Module 3 of 6 — NDA Drafting Masterclass

Core Obligations and Permitted Disclosures

Reading module · approx 14 min

The heart of every NDA is a pair of obligations: the receiving party shall not disclose, and the receiving party shall not use. These are separate obligations. Treating them as one is the most common structural error in NDA drafting.

Non-disclosure and non-use: two distinct obligations

The non-disclosure obligation prohibits the receiving party from sharing confidential information with third parties. It regulates communication: who the receiving party may tell, under what circumstances, and with what safeguards.

The non-use obligation prohibits the receiving party from using confidential information for purposes beyond those permitted by the NDA. It regulates application: what the receiving party may do with the information, regardless of whether they tell anyone else.

The separation matters because the most economically significant breaches are non-use breaches, not non-disclosure breaches. A competitor who receives your pricing model in due diligence and never shares it with anyone — but uses it to restructure their own pricing — has caused serious harm without ever disclosing. An NDA that only prohibits disclosure misses this entirely. Always check that your NDA contains both obligations, expressed separately.

Standard of care

The non-disclosure obligation requires the receiving party to protect confidential information with some specified level of care. Three formulations appear in practice:

Reasonable care

The receiving party must protect the information with the care that a reasonable person would take to protect similar information of their own. This is an objective standard — it is measured against what a hypothetical reasonable actor in the receiving party's position would do, not against what the receiving party actually did. It is the most common standard in commercial NDAs and is generally enforceable in India.

Same care as own confidential information

The receiving party must protect the disclosing party's information with the same care they apply to their own confidential information of similar sensitivity. This is a subjective standard calibrated to the receiving party's actual practices. If the receiving party has lax internal security practices, the standard is correspondingly low. A disclosing party accepting this formulation should satisfy themselves that the receiving party actually has adequate information security practices before signing. The standard is often qualified — "not less than reasonable care" — to prevent the subjective floor from falling below what is objectively reasonable.

Best efforts / utmost care

The receiving party must apply its best or utmost efforts to protect the information. This is the strongest standard and is rarely agreed to in commercial practice. Receiving parties, particularly large organisations with thousands of employees, cannot realistically commit to best efforts across their entire organisation. The standard is appropriate only where the disclosed information is of exceptional sensitivity — military technology, critical health data, undisclosed M&A terms — and the receiving party has a specific, identifiable team handling the information.

Need-to-know and permitted recipients

Every NDA permits the receiving party to disclose confidential information to its own employees, contractors, advisors, and affiliates who need the information to evaluate or perform the purpose of the agreement. This is functionally necessary — a large organisation cannot review due diligence materials with only one person. But the need-to-know permission requires careful drafting.

The key elements of a well-drafted permitted recipient clause:

In M&A NDAs, the permitted recipient clause typically extends to financing sources, co-investors, and legal and financial advisors. Each category should be listed. Including "any other person with our prior written consent" as a catch-all gives the disclosing party control over expansions of the circle.

Compelled disclosure

A receiving party that is served with a court order, regulatory demand, or other legal process requiring disclosure of confidential information is not in breach of the NDA if they comply — but only if they follow the procedure specified in the compelled disclosure clause. Without this procedure, a receiving party could theoretically be in breach of the NDA even while complying with a court order.

A well-drafted compelled disclosure clause contains four elements:

  1. Prompt notice to the disclosing party. The receiving party must notify the disclosing party as soon as practicable after receiving the demand, and before complying — to the extent permitted by law. Some regulatory demands (particularly under the Income Tax Act, Companies Act, or securities regulations) prohibit the recipient from notifying any other party. The clause must carve out these legally prohibited notifications.
  2. Reasonable assistance. The receiving party must reasonably cooperate with the disclosing party's efforts to obtain a protective order or other confidential treatment of the information, at the disclosing party's expense.
  3. Minimum disclosure. If the receiving party is ultimately required to disclose, it must disclose only the minimum information legally required — not the entire dataset of confidential information shared under the NDA.
  4. Preservation of obligations. The compelled disclosure does not release the receiving party from its confidentiality obligations as to the remainder of the confidential information not covered by the legal demand.

Practical note

A common drafting error is to require the receiving party to give notice "in advance" of compelled disclosure. This is frequently impossible — regulatory demands often require immediate compliance. The correct formulation is "promptly upon receipt, and prior to disclosure if legally permissible." The distinction between what must happen before disclosure and what must happen promptly (which may be after disclosure if the law prohibits prior notice) preserves the receiving party's ability to comply with legal demands without being in breach of both the NDA and the regulatory requirement simultaneously.

Affiliate disclosures

Many NDAs permit disclosure to affiliates of the receiving party. The drafting of "affiliate" matters considerably. A broad definition — any entity controlling, controlled by, or under common control with the receiving party — includes subsidiaries, parent companies, sister companies, and their subsidiaries. In a large corporate group, this could encompass hundreds of entities, some of which are competitors of the disclosing party in other markets.

For disclosing parties in commercial NDAs, the better approach is to require written consent for affiliate disclosures rather than permitting them by default. Alternatively, the affiliate permission can be limited to directly relevant entities — "affiliates directly involved in evaluating or performing the Purpose" — rather than the entire corporate group.

Security obligations

Beyond the standard of care, well-drafted NDAs for technical or sensitive information specify minimum security obligations: access controls, encryption requirements, audit log requirements, notification obligations on breach or suspected breach. These are increasingly standard in technology NDAs and are now expected in any NDA involving personal data covered by the Digital Personal Data Protection Act, 2023.

DPDP Act interaction

Where the confidential information shared under an NDA includes personal data as defined under the DPDP Act 2023 — which covers any data about an identifiable individual — the NDA must be read alongside the DPDP Act obligations. The receiving party, if they process personal data, may become a Data Processor under the DPDP Act and will be subject to its obligations independently of what the NDA says. The NDA cannot override statutory data protection obligations. For any due diligence process that involves employee data, customer data, or any other personal data, a separate Data Processing Agreement should run alongside the NDA.

Reverse engineering restrictions

Some NDAs — particularly in technology transactions — expressly prohibit the receiving party from reverse engineering disclosed products, software, or processes. This is distinct from the non-use obligation. Reverse engineering is a process of analysis, not a use of disclosed information per se. Without an express reverse engineering prohibition, a receiving party could argue that reverse engineering the disclosing party's product is not a use of "confidential information" because the product itself is not confidential (if it is publicly available) and the insights derived from analysis are independently developed.

If your disclosed information includes products, software, or technical processes that could be reverse engineered, the NDA should expressly prohibit reverse engineering of anything derived from or related to the disclosed information.

After completing Module 3, take Quiz 1 to check your understanding of Modules 1 through 3. Then continue to Module 4, which covers the frequently mishandled term and survival provisions.