How to Write an NDA (Step-by-Step Guide)
2026-05-20
Quick Answer
To write an NDA, include these essential elements: identify the parties, define confidential information specifically, state the purpose of disclosure, set obligations for the receiving party, list standard exclusions, specify duration (1-5 years is typical), add remedies for breach, and designate governing law. Both parties must sign before sharing any confidential information.
Before you start writing
Writing an NDA requires clarity about three things before you draft a single word: what information you need to protect, who will be sharing and receiving information, and what happens after the confidential relationship ends.
You also need to decide whether you need a mutual NDA (both parties share information) or a unilateral NDA (only one party shares information). This choice affects the structure of the entire document.
For most standard business NDAs, you do not need a lawyer. The legal language in NDAs is well-established and standardized across industries. What matters is that you include all essential clauses and define your terms clearly. NDA generators like NDANow handle this automatically, but understanding what goes into an NDA is valuable whether you draft it yourself or use a tool.
Step 1: Identify the parties
Every NDA begins by identifying the parties to the agreement. For individuals, include the full legal name and address. For businesses, include the legal entity name (not just a trade name), the state of incorporation or organization, and the principal business address.
If the NDA is mutual, both parties are identified as both disclosing and receiving parties. If the NDA is unilateral, one party is designated as the disclosing party and the other as the receiving party.
Be precise with entity names. Using a trade name instead of the legal entity name can create ambiguity about who is actually bound by the agreement. If you are unsure of the other party's legal name, ask — it is a standard and expected part of the process.
Step 2: Define confidential information
The definition of confidential information is the most important clause in your NDA. It determines what is protected and what is not. Getting this right is critical for enforceability.
There are two approaches. A broad definition covers all information shared in connection with the business relationship. This is simpler but may be challenged as overly vague. A specific definition lists categories of protected information (financial data, customer lists, product plans, source code, etc.) and may include a catch-all provision.
The best approach is a hybrid: start with a general definition, then provide specific examples that are relevant to your industry and situation. This gives courts clear guidance about your intent while maintaining broad coverage.
Example of a good definition: Confidential Information means all non-public information disclosed by the Disclosing Party to the Receiving Party, whether orally, in writing, or in electronic form, including but not limited to: business plans, financial data, customer and supplier lists, product specifications, software code, manufacturing processes, marketing strategies, and pricing information.
Step 3: State the purpose
Every NDA should clearly state the purpose of the disclosure — why the confidential information is being shared. This limits the receiving party's use of the information to that stated purpose.
Be specific enough to be meaningful but broad enough to cover the entire scope of your business discussion. For example: The purpose of this agreement is to facilitate discussions between the parties regarding a potential strategic partnership in the cybersecurity space.
The purpose clause serves a dual function: it restricts how the receiving party can use the information, and it provides context for courts if the NDA is ever disputed. A clear purpose makes the NDA easier to enforce.
Step 4: Set obligations
The obligations clause defines what the receiving party must do (and must not do) with confidential information. Standard obligations include maintaining the information in strict confidence, using the information only for the stated purpose, limiting disclosure to employees and agents who need to know and who are bound by similar confidentiality obligations, and exercising at least the same degree of care used to protect their own confidential information.
Some NDAs also include affirmative obligations such as promptly notifying the disclosing party of any unauthorized disclosure or use, cooperating with the disclosing party in any legal proceedings related to the confidential information, and returning or destroying all confidential materials upon request or expiration of the agreement.
Avoid obligations that are impossible or impractical to fulfill. For example, requiring the receiving party to guarantee that no breach will ever occur is unrealistic. Instead, require reasonable security measures and prompt notification of any suspected breach.
Step 5: List exclusions
Every enforceable NDA includes exclusions — categories of information that are not considered confidential even if shared during the relationship. Standard exclusions protect the receiving party from unreasonable liability.
The four standard exclusions in virtually every NDA are: information that is or becomes publicly available through no fault of the receiving party, information that the receiving party already possessed before the disclosure, information that the receiving party independently develops without using the confidential information, and information that the receiving party receives from a third party who is not bound by a confidentiality obligation.
A fifth common exclusion covers legally compelled disclosures: information that the receiving party is required to disclose by law, regulation, or court order, provided they give the disclosing party prompt notice and cooperate in seeking protective orders.
Do not omit exclusions from your NDA. An NDA without standard exclusions may be considered unreasonable by a court and could face enforceability challenges.
Step 6: Choose the duration
The term of your NDA defines how long confidentiality obligations last. Most business NDAs set a fixed term of one to five years, with two to three years being the most common.
Factors to consider when choosing duration: how quickly does your industry change (fast-moving industries may warrant shorter terms), how long will the information retain its value, what is standard in your industry, and what will the other party accept as reasonable.
Some NDAs distinguish between the term of the agreement (how long the relationship lasts) and the survival period (how long confidentiality obligations continue after the agreement ends). For example, an NDA might have a two-year term with confidentiality obligations surviving for an additional three years.
For trade secrets specifically, many NDAs provide that trade secret obligations last as long as the information qualifies as a trade secret under applicable law, which can be indefinite. This is generally enforceable.
Step 7: Add remedies
The remedies clause specifies what happens if someone breaches the NDA. A well-drafted remedies clause strengthens your position and makes enforcement more practical.
Most NDAs include provisions for injunctive relief (the right to seek a court order immediately stopping further disclosure), monetary damages (compensation for financial harm caused by the breach), and equitable relief (the right to seek any other appropriate remedy from a court).
Many NDAs include a statement that the disclosing party would suffer irreparable harm from a breach that cannot be adequately compensated by monetary damages alone. This statement supports requests for emergency injunctive relief without having to prove specific financial losses upfront.
Some NDAs include liquidated damages clauses that set a predetermined penalty for breach. These can be useful but must be set at a reasonable amount — courts may refuse to enforce liquidated damages that appear to be punitive rather than compensatory.
Step 8: Specify governing law
The governing law clause determines which state's laws will be used to interpret the NDA, and the jurisdiction clause determines where disputes will be resolved.
Generally, choose the state where your business is located or incorporated. This gives you home-court advantage in any dispute and ensures the NDA is interpreted under laws you are familiar with.
Consider the other party's location as well. If the parties are in different states, the governing law choice may be a point of negotiation. Delaware and New York are commonly chosen as neutral jurisdictions because their commercial law is well-developed and predictable.
Include both a governing law clause and a jurisdiction clause. The governing law clause determines which state's laws apply. The jurisdiction clause determines which state's courts will hear any disputes. These do not have to be the same state, but they often are.
Step 9: Include miscellaneous provisions
Standard NDA boilerplate provisions include several important clauses that are easy to overlook.
Entire agreement: States that the NDA is the complete agreement between the parties regarding confidentiality, superseding any prior discussions or agreements.
Amendment: Requires any changes to the NDA to be in writing and signed by both parties.
Severability: States that if any provision is found unenforceable, the remaining provisions remain in effect.
Assignment: Specifies whether either party can transfer their rights or obligations under the NDA to a third party (typically not without consent).
No license: Clarifies that the NDA does not grant the receiving party any rights to intellectual property or other proprietary rights of the disclosing party.
Waiver: States that failure to enforce any provision does not waive the right to enforce it later.
Step 10: Execute properly
Proper execution means getting valid signatures from all parties before any confidential information is shared. Both parties should sign and date the agreement, and each party should retain a fully executed copy.
Electronic signatures are legally valid for NDAs in all 50 US states under the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and the Uniform Electronic Transactions Act (UETA). Using an e-signature service creates a clear record of when each party signed.
Never share confidential information before the NDA is fully executed. An unsigned NDA provides zero legal protection. If you need to share information urgently, use a quick NDA generator to create and sign the agreement first — a five-minute delay is a small price for legal protection.
Common drafting mistakes
The most common NDA drafting mistakes fall into several categories.
Vague definitions: Defining confidential information as "all information" is too broad and may not hold up in court. Be specific about what you are protecting.
Missing exclusions: Omitting standard exclusions makes the NDA appear one-sided and can invite legal challenges.
Unreasonable duration: An NDA that lasts forever (unless covering trade secrets) or extends far beyond the useful life of the information may be deemed unreasonable.
No governing law: Without a governing law clause, disputes about which state's law applies can become expensive preliminary battles.
Mixing in non-compete terms: NDAs and non-competes are separate agreements. Sneaking non-compete restrictions into an NDA can make the entire agreement vulnerable to challenge, particularly in states like California that restrict non-competes.
Failing to sign before sharing: The most common and most damaging mistake. No signature means no legal protection, regardless of how well-drafted the NDA is.
Sources
- Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001
- Uniform Electronic Transactions Act (UETA)
- Restatement (Second) of Contracts