NDA Review Checklist for Non-Lawyers: What Every Clause Actually Does

Most non-disclosure agreements are two to six pages. Most non-lawyers sign them without reading past the first paragraph, because the language is dense and the consequences of being wrong feel abstract. This is a clause-by-clause walkthrough of what every standard NDA provision actually does, the language that should make you slow down, and the handful of things that are genuinely negotiable even when the other side says the document is standard.

If you need a faster triage tool before getting here, the 60-second Green / Yellow / Red framework covers the quick classification. This post is for when you have the document in front of you and need to understand what you are actually reading.

Start here: one-way or mutual?

Before reading a single clause, check the structure of the agreement. An NDA is either one-way (unilateral) or mutual (bilateral), and this shapes the entire document.

In a one-way NDA, one party is designated the Disclosing Party and the other is the Receiving Party. Only the Receiving Party has confidentiality obligations. This structure shows up when a company is pitching to investors, sharing proprietary information with a contractor, or allowing a vendor to see internal systems. The Receiving Party carries all the risk.

In a mutual NDA, both parties are simultaneously Disclosing Parties and Receiving Parties. The obligations are symmetric, at least on paper. This is typical for partnership discussions, joint ventures, and business development conversations where both sides will share sensitive information.

The trap with mutual NDAs is that "mutual" does not mean equal. One party may be sharing genuinely sensitive proprietary technology while the other is sharing nothing more sensitive than their pricing sheet, but both parties carry identical confidentiality obligations. Symmetry in the contract does not guarantee symmetry in the actual risk.

Clause-by-clause: what you are actually reading

Clause 1

Definition of Confidential Information

This is the most important clause in the document, and it is the one most people skip because it looks like boilerplate. The definition determines what information is actually protected. If something is not covered by this definition, the agreement does not protect it, no matter what the rest of the document says.

Definitions fall on a spectrum from narrow to extremely broad. A narrow definition lists specific categories: "trade secrets, customer lists, financial projections, and source code." A broad definition covers "any information disclosed by one party to the other, in any form, whether or not marked confidential." Most templates lean broad because broad definitions benefit the drafter.

Watch for: Definitions that include information you already knew before the NDA, information you developed independently, or information that was already public. These should be excluded, not included. If the definition does not have carveouts for prior knowledge and independent development, push for them.

Negotiable: Scope of the definition, the carveouts for prior knowledge, independent development, and public information.

Clause 2

Exclusions from Confidentiality

Standard NDA exclusions protect the Receiving Party from obligations around information that does not actually need protecting. The four standard exclusions, which should be present in any fair NDA: information that was already publicly known before disclosure; information that becomes public through no fault of the Receiving Party; information the Receiving Party already knew before the NDA was signed; and information the Receiving Party independently developed without using the disclosed information.

A fifth exclusion is also common and important: information disclosed to the Receiving Party by a third party who had the legal right to disclose it.

Watch for: An NDA that has a broad definition of Confidential Information but thin or missing exclusions. These two clauses work together. If Clause 1 is broad and Clause 2 is narrow, you are accepting obligations that go well beyond protecting genuinely sensitive information.

Negotiable: Any exclusion that is missing from the standard set. Adding "information independently developed" or "information already known to Receiving Party" to a sparse exclusions clause is a reasonable ask.

Clause 3

Obligations of the Receiving Party

This clause describes what the Receiving Party must actually do: keep the information confidential, use it only for the specified purpose, and limit internal disclosure to employees or contractors who need it and who are bound by equivalent obligations. These are the core obligations and they are largely standard across NDAs.

Where this clause varies is in the standard of care required. Most NDAs use "reasonable care" or "the same degree of care used to protect your own confidential information, but not less than reasonable care." Some NDAs require a specific higher standard, such as "strict confidence" or "best efforts." Higher standards are harder to meet and create more exposure if something goes wrong.

Watch for: "Best efforts" or "strict confidence" language. These create a higher bar than "reasonable care" and can be difficult to demonstrate if confidential information is ever disclosed. Also watch for obligations to notify immediately upon any potential breach, which can create strict timelines you may not be able to meet.

Negotiable: The standard of care. "Reasonable care" is the market standard and reasonable to request if the draft says something stricter.

Clause 4

Permitted Disclosures

Most NDAs allow disclosure to employees, contractors, legal counsel, and financial advisors who need the information and are bound by confidentiality. Some also permit disclosure required by law or court order, typically with a carveout requiring the Receiving Party to give notice to the Disclosing Party before complying so the Disclosing Party has an opportunity to seek a protective order.

The scope of permitted disclosures matters if your business structure involves third parties who will legitimately need to see the information: outside counsel, accountants, advisors, or affiliated entities. If these parties are not covered by the permitted disclosures clause, you may technically be in breach by sharing information with them even for legitimate business purposes.

Watch for: Permitted disclosures limited only to "employees" when you work with contractors, outside counsel, or affiliated companies. Also watch for the legal-compulsion carveout: if it requires you to notify before disclosing pursuant to a court order but does not give you a reasonable window to do so, the obligation may be impossible to meet.

Negotiable: Expanding permitted disclosures to cover your actual business structure, including contractors, affiliated entities, and professional advisors.

Clause 5

Term and Duration

NDAs have two durations that are often confused: the term of the agreement (how long the NDA is active and new disclosures are protected) and the confidentiality period (how long the obligations last after the agreement ends or after each disclosure is made). These are not the same thing.

A two-year NDA with a three-year confidentiality period means new disclosures can only be made during the two-year term, but obligations for information disclosed during that term survive for three years after each disclosure, or three years after the agreement terminates, depending on the drafting.

Common confidentiality periods: one to three years for general business information, five years for more sensitive commercial information, and perpetual for trade secrets. Perpetual obligations for anything beyond actual trade secrets are aggressive.

Watch for: Perpetual confidentiality obligations applied to information that is not a trade secret. Also watch for ambiguity about when the confidentiality period starts: from each disclosure date, from the effective date, or from the termination date? Ambiguity here favors the Disclosing Party.

Negotiable: The confidentiality period, particularly for general business information. Two to three years is standard. Perpetual obligations on non-trade-secret information are a reasonable pushback point.

Clause 6

Return or Destruction of Information

At the end of the agreement or on request, most NDAs require the Receiving Party to return or destroy confidential information and certify in writing that it has done so. In practice, complete destruction is often impossible: information lives in email, backup systems, and documents created in reliance on the disclosed information.

Most sophisticated parties negotiate a carveout for information that must be retained for legal or regulatory compliance purposes, and for information that has been incorporated into documents that cannot practically be destroyed. Without these carveouts, the destruction obligation is technically impossible to fulfill.

Watch for: Destruction obligations that require certification without carveouts for backup systems, legal holds, or information incorporated into other documents. A written certification that information has been "destroyed" when you know it lives in your email archive is a false statement.

Negotiable: Adding carveouts for backup retention policies, regulatory compliance holds, and practically irrecoverable information.

Clause 7

No License or Rights Granted

This clause clarifies that the NDA does not give the Receiving Party any license or ownership rights in the confidential information disclosed. It is almost always present and almost always non-negotiable. Its main function is to prevent a Receiving Party from arguing that disclosure of proprietary information constitutes an implied license to use it.

The clause sometimes also states that neither party is obligated to disclose any particular information, enter into any business relationship, or proceed with any transaction discussed. This is a standard limitation that protects both sides.

Watch for: Any language that could be read as granting rights. The clause should be clean: no license, no transfer, no obligation to proceed. If the language is ambiguous, the ambiguity favors the party asserting a right.

Typically not negotiable. Standard language here protects both parties.

Clause 8

Non-Solicitation and Non-Compete Provisions

This is the clause most non-lawyers miss, because non-solicitation and non-compete obligations often appear in NDAs without being prominently labeled. You can sign what you think is a standard confidentiality agreement and discover afterward that you agreed not to hire the other party's employees, not to solicit their clients, or not to compete in a defined market for a defined period.

Non-solicitation of employees: you agree not to recruit or hire the other party's employees (and sometimes contractors) for a specified period, usually one to two years. This is common and often reasonable.

Non-solicitation of customers: you agree not to solicit or contact the other party's customers or prospects. This is a much more significant restriction, particularly for businesses in overlapping markets.

Non-compete: you agree not to compete with the other party in a defined market, geography, or for a defined period. The enforceability of non-competes varies enormously by state. California, for instance, renders most non-competes void as a matter of public policy. Other states enforce them if they are reasonable in scope, geography, and duration. An unenforceable non-compete can still have a chilling effect if you do not know it is unenforceable.

Watch for: Any of these provisions appearing in an NDA rather than in a standalone agreement. The structure matters: these obligations should be clearly labeled and separately discussed, not embedded in confidentiality boilerplate. If your NDA has a non-compete, its enforceability depends entirely on your state's law and the specific scope.

Stop and get legal review if: the NDA contains a non-compete, a non-solicitation of customers, or any restriction on your business operations beyond the confidentiality obligations themselves.

Clause 9

Remedies and Injunctive Relief

Most NDAs include a clause stating that breach of the confidentiality obligations would cause irreparable harm not adequately compensated by money damages, and that the non-breaching party is entitled to seek injunctive relief (a court order to stop the breach) without posting bond and without proving actual damages.

This language is standard and courts generally honor it. Its practical effect is that a breach of an NDA can result in a temporary restraining order or injunction against you very quickly, often within days, before you have had a full opportunity to defend yourself in court. The injunction standard is loosened by this clause, because the Disclosing Party does not have to prove irreparable harm, only that you signed the agreement and they believe it was breached.

Watch for: Language that waives your right to contest whether a bond should be required, or that waives any requirement for the Disclosing Party to prove actual harm. These are significant procedural rights you are surrendering. Standard injunctive relief language is one thing; a clause that pre-authorizes extraordinary remedies without any showing of harm is another.

Partly negotiable: The "without bond" and "without proof of actual damages" elements are worth flagging, though they appear in most commercial NDAs.

Clause 10

Governing Law and Dispute Resolution

This clause specifies which state's law governs the agreement and, often, where any disputes must be resolved. For a small business, the governing law matters for two reasons: it determines the enforceability of non-competes and other restrictive covenants, and it determines the procedural rules that apply if a dispute arises.

A California company signing an NDA governed by Delaware law, for instance, may find that a non-compete that would be void under California law is enforceable under Delaware law. Governing law and non-compete clauses interact in ways that can produce unexpected results.

The venue clause (where disputes are litigated) matters practically: an agreement that requires disputes to be resolved in courts in a different state effectively makes it prohibitively expensive for a small business to defend itself, even if the dispute is legitimate.

Watch for: Governing law that is different from your state, particularly if the document contains non-compete or non-solicitation provisions. Also watch for mandatory venue in a distant jurisdiction with no practical nexus to the relationship.

Negotiable: Venue. Requesting that disputes be resolved in your state or the state where the relationship is primarily conducted is a reasonable ask.

The quick review checklist

Before signing any NDA, work through this list:

Is this one-way or mutual? Does the structure match the actual relationship?
Does the definition of Confidential Information include the four standard exclusions: prior knowledge, independent development, public information, and third-party disclosure?
Are my contractors, advisors, and affiliated entities covered by the permitted disclosures?
Is the standard of care "reasonable care" or something higher?
What is the confidentiality period? Is it proportionate to the sensitivity of the information being shared?
Does the destruction obligation have carveouts for backup systems and regulatory retention?
Is there a non-solicitation or non-compete clause anywhere in the document?
Is the remedies clause standard, or does it waive procedural rights I should keep?
What state governs the agreement? Is that different from where I operate?
If there is a non-compete, is it enforceable under the governing state's law?

The `nda-triage` skill walks through this checklist automatically.

The Legal Ops Bundle includes an nda-triage skill that reviews an NDA clause by clause, flags deviations from market standard, classifies the document as Green / Yellow / Red, and generates a summary you can use to brief your team or escalate to counsel. Works with Claude, ChatGPT, or any chat AI.

See the Legal Ops Bundle → Read: the 60-second triage framework

What is actually negotiable (and what isn't)

One of the most common mistakes non-lawyers make when reviewing an NDA is treating the entire document as fixed. Most commercially drafted NDAs have a handful of provisions that are genuinely standard and non-negotiable, and a handful that are routinely adjusted in negotiation. Knowing which is which saves time and signals competence.

Generally non-negotiable: The no-license clause, the core confidentiality obligation itself, and the permitted disclosure for legal compliance. These are structural and removing them changes the nature of the agreement.

Often negotiable: The confidentiality period (particularly if it is long or perpetual), the scope of permitted disclosures (particularly for businesses with contractors and advisors), carveouts to the destruction obligation, the venue for disputes, and the standard of care if it exceeds "reasonable care."

Always worth flagging: Non-solicitation of customers, non-compete provisions, "best efforts" standards, injunctive relief language that waives procedural rights, and governing law that is different from your state when restrictive covenants are involved.

The other side saying the document is "standard" does not mean it is non-negotiable. It means they are starting the negotiation with you. Most commercial parties expect at least minor pushback on NDAs, and a targeted, specific ask ("Can we add independent contractors to the permitted disclosures?" or "Can we change the confidentiality period from perpetual to three years?") signals that you read the document. That matters in a business relationship.

When to stop and get a lawyer

Most NDAs in an ordinary business context can be reviewed and handled without legal counsel if you know what you are looking at. The exceptions are specific and clear:

The NDA contains a non-compete or non-solicitation of customers that would materially restrict your business.
The information being shared is highly sensitive: source code, formulas, clinical data, regulatory submissions.
The relationship involves significant money or a long-term commitment tied to the confidentiality terms.
The governing law is a state you do not operate in and the document contains restrictive covenants.
The remedies clause includes provisions you do not understand.
The other side has lawyers involved and you do not.

For everything else, the goal is not to get every NDA perfect. It is to understand what you are signing, flag what is non-standard, push back on the things worth pushing back on, and escalate the ones that require more expertise than a checklist provides.

Emily Clark

Compliance Analyst · Founder, ParClark Tech Solutions LLC

Emily builds AI skill files for regulated workflows, real estate compliance, legal ops, financial investigations. The skills are built from real client files and the compliance edges people actually trip on.

This post is for educational purposes only and is not legal advice. NDA enforceability, non-compete law, and contract interpretation vary significantly by jurisdiction and specific facts. Nothing in this post creates an attorney-client relationship. Consult qualified legal counsel before making decisions about specific agreements or legal obligations.

NDA review checklist for non-lawyers: what every clause actually does

Start here: one-way or mutual?

Clause-by-clause: what you are actually reading

Definition of Confidential Information

Exclusions from Confidentiality

Obligations of the Receiving Party

Permitted Disclosures

Term and Duration

Return or Destruction of Information

No License or Rights Granted

Non-Solicitation and Non-Compete Provisions

Remedies and Injunctive Relief

Governing Law and Dispute Resolution

The quick review checklist

The `nda-triage` skill walks through this checklist automatically.

What is actually negotiable (and what isn't)

When to stop and get a lawyer

The Legal Ops Bundle walks through every clause, classifies the risk, and flags what to push back on. Ready to use with any AI today.

NDA review checklist for non-lawyers: what every clause actually does

Start here: one-way or mutual?

Clause-by-clause: what you are actually reading

Definition of Confidential Information

Exclusions from Confidentiality

Obligations of the Receiving Party

Permitted Disclosures

Term and Duration

Return or Destruction of Information

No License or Rights Granted

Non-Solicitation and Non-Compete Provisions

Remedies and Injunctive Relief

Governing Law and Dispute Resolution

The quick review checklist

The nda-triage skill walks through this checklist automatically.

What is actually negotiable (and what isn't)

When to stop and get a lawyer

The Legal Ops Bundle walks through every clause, classifies the risk, and flags what to push back on. Ready to use with any AI today.

The `nda-triage` skill walks through this checklist automatically.