Understanding mutual NDAs: the eight clauses every good one has
A calmer way to read the contract people sign before the real contract.
A non-disclosure agreement (NDA) is usually the first document two parties sign when they start talking about something sensitive. It is also, surprisingly often, the first place a deal quietly goes wrong. Not because NDAs are complicated — they are not — but because the people signing them rarely read past the first page, and the people drafting them often reuse a template that does not match the conversation about to happen.
This article walks through the difference between mutual and unilateral NDAs, the clauses that every well-drafted NDA contains, and the common pitfalls that turn a two-page document into a source of future disputes.
Mutual vs. unilateral: the simple distinction
A unilateral NDA protects information flowing in one direction. One party is the discloser; the other is the recipient. The recipient agrees not to share what they learn. These are common when a company is telling a contractor, vendor, or job candidate about internal systems, customer data, or source code.
A mutual NDA (sometimes called a two-way or bilateral NDA) protects information flowing in both directions. Both parties are simultaneously discloser and recipient. Mutual NDAs are the default for early-stage partnership conversations, M&A exploration, and any scenario where both sides expect to share something sensitive.
The choice matters because the protections, obligations, and remedies in a mutual NDA must be symmetric. A mutual NDA that has been lightly edited from a unilateral template almost always has asymmetries hiding inside — one party owes more, or has fewer carve-outs, than the other.
The eight clauses a good NDA contains
A serviceable NDA does not need to be long. It does need to cover the following ground:
- Definition of confidential information. What counts as confidential? Is it only information marked "confidential," or anything a reasonable person would understand to be sensitive? Overbroad definitions are unenforceable; too-narrow definitions leave real secrets outside the agreement.
- Permitted use. The recipient may use the information only for a specific, stated purpose — usually "evaluating a potential business relationship." This is the clause that prevents information shared during due diligence from being repurposed later.
- Standard of care. The recipient must protect the information at least as carefully as they protect their own confidential information, and in no event with less than reasonable care.
- Carve-outs. Information is not confidential if it was already public, already known to the recipient, independently developed, or lawfully received from a third party. These exclusions are standard and should not be negotiated away.
- Permitted disclosures. Courts, regulators, and subpoenas can compel disclosure. A good NDA says what the recipient must do when that happens — usually notify the discloser and cooperate in seeking a protective order.
- Term and survival. The agreement itself might run for two years, but the confidentiality obligations should survive longer — typically three to five years after termination, and indefinitely for trade secrets.
- Return or destruction. On request, the recipient returns or destroys the information and confirms in writing. Some agreements allow one archival copy for legal compliance.
- Remedies and governing law. Because damages are hard to prove after a leak, most NDAs entitle the discloser to seek injunctive relief without posting a bond. Governing law and venue should be named explicitly.
Common pitfalls
Even careful drafters trip on the same few issues. Watch for these:
- "All information is confidential." A definition this broad invites a court to narrow it or invalidate the clause entirely. Be specific: categories of information, or information marked or identified as confidential within a reasonable window.
- No residuals clause — when there should be one. A residuals clause lets the recipient use general skills and memories retained after returning documents. Without it, legitimate know-how can technically be "covered" by the NDA years later.
- Perpetual terms. Courts in many jurisdictions are reluctant to enforce indefinite confidentiality obligations for anything other than trade secrets. A clear time limit is more enforceable than a vague "forever."
- Assignment without consent. If the NDA can be assigned freely, a recipient could sell or spin off a division and drag your information with it. Require consent for assignment, with a narrow carve-out for successors.
- Conflict with later agreements. The NDA almost always gets superseded by a master services agreement or a definitive deal document. Check that the later document either preserves the NDA or contains its own, stricter confidentiality language.
When a template is enough — and when it isn't
A clean, well-drafted mutual NDA template is fine for the majority of early conversations. It is not fine when the information crosses regulated categories — health data, payment card data, EU personal data, or classified information — because those disclosures trigger their own rules that a general NDA cannot satisfy.
It is also not fine when the relationship is clearly going to evolve into a commercial deal within weeks. In that case, a short NDA to cover the interim period is fine, but the real work is the commercial agreement, and the confidentiality terms should be rewritten there with the specific context of the deal in mind.
NDAs feel like boilerplate because, compared to the agreements that follow, they are. That is why a small amount of care up front — matching the right structure to the conversation, using a complete set of clauses, and avoiding the standard pitfalls — returns a lot of peace of mind later.
This article is for general information only and is not legal advice.