How to Review an NDA: A Step-by-Step Checklist for Founders
A practical 8-step checklist for founders reviewing NDAs — what to check first, which clauses to flag, and how to negotiate better terms.
NDAs cross your desk every week. Investor meetings, partnership discussions, vendor evaluations, customer pilots — each one comes with a confidentiality agreement that someone expects you to sign without argument.
Most founders sign without reading. The ones who do read often do not know what to look for.
This checklist changes that. Print it, bookmark it, or memorise it. Every NDA you review from now on gets run through these eight steps.
Step 1: Identify the parties
Sounds obvious, but read the party names carefully.
- Is your entity named correctly? An NDA addressed to you personally instead of your company can bind you individually.
- Is the other party the correct legal entity or a parent/subsidiary? If their parent company owns the NDA but their startup subsidiary shares information, you may have signed away rights with the wrong entity.
- Are there undisclosed affiliates who can claim rights under the agreement?
Green flag: Both parties named as specific legal entities with registered addresses.
Red flag: References to "Affiliates" without a definition, or an agreement addressed to an individual instead of a company.
Step 2: Check the confidentiality definition
This is the single most important clause.
Ask: What exactly is confidential?
- In writing: Information must be marked confidential at disclosure — best for you
- By context: Information that would reasonably be considered confidential — balanced
- Everything: "All information exchanged" — dangerous for you
Green flag: Narrow, category-based definition with written marking requirement.
Red flag: "Any and all information" without limitation or marking requirement.
Step 3: Verify exclusions are present
Every NDA needs these four exclusions:
1. Public information
2. Prior knowledge (with written proof)
3. Independent development
4. Third-party source without restriction
Critical for founders: The independent development exclusion protects your existing and future products. Without it, a potential investor or partner could argue your product infringes on information they shared.
Green flag: All four exclusions present with reasonable proof standards.
Red flag: Missing exclusions or requiring impossible proof standards.
Step 4: Evaluate the term
How long does the NDA last?
- 1-2 years: Standard for most business discussions
- 3-5 years: Long but defensible for strategic partnerships
- 5+ years or perpetual: Excessive for introductory conversations
Founder tip: If the NDA covers discussions before a commercial agreement, align the confidentiality term with the expected duration of the relationship, plus a reasonable tail.
Green flag: 2-3 year term with trade secret perpetual clause.
Red flag: Perpetual term for all confidential information.
Step 5: Read the IP clauses
This is where hidden landmines live.
Look for:
- Assignment of improvements or derivative works to the disclosing party
- Residual rights clauses that claim ownership of what your team learns
- Joint ownership of IP created during discussions
- Licences granted under the NDA (a licence to use, reproduce, or modify your materials)
Founder tip: If you share product demos, code samples, or business plans during discussions, IP clauses matter enormously. A clause granting the other party a licence to "use, modify, and create derivative works" from your materials for their internal purposes is a non-starter.
Green flag: Explicit statement that each party retains its own IP, and no licence is granted except by separate written agreement.
Red flag: Any assignment or licence of IP without separate compensation or written agreement.
Step 6: Review return/destruction obligations
When the NDA ends (or upon request), what happens?
- Reasonable time to comply: 5-30 business days
- Certification in writing: Standard
- Backups excluded: Common and practical
Founder tip: If the NDA requires immediate destruction of all materials including electronic communications, you may technically need to delete emails and messaging history. Negotiate for a reasonable compliance period and archived communication exclusion.
Green flag: 30-day compliance period, backup exclusion, written certification.
Red flag: 24-hour return requirement, no backup exclusion.
Step 7: Check governing law and jurisdiction
Where would a dispute be heard?
- Your home jurisdiction: Best
- Neutral jurisdiction (e.g., English law): Acceptable
- Their jurisdiction: Potentially expensive
Founder tip: If you are a European startup and the NDA is governed by New York law with exclusive jurisdiction in Manhattan, a dispute over a routine NDA could cost more in legal fees than your entire monthly burn.
Green flag: Your home jurisdiction or neutral arbitration.
Red flag: Their jurisdiction far from your location.
Step 8: Run it through an AI analyser
Before you send redlines or sign, run the NDA through an AI analysis tool.
NDAShield scans the entire document in under 60 seconds and produces:
- A Burn Score (0-100) showing overall risk level
- Clause-by-clause risk ratings (HIGH / MEDIUM / LOW)
- Plain-language explanations of what each clause means
- Redline-ready edits you can paste into your response
- Negotiation email snippets with rationale
AI analysis catches things humans miss — buried clauses, unusual jurisdiction choices, and IP traps hidden in boilerplate text.
Quick reference: negotiation positions
Bottom line
Reviewing an NDA does not require a law degree. It requires a systematic approach and the right tools. Follow this checklist every time, run the document through an AI analyser, and never sign a boilerplate NDA without understanding what you are agreeing to.
Your business relationships deserve better than fine print you did not read.