Non-Disclosure Agreements: Scope, Carve-Outs, and Breach

I. Introduction

A non-disclosure agreement is the first document signed in almost every commercial relationship that involves the sharing of sensitive information. It precedes the term sheet in a funding transaction, the due diligence process in an acquisition, the vendor engagement in a technology implementation, and the preliminary discussions in a joint venture. Despite being routine in its use, the NDA is frequently drafted poorly, signed without adequate attention to its terms, and enforced inadequately when breached. The gap between what an NDA is intended to do and what it actually achieves in practice is almost always a drafting problem.

Under Indian law, an NDA is a contract governed by the Indian Contract Act, 1872. It must satisfy the basic requirements of Section 10 of the Act: offer, acceptance, lawful consideration, mutual consent, and a lawful object. The lawful object requirement is where the distinctive Indian law constraint on NDAs enters: Section 27 of the Contract Act declares void every agreement by which a person is restrained from exercising a lawful profession, trade, or business. A confidentiality obligation that is so broadly drafted that it effectively prevents the receiving party from working in their field of expertise borders on a restraint of trade under Section 27 and may not be enforced in that form. The drafting of an NDA in India must therefore balance the disclosing party's interest in protecting its information against the constraint that the obligation must be specific, reasonable, and directed at the protection of genuine confidential information rather than the restriction of the receiving party's commercial activity.

This article examines the two primary commercial contexts in which NDAs are used, the definition of confidential information as the foundational drafting decision, the standard carve-outs and why they matter, the obligations that the NDA imposes on the receiving party, the duration framework, and the remedies available upon breach.

II. Two Contexts, Different Drafting Priorities

NDAs in commercial practice arise in two distinct contexts that have different drafting requirements and different enforcement dynamics, and conflating them produces agreements that serve neither purpose well.

Commercial transaction NDAs are entered into at the beginning of a business relationship or a transaction process: M&A due diligence, joint venture discussions, technology licensing negotiations, vendor evaluations, and funding discussions. In this context, both parties are typically commercial entities of comparable sophistication, the information flow is defined by the specific purpose of the transaction, and the NDA is a temporary instrument that governs the period of negotiation and due diligence. The disclosing party's primary concern is preventing the receiving party from using the disclosed information if the transaction does not proceed, whether by competing directly, by sharing the information with a third party, or by using it to inform their own strategic decisions. The duration is usually short, two to three years after the end of discussions, and the obligation is often mutual since both parties may be sharing sensitive information with each other.

Employment and contractor NDAs arise in the context of an ongoing engagement where an individual receives access to the company's confidential information as part of their role. The concern is both during the engagement, preventing active misuse, and after termination, preventing the departing employee or contractor from using what they learned to benefit a competitor or to set up a competing business. Post-termination confidentiality obligations sit in greater tension with Section 27 of the Contract Act than obligations during employment, since a court will more readily find that a continuing restriction on a former employee's use of information they have internalised as part of their professional skill constitutes a restraint of trade. The drafting must be specific enough to identify the information being protected without inadvertently capturing the general skills and knowledge the individual has developed.

III. Defining Confidential Information

The definition of confidential information is the most important drafting decision in any NDA. An overly narrow definition leaves meaningful information unprotected. An overly broad definition captures so much that it becomes unenforceable, or produces a document that the receiving party cannot reasonably comply with because they cannot determine what is and is not covered.

The definition should cover the specific categories of information that the disclosing party has a genuine commercial interest in protecting. In a technology company context, this typically includes source code, product roadmaps, technical architecture, algorithms and models, customer data, pricing structures, and financial projections. In an M&A or funding context, it includes financial statements, cap table details, customer and supplier contracts, intellectual property details, and the fact and terms of the transaction itself. In a manufacturing context, it includes process specifications, formulations, supplier relationships, and cost structures. The definition should be tailored to what is actually being shared rather than drafted as an all-encompassing basket clause.

A tiered approach works well in practice. The first tier identifies specific categories of information that are always confidential regardless of how they are marked. The second tier covers any information that is marked or designated as confidential at the time of disclosure. The third tier, which is sometimes included, covers information that is communicated verbally and confirmed in writing within a specified number of days as being confidential. The marking or designation requirement in the second tier is important: it gives the receiving party clarity about what they need to treat carefully, and it gives the disclosing party a practical discipline of identifying sensitive materials rather than treating every communication as confidential by default.

The definition should expressly exclude certain categories of information that are not appropriate subjects of a confidentiality obligation. These exclusions, commonly called carve-outs, are examined in the next section.

IV. Standard Carve-Outs

The carve-outs define the limits of the confidentiality obligation. They identify categories of information that the receiving party is free to use or disclose even if the information technically falls within the definition of confidential information. The four standard carve-outs in commercial NDAs are well established and should be included in every agreement. Their absence creates an obligation that is broader than the disclosing party's legitimate interest and potentially unenforceable.

Public domain information. Information that is or becomes publicly available through no act or omission of the receiving party is not subject to the confidentiality obligation. The receiving party should not be restricted from using or disclosing information that the disclosing party itself has put into the public domain or that has become public through other means. The carve-out should be limited to information that is genuinely in the public domain: widely accessible, not merely disclosed to a limited audience. The phrase "through no act or omission of the receiving party" is important; if the receiving party caused the information to enter the public domain by disclosing it in breach of the NDA, the carve-out does not rescue the breach.

Prior knowledge. Information that the receiving party can demonstrate was already known to them before the disclosure was made is not subject to the obligation. This carve-out protects the receiving party from being restricted in the use of information they already independently possessed. The receiving party bears the burden of demonstrating prior knowledge, which means maintaining records of their own pre-existing information and its development. In practice, disputes about prior knowledge are common in technology contexts where the receiving party may claim that their own product roadmap independently arrived at the same solution as the disclosing party's protected technology.

Independent development. Information that the receiving party independently develops without any use of or reference to the disclosing party's confidential information is not subject to the obligation. This carve-out protects innovation and prevents an NDA from becoming a mechanism to restrict the receiving party's own research and development. It requires that the independent development genuinely not use the confidential information, and NDAs sometimes include procedural requirements such as clean room protocols or internal information barriers for sensitive technology disclosures to make this demonstrable.

Legally compelled disclosure. Where the receiving party is required by law, regulation, or court order to disclose confidential information, the NDA should permit such disclosure but require the receiving party to give the disclosing party prompt notice before making the disclosure, to the extent legally permitted, so that the disclosing party has the opportunity to seek a protective order or other relief. The carve-out should not be a blank licence to disclose whenever a regulatory authority asks; the receiving party should be required to disclose only the minimum amount necessary and to cooperate with the disclosing party's efforts to protect the information.

V. Obligations of the Receiving Party

Beyond the obligation not to disclose, a well-drafted NDA should specify the positive obligations that the receiving party must meet in relation to the confidential information. These operational obligations are frequently underdrafted, producing an NDA that prohibits disclosure without actually requiring the receiving party to do anything specific to prevent it.

The receiving party should be required to use the confidential information only for the permitted purpose specified in the NDA, which is the specific transaction, evaluation, or engagement for which the information was disclosed. A purpose limitation is the most important operational control: it prevents the receiving party from using information received in the context of a potential acquisition, for example, to inform their own product strategy if the deal does not proceed. The permitted purpose should be defined with precision and should not be drafted so broadly that it encompasses the receiving party's entire business relationship with the disclosing party.

The receiving party should be required to protect the confidential information using at least the same degree of care as it uses for its own confidential information of a similar nature, subject to a minimum standard of reasonable care. The "same degree of care" formulation is standard but has the practical limitation that a receiving party with poor internal security practices effectively sets its own standard. A minimum care standard, requiring at minimum commercially reasonable security measures, protects against this. In technology transactions, the NDA may specify specific security requirements such as encryption, access controls, and restrictions on storage in personal accounts or unsecured devices.

Access to confidential information should be restricted to those individuals within the receiving party's organisation who need to know it for the permitted purpose. The NDA should require the receiving party to ensure that each individual who receives access is informed of the confidential nature of the information and is bound by confidentiality obligations at least as protective as those in the NDA itself. In employment NDAs, this is achieved through individual employment contracts. In commercial transaction NDAs, it is typically achieved through a requirement that the receiving party bind its professional advisers, including lawyers, accountants, and financial advisers, under equivalent terms.

VI. The Disclosure Period and the Confidentiality Period

One of the most persistent drafting errors in commercial NDAs is the conflation of two conceptually distinct periods: the disclosure period and the confidentiality period. Understanding the difference between them, and expressing that difference clearly in the agreement, is essential to a NDA that operates as intended.

The disclosure period is the window during which the parties are permitted to share confidential information with each other. It begins on the date of the agreement and ends on a defined date or upon the occurrence of a defined event, such as the termination of negotiations, the execution of definitive transaction documents, or the expiry of a fixed term. The disclosure period governs when information may flow. Once the disclosure period ends, no new confidential information may be shared under the agreement. What the NDA calls "termination" in most commercial transactions is, or should be, the termination of the disclosure period, not the termination of the entire agreement.

The confidentiality period is the duration for which the receiving party's obligation to protect and not disclose the information it has already received continues. This period begins when the information is received and extends beyond the end of the disclosure period. The confidentiality period governs what the receiving party must do with information it holds. An NDA that simply says "this agreement may be terminated by either party on thirty days' written notice" without specifying that the confidentiality obligations survive termination creates a significant gap: a receiving party who terminates the agreement takes the position that all obligations have ended, while the disclosing party assumes the information it shared remains protected. Both positions have textual support in a poorly drafted agreement, which is exactly the kind of ambiguity that produces litigation.

The correct drafting approach is to keep the two periods structurally separate. The NDA should define the disclosure period as the period during which information may be shared, specify that it ends on a defined date or upon notice from either party, and separately define the confidentiality period as the period for which obligations in respect of information already received continue, typically two to three years after the end of the disclosure period. A survival clause should then expressly state which provisions of the NDA survive the end of the disclosure period, which should include at minimum the confidentiality obligations, the return or destruction of information obligations, and the remedies provisions. The termination provision should state clearly that termination brings the disclosure period to an end and does not affect any obligation that has accrued in relation to information already received.

In an employment or contractor NDA, the disclosure period is the duration of the engagement, and the confidentiality period extends beyond it. The post-termination obligation must be narrowly drafted, covering specific categories of genuinely confidential information such as trade secrets, proprietary technology, customer lists, and pricing data, and should be time-limited to a reasonable period of one to two years. An open-ended post-termination obligation covering all information received during employment is likely to conflict with Section 27 of the Contract Act and will be read down or not enforced in its full breadth. The NDA should specify the categories that survive with as much precision as the main definition of confidential information.

Trade secrets sit outside the general confidentiality period framework. Information that genuinely qualifies as a trade secret, meaning information that derives commercial value from its secrecy and in respect of which the disclosing party has taken reasonable steps to maintain confidentiality, may be protected for as long as it retains its secret character, regardless of the general duration agreed for other confidential information. India does not yet have a dedicated trade secrets statute; until such legislation is enacted, trade secret protection continues to rest on contractual confidentiality obligations, and the NDA should expressly identify trade secret information as a separate category subject to protection for as long as the information remains secret.

VII. Breach: Remedies and Their Practical Limits

The remedies available for breach of an NDA under Indian law are injunctive relief and damages. Each has practical limitations that a well-advised disclosing party should understand before relying on the NDA as their primary protection.

Injunctive relief, in the form of an interim or permanent injunction preventing further disclosure or use of the confidential information, is available under the Specific Relief Act, 2018 where the breach causes or threatens to cause irreparable harm that cannot be adequately compensated by damages. The NDA should include a clause acknowledging that breach of the confidentiality obligation would cause irreparable harm and that the disclosing party is therefore entitled to seek injunctive relief without proving actual damage. Courts in India have been willing to grant interim injunctions in NDA breach cases, particularly in technology contexts, where the disclosure of source code or proprietary algorithms to a competitor could immediately and irreversibly affect the disclosing party's competitive position. The practical challenge is speed: interim relief requires urgent application and the court must be convinced that the balance of convenience favours restraint. Delay in applying undermines the argument for urgency.

Damages for breach of an NDA are assessed under Section 73 of the Indian Contract Act, which awards compensation for loss that naturally arose from the breach or which the parties knew at the time of contracting to be a likely consequence of breach. Proving quantum of loss in an NDA breach case is notoriously difficult. The loss is often diffuse, consisting of competitive disadvantage, lost business opportunities, and reputational harm, none of which is easily quantified.

The NDA should specify that the disclosing party is entitled to seek specific performance, injunctive relief, or any other equitable remedy without being required to first establish that monetary compensation is inadequate. This preserves the full range of remedies and prevents the receiving party from arguing at the interim injunction stage that damages are an adequate alternative. The agreement should also specify the governing law and a dispute resolution mechanism, since NDA breach disputes often require urgent relief and a court of competent jurisdiction must be identifiable without additional litigation about jurisdiction.

An indemnity clause has no place in a standard NDA and should not be included. An indemnity provision typically requires the receiving party to indemnify the disclosing party for all losses arising from a breach of the confidentiality obligation. This is unnecessary: the disclosing party already has the right to claim compensation for loss flowing from breach under Section 73 of the Contract Act, and a well-drafted remedies clause already preserves injunctive relief. The indemnity creates no additional right that does not exist without it. Its only practical effect is to invite negotiation on caps, exclusions, and indemnity procedures that are entirely disproportionate to a document whose sole purpose is to protect information shared at a preliminary stage. If a counterparty insists on inserting one, the point should be made that it is redundant, and if they persist, it may be accepted without further negotiation rather than allowing it to become a drafting exercise in its own right.

VIII. Mutual versus Unilateral NDAs

An NDA may be structured as unilateral, with only one party disclosing and the other receiving, or as mutual, with both parties disclosing and each receiving the other's confidential information. The choice should reflect the actual information flow rather than a preference for symmetry.

In an M&A or investment context where a target company is sharing financial, operational, and commercial information with a potential acquirer or investor, a unilateral NDA in favour of the disclosing party is the appropriate structure. The acquirer is not typically sharing equivalent commercial secrets with the target at the preliminary stage, and a mutual NDA creates an equivalence that does not reflect the actual dynamics of the transaction. Acquirers sometimes resist unilateral NDAs and propose mutual NDAs to create the appearance of parity, but the target should insist on the form that reflects the actual information flow.

In a joint venture, technology partnership, or co-development context where both parties are genuinely sharing sensitive information with each other, a mutual NDA is appropriate. The obligations of each party as both disclosing party and receiving party should be symmetrical, and the NDA should be clear that each party's information is independently protected without the obligations of one party being contingent on the performance of the other.

IX. Why NDAs Should Be Simple

There is a tendency in commercial practice to treat the NDA as an opportunity for comprehensive risk management, resulting in agreements that run to fifteen or twenty pages and contain provisions that belong in a full commercial contract rather than in a preliminary confidentiality instrument. This tendency is commercially counterproductive. An NDA that is excessively long, complex, or one-sided delays the start of legitimate commercial discussions, signals a transactional rather than collaborative intent, and often contains provisions that are either unenforceable in the Indian context or so disproportionate to the actual risk that no court would give them full effect. The NDA should do one thing well: protect genuinely confidential information for a defined period. Every provision that does not serve that purpose should be questioned.

Representations and warranties about the accuracy or completeness of the confidential information have no place in a standard NDA. The disclosing party is sharing information to facilitate evaluation of a potential transaction; it is not warranting that everything it shares is accurate. That is the function of the representations and warranties in the definitive transaction agreement. Including accuracy warranties in an NDA creates a liability exposure for the disclosing party that it almost certainly did not intend and that a counterparty can later exploit. Similarly, provisions dealing with the ownership of intellectual property developed during the evaluation period, or with the right to use derivative works, introduce a complexity that properly belongs in the transaction documents themselves once the relationship has been defined.

Standstill provisions, which restrict the receiving party from acquiring shares in the disclosing party or from making an unsolicited offer during the evaluation period, and exclusivity provisions, which prevent the disclosing party from negotiating with other parties, are sometimes included in NDAs for convenience. These are substantive commercial commitments that are distinct from confidentiality and should be recorded in a separate letter or agreement rather than embedded in an NDA. Their inclusion in the NDA creates confusion about the scope of what the parties have agreed and makes it harder to enforce the core confidentiality obligation cleanly if a dispute arises.

A commercial transaction NDA needs the following and nothing more: a definition of confidential information, the standard carve-outs, a purpose limitation, the receiving party's operational obligations, the disclosure period, the confidentiality period with a clear survival clause, a return or destruction obligation at the end of the disclosure period, and a governing law and dispute resolution clause. An NDA drafted to this specification will fit comfortably on two to three pages, will be understood and signed promptly by both parties, and will be more readily enforced than a fifteen-page document full of provisions that neither party fully understood when they signed it.

X. Conclusion

An NDA is only as useful as its drafting allows it to be. An agreement that defines confidential information so broadly that it captures everything, that omits standard carve-outs, that imposes post-termination obligations of unlimited duration, or that specifies no practical remedies beyond a general right to sue provides its signatory with the form of protection without the substance. The drafting choices examined in this article, the definition of confidential information, the carve-outs, the purpose limitation, the operational security obligations, the duration framework, and the remedies architecture, are the provisions that determine whether the NDA achieves its commercial purpose.

The absence of a dedicated trade secrets statute in India means that contractual protection remains the primary mechanism for safeguarding confidential commercial information. Until that development occurs, the NDA remains the principal instrument available, and its effectiveness depends entirely on the care with which it is drafted and the discipline with which the disclosing party manages its own information security practices alongside the contractual framework.