UK NDA checklist, updated 2026

UK NDA Clauses to Check: Red Flags, Examples & New Laws

NDAs look simple, but small drafting choices can shift risk massively. Use this guide to spot overbroad definitions, missing carve outs, and aggressive remedies before you sign.

  • Updated for UK law: UK confidentiality principles
  • Risk examples included: know what to push back on
  • Built for self check: compare terms before you sign

Why NDA clauses matter in the UK

UK NDAs usually fail for predictable reasons: the definition is too broad, the purpose is unclear, disclosures are not permitted to advisers, or the remedies are drafted to intimidate rather than protect real confidentiality.

Who this checklist is for

Founders, freelancers, agencies, and operators signing NDAs during early conversations.

Anyone doing a self check before asking for a legal review.

How to use it fast

1. Run the 2 minute safety check table and circle the red flags.

2. Jump to the deep dive sections for negotiation language and risk patterns.

3. Scan your NDA with Vordex to flag the exact clauses in seconds.

Related guides: NDA review tool, Mutual vs one way NDA, NDA duration and scope.

2 minute safety check table

Use this quick table to spot the highest risk NDA clauses before you sign.

Each entry lists the clause, what to look for (safe), the red flags (risky), and the action to take.

1. Definition of confidential information
  • Safe: Specific categories (pricing, roadmaps, customer lists) plus standard exclusions.
  • Red flags: All information disclosed, retroactive coverage, no exclusions.
  • Action: Narrow the scope.

2. Purpose limitation
  • Safe: Limited to one clear purpose (for example evaluating the partnership).
  • Red flags: Any business purpose, unclear affiliate use, missing purpose.
  • Action: Rewrite the purpose.

3. Disclosure exceptions
  • Safe: Carve outs for lawyers, regulators, and court orders.
  • Red flags: No carve outs, consent required to get legal advice.
  • Action: Add standard UK carve outs.

4. Duration and survival
  • Safe: Fixed term (2 to 5 years) plus separate trade secret protection.
  • Red flags: Perpetual for everything, unclear survival clauses.
  • Action: Set a fixed term.

5. Return or destruction
  • Safe: Practical return period plus backup and legal hold carve outs.
  • Red flags: Immediate deletion of all backups, 24 hour certification.
  • Action: Make it workable.

6. IP and derivative works
  • Safe: No transfer of IP. Discloser keeps their IP. You keep yours.
  • Red flags: Discloser owns ideas or improvements you create.
  • Action: Remove IP assignment.

7. Non solicitation add ons
  • Safe: None. Restrictive covenants should be separate and narrow.
  • Red flags: Hidden non solicit, non compete, or non circumvent clauses.
  • Action: Remove or narrow.

8. Remedies and injunctions
  • Safe: Standard equitable relief and balanced costs.
  • Red flags: Automatic injunctions, indemnity for alleged breaches.
  • Action: Remove overreach.

9. Governing law
  • Safe: Matches the deal reality (England and Wales for UK deals).
  • Red flags: One sided jurisdiction or unrelated country.
  • Action: Align law and courts.

High impact clauses to check first

If you only have 60 seconds, start here. These clauses create the most disputes and the most leverage if they are drafted aggressively.

Confidentiality scope

High risk
The check

Is the definition specific and limited to real confidential categories?

The risk

Broad definitions like "all information" increase accidental breach risk by covering public or trivial knowledge.

Duration and survival

Medium risk
The check

Is there a fixed end date like 2 to 5 years for general information?

The risk

Perpetual confidentiality is rarely appropriate for everyday business information.

Permitted disclosures

High risk
The check

Can you speak to your lawyer, accountant, investors, or regulator?

The risk

Missing carve outs are a classic gotcha. You must be able to disclose to advisers and where required by law.

IP and derivatives

High risk
The check

Who owns improvements, feedback, and derived work?

The risk

"Derived from" language can quietly assign your independent ideas or know how to the discloser.

Want the clause by clause explanation? Jump to the deep dive section.

Clause by clause breakdown

Each section explains what the clause does, why it matters, common abuse patterns, an example of risky wording, and how Vordex flags it in a scan.

Clause 1

Definition of confidential information

High risk
What it does

Defines exactly what information is protected. For example commercial plans, know how, pricing, source code, and customer lists.

Why it matters

In the UK, an NDA should protect genuinely confidential information, not everything. Overbroad definitions increase the risk of accidental breach and can chill normal business activity.

Common abuse patterns
  • Defines confidential information as "any and all information disclosed by any means".
  • Applies retroactively to information shared before the NDA was signed.
  • Omits standard exclusions like public domain, prior knowledge, independent development, or third party sources.
Example risky wording
Confidential Information means any and all information disclosed at any time whether oral, written, or otherwise.
Safer approach

Use a clear definition with examples and include standard exclusions for public domain, prior knowledge, independent development, and lawful third party receipt.

How Vordex flags it
  • Highlights phrases like "any and all", "whether oral or otherwise", "at any time", and "including but not limited to".
  • Detects missing exclusions and prompts a narrow scope edit.
Clause 2

Purpose limitation clause

High risk
What it does

Limits how the recipient can use the confidential information. For example solely to evaluate a potential partnership or investment.

Why it matters

This is a key risk control. If the purpose is vague, the discloser can argue your ordinary internal use breached the NDA. A single clear purpose reduces dispute leverage.

Common abuse patterns
  • Purpose defined as "any business purpose" or "for the relationship".
  • Affiliate use is unclear or unlimited.
  • No purpose clause at all.
Example risky wording
Recipient may use Confidential Information for any purpose relating to its business.
Safer approach

Write the purpose in one sentence. Solely to evaluate the specific project named in the NDA.

How Vordex flags it
  • Flags vague purpose phrases like "any business purpose", "for the relationship", or "for any purpose".
  • Checks for missing purpose language and recommends a rewrite.
Clause 3

Disclosure exceptions

High risk
What it does

Sets out when you are allowed to disclose info, such as to lawyers, regulators, or police.

Why it matters

Under the Victims and Prisoners Act 2024 (Gov.uk), NDAs cannot be used to prevent crime reporting. Old templates often fail to reflect this, creating void clauses.

Common abuse patterns
  • No exceptions at all, or exceptions only with prior written consent.
  • Consent required to disclose to your lawyers or accountants.
  • Attempts to block reporting of criminal conduct or whistleblowing.
Example risky wording
Disclosure required by law is permitted only with the Discloser's prior written consent.
Safer approach

Ensure explicit carve outs for professional advisers, regulatory compliance, and disclosures protected by the Victims and Prisoners Act 2024 (Gov.uk).

How Vordex flags it
  • Detects missing adviser carve outs.
  • Flags clauses that attempt to override statutory reporting rights.
Clause 4

Duration and survival

Medium risk
What it does

States how long confidentiality lasts and which obligations continue after the NDA ends.

Why it matters

A fixed term reduces long tail risk. Perpetual confidentiality is rarely appropriate for general business information. Trade secrets can be protected longer if properly defined.

Common abuse patterns
  • Perpetual confidentiality for everything.
  • Survival clause that keeps all obligations alive forever.
  • No clear start or end date.
Example risky wording
The obligations in this Agreement shall continue in perpetuity.
Safer approach

Use a fixed term, commonly 2 to 5 years for general information, and separate trade secrets protected for as long as they remain secret.

How Vordex flags it
  • Flags "perpetual" and "in perpetuity" wording.
  • Detects missing end dates and unclear survival language.
Clause 5

Return or destruction

Medium risk
What it does

Explains what happens to confidential materials when the deal ends.

Why it matters

You need a clause you can actually comply with. Immediate deletion of all copies is often impossible because of automated backups and compliance retention.

Common abuse patterns
  • Requires immediate deletion of all backups and disaster recovery systems.
  • Unrealistic certification windows like 24 hours.
  • No carve out for legal hold or regulatory retention.
Example risky wording
Recipient shall immediately destroy all copies including all backups, archives, and disaster recovery systems.
Safer approach

Allow reasonable steps and time to delete, plus carve outs for secure routine backups and legally required records.

How Vordex flags it
  • Detects immediate deletion requirements and backup capture clauses.
  • Prompts a practical retention and deletion carve out.
Clause 6

IP and derivative works

High risk
What it does

Clarifies ownership of intellectual property and anything created using the confidential information, such as improvements, feedback, and derivative works.

Why it matters

This is a frequent ambush point. The discloser should own their information, but they should not own your independent ideas or improvements just because you saw their data.

Common abuse patterns
  • Assigns ownership of ideas, improvements, or derivatives to the discloser.
  • Uses "derived from" language to claim your independent know how.
  • Grants a broad licence beyond what is needed for the purpose.
Example risky wording
All derivatives, modifications, improvements, and ideas arising from the Confidential Information shall be owned by the Discloser.
Safer approach

No licence or transfer of IP is granted except as necessary for the purpose. Each party keeps their existing and independently developed IP.

How Vordex flags it
  • Flags phrases like "owned by the Discloser", "arising from", "derived from", "improvements", and "ideas".
  • Marks this as a high risk IP assignment pattern.
Clause 7

Non solicitation add ons

Medium risk
What it does

Restricts you from approaching staff, customers, suppliers, or contacts. These terms are often buried inside confidentiality sections.

Why it matters

These clauses change the commercial deal. In the UK, restrictive covenants must be reasonable and limited to be enforceable. Broad wording creates needless exposure.

Common abuse patterns
  • Non solicitation of all employees, even people you never met.
  • Non compete language disguised as non circumvention.
  • Long durations like 24 months without a clear justification.
Example risky wording
Recipient shall not solicit or hire any employee of the Discloser for 24 months.
Safer approach

Remove these add ons or limit them to named individuals you interacted with, for a short period, with clear scope.

How Vordex flags it
  • Detects non solicit, non compete, and non circumvention patterns embedded in NDAs.
  • Flags overbroad scope like "any employee" and excessive durations.
Clause 8

Remedies and injunctions

Medium risk
What it does

Describes consequences for breach such as damages, injunctions, and cost shifting.

Why it matters

Aggressive remedies try to bypass legal tests by claiming any breach automatically entitles an injunction or full indemnity. This can create leverage even when the underlying claim is weak.

Common abuse patterns
  • Automatic injunction language without need to prove loss.
  • Indemnity for any alleged breach, even if unproven.
  • One sided legal costs clauses.
Example risky wording
Any breach shall entitle the Discloser to an immediate injunction without the need to prove loss.
Safer approach

Keep remedies standard. Avoid indemnities for mere allegations and avoid one sided cost shifting.

How Vordex flags it
  • Flags "immediate injunction" and "without the need to prove loss" wording.
  • Detects indemnity triggers tied to allegations rather than findings.
Clause 9

Governing law

Review
What it does

States which law and courts apply to disputes.

Why it matters

If the NDA points to a jurisdiction you do not operate in, enforcement becomes slow and expensive. Misaligned governing law is often used as pressure rather than practicality.

Common abuse patterns
  • Governing law unrelated to either party.
  • One sided jurisdiction where they can sue anywhere and you cannot.
  • Foreign venue clauses that increase cost and delay.
Example risky wording
This Agreement shall be governed by the laws of a jurisdiction unrelated to the parties.
Safer approach

Align law and courts with the deal reality. For UK deals, English law and the courts of England and Wales are the common choice.

How Vordex flags it
  • Flags foreign governing law and one sided forum selection.
  • Prompts a jurisdiction alignment recommendation.

Ready to check your own NDA?

Scan your NDA to flag these clauses automatically, then use the checklist above to negotiate with precision.

FAQs about NDA clauses in the UK

Q: Are NDAs enforceable in the UK?

Often, yes, if they are properly drafted and protect genuine confidential information. Problems arise when the NDA is vague, unlimited, or tries to restrict lawful disclosures.

Q: Can an NDA stop me reporting a crime or whistleblowing?

No. Under the Victims and Prisoners Act 2024 (Gov.uk), any NDA clause attempting to prevent a victim from reporting a crime or accessing support is legally void. It is a major red flag if an NDA tries to restrict this.

Q: How long should an NDA last in the UK?

Commonly 2 to 5 years for general confidential information. Trade secrets can be protected for longer, provided they remain secret and are properly defined.

Q: What is a purpose limitation clause?

It limits the use of the information to one named purpose, such as evaluating an investment or partnership. This prevents disputes about whether ordinary business activity breached the NDA.

Q: Should I agree to a return or destroy clause?

Yes, but make it practical. Ensure it allows a reasonable timeframe and includes carve outs for routine IT backups and legally required retention.

Need a clause level scan? Use the NDA review tool.

Vordex is a decision support tool and does not provide legal advice.