- An NDA protects confidential information disclosed when collaborating with external parties (service providers, job candidates, partners).
- Since the German Trade Secrets Act (GeschGehG) of 2019, the mere will to keep information secret is no longer sufficient. You must take reasonable protective measures, which include NDAs.
- The core components of an NDA are: definition of confidential information, purpose limitation, term, return obligations, and contractual penalties.
- Unilateral NDAs (only one party discloses) and mutual NDAs (both parties disclose) have different requirements.
- An NDA without a contractual penalty is toothless because proving actual damages from confidentiality breaches is extremely difficult.
Why an NDA Is More Than a Standard Form
Non-disclosure agreements (NDAs) are part of everyday business life. Before you explain your product strategy to a potential partner, before a consultant gains insight into your financial data, before a job candidate hears about internal projects during an interview — an NDA is signed. So much for theory.
In practice, NDAs are often treated as a tedious formality. A standard template is downloaded from the internet, briefly skimmed, and signed. Yet since the German Trade Secrets Act (Geschäftsgeheimnisgesetz, GeschGehG) of 2019, NDAs are far more than a formality: they are a fundamental building block of trade secret protection and a prerequisite for your confidential information to even be recognized as trade secrets.
The Trade Secrets Act: Why NDAs Are Mandatory
The GeschGehG fundamentally reformed the protection of trade secrets in Germany. Before 2019, it was sufficient to have the will to keep information secret. Since the GeschGehG, you must demonstrate that you have taken reasonable confidentiality measures. Without such measures, information does not qualify as a trade secret under the law and enjoys no protection.
What Constitutes a Trade Secret
Under § 2 GeschGehG, a trade secret is information that is not generally known or readily accessible, that has economic value precisely because it is secret, and that is subject to reasonable confidentiality measures by its rightful holder appropriate to the circumstances.
The third point is critical: you must actively do something to protect the information. NDAs are one of the most important measures that the GeschGehG recognizes as "reasonable." But they are not the only one. A complete protection concept also includes technical measures (access controls, encryption), organizational measures (classification, need-to-know principle), and contractual measures (NDAs, employment contracts with confidentiality clauses).
What Happens Without Reasonable Measures
If you do not take reasonable protective measures, your information loses its trade secret status. The consequences are dramatic: you cannot prevent anyone from using or disclosing the information because it is not legally considered protected. You cannot assert injunctive relief or damage claims, even if the information was obviously confidential. And you cannot enforce criminal consequences because § 23 GeschGehG only criminalizes the betrayal of trade secrets — and without reasonable measures, you simply do not have one.
When You Need an NDA
NDAs are useful in many situations. The most common use cases are:
Business negotiations: Before you disclose confidential information about your product, technology, or business model to a potential customer or partner.
Service provider engagement: Before an external service provider (IT consultant, management consultant, auditor, lawyer) gains access to confidential company data. Which additional IT security clauses belong in the contract depends on the scope of services. Some professions are subject to statutory confidentiality obligations anyway, but an additional NDA does no harm and specifies the scope of protection.
Job interviews: When confidential information is disclosed during the application process (e.g., insight into internal systems, strategic plans). This is particularly relevant when the candidate comes from a competitor.
Cooperations and joint ventures: In joint product development or collaborative projects where both sides contribute confidential information.
Company sale (M&A): During due diligence, potential buyers gain deep insights into the company's finances, contracts, and structures.
Employees: Employment contracts should also contain confidentiality clauses. A separate NDA may be useful when employees gain access to particularly sensitive information (e.g., research results, prototypes, M&A plans).
Unilateral or Mutual?
Unilateral NDA
A unilateral NDA protects only the information of one party. The disclosing party shares confidential information with the receiving party, which is bound to confidentiality.
Typical use cases: service provider engagement (you disclose, the service provider protects), job interviews (you disclose, the candidate protects), and due diligence in company sales (the seller discloses, the buyer protects).
Mutual NDA
A mutual NDA protects the confidential information of both parties. Both are simultaneously disclosing and receiving parties.
Typical use cases: cooperations and partnerships, joint product development, and business negotiations where both sides exchange information.
In practice, many companies prefer mutual NDAs even when only one side discloses confidential information, because they are perceived as "fairer" and facilitate negotiations.
Core Components of an NDA
1. Parties and Preamble
Identify the contracting parties precisely (full name, legal form, registered office, commercial register number). The preamble describes the purpose of the NDA and the context of the collaboration.
Sample clause: "The parties intend to negotiate a potential collaboration in the area of [description]. In the course of these negotiations, confidential information will be exchanged. This agreement governs the protection of such information."
2. Definition of Confidential Information
The definition is the heart of the NDA. It must be broad enough to capture all information worth protecting and specific enough to be enforceable.
Sample clause: "Confidential information within the meaning of this agreement includes all information that one party (disclosing party) discloses or makes accessible to the other party (receiving party) in connection with [purpose], whether orally, in writing, electronically, or in any other form, including but not limited to: technical information (specifications, algorithms, source code, designs), business information (business plans, financial information, customer lists, pricing), organizational information (processes, structures, personnel planning), and all information derived therefrom (summaries, analyses, notes)."
Marking requirement or not? Some NDAs require that confidential information be marked as such (e.g., with a "Confidential" stamp). This has pros and cons. Advantage: clarity about what is confidential and what is not. Disadvantage: information that is not marked (e.g., oral communications) may not fall under the NDA. Recommendation: add that unmarked information is also confidential if it is recognizably confidential under the circumstances.
3. Exceptions
Certain information should be excluded from protection because it does not require confidentiality.
Sample clause: "Information shall not be considered confidential if it (a) was already publicly known at the time of disclosure or becomes publicly known thereafter without fault of the receiving party, (b) was already lawfully known to the receiving party prior to disclosure, (c) is disclosed to the receiving party by a third party without breach of confidentiality obligations, or (d) was independently developed by the receiving party without use of confidential information."
The burden of proof for the existence of an exception lies with the receiving party. This should be clarified in the NDA.
4. Obligations of the Receiving Party
The receiving party undertakes to keep the confidential information secret and to use it only for the agreed purpose.
Sample clause: "The receiving party undertakes to (a) use the confidential information exclusively for the purpose stated in the preamble, (b) protect the confidential information with at least the same degree of care it applies to its own confidential information, but in no case less than reasonable care, (c) limit access to confidential information to those employees and advisors who need it for the agreed purpose (need-to-know principle), (d) ensure that such employees and advisors are subject to a comparable confidentiality obligation."
5. Disclosure to Third Parties
Define under what conditions confidential information may be disclosed to third parties.
Sample clause: "Disclosure of confidential information to third parties requires the prior written consent of the disclosing party. Excepted from this is disclosure to advisors (lawyers, tax advisors, auditors) who are themselves subject to a statutory or contractual duty of confidentiality."
6. Term and Post-Termination Period
The term of the NDA defines the period during which confidential information is exchanged. The post-termination period defines how long the confidentiality obligation persists after the term ends.
Typical terms: The exchange phase lasts 6 to 24 months depending on the project. The post-termination confidentiality period is typically 2 to 5 years after the end of the term. For particularly sensitive information (e.g., trade secrets with long-term economic value), an unlimited post-termination period may be agreed.
Sample clause: "This agreement enters into force upon signature and shall remain in effect for a period of [X] months. The confidentiality obligations shall survive the end of this agreement for [Y] years."
7. Return and Deletion Obligations
At the end of the collaboration, confidential information must be returned or destroyed.
Sample clause: "Upon request of the disclosing party or upon termination of this agreement, the receiving party shall return all confidential information including all copies, summaries, and records, or shall verifiably destroy them. The receiving party shall confirm the return or destruction in writing. Excepted from this are copies that must be retained due to statutory retention obligations."
8. Contractual Penalty
A contractual penalty is the key to enforceability. Without one, sanctioning NDA breaches is extremely difficult because proving actual damages from confidentiality violations is exceptionally hard.
Sample clause: "For each culpable breach of the confidentiality obligations under this agreement, the receiving party undertakes to pay a contractual penalty of EUR [amount]. The assertion of further damage claims remains unaffected. Proven damages shall be credited against the contractual penalty."
The amount of the contractual penalty must be reasonable. Excessive contractual penalties can be reduced by courts (§ 343 BGB, German Civil Code). Base the amount on the economic value of the protected information and the scope of the collaboration. Typical amounts range from EUR 10,000 to 100,000 per breach.
9. Jurisdiction and Governing Law
Sample clause: "This agreement shall be governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction for all disputes arising from this agreement shall be [city]."
Common Mistakes in NDAs
Overly vague definition of confidential information: "All information exchanged in the course of the collaboration" is too imprecise. Specify which types of information are intended.
No exceptions defined: Without exceptions for publicly known information and independent development, the NDA can be disproportionately broad and difficult to enforce.
No contractual penalty: Without a contractual penalty, you have almost no leverage in the event of a breach because you would need to prove the specific damage.
Post-termination period too short: If the confidentiality obligation ends six months after the contract expires, your trade secrets are unprotected thereafter, even though their economic value continues.
Oral information forgotten: If the NDA only protects information transmitted in writing, all oral communications (e.g., in meetings) fall outside its scope.
No provision for subcontractors: If the contracting party engages subcontractors, they must also be bound to confidentiality.
One-size-fits-all NDA: An NDA for a hiring process has different requirements than an NDA for due diligence. Tailor the NDA to the specific use case.
Enforcing an NDA: What to Do in Case of a Breach
An NDA is only as good as your willingness and ability to enforce it. When you discover or suspect a breach, you should proceed systematically.
Secure evidence: Document the breach as comprehensively as possible. What was disclosed? To whom? When? How did you learn about it? Secure emails, screenshots, witness statements, and other evidence. The fundamentals of forensically correct evidence preservation help keep evidence admissible in court.
Engage a lawyer: Before confronting the contracting party, get legal advice. A lawyer can assess whether an actual breach has occurred, what claims you have, and the best course of action.
Cease and desist: As a first step, the contracting party is typically sent a formal warning and requested to cease the breach. At the same time, the contractual penalty is asserted, if agreed.
Damages: If specific damage has occurred, you can claim damages. However, proving damages in confidentiality breaches is often difficult, which is why a contractual penalty is so important.
Injunctive relief: If there is a risk that further confidential information will be disclosed, you can apply for an injunction to immediately stop the dissemination. The court typically decides within a few days.
NDA and ISMS
In the context of your ISMS, the NDA is an element of the information classification system. Confidential information shared with third parties requires contractual protection. ISO 27001 requires in A.5.14 (Information Transfer) and A.5.19 (Information Security in Supplier Relationships) that the transfer of confidential information to third parties is protected by appropriate agreements. An overarching information security policy forms the framework into which NDA management fits.
Maintain a register of all active NDAs: who has an NDA with whom? What information is covered? When do deadlines expire? When must return obligations be fulfilled? In ISMS Lite, this register can be maintained centrally alongside the associated supplier assessments and contract documents. This register helps you maintain oversight and act in time when an NDA expires or a contracting party changes.
Integrate NDA management into your supplier management. When you engage a new service provider, the NDA is as much a part of onboarding as the data processing agreement and the review of security measures. And when a service provider relationship ends, offboarding should automatically trigger the return and deletion obligations from the NDA.
Further Reading
- IT Security Clauses in Contracts: What You Should Demand from Service Providers
- IT Law for Non-Lawyers: The Most Important Laws Surrounding Cybersecurity
- Creating an Information Security Policy: Structure, Content, and Practical Tips
- Protection Needs Assessment: Evaluating Confidentiality, Integrity, and Availability
- Reviewing DPAs and Assessing Service Providers
