You've handled IP assignment. Good. Now comes policy #2.
Before you share your product roadmap with a contractor. Before you show your financials to an investor. Before your employee sees your customer list.
You need a Confidentiality/NDA Agreement.
This isn't about being paranoid. It's about being specific. Here are the questions that determine what needs to be in your agreement.
Question 1: What Information Would Destroy Your Business If It Became Public?
Make a list right now. What would kill your competitive advantage if your competitor knew it?
Common answers:
Customer lists with contact info and contract terms
Pricing strategies and margin calculations
Product roadmap and feature plans
Source code and technical architecture
Marketing strategies and conversion data
Financial projections and cap table
Partnership agreements and vendor relationships
Proprietary processes or methods
Unannounced product launches
The test: If this information showed up on your competitor's Slack tomorrow, would you be screwed?
If yes, it needs to be defined as confidential information in your agreement.
What founders get wrong: Vague language like "all proprietary information." That doesn't hold up. You need to be specific about categories.
Question 2: Who Currently Has Access to Confidential Information?
Go through your team and contractors:
Employees (all of them?)
Contractors and freelancers
Advisors
Investors and potential investors
Partners and vendors
Anyone who's ever had access to your systems
Now ask: Who signed an NDA?
If the answer is "nobody" or "some of them," you have a problem.
The exposure: Your former contractor can legally share everything they learned unless they signed something saying they can't.
Question 3: When Do People Get Access to Confidential Information?
Common scenarios:
Employee's first day (they see customer data, code, strategy)
Contractor onboarding (access to systems, documents, processes)
Investor pitch (you share financials, roadmap, metrics)
Partnership discussion (you reveal integration plans, user data)
Hiring process (candidates see your tech stack, hear about plans)
Critical timing question: Are you having them sign NDAs BEFORE or AFTER they see confidential information?
The right answer: Before. Always before.
Once they've seen your information without an NDA, you can't unring that bell.
Question 4: What Counts as "Confidential" vs. Public Information?
Your NDA needs to define what IS and ISN'T confidential.
Definitely confidential:
Trade secrets
Non-public financial information
Customer/user data
Unreleased product features
Internal processes and strategies
Anything marked "confidential"
NOT confidential (standard exclusions):
Information that's publicly available
Information they already knew before you told them
Information they learned from a third party who wasn't bound by confidentiality
Information they developed independently without using yours
Information required to be disclosed by law
Why this matters: Without clear exclusions, a court may find your NDA unenforceable because it is overly broad.
Question 5: How Long Should the Confidentiality Obligation Last?
Common timeframes:
Trade secrets: Indefinite (as long as it remains a trade secret)
General confidential info: 2-5 years after disclosure
Customer lists: 2-3 years (beyond that, they might be stale anyway)
Product roadmap: 1-2 years (then it's either launched or irrelevant)
State-specific consideration: Some states limit how long post-employment restrictions can last. California is particularly strict about restraining former employees.
The balance: Long enough to protect you, short enough to be enforceable.
What your NDA should say: "Confidential Information shall remain confidential for [X years] from the date of disclosure, except for Trade Secrets which shall remain confidential for as long as they qualify as trade secrets under applicable law."
Question 6: What Are You Actually Trying to Prevent?
Be specific about prohibited actions:
Can't do:
Disclose confidential information to third parties
Use confidential information for their own benefit
Use confidential information to compete with you
Reverse engineer your products using confidential information
Share confidential information with future employers
Can do:
Use general skills and knowledge gained
Work in the same industry (unless you have a valid non-compete)
Use publicly available information
The enforceability trap: Courts won't enforce NDAs that essentially prevent someone from working in their field. You can protect specific information, but you can't prevent them from using general knowledge and skills.
Question 7: What Happens When Someone Leaves Your Company?
Critical obligations that survive termination:
Return all confidential materials (documents, code, files, devices)
Delete all confidential information from personal devices
Confirm destruction/deletion in writing
Continue confidentiality obligations for defined period
Not solicit customers using information gained (if enforceable in your state)
What your NDA needs: Clear language that obligations survive termination, plus a specific return-of-materials procedure.
The exit interview checklist:
□ All company property returned
□ All files deleted from personal devices
□ No confidential information retained
□ Written acknowledgment signed
□ Final paycheck includes statement referencing ongoing obligations
Question 8: Who Are You Sharing Information With Who Hasn't Signed Anything?
Risky scenarios:
Investor pitches: "We're raising a seed round, showed our deck to 20 investors, zero signed NDAs."
Why investors often won't sign: They see dozens of similar companies and don't want to be restricted from investing in your competitors.
Your options:
Accept that investor pitches happen without NDAs (common)
Only share high-level info in initial meetings, detailed info after NDA
Have a less restrictive "evaluation NDA" specifically for investor discussions
Partnership discussions: "We were exploring a partnership with BigCo, shared our integration plans, no NDA."
The risk: They ghost you, then build what you described internally.
The fix: Standard mutual NDA before substantive discussions.
Hiring conversations: "We told candidates about our product roadmap during interviews."
The risk: Candidate doesn't get hired, shares your plans with their current employer (your competitor).
The fix: NDA as part of interview process, or don't share sensitive information until after the offer stage.
Question 9: Are You Receiving Confidential Information Too?
Mutual NDA situations:
Partnership discussions
Vendor relationships where you see their pricing/processes
Customer data you receive
Integration discussions with other companies
What you need: A mutual NDA (both parties protect each other's information) rather than a one-way NDA.
Additional consideration: If you're receiving customer data or personal information, you may have additional obligations under privacy laws (GDPR, CCPA, etc.). Your NDA should reference compliance with applicable data protection laws.
Question 10: What's Your Enforcement Strategy If Someone Violates the NDA?
Harsh truth: NDAs are only as good as your willingness to enforce them.
What your NDA should include:
Remedies for breach:
Injunctive relief (court order to stop the disclosure)
Monetary damages (actual damages plus possibly punitive)
Attorney's fees and costs (if you prevail)
Acknowledgment that monetary damages may be insufficient (sets up injunctive relief)
Jurisdiction and venue: Where disputes will be resolved (usually your home state)
But here's the reality: Enforcing an NDA means litigation. That's expensive.
Better strategy: Prevent disclosure in the first place through:
Clear communication about what's confidential
Limited access to sensitive information (need-to-know basis)
Technical controls (access logs, watermarks, restricted sharing)
Regular reminders of obligations
Exit procedures that reinforce ongoing obligations
Question 11: Are There Special Considerations for Your Industry?
Healthcare: HIPAA compliance for patient information
Finance: SEC regulations, customer financial data protection
Government contractors: Classified information handling requirements
Tech with user data: GDPR, CCPA, privacy law compliance
Your NDA may need additional provisions specific to your regulatory environment.
Question 12: What Information Do Employees Need to Do Their Jobs?
The over-restriction trap: NDAs so broad that employees can't do their work.
Example: "Employee shall not disclose any information about the company to anyone."
Problem: They can't tell vendors what they need, can't discuss projects with teammates, can't explain what they do to their spouse.
Better approach:
Define confidential information specifically
Allow disclosure when necessary to perform job duties
Allow disclosure to service providers under confidentiality obligations
Allow disclosure with prior written approval
Question 13: Have You Considered State-Specific Restrictions?
California: Very strict about post-employment restrictions. Your NDA can't effectively prevent someone from working for a competitor and can't be used to prevent normal job mobility.
Colorado: Recent laws restrict non-competes. Your NDA must be carefully drafted not to function as a non-compete in disguise.
Washington: "Freedom to work" laws limit post-employment restrictions.
The risk: An NDA that's enforceable in Texas might be void in California.
If you have employees in multiple states: Your NDA needs to comply with the most restrictive state's laws, or you need state-specific versions.
The Bottom Line: What Your NDA Must Cover
Based on your answers above, your NDA needs:
1. Clear definitions:
What is confidential information (specific categories)
What is excluded (public info, prior knowledge, etc.)
2. Obligations:
Non-disclosure (can't share)
Non-use (can't use for own benefit or competition)
Protection standards (reasonable care to protect)
3. Duration:
How long obligations last
Different terms for different types of info (trade secrets vs. general)
4. Return of materials:
What happens when relationship ends
Destruction/deletion requirements
5. Remedies:
What happens if breached
Injunctive relief, damages, attorney's fees
6. Survival:
Obligations continue after termination
Specific surviving provisions
7. Compliance:
State-specific requirements
Industry-specific regulations
When You Need This in Place
Immediately:
Before sharing anything proprietary with anyone
Before employees start (Day 1 requirement)
Before contractor engagements begin
Before investor/partner discussions
Not negotiable for:
Anyone with system access
Anyone seeing customer data
Anyone involved in product development
Anyone seeing financial information
Anyone hearing strategic plans
Can sometimes wait:
Very limited-scope contractors with no access to sensitive info
Public-facing roles with no confidential access
Situations where all information is already public
The Question That Tells You Everything
If tomorrow, everyone who has ever worked with your company shared everything they know:
With your competitors
On social media
In job interviews at rival companies
Would your business survive?
If the answer is no, you need ironclad NDAs with everyone who has access to that information.
If you can't immediately produce signed NDAs from everyone who has seen your confidential information, you have a gap that needs fixing today.
Because once the information is out, no NDA in the world can put it back.
This content is provided for informational purposes only and does not constitute legal advice; for guidance on your specific situation, please consult with an employment attorney licensed in your state.
