Nondisclosure Agreements, or Confidential Disclsoure Agreements as they are often called in the biotech context, are some of the most common types of business contracts. Although they are often signed cursorily, they are worth thought since each one could be the basis of a trade secret lawsuit. NDAs are one of the primary ways of keeping trade secrets, for which reasonable efforts at secrecy are required to maintain that status. Although each NDA or CDA has its own language that can vary, and I would recommend having an attorney read each one, these are what I perceive as the most common variables:
(1) One-way or mutual? Are both parties disclosing information, or just one? If only one party is disclosing, and it has more bargaining power, then it should ask for a one-way.
(2) Definition of “Confidential Information”. This is perhaps the most important term that defines the scope of what might be disclosed and what should be protected. There is roughly three ways to handle this:
(a) Everything Is Confidential. This is the most frequently used, and takes the form of a lengthy list (if you are not making semiconductors and your NDA contains the phrase “mask works” you probably have this type) that essentially amounts to of “everything we tell you is confidential”. This makes life easier for the discloser(s) because they don’t have to worry about anything slipping through the cracks. It can make life difficult for the recipient, because you cannot control what the other party is disclosing to you in advance. It’s possible they might give you secret information that is similar to something you were going to develop yourself later, but (after receiving their similar confidential project) doing so might be infringing on their trade secrets. If you Google “why I won’t sign your NDA” there are many blog posts from VCs, programmers, and others about how a fear of constraints on their business causes them to avoid NDAs except in close relationships. A separate issue is that you may also not know what, of the things the discloser is giving to you, is actually meant to be confidential, a problem that is solved by (b) and (c) below. Frequently parties with less bargaining power that are primarily the receiver of information sign a super-broad NDA. If bargaining power is equal, I think it usually only makes sense in a close collaboration where the nature of all the information cannot be determined in advance.
(b) Only what’s labeled or described in writing. Another option for defining “Confidential Information” is to limit it only to those things that are labelled in writing as “CONFIDENTIAL”. This limits the possible universe of confidentiality, and puts you on notice about what those things are. It can be more burdensome on the discloser since they have to label stuff or send emails saying “that thing I sent/told you last week is confidential”. This is a good compromise where you can’t know all the information in advance, but you’re not entering into a close collaboration where the labeling gets to be burdensome. This is the default for the form NDA from David Tollen’s Tech Contracts Handbook, which is available here (the form, not the book).
(c) Specifically described secrets. If there is just a one-off thing that is confidential — a process or recipe, some source code files, a molecular structure — then you can just describe that one thing in the NDA. This probably comes up the least because it requires more legal work, but it is the best-tailored solution to a one-off exchange scenario.
(3) Time Duration of Confidentiality Obligation. The confidentiality can last for a fixed period of time, or forever. Most information will almost certainly expire in usefulness at some point: financial information goes out of date, software code is superseded by newer technology, et cetera. As the discloser, forever is always going to be the safest option. For the recipient, though, that becomes a perpetual liability of a trade secret lawsuit. You could get sued in 2035 for information that was disclosed to you in 2015. Where data gets copied and backed up to various places, laptops stolen, accounts hacked, there is always a background risk for even the most careful data custodian, and so knowing that the risk goes away after a few years is nice. Forever is probably the most frequently-seen, since NDAs are most frequently drafted by corporate disclosers, not the recipients. One year would be very short; about three years seems the next-most-common after forever; and five years or longer comes up occasionally, more often in biotechnology and other secrecy-heavy industries especially where information may not go stale that quickly. If you don’t see a termination provision in your NDA, it probably goes forever. Sometimes there is a separate duration for when information can be disclosed (a year or two or however long the business relationship is expected to last) and how long it must be kept secret (often forever or as long as trade secret protection lasts).
(4) Venue and Jurisdiction. This is where disputes are handled. Dealing with litigation outside your home state can be more inconvenient and expensive, and outside your home country can be much more inconvenient, expensive, and sometimes less predictable. You may also see arbitration provisions. In general, arbitration is considered less accurate (looser rules of procedure and evidence, no jury trial, no appeals) but faster than courts.