7 NDA Red Flags That Could Cost You Millions
The most dangerous NDA clauses hiding in plain sight — from IP assignment traps to perpetual confidentiality. Learn what to flag and how to fix it.
Most NDAs look harmless. Two to five pages, standard boilerplate language, a signature block at the end. The problem is not what the NDA says on the surface — it is what the standard boilerplate actually means.
Here are seven red flags that show up in NDAs every day. Each one has cost real companies real money.
Red flag 1: "Any and all information" — the unbounded definition
What it says: "Confidential Information means any and all information, materials, or data disclosed by either party in connection with this Agreement."
What it means: Every conversation. Every email. Every whiteboard sketch. Every offhand comment at dinner. It is all confidential.
Why it is dangerous: When everything is confidential, nothing is safe. Your normal business operations — talking to customers, hiring employees, developing products — become potential breaches because you cannot know what counts as "Confidential Information."
The classic example: A startup shares market research with a potential partner under an unlimited-definition NDA. Two years later, the partner sues claiming the startup's entire product line was derived from that research. Even if the claim is meritless, the defence costs alone can be crippling.
How to fix it: Limit confidential information to specific categories identified in writing at the time of disclosure, plus information that would reasonably be considered confidential given the context. Add a materiality threshold — trivial information does not count.
Red flag 2: Perpetual confidentiality obligation
What it says: "The obligations of confidentiality shall survive indefinitely."
What it means: You must protect this information forever.
Why it is dangerous: Forever is a long time in business. Information that is commercially sensitive today may be irrelevant in three years — but under a perpetual NDA, you remain liable. Employee training, data handling procedures, and record-keeping must account for obligations that never expire.
Trade secrets are a legitimate exception — most legal systems protect them indefinitely. But ordinary business information should not carry the same burden.
How to fix it: Limit the term to 2-3 years for standard confidential information. Trade secrets remain protected until they enter the public domain.
Red flag 3: IP assignment of improvements
What it says: "Any improvements, modifications, or derivative works based on Confidential Information shall be the exclusive property of the Disclosing Party."
What it means: If you use their information to build something better, they own it.
Why it is dangerous: This is the most expensive clause in a standard NDA. In technology companies especially, this clause can transfer ownership of your core product.
The scenario: Your startup shares code samples or architecture diagrams during a technical evaluation. The potential partner suggests an improvement. Under this clause, that improvement belongs to them — even if it ends up as a core feature of your product.
How to fix it: Each party retains all rights to its own IP. No licence or assignment is granted except by a separate written agreement with consideration. If the other party insists on some IP protection, limit it to specific deliverables created under a separate SOW.
Red flag 4: Missing independent development exclusion
What it says: Nothing. The clause is simply absent.
What it means: If your product happens to resemble something you learned about during NDA discussions, you cannot prove independent development.
Why it is dangerous: Without an independent development exclusion, any similarity between your product and information shared under the NDA creates legal exposure. You are forced to prove a negative — that you did not use their information — which is nearly impossible without meticulous records.
How to fix it: Add a standard exclusion: "Confidential Information does not include information that the Receiving Party can demonstrate was independently developed without use of or reference to Confidential Information."
Red flag 5: Jurisdiction far from home
What it says: "This Agreement shall be governed by the laws of the State of Delaware. The parties submit to the exclusive jurisdiction of the courts located in Wilmington, Delaware."
What it means: If there is a dispute, you are going to Delaware.
Why it is dangerous: Litigation costs scale with distance. A Delaware lawyer charges Delaware rates. Travel costs, document handling, local counsel — all add up. For a small or medium business, the cost of defending even a weak claim in a foreign jurisdiction can force settlement regardless of merit.
How to fix it: Specify your home jurisdiction, or a neutral venue with arbitration. For smaller deals, mutual jurisdiction (either party can sue in the other's home court) is a reasonable compromise.
Red flag 6: Non-compete or non-solicit in disguise
What it says: "The Receiving Party agrees not to engage in any business that competes with the Disclosing Party for a period of 12 months following disclosure."
What it means: You cannot do business in their space for a year.
Why it is dangerous: NDAs protect information. Non-competes restrict competition. When a non-compete is buried in an NDA with no separate consideration, it may be unenforceable — but that does not stop the other party from threatening litigation.
The same applies to non-solicitation clauses that prevent you from hiring the other party's employees.
How to fix it: Remove these clauses entirely. If the other party insists on post-employment restrictions, they belong in a separate agreement with clear limits and appropriate consideration.
Red flag 7: Strict liability for any disclosure
What it says: "The Receiving Party shall be liable for any disclosure of Confidential Information, whether authorised or not."
What it means: You bear 100% of the risk, even if your systems are secure and the breach was beyond your control.
Why it is dangerous: No security system is perfect. Employees make mistakes. Cyber attacks happen. Strict liability means you pay for any breach regardless of fault — making you an insurer for the disclosing party's information.
How to fix it: Standard of care should be "reasonable care" — the same degree of care you use for your own confidential information. Add a carve-out for disclosures required by law or court order.
How to handle these red flags
Not every NDA needs to be perfect. The key is prioritising based on context:
High priority — must fix:
- IP assignment clauses
- Missing independent development exclusion
- Unreasonable jurisdiction
Medium priority — should fix:
- Overbroad confidentiality definition
- Strict liability standard
Low priority — nice to fix:
- Perpetual term for non-trade-secret information
- Non-solicit clauses (if unenforceable in your jurisdiction)
The 60-second triage
Before you spend time negotiating, run the NDA through NDAShield. You will get a Burn Score that tells you exactly how risky the document is, with specific clause-level flags for each of these seven red flags — plus any others hiding in the fine print.
An NDA is a tool for collaboration. When you know what to look for, you can keep it that way.