A customer sends over a "standard mutual NDA" before the first call. It looks routine, so it almost gets signed on the spot. Then someone reads to the end. Buried on page three is an eighteen-month freeze on hiring each other's employees. A few lines up, a clause quietly restricting who you are allowed to talk to. And a confidentiality obligation that never expires, ever.
None of that is confidentiality. All of it was sitting inside a document labeled as if it were.
We have reviewed a lot of these agreements, for our own deals and on behalf of the people we work with, and the same patterns come up again and again. This is a practical guide to using NDAs well: when to ask for one, when to sign, what to strike, and when to walk away. It is written for two groups, startups protecting their ideas and companies vetting vendors, because both get burned in similar ways.
One thing to get straight up front. An NDA is not an opportunity to slip in terms that have nothing to do with confidentiality. Too often a "simple NDA" lands in your inbox quietly carrying a non-compete clause, a non-solicitation clause, an IP assignment, or an exclusivity provision. None of that belongs in a confidentiality agreement. If you receive one loaded up this way, do not assume it was an accident, and do not sign it because it was labeled routine. Strip the extras out or send it back. If you are the one drafting, keep it clean. Padding an NDA with restrictive terms is a fast way to lose trust and stall a deal before it starts.
First, what an NDA actually does
An NDA is a contract where one or both parties agree not to disclose or misuse defined confidential information. That is all it does. It does not protect ideas. It protects specific information that you mark or describe as confidential. It does not stop someone from competing with you. It does not patent anything. And it is only as strong as your willingness and ability to enforce it in court, which is expensive and slow.
Two flavors matter. A unilateral, or one-way, NDA covers situations where only one side is disclosing secrets, like a startup pitching a potential customer or a company sharing specs with a vendor. A mutual, or two-way, NDA covers situations where both sides will exchange sensitive information, which is standard for partnerships, acquisition talks, and serious vendor integrations.
Unilateral NDA
Only one side is disclosing secrets.
- A startup pitching a potential customer
- A company sharing specs with a vendor
Mutual NDA
Both sides will exchange sensitive information.
- Partnerships, acquisition talks, serious integrations
- Watch: "mutual" in name, one-sided in substance
Watch the framing here. If someone calls it a "mutual" agreement but only you take on real obligations, that is not mutual, and it is worth fixing before anything else.
Know what you are actually signing
Half the trouble with NDAs is that people confuse them with four other agreements that often get stapled onto them. Each one restricts you in a completely different way, and an NDA should contain none of them unless you have specifically agreed to it.
NDA
You will not disclose or misuse confidential information. That is its entire job.
Non-compete
You will not work in or start a competing business, usually for a set time and region.
Non-solicitation
You will not poach the other side's employees or customers.
Non-circumvention
You will not go around the other party to deal directly with their contacts, partners, or customers.
When any of these last three show up inside something called an NDA, slow down. They are real, negotiable business terms with real consequences, and they should never ride in unannounced on the back of a confidentiality document.
Timing is the biggest factor
The right time for an NDA is the moment before genuinely sensitive, specific information changes hands, and not a second earlier.
Before the first meeting
You are describing what you do, not how. The "what" is rarely secret. Demanding a signature first signals inexperience and often kills the meeting.
During early conversations
Decks, market sizing, and vision should be shareable without one. If your whole moat is that no one has heard your idea, the idea isn't your moat.
Before deep technical disclosure
Architecture, algorithms, financials, customer lists, source code, roadmaps. Mutual interest is established, so the ask reads as professional.
Before the first meeting is usually wrong
Sending an NDA before an intro call is the classic rookie move. At this stage you are describing what you do, not how you do it. The "what" is rarely defensible and rarely secret. Demanding a signature before a conversation signals inexperience, creates friction, and often kills the meeting before it starts. The other side has not even decided they are interested, and you are already asking them to take on legal liability.
There are exceptions. Highly technical due diligence, regulated industries like health data or defense, or a first meeting that genuinely involves disclosing a trade secret such as a novel process, source code, or a clinical dataset can all justify an early NDA.
During early conversations it is usually unnecessary
Pitch decks, market sizing, and vision should be shareable without an NDA.
If your entire defensibility rests on no one hearing your idea, the idea probably is not your moat. Execution, team, distribution, and timing are.
Before deep technical disclosure is the right moment
When the conversation moves to architecture, proprietary algorithms, financials, customer lists, source code, or unreleased roadmaps, that is the natural trigger. By then both sides have established mutual interest, so the ask reads as professional rather than paranoid.
The VC exception: do not ask investors to sign
This deserves its own section because founders get it wrong constantly.
Most reputable VCs will not sign an NDA to hear a pitch, and you should not ask them to. The reasons are structural, not personal. VCs see hundreds of similar companies, and signing NDAs would create unmanageable legal exposure since they will inevitably fund or advise something adjacent to your space. Asking also signals that you do not understand how the industry works, which is itself a negative mark on you as a founder. And the information in a pitch is rarely the secret sauce. Investors bet on teams and execution.
If you have a genuine trade secret, simply do not disclose it in the pitch. Share it later, during diligence, when a term sheet is on the table and the relationship is real. At that stage a narrow confidentiality agreement is reasonable, and many firms will accommodate it.
Standard versus customized
An industry-standard, off-the-shelf mutual NDA is fine for the vast majority of situations. Reach for it by default. It is fast, familiar, and low friction.
Customize only when there is a specific reason. Genuinely sensitive IP may need a tighter definition of confidential information. Regulated data such as personal information, health records, or financial records may require specific handling, breach notification, or compliance language. Highly sensitive trade secrets sometimes justify a longer confidentiality term than the usual two to five years. And sometimes you want specific carve-outs, like letting a vendor use aggregate, anonymized data to improve their product.
A heavily customized NDA sent early is a double red flag. It signals both paranoia and a slow, lawyer-heavy process to come. Save the bespoke language for when the stakes actually warrant it.
Red flags we have actually seen
This is not theoretical. A "mutual NDA" recently landed in front of us that, on a close read, was carrying a stack of terms that had nothing to do with confidentiality. It is a useful catalog of what to watch for, because none of it was flagged or called out. It was all just sitting quietly inside a document labeled routine.
Perpetual confidentiality
The obligation never expired, auto-continuing until written notice. A reasonable NDA sunsets in 2 to 5 years. No end date is harder to enforce, not easier.
A non-solicit in the back
18 months where neither side could solicit or hire management-level employees. That's a hiring restriction, not a confidentiality term.
Buried no-contact clause
A non-circumvention barring contact with any person relating to the relationship without consent. A contact restriction wearing a confidentiality costume.
Everything-is-confidential
All information, written or oral, with nothing required to be marked. Vague definitions are a burden to comply with and weaker in court.
Lopsided indemnification
The receiving party indemnifies for any loss including attorney's fees, with automatic equitable relief. Worth narrowing even when technically mutual.
Purge-everything, no backup
Return or destroy all information and work product within 10 days of a request, with no carve-out for routine backups most orgs can't fully purge.
Leftover template language
A Gramm-Leach-Bliley compliance clause with nothing to do with the deal. A sign it was lifted from somewhere else and never tailored.
The lesson
Read the whole thing, not just the parts labeled confidentiality. The damaging terms are rarely in the section you expect.
What reasonable looks like, clause by clause
If you want a quick reference, here is how the common clauses should read versus how they go wrong.
Are NDAs defensible?
Yes, but with heavy caveats. A well-drafted NDA is enforceable in court. In practice, enforceability comes down to a few things.
Definition clarity matters most. Vague clauses that say everything discussed is confidential are hard to enforce, while specific, marked, or reasonably identifiable information holds up far better. Scope and duration need to be reasonable, since courts dislike overbroad or perpetual restrictions. A two to three year term on general confidential information is standard and defensible; an indefinite gag on everything is not. Standard carve-outs are normal and you should not fight them, including information that is public, independently developed, already known, or compelled by law. You also have to prove damages, which means showing actual harm and tracing it to the breach, and that is genuinely difficult. Finally, jurisdiction plays a role. Some states, notably California, limit non-compete-style restrictions, and courts vary in how aggressively they enforce.
Bringing a breach claim is not a form you file and forget. It means lawyers, discovery, months or years of timeline, and legal bills that climb into five and six figures before you see the inside of a courtroom. The NDA is valuable as a deterrent and a clear statement of expectations long before it is valuable as a lawsuit. Treat it as the thing that raises the cost of bad behavior and gives you a foothold, not as a guaranteed remedy.
When you cannot avoid signing a bad one
Sometimes the leverage is not on your side. The customer is large, you need the deal, and the NDA is non-negotiable in their eyes. You still have moves.
- Negotiate the term down to something finite, even if you cannot get it to two years.
- Narrow the definition so it covers information that is marked or clearly identified rather than every word exchanged.
- Strike the non-solicit and non-circumvent clauses outright, and frame it plainly: those are separate business terms and do not belong here.
- Add a backup carve-out to any return-or-destroy clause.
- Make it mutual if a clause genuinely cannot be removed, so whatever burden you carry, they carry too.
A counterparty who refuses every reasonable edit is telling you something about how the rest of the relationship will go.
Quick guides
Protecting your ideas
- Default to no NDA for pitches, intros, and investor meetings
- Don't ask VCs to sign; withhold true secrets until diligence
- Use a mutual, standard NDA before exchanging real technical detail
- Protect ideas with execution and speed, not paper
- For real protection, file patents or practice trade-secret hygiene
Vetting vendors
- Skip the NDA for early scoping calls
- Require a mutual NDA before architecture, data, metrics, or security
- For regulated data, add handling, breach notice, and a DPA
- Watch vendors who resist reasonable confidentiality
- Don't let the NDA become the relationship - it's the floor
Default to no NDA for pitches, intros, and investor meetings. Do not ask VCs to sign, and if something is truly secret, withhold it until diligence. Use a mutual, standard NDA before exchanging real technical detail with partners or potential acquirers. Protect ideas with execution and speed rather than paper, because your moat is what you build, not what you whisper. And for things that genuinely need legal protection, file patents or practice good trade-secret hygiene. An NDA is not a substitute for either.
For early scoping calls, skip the NDA. You are describing a problem, not your crown jewels. Before sharing system architecture, customer data, internal metrics, or security details, require a mutual NDA. For vendors who will touch regulated or personal data, customize the agreement to add data handling, breach notification, and compliance terms, and check whether you also need a separate data processing agreement. Watch for vendors who resist reasonable confidentiality, because it can signal how they will treat your data. And do not let the NDA become the relationship. It is the floor, not the foundation. Diligence, references, and contract terms matter more.
The two-question test
Before you send or sign one, ask two things.
Is genuinely sensitive, specific information about to change hands?
Is this the kind of party who reasonably signs at this stage?
Use a clean, standard, mutual NDA
The ask reads as professional, and the paper is doing real work.
Put it away and keep talking
The NDA would only add friction and signal inexperience.
If the answer to both is yes, use a clean, standard, mutual NDA. If not, put it away and keep talking. And whatever you do, read every clause, because the terms that hurt you are almost never in the section you expect.
The bottom line
An NDA is a tool, not a security blanket. Used at the right moment with the right counterparty, it sets clear expectations and gives you legal recourse. Used too early or with the wrong audience, whether an investor, a casual intro, or a first call, it signals inexperience and creates friction that costs you more than the information was ever worth. And used as a hiding place for non-competes and non-solicits, it quietly takes far more than it gives.
Keep it clean, keep it mutual, keep it finite, and read the whole thing.
This article is general information, not legal advice. Have a qualified attorney review any agreement before you rely on it.
The NDA is the floor. We're here for the foundation.
Strongly's forward deployed engineers embed in your operations and put our fees at risk until it runs in production. We sign clean, mutual NDAs - and then we do the actual work.