5 Red Flags in Every NDA (And What They Actually Mean)
Clausely Team
AI contract analysis powered by Claude (Anthropic). Not legal advice - always consult a qualified attorney for high-stakes decisions.
NDAs are supposed to be simple. You agree not to share someone's secrets. They agree not to share yours. Handshake. Move on.
But the NDA sitting in your inbox right now almost certainly contains language that goes far beyond protecting trade secrets. Buried in the boilerplate are clauses that can restrict your career, expose you to lawsuits over public information, and bind you to obligations that last longer than most marriages. And unlike a marriage, there's no divorce court for a bad NDA -- just attorneys billing $400/hour to argue over what "any and all information" means.
The good news: once you know what to look for, these red flags take about five minutes to spot. Here are the five that show up in nearly every NDA, what they actually mean in plain English, and exactly what to demand instead.
1. Overly Broad Definition of "Confidential Information"
This is the single most common red flag and the one that causes the most damage. It usually looks something like this:
"Confidential Information shall mean any and all information, in any form or medium, whether written, oral, electronic, or otherwise, disclosed by the Disclosing Party to the Receiving Party, including but not limited to business plans, financial data, customer lists, marketing strategies, technical specifications, trade secrets, and any other proprietary information of any kind."
Read that "any and all information" opener. Then read "including but not limited to." Then read "any other proprietary information of any kind." This definition covers literally everything the other party has ever communicated to you. The weather at their office. The name of their receptionist. The font on their business card. All of it is now "confidential."
Why this is dangerous: When everything is confidential, you can't prove that anything isn't. If you use a common industry practice that the other party also happens to use, they can claim you learned it from them. If you pitch an idea to another client that remotely resembles something discussed in a meeting, you're exposed. The broader the definition, the larger the target on your back.
What this actually costs: A marketing consultant signed an NDA with a broad confidential information definition before a strategy engagement with a regional bank. Six months later, she pitched a similar social media approach to a credit union -- using strategies she'd been recommending for years before meeting the bank. The bank's legal team sent a cease-and-desist claiming she'd used their "confidential marketing strategy." Defending herself cost $8,500 in legal fees, even though the case had no merit. The NDA's language was broad enough that her attorney couldn't get it dismissed quickly.
What to demand instead: The definition should be specific and bounded. Confidential information should be limited to information that is clearly marked as confidential in writing, or if disclosed orally, identified as confidential within a reasonable window (10-14 days is standard). Push for language like: "Confidential Information means information specifically designated as confidential by the Disclosing Party in writing at the time of disclosure." If they won't narrow the definition, make sure the exclusions clause (Red Flag #3) is airtight.
2. Perpetual or No-Expiration Confidentiality
Most people skim right past the term length. It's usually a single sentence near the end, and it often says something like this:
"The obligations of confidentiality set forth herein shall survive the termination or expiration of this Agreement and shall remain in full force and effect in perpetuity."
In perpetuity. Forever. You are agreeing to keep this information confidential until you die, and depending on the jurisdiction, your estate might be bound after that.
Why this is dangerous: Information has a shelf life. A company's Q3 2026 revenue projections are sensitive today but meaningless by 2028. A product roadmap is confidential before launch and public knowledge after it. A perpetual NDA doesn't distinguish between information that's genuinely sensitive long-term (like a proprietary algorithm or trade secret) and information that becomes stale or public within months. You're carrying the legal obligation of secrecy on information that the disclosing party has probably already forgotten about.
What this actually costs: A software developer signed a perpetual NDA with a fintech startup in 2020. The startup pivoted twice, got acquired, and dissolved as a separate entity by 2023. In 2025, the developer discussed some general architectural patterns from that era in a conference talk. A former founder -- now at a competing company -- claimed the talk disclosed "confidential technical approaches." The NDA was still technically in force because it had no expiration. The developer spent $6,200 negotiating a resolution for discussing five-year-old architecture decisions from a company that no longer exists.
What to demand instead: A specific expiration window tied to the type of information. For general business information, 2-3 years from disclosure is standard. For genuine trade secrets (formulas, proprietary algorithms, source code), 5 years is reasonable, and perpetual terms can be justified. The key is that the NDA should distinguish between categories: "Confidential Information other than trade secrets shall be subject to the obligations of this Agreement for a period of three (3) years from the date of disclosure. Trade secrets shall be protected for so long as they qualify as trade secrets under applicable law." That's fair. "Forever on everything" is not.
3. No Exclusions Clause
A well-drafted NDA always includes a section listing what doesn't count as confidential information. These are called exclusions or carve-outs, and they exist to prevent absurd outcomes. Standard exclusions cover:
- Information that was already publicly available at the time of disclosure
- Information that becomes publicly available through no fault of yours
- Information you already knew before signing the NDA
- Information you independently developed without using the other party's data
- Information you received from a third party who had the right to share it
When an NDA has no exclusions clause at all, every single one of those situations becomes a potential lawsuit. Instead of carve-outs, you'll see something like this:
"The Receiving Party acknowledges that all information disclosed by the Disclosing Party constitutes Confidential Information and agrees to maintain its confidentiality without exception."
Why this is dangerous: Without exclusions, the disclosing party can claim confidentiality over information you learned in college, read in a trade publication, or developed through your own independent work. It eliminates your ability to defend yourself with the most basic factual argument: "I already knew that."
What this actually costs: A data analyst signed an NDA with a healthcare company that had no exclusions. During the engagement, the company shared their patient intake workflow, which used a standard industry framework the analyst had implemented at three previous clients. When she later recommended the same framework to another healthcare client, the first company threatened legal action. She had to hire an attorney to document that the framework was industry-standard and predated her engagement. Cost: $3,800 in legal fees for a dispute that would have been impossible if the NDA had included a basic exclusions clause.
What to demand instead: Insist on all five standard exclusions listed above. This is non-negotiable. Any attorney drafting a fair NDA would include them. If the other party pushes back on including exclusions, they're either using a terrible template or they're intentionally creating a weapon. Either way, do not sign an NDA without exclusions. Add them yourself in a redline and send it back. The language is boilerplate -- you can find it in any NDA template from a reputable legal resource.
4. Hidden Non-Compete or Non-Solicitation Clauses
This is the sneakiest red flag on the list because it doesn't announce itself. There's no heading that says "Non-Compete." Instead, the restriction is woven into the confidentiality obligations or the definition of prohibited conduct. It looks like this:
"The Receiving Party agrees that during the term of this Agreement and for a period of twenty-four (24) months following its termination, the Receiving Party shall not directly or indirectly engage in any business that competes with the Disclosing Party, solicit any of the Disclosing Party's clients, customers, or employees, or provide services to any entity that is a competitor of the Disclosing Party."
That's not an NDA. That's a non-compete and non-solicitation agreement hiding inside an NDA's trench coat. The document is labeled "Non-Disclosure Agreement," so you read it expecting confidentiality terms. Instead, you're signing away your right to work with competitors, approach any of their clients, or hire from their talent pool -- for two years after the relationship ends.
Why this is dangerous: Non-competes and non-solicitations have their own legal standards, enforceability rules, and negotiation norms. When they're embedded in an NDA, they bypass all of that. You don't scrutinize them the same way because you're not expecting them. You might not even notice the clause until a former client's attorney sends you a letter 14 months later telling you to stop working with your current client because they're a "competitor."
What this actually costs: A freelance copywriter signed what she thought was a standard NDA with an e-commerce brand. Buried in paragraph 7 was a clause preventing her from working with "any entity in the direct-to-consumer retail space" for 18 months after the engagement -- a non-compete in everything but name. She didn't catch it. Three months later, she took on a DTC skincare brand as a client. The e-commerce company sent a demand letter and threatened to sue. She lost the new client (who didn't want the legal exposure), turned down two other DTC leads during the restriction period, and estimated $27,000 in lost revenue from an NDA clause she never intended to agree to.
What to demand instead: Read every paragraph of the NDA, not just the ones with obvious headings. If you find non-compete or non-solicitation language, call it out explicitly and negotiate it separately. A fair non-solicitation limits the restriction to specific individuals you directly worked with (not entire client rosters or industries). A reasonable duration is 6-12 months, not 24. And if the other party wants a non-compete, that should be a separate, clearly labeled agreement with compensation for the restriction -- not a clause smuggled into a confidentiality agreement.
5. One-Sided Obligations
Mutual NDAs protect both parties. One-sided NDAs protect only the disclosing party. You'd be surprised how many "mutual" NDAs are actually one-sided once you read the operative language.
"The Receiving Party shall hold in strict confidence all Confidential Information of the Disclosing Party and shall not disclose such information to any third party without the prior written consent of the Disclosing Party. The Disclosing Party shall have no obligations of confidentiality with respect to any information received from the Receiving Party."
That second sentence is the gut punch. It says your information -- your proprietary methods, your client data, your pricing, your trade secrets that you might share during the engagement -- gets zero protection. They can share your proposal with their other vendors to get competitive bids. They can discuss your rates with your competitors. They can take your process documentation and hand it to the person they hire to replace you.
Why this is dangerous: In most business relationships, both parties share sensitive information. You share your methodologies, pricing structures, and sometimes proprietary tools or frameworks. If the NDA only runs one direction, you're exposed every time you share something valuable. And because you signed an NDA, you might assume your information is protected when it's not -- creating a false sense of security that's worse than having no NDA at all.
What this actually costs: A consulting firm signed a one-sided NDA with a Fortune 500 prospect during a sales process. During the pitch, they shared their proprietary assessment framework -- a methodology they'd spent three years developing. The prospect passed on the engagement but shared the framework with their internal team, who implemented a version of it. The consulting firm had no legal recourse: it was the "Receiving Party" under the NDA, and the agreement explicitly said the prospect owed no confidentiality for anything that flowed in that direction. They estimated the stolen methodology cost them $50,000+ in competitive advantage.
What to demand instead: Make the NDA mutual. Both parties should have identical obligations. If you're sharing any proprietary information -- processes, tools, pricing, methodologies -- during the engagement, your data deserves the same protection as theirs. The fix is simple: replace "Receiving Party" and "Disclosing Party" with "each Party" and apply the same obligations symmetrically. If the other side refuses to make the NDA mutual, ask yourself why they need to be able to share your information freely. The answer is rarely good.
The Pattern Behind the Red Flags
These five red flags share a common thread: they all shift risk onto you while giving the other party maximum flexibility. An overly broad definition means they can claim anything is confidential. A perpetual term means you carry that risk forever. No exclusions means you can't defend yourself. A hidden non-compete means you can't work. One-sided obligations mean they have no skin in the game.
Individually, each flag is a negotiation point. Together, they create a contract that's less about protecting secrets and more about controlling you. The worst NDAs contain all five -- and they're more common than you'd think, especially in contracts sent by larger companies to smaller vendors and freelancers.
The five-minute check: Before you sign any NDA, check for all five red flags. Read the definition of confidential information. Look for the term length. Find the exclusions clause (or note that it's missing). Search every paragraph for work restrictions. And verify that the obligations are mutual. If you can clear all five, the NDA is probably fine. If you can't, you know exactly what to negotiate.
For a complete guide to reading NDAs clause by clause, including what's standard and what's negotiable, check out our detailed NDA reading guide.
Frequently Asked Questions
What are the biggest red flags in an NDA? The five most dangerous NDA red flags are: an overly broad definition of confidential information (covering everything including publicly available information), a perpetual term with no expiration, missing exclusions that leave you unable to defend legitimate disclosures, a hidden non-compete or non-solicitation clause buried inside the confidentiality section, and one-sided obligations that only protect the disclosing party while leaving your information completely exposed.
What is a reasonable NDA duration? Most commercial NDAs run 1-3 years for general business information, with trade secrets protected for as long as they remain trade secrets. A 5-year blanket term is aggressive but not uncommon for high-sensitivity deals. "Perpetual" or "unlimited" duration applied to everything is a clear red flag -- it means you carry the obligation forever, even for information that has long since gone stale, and if the NDA also lacks exclusions, even for information that has become public knowledge. A reasonable NDA matches the duration to how long the information actually needs to stay secret.
Can an NDA include a non-compete clause? Legally, yes — but it should be a separate, clearly labeled agreement. Hiding non-compete or non-solicitation restrictions inside a confidentiality agreement is a known tactic to get you to sign restrictions you'd reject in a standalone document. Always read every paragraph of an NDA, not just the sections with obvious headings like "Confidentiality" or "Term."
What is the difference between a mutual NDA and a one-sided NDA? A mutual NDA imposes identical obligations on both parties — your information and their information receive the same protection. A one-sided NDA only protects the disclosing party. If you share proprietary processes, pricing, or methodologies during an engagement, a one-sided NDA leaves your information completely unprotected. Always push for mutual obligations in any substantive business relationship.
What exclusions should every NDA include? Standard exclusions cover: information already publicly known at the time of disclosure, information that later becomes public through no fault of yours, information you already had before the NDA, information disclosed to you by a third party with no confidentiality obligation, and information you developed independently without using the other party's disclosures. Without these exclusions, you could technically be in breach for discussing something that is public knowledge. Missing exclusions are a negotiation point -- add them.
Every one of these red flags is something Clausely catches automatically. Upload your NDA, and within sixty seconds you'll see exactly which clauses are standard, which are aggressive, and which are the kind that cost people thousands of dollars. No legal background needed -- just the document and a minute of your time. Because the best time to find a red flag is before your signature is on the page.