarding, investor pitch, vendor engagement, hiring a contractor |
| Bilateral (mutual) | Both parties to each other | Joint venture, merger discussions, strategic partnership |
| Multilateral | Three or more parties | Consortium projects, multi-company R&D, government contracts |
Unilateral NDA
One party — the disclosing party — shares information; the other — the receiving party — promises to protect it. This is the most common form. Examples: a startup disclosing its business plan to a potential investor; an employer requiring an employee to sign before accessing trade secrets; a company sharing source code with a freelance developer.
Bilateral (Mutual) NDA
Both parties expect to share confidential information with each other and both accept reciprocal confidentiality obligations. Typical in M&A due diligence, joint ventures, and technology licensing discussions where both parties expose sensitive data.
Multilateral NDA
Three or more parties sign a single agreement rather than a web of bilateral NDAs. Common in government-contracted consortium projects and multi-party R&D agreements. The negotiation is more complex, but a single document is easier to manage and audit long-term.
When to Use an NDA — Decision Guide
Not every business conversation requires an NDA. Signing one unnecessarily can damage relationships and slow down deals. Use this decision framework:
| Situation | NDA recommended? | Type |
|---|---|---|
| Presenting a new product idea to an investor | Yes | Unilateral |
| Hiring a full-time employee with access to codebase | Yes — include in employment contract | Unilateral |
| Engaging a freelance or remote developer | Yes — before onboarding | Unilateral |
| Exploratory call with a potential partner | Often no — use a lightweight CDA if needed | Unilateral or Mutual |
| M&A due diligence | Yes — both sides share financials | Bilateral (Mutual) |
| Vendor providing generic software service | Usually covered by service agreement — review before adding NDA | — |
| Conference presentation / public demo | No — information is already public | — |
Five Core Components of an Enforceable NDA
1. Definition of Confidential Information
This is the most litigated clause. Courts reject NDAs that define confidential information too broadly (e.g., "all information shared by either party") because they restrain trade unfairly. Courts also reject NDAs that are too vague to enforce.
Best practice: list categories explicitly. For a software company, a solid definition might read:
"Confidential Information" means any non-public information disclosed by Disclosing Party, including but not limited to: source code, technical documentation, product roadmaps, customer lists, pricing data, financial projections, trade secrets, and business strategies — whether disclosed in writing, verbally, electronically, or visually — that is marked as "Confidential" or that the Recipient reasonably should know is confidential given the context of disclosure.
2. Standard Exclusions
Every NDA must carve out information that the receiving party cannot realistically be expected to protect. Courts expect these exclusions — omitting them signals sloppy drafting and may result in the court reading them in anyway. Standard exclusions:
- Information already publicly available (not through a breach)
- Information the receiving party already knew before signing
- Information independently developed by the receiving party without reference to the disclosed information
- Information received from a third party without a confidentiality obligation
- Information required to be disclosed by law, court order, or regulator (with notice to the disclosing party)
3. Obligations of the Receiving Party
Spell out exactly what the receiving party must and must not do:
- Keep the information strictly confidential
- Use it only for the defined purpose (e.g., "evaluating a potential partnership" — not for competing products)
- Share only on a need-to-know basis with its own employees or advisors who are also bound by confidentiality
- Return or certifiably destroy all confidential materials on request or upon termination
- 2025 addition: Not input confidential information into any generative AI tool, LLM, or third-party AI platform without prior written approval
4. Duration
Industry norms by use case:
- 1 year: Sales demos, initial exploratory discussions in fast-moving tech
- 2–3 years: Commercial negotiations, joint ventures, contractor/freelancer engagements — this is the most common range
- 5 years: Strategic partnerships, sensitive IP licensing
- Indefinite: Trade secrets only — must be called out separately, because general business info held indefinitely will often not survive a legal challenge
Important: courts in most jurisdictions will not rewrite an unenforceable duration — they may void the clause entirely. Set a specific term.
5. Remedies for Breach
Include:
- Right to seek injunctive relief without posting bond (disclosure is typically irreversible, so money damages alone are inadequate)
- Right to seek monetary damages including lost profits and unjust enrichment
- In trade secret cases covered by DTSA: right to seek exemplary damages and attorney fees if breach is willful
- Governing law and jurisdiction (critical for cross-border arrangements — pick the jurisdiction before you need it)
- Severability clause (if one clause is unenforceable, the rest survives)
The AI-Data Clause: What to Add in 2026
This is the section most NDA templates are missing. If your counterparty's developer uses GitHub Copilot, their analyst uses ChatGPT Enterprise, or their legal team uses an AI drafting tool, your confidential information may transit those systems.
For highly sensitive deals (M&A, trade secrets, source code), use a hard prohibition:
Recipient shall not, and shall ensure its representatives do not, input, upload, or otherwise transmit any Confidential Information into any generative artificial intelligence system, large language model, AI assistant, or machine learning platform — whether operated by the Recipient, a third party, or accessed via API — without the prior written consent of Disclosing Party.
For standard commercial B2B relationships, a guardrails approach is more practical:
To the extent Recipient uses AI-assisted tools in connection with its obligations hereunder, Recipient shall: (a) use only enterprise-grade tools with contractual prohibitions on training models on customer data; (b) not enable any feature that sends Confidential Information to a third-party training pipeline; and (c) provide a list of authorized AI subprocessors to Disclosing Party upon request.
DTSA Immunity Notice (Required for Trade Secrets)
If your NDA covers trade secrets — and most NDAs with employees and contractors do — you must include the following notice under the Defend Trade Secrets Act of 2016. Omitting it limits your recoverable damages if you ever sue for misappropriation:
NOTICE OF IMMUNITY UNDER THE DEFEND TRADE SECRETS ACT
Pursuant to 18 U.S.C. § 1833(b), an individual shall not be held criminally or civilly liable under any federal or state trade secret law for the disclosure of a trade secret that is made: (i) in confidence to a federal, state, or local government official, either directly or indirectly, or to an attorney, solely for the purpose of reporting or investigating a suspected violation of law; or (ii) in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. An individual who files a lawsuit for retaliation by an employer for reporting a suspected violation of law may disclose the trade secret to the attorney of the individual and use the trade secret information in the court proceeding, if the individual files any document containing the trade secret under seal and does not disclose the trade secret except pursuant to court order.
NDAs When Hiring Remote Developers and Freelancers
Remote developer engagements carry unique NDA considerations that a generic template will not address:
- Sign before onboarding. The NDA should be executed before the developer accesses any codebase, cloud environment, or internal documentation — not after. Retroactive NDAs create enforceability risk.
- Specify the codebase explicitly. Developers routinely build personal portfolios from their project work. Your NDA should explicitly list what constitutes confidential information: source code, architecture diagrams, database schemas, API credentials, and CI/CD configuration.
- Include an IP assignment clause. An NDA alone does not transfer ownership of work product. Add a work-for-hire / IP assignment clause — or use a separate contract that includes one. Without it, a freelance developer may retain copyright in code they wrote for you.
- Cross-border jurisdiction. If you hire a developer in another country, specify which country's law governs the NDA. Many jurisdictions will enforce a valid foreign-law NDA, but enforcement mechanisms differ. For high-value engagements, consult a local attorney in the developer's country.
- E-signature is legally valid. DocuSign, Adobe Sign, and similar platforms produce legally binding signatures under the ESIGN Act (US) and eIDAS (EU). You do not need wet ink for an NDA to be enforceable.
Codersera vets developers through a multi-step technical screening process and requires NDAs and IP assignments as standard contract terms — so if you hire a vetted remote developer through Codersera, the confidentiality framework is already in place before the developer writes a line of code.
Common Pitfalls That Make NDAs Unenforceable
- Covering "all information" without specificity. Courts treat this as an unreasonable restraint. You cannot protect what you did not clearly define.
- No exclusions clause. An NDA with no carve-outs for public or independently developed information looks one-sided and courts may void it or read in reasonable exceptions anyway.
- Indefinite duration for general business information. Trade secrets can be protected indefinitely. Ordinary business information typically cannot. Courts in many states will reject or reform unreasonably long terms.
- Missing severability clause. If one provision fails, you want the rest of the NDA to survive. Without a severability clause, a judge may void the whole agreement.
- Attempting to silence whistleblowers. Any NDA clause that purports to prevent reporting crimes, regulatory violations, or harassment to government agencies is unenforceable and may expose the drafter to regulatory sanctions. The SEC has penalized companies for using NDAs that could discourage whistleblowing under Rule 21F-17.
- No consideration. An NDA signed after work has already begun, with nothing offered in exchange, may lack consideration. Tie NDA execution to onboarding, payment terms, or the commencement of a partnership.
- Missing DTSA notice for trade secrets. If your NDA covers trade secrets and you fail to include the statutory immunity notice, you cannot recover exemplary damages or attorney fees if you win a misappropriation case.
- No AI-use restriction. As of 2025, this is a gap that practitioners now flag in NDA reviews. Add it proactively.
State-Specific Rules to Watch
- California: Non-compete agreements are entirely unenforceable. NDAs remain enforceable for trade secrets and confidential business information, but California's Silenced No More Act (SB 331, effective January 1, 2022) prohibits NDAs that prevent employees from disclosing harassment, discrimination, or retaliation in the workplace based on any protected characteristic. Settlement agreements must allow employees at least five business days to consult an attorney.
- Minnesota: Non-compete agreements are void for all agreements signed after January 1, 2023. NDAs for trade secrets remain valid.
- Federal (all states): The Speak Out Act (December 2022) voids pre-dispute NDA clauses that cover sexual assault and sexual harassment claims. The DTSA (2016) provides a federal civil cause of action for trade secret misappropriation and requires the immunity notice described above.
NDA Template — Ready to Adapt
The template below is a general-purpose unilateral NDA suitable for a startup disclosing information to a contractor, developer, or potential investor. It is not legal advice. Have a qualified attorney review any NDA before signing.
NON-DISCLOSURE AGREEMENT
This Non-Disclosure Agreement ("Agreement") is entered into as of [DATE] ("Effective Date") by and between:
Disclosing Party: [COMPANY NAME], a [STATE] [corporation/LLC] ("Company")
Receiving Party: [RECIPIENT NAME], [an individual / a [STATE] corporation] ("Recipient")
1. CONFIDENTIAL INFORMATION
"Confidential Information" means any non-public information disclosed by Company to Recipient, whether orally, in writing, electronically, or visually, including but not limited to: source code, technical documentation, product roadmaps, customer lists, pricing data, financial projections, business strategies, and trade secrets. Information disclosed in writing should be labeled "Confidential." Verbal disclosures are confidential if the disclosing party notifies the Recipient in writing within 10 days that the disclosure was confidential.
2. EXCLUSIONS
Confidential Information does not include information that: (a) is or becomes publicly available through no breach of this Agreement; (b) Recipient lawfully knew before disclosure; (c) Recipient independently developed without reference to Confidential Information; (d) Recipient lawfully receives from a third party without restriction; or (e) Recipient is required to disclose by law or court order, provided Recipient gives Company prompt written notice and cooperates with Company's efforts to seek a protective order.
3. OBLIGATIONS
Recipient shall: (a) hold Confidential Information in strict confidence using at least the same degree of care used for its own confidential information (no less than reasonable care); (b) use Confidential Information solely for [describe purpose, e.g., "evaluating a potential software development engagement"]; (c) disclose Confidential Information only to its employees and advisors with a need to know, who are bound by substantially similar confidentiality obligations; and (d) promptly notify Company of any unauthorized disclosure or suspected breach.
4. AI AND MACHINE LEARNING RESTRICTION
Recipient shall not, and shall ensure its employees, contractors, and representatives do not, input, upload, or otherwise transmit any Confidential Information into any generative artificial intelligence system, large language model, AI assistant, or machine learning platform — whether operated by Recipient, a third party, or accessed via API — without the prior written consent of Company.
5. RETURN OR DESTRUCTION
Upon Company's written request or upon termination of the business relationship, Recipient shall promptly return or certifiably destroy all Confidential Information and any copies, extracts, or derivative works. Recipient shall provide written confirmation of destruction within 5 business days of completing destruction.
6. DURATION
This Agreement is effective as of the Effective Date and continues for [2/3/5] years. Notwithstanding the foregoing, obligations with respect to information that constitutes a trade secret under applicable law shall continue for as long as such information remains a trade secret.
7. DTSA IMMUNITY NOTICE
Pursuant to 18 U.S.C. § 1833(b), an individual shall not be held criminally or civilly liable under any federal or state trade secret law for the disclosure of a trade secret made in confidence to a federal, state, or local government official or to an attorney solely for the purpose of reporting or investigating a suspected violation of law, or in a complaint filed under seal. This notice does not limit Company's rights to seek remedies for any other breach of this Agreement.
8. REMEDIES
Recipient acknowledges that breach of this Agreement may cause irreparable harm for which monetary damages are inadequate. Company shall be entitled to seek injunctive relief in addition to any other remedy available at law or in equity, without the requirement of posting a bond.
9. GOVERNING LAW AND JURISDICTION
This Agreement is governed by the laws of the State of [STATE], without regard to conflict-of-law provisions. Any dispute shall be resolved in the state or federal courts located in [CITY, STATE], and the parties consent to personal jurisdiction therein.
10. SEVERABILITY
If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
11. ENTIRE AGREEMENT
This Agreement constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior oral or written understandings.
COMPANY:
Signature: ___________________________
Name: _______________________________
Title: ________________________________
Date: ________________________________
RECIPIENT:
Signature: ___________________________
Name: _______________________________
Date: ________________________________
How to Choose the Right NDA — Quick Decision Tree
- Are you sharing information only (not receiving any)? → Unilateral NDA.
- Are both parties sharing sensitive information? → Mutual (Bilateral) NDA.
- Three or more parties involved? → Multilateral NDA.
- Sharing with a remote developer or freelancer? → Unilateral NDA + IP Assignment clause. Sign before onboarding.
- Merging with or acquiring another company? → Mutual NDA. Have your attorney tailor it to the specific deal.
- Sharing trade secrets (formulas, source code, proprietary algorithms)? → Include DTSA immunity notice + indefinite trade secret protection clause.
- Operating in California? → Ensure exclusions comply with SB 331. No non-compete clauses of any kind.
FAQ
What is the difference between an NDA and a confidentiality agreement?
None, functionally. "NDA," "confidentiality agreement," "CDA," and "proprietary information agreement" are all names for the same type of contract. Use whichever term is conventional in your industry or jurisdiction.
Can I use a free NDA template from the internet?
Generic templates are a reasonable starting point, but most lack jurisdiction-specific clauses, AI-use restrictions, and the DTSA immunity notice. Treat any template — including this one — as a draft to review with an attorney, not a final document to sign as-is.
Does an NDA need to be notarized?
No. NDAs are enforceable as standard contracts — they require offer, acceptance, and consideration. Notarization is not required in any U.S. state for an NDA to be binding. E-signatures (DocuSign, Adobe Sign) are legally equivalent to wet ink under the ESIGN Act.
Can an NDA last forever?
For trade secrets: yes, as long as the information retains its trade secret status. For general business information: courts in most jurisdictions will not enforce an indefinite NDA and may void the duration clause or the entire agreement. Set a specific term (2–5 years is standard) and call out trade secrets separately as having indefinite protection.
What happens if someone breaks an NDA?
The disclosing party can sue for breach of contract and seek: (a) injunctive relief to stop ongoing or further disclosure; (b) compensatory damages (lost profits, unjust enrichment, reasonable royalties); (c) in trade secret cases under the DTSA, exemplary damages up to twice actual damages for willful breach; and (d) attorney fees in DTSA trade secret cases where the breach was willful and malicious. The practical challenge is proving what damage the breach caused — which is why injunctive relief (stopping disclosure immediately) is often the first remedy sought.
Can an NDA prevent someone from reporting a crime or harassment?
No. Federal law prohibits NDAs from blocking disclosures to government agencies (Dodd-Frank, whistleblower protections) or from silencing sexual assault and harassment claims made before a dispute arises (Speak Out Act). California's Silenced No More Act further extends these protections to all protected-class harassment and discrimination claims. Any NDA clause that attempts to prohibit legally protected disclosures is void and unenforceable.
Do I need an NDA before talking to an investor?
Most early-stage investors (VCs, angel investors) will refuse to sign an NDA before an initial meeting — it's considered a red flag that signals the founder doesn't understand how the industry works. For follow-on due diligence where you share detailed financials, customer lists, or source code, an NDA (or a data room with terms of access) is reasonable. Use judgment about when the information is sensitive enough to warrant one.
What should an NDA for a remote developer include beyond a standard template?
For remote developer engagements, add: (a) an IP assignment / work-for-hire clause so ownership of code is clear; (b) an explicit list of what counts as Confidential Information (source code, API keys, architecture diagrams, customer data); (c) an AI-use restriction preventing the developer from entering code into LLMs without approval; (d) governing law that considers the developer's country if they are outside the US. Codersera's standard developer agreements include all four of these elements as baseline requirements.