
nda-review-jamie-tso

Guide to review incoming one-way (unilateral) commercial NDAs in a jurisdiction-agnostic way, from either a Recipient or Discloser perspective (user-selected), producing a clause-by-clause issue log with preferred redlines, fallbacks, rationales, owners, and deadlines.

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars: 187
Hot score: 97
Updated: March 20, 2026
Overall rating: C (3.8)
Composite score: 3.8
Best-practice grade: C (64.8)

Install command

npx @skill-hub/cli install lawvable-awesome-legal-skills-nda-review-jamie-tso

Repository

lawvable/awesome-legal-skills

Skill path: /nda-review-jamie-tso



Best for

Primary workflow: Ship Full Stack.

Technical facets: Full Stack.

Target audience: everyone.

License: AGPL-3.0.

Original source

Catalog source: SkillHub Club.

Repository owner: lawvable.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install nda-review-jamie-tso into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/lawvable/awesome-legal-skills before adding nda-review-jamie-tso to shared team environments
  • Use nda-review-jamie-tso for development workflows

Works across

Claude Code, Codex CLI, Gemini CLI, OpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: nda-review-jamie-tso
description: Guide to review incoming one-way (unilateral) commercial NDAs in a jurisdiction-agnostic way, from either a Recipient or Discloser perspective (user-selected), producing a clause-by-clause issue log with preferred redlines, fallbacks, rationales, owners, and deadlines.
metadata:
  author: Jamie Tso
  license: AGPL-3.0
---

# NDA Review Playbook (Commercial, Jurisdiction-Agnostic)

## Overview

| What this skill does | What it does not do |
|---|---|
| Reviews an NDA and outputs issues, risks, and suggested redlines | Provide jurisdiction-specific legal conclusions |
| Supports *Recipient* or *Discloser* perspectives (user-chosen) | Guarantee enforceability |
| Produces an executive summary + clause-by-clause markup guidance | Replace counsel for complex deals |

**Scope limitation (important):** this playbook supports **one-way (unilateral) commercial NDAs only**.

If the NDA is **mutual**, stop: this playbook is **out of scope** and you should escalate to counsel or use a separate mutual-NDA review approach.

> **Variation callouts** appear throughout:
> - **M&A / Due diligence**
> - **Employment / contractor**
> - **Investor / VC**

## LEGAL DISCLAIMER

**THIS IS NOT LEGAL ADVICE.** This skill is provided for informational and educational purposes only. Laws vary by jurisdiction and individual circumstances, and only a licensed attorney can provide advice tailored to your specific situation. When the NDA is high-risk, high-value, cross-border, or otherwise sensitive, escalate to qualified counsel.

**Remember:** All outputs from this skill must be reviewed by a qualified legal professional before being used for any legal purposes.

---

## Inputs to collect (ask before reviewing)

### A. Role and deal context (required)
- [ ] Are we reviewing as **Recipient** (we receive confidential info) or **Discloser** (we disclose confidential info)?
- [ ] Confirm the NDA is **one-way (unilateral)**. If it is **mutual**, stop: this playbook cannot be used.
- [ ] What is the **purpose** / permitted use (e.g., evaluation of partnership, vendor RFP, diligence)?
- [ ] What are the **parties** (legal names) and any **affiliates** that should be covered?
- [ ] What information types are expected (tech, pricing, customer data, product roadmap, source code)?
- [ ] Desired **timeline**: when do we need to sign?

### B. Practical constraints (recommended)
- [ ] Do we need to share with **affiliates**, advisors, contractors, auditors, or potential acquirers?
- [ ] Will we need to **export** data across borders or store in cloud tools?
- [ ] Will any **personal data** be shared? If yes, are there separate data-processing terms?

> **Jurisdiction-agnostic note:** avoid asserting “this clause is invalid” without the governing law details; focus on *commercial risk*, *operational feasibility*, and *market norms*.

## Deliverables (output format)

### Quick start (default output template)

ALWAYS output:
1) **Executive summary**
2) **Clause-by-clause issue log** (single table)

### A. Executive summary (1 page)
- [ ] Party role (Recipient or Discloser) and confirmation it is one-way (unilateral)
- [ ] Top 5 negotiation points (ranked)
- [ ] “Sign as-is” / “Sign with changes” / “Escalate” recommendation

### B. Clause-by-clause issue log (lawyer-style, thorough)
Use a single table so counsel and business owners can track issues, owners, and deadlines.

| Clause | Issue (1 line) | Risk (H/M/L) | Preferred redline | Fallback | Rationale (1–2 sentences) | Owner | Deadline |
|---|---|---:|---|---|---|---|---|
| Definition | Overbroad; includes unmarked info with no reasonableness |  |  |  |  |  |  |
| Term & survival | Perpetual confidentiality for all information |  |  |  |  |  |  |
| Use restriction | Purpose too broad; blocks internal evaluation |  |  |  |  |  |  |
| Disclosures | Representatives undefined; strict liability |  |  |  |  |  |  |
| Return/destruction | No backup carve-out |  |  |  |  |  |  |
| Remedies | One-way fees + automatic injunction |  |  |  |  |  |  |
| Liability | Indemnity + unlimited consequential damages |  |  |  |  |  |  |
| Boilerplate | Assignment prohibits change of control |  |  |  |  |  |  |

### Example (compact)

**Executive summary (example skeleton):**
- Role: Recipient (one-way NDA)
- Recommendation: Sign with changes
- Top 5 points: definition scope; term/survival; representatives; backup carve-out; remedies/fees

**Issue log (example rows):**

| Clause | Issue (1 line) | Risk (H/M/L) | Preferred redline | Fallback | Rationale (1–2 sentences) | Owner | Deadline |
|---|---|---:|---|---|---|---|---|
| Term & survival | Perpetual confidentiality for all information | H | Add 2–5 year survival; trade secret carve-out only | 5-year survival for all | Reduces indefinite operational burden while protecting truly sensitive info | Legal | Before signature |
| Return/destruction | No backup carve-out | M | Add backup/legal hold exception + continued confidentiality | Allow retention in immutable backups only | Required for standard IT operations; avoids impossible compliance | Security + Legal | Before signature |

## 5-step workflow

### Step 1 — Identify stance (Recipient vs Discloser)
- [ ] Confirm which side we are on for *this specific NDA* (titles are often misleading).
- [ ] Confirm the NDA is **one-way (unilateral)**. If it is mutual, stop (out of scope).

**Quick heuristic:**
- If we are being asked to keep their info secret → we are **Recipient**.
- If we are sharing our sensitive info → we are **Discloser** (if the NDA is mutual, stop: out of scope).

### Step 2 — Triage the NDA (fast risk scan)
Flag these immediately:
- [ ] **Perpetual** confidentiality for *all* information (no trade secret distinction)
- [ ] **Residuals clause** allowing use of “memory” or generalized knowledge
- [ ] **Injunctive relief** + **attorneys’ fees** one-way against Recipient
- [ ] **Indemnity** for breach or broad third-party claims
- [ ] **No carve-outs** for compelled disclosure or prior knowledge
- [ ] **Overbroad definition**: “all information, whether marked or not” with no reasonableness
- [ ] **Affiliate coverage** missing when we must share internally

> If any are present and the NDA matters, proceed with full review and consider escalation.

### Step 3 — Clause-by-clause review (use the reference modules)
Use these references while reviewing:
- [Key clauses](references/KEY_CLAUSES.md)
- [Party obligations](references/PARTY_OBLIGATIONS.md)
- [Duration & scope](references/DURATION_SCOPE.md)
- [Remedies & liability](references/REMEDIES_LIABILITY.md)
- [Standard exceptions](references/STANDARD_EXCEPTIONS.md)

### Step 4 — Draft redlines and negotiation positions
For each issue, produce:
- **Preferred redline** (best risk outcome)
- **Fallback position** (acceptable compromise)
- **Rationale** (1–2 sentences: business + operational feasibility)
- **Owner** (who needs to approve / negotiate: Legal, Sales, Security, Product)
- **Deadline** (by when the counterparty needs the change)

**Negotiation discipline:** do not propose 20 changes. Focus on the 5–10 that materially change risk.

### Step 5 — Finalize the package
- [ ] Ensure consistency (definitions used the same way everywhere)
- [ ] Confirm operational feasibility (can we actually comply?)
- [ ] Re-scan the Step 2 triage list and ensure each flagged item is represented in the issue log
- [ ] Provide a short “what we changed and why” summary

## Perspective-specific checklists

### A. Recipient checklist (incoming NDA — typical case)

| Topic | Red flags | Typical ask |
|---|---|---|
| Definition of Confidential Information | Overbroad; includes independently developed info; no marking/identification standard | Add reasonableness + identification standard; add exclusions |
| Purpose / Permitted Use | Any use restriction beyond evaluation; bans on internal sharing | Tie to stated purpose; allow internal need-to-know |
| Representatives | We are liable for any representative breach without control | Limit to those under written confidentiality; commercially reasonable care |
| Term & survival | Perpetual for everything; unclear start date | Fixed term; longer only for trade secrets |
| Return / destruction | Requires deletion of backups immediately | Add practical backup carve-out |
| Remedies | One-way fees + broad injunction language | Mutuality or reasonableness; clarify equitable relief scope |
| Liability / indemnity | Indemnity; unlimited damages; consequential damages | Cap or exclude categories; remove indemnity |
| Residuals | Allows use of “retained in memory” | Delete or narrow heavily |

> **M&A / Due diligence:** ensure diligence sharing (advisors, financing, affiliates) is permitted and that data room exports/notes are covered.

### B. Discloser checklist (when we are sharing sensitive info)

| Topic | Red flags | Typical ask |
|---|---|---|
| Definition | Too narrow; requires marking only; excludes oral disclosures | Add oral confirmation mechanism; broaden categories reasonably |
| Security standard | Only “reasonable” with no baseline | Add minimum safeguards, or align with internal policy |
| Exclusions | Too broad (e.g., “independently developed” with no proof) | Require written evidence of prior knowledge/independent development |
| Term & survival | Too short | Extend for sensitive categories; trade secret survival |
| Remedies | No equitable relief, no fees | Add equitable relief and/or fees (carefully) |

> **Investor / VC:** watch for standstill, solicitation, and “no contact” provisions—these are not standard in plain NDAs and may need separate agreement.

## Risk rating guide

| Rating | Meaning | Example |
|---:|---|---|
| High | Creates material, uncapped, or operationally impossible risk | Broad indemnity + unlimited damages for any breach |
| Medium | Risk is real but manageable with process controls | Strict notice deadlines for compelled disclosure |
| Low | Mostly cosmetic or market-standard | Minor notice method issues |

## Common pitfalls (issue → risk → fix)

| Issue | Risk | Suggested fix |
|---|---|---|
| “All information is confidential forever” | Operational burden; unfair risk allocation | Add fixed term + trade secret carve-out |
| No compelled disclosure carve-out | Breach if subpoenaed | Add “required by law” disclosure path |
| Return/destruction requires purge of backups | Impossible to comply | Add backup and system integrity exception |
| Recipient indemnifies discloser | Open-ended exposure | Remove indemnity; use direct damages only |
| Residuals clause | Allows de facto use of confidential info | Delete or restrict to non-trade-secret, non-source-code |

## Review prompts (copy/paste)

### A. Minimal prompt (fast)
- Role: Recipient/Discloser
- NDA type: one-way (unilateral)
- Purpose: …
- Please produce (1) exec summary, (2) clause-by-clause issue log table with: Clause, Issue, Risk, Preferred redline, Fallback, Rationale, Owner, Deadline, (3) top 5 negotiation points.

### B. Deep prompt (recommended)
- Add constraints: affiliates, advisors, contractors, cross-border sharing, personal data, cloud tools.
- Ask for: preferred redline + fallback + rationale per issue.

## Ownership & timing defaults (if the user does not specify)

Use these defaults to populate **Owner** and **Deadline** in the issue log:

| Topic | Default owner | Default deadline |
|---|---|---|
| Confidentiality scope/definition, exceptions, term/survival | Legal | Before signature |
| Security standards / audit rights | Security + Legal | Before signature |
| Return/destruction and backups | Security + IT + Legal | Before signature |
| Liability cap / damages / indemnity / fees | Legal + Finance | Before signature |
| Operational constraints (representatives, affiliates, tooling) | Legal + Business owner | Before signature |

---

## Referenced Files

> The following files are referenced in this skill and included for context.

### references/KEY_CLAUSES.md

```markdown
# Key NDA Clauses (What to Look For)

This reference supports clause-by-clause review for commercial NDAs in a jurisdiction-agnostic way. Focus on business risk allocation and operational feasibility.

## Contents
- Definition of “Confidential Information”
- Purpose / Permitted Use
- Non-disclosure / standard of care
- Term and survival
- Exclusions from confidentiality
- Compelled disclosure
- Return / destruction
- Residuals

## 1) Definition of “Confidential Information”

### What to check
- Scope: is it limited to information disclosed **in connection with the stated purpose**?
- Identification: does it require marking (“CONFIDENTIAL”) or does it cover unmarked disclosures?
- Formats: written, oral, visual, electronic, demo access, source code, samples.
- Derived information: does it include analyses, notes, compilations created by Recipient?

### Recipient red flags
- “All information of any kind, whether marked or not, is confidential” with no reasonableness.
- Confidentiality applies even if information is independently developed or already known.
- “Residuals” / “retained in memory” undermines confidentiality.

### Discloser red flags
- Definition requires strict marking only, with no mechanism for oral disclosures.

### Suggested redline language (modular)
**Reasonableness + connection to purpose**
```
“Confidential Information” means non-public information disclosed by or on behalf of Discloser to Recipient in connection with the Purpose that is identified as confidential at the time of disclosure or that a reasonable person would understand to be confidential given the nature of the information and the circumstances of disclosure.
```

**Oral disclosure confirmation (discloser-friendly but balanced)**
```
Oral or visual disclosures will be treated as Confidential Information if Discloser confirms their confidential nature in writing within [30] days after disclosure.
```

## 2) Purpose / Permitted Use

### What to check
- Purpose is specific enough (not “any business purpose”).
- Use restriction matches the transaction (evaluation vs implementation).

### Recipient red flags
- Use restriction prevents internal evaluation (e.g., bans sharing with employees who need to assess).
- Prohibits contact with customers, suppliers, or employees (non-solicit / no-contact) hidden inside NDA.

### Suggested redline language
```
Recipient may use Confidential Information solely for the Purpose and may disclose it to its Representatives who have a need to know for the Purpose and who are bound by confidentiality obligations at least as protective as this Agreement.
```

> **Employment / contractor variation:** NDAs sometimes add IP assignment, invention disclosure, non-compete, and non-solicit. Treat those as separate topics and escalate.

## 3) Non-disclosure / standard of care

### What to check
- Standard of care: “reasonable care”, “same degree as its own”, or absolute.
- Security obligations: required controls or policies.

### Recipient red flags
- Absolute obligations (“shall ensure no unauthorized disclosure”) → strict liability.
- Mandatory named security frameworks without feasibility.

### Suggested redline language
```
Recipient will protect Confidential Information using at least the same degree of care it uses to protect its own confidential information of similar sensitivity, and in any event no less than reasonable care.
```

## 4) Term and survival

### What to check
- Term of NDA (how long relationship lasts)
- Survival (how long confidentiality obligations last)
- Start date triggers (effective date vs first disclosure)

### Recipient red flags
- Perpetual confidentiality for all information.

### Balanced approach
- Fixed period for ordinary confidential information.
- Longer (potentially indefinite) protection for trade secrets, if defined.

**Suggested language**
```
Confidentiality obligations will apply during the Term and for [2–5] years thereafter; however, obligations for Trade Secrets (if any) will continue for so long as such information remains a trade secret under applicable law.
```

## 5) Exclusions from confidentiality

(See also: STANDARD_EXCEPTIONS.md)

### What to check
- Standard carve-outs exist and are workable.
- Who bears burden of proof.

### Recipient red flags
- No carve-outs.
- Carve-outs exist but require impossible proof.

## 6) Compelled disclosure

### What to check
- Ability to disclose if required by law/regulator.
- Notice requirement and timing.

### Recipient red flags
- Notice “immediately” or within 24 hours, even if prohibited.
- No permission to disclose the minimum required.

**Suggested language**
```
If Recipient is required by law, regulation, or court order to disclose Confidential Information, Recipient may do so provided that (to the extent legally permitted) it gives Discloser prompt notice and reasonably cooperates with Discloser’s efforts to seek protective treatment.
```

## 7) Return / destruction

### What to check
- Practicality: backups, archives, legal holds.

### Recipient red flags
- Requires wiping all backups immediately and certifying deletion of everything.

**Suggested language**
```
Upon written request, Recipient will return or destroy Confidential Information, except that Recipient may retain copies (i) as required to comply with law, regulation, or internal compliance requirements, and (ii) in routine backup systems that are not reasonably accessible in the ordinary course, provided such retained information remains subject to confidentiality.
```

## 8) Residuals

### Why it matters
Residuals clauses can allow Recipient to use generalized knowledge “retained in memory,” which can swallow the confidentiality obligation.

### Recipient position
- Prefer deletion.
- If unavoidable: narrow scope heavily (exclude source code, product roadmaps, customer lists, pricing).

**Suggested narrowing language**
```
Residuals do not include source code, customer-identifiable information, pricing, product roadmaps, or any information that is intentionally memorized for the purpose of circumventing this Agreement.
```

```

### references/PARTY_OBLIGATIONS.md

```markdown
# Party Obligations (Recipient vs Discloser)

This module helps you map obligations to the correct party and spot hidden risk shifts.

## Contents
- Recipient obligations
- Discloser obligations
- Mutual NDAs (out of scope)
- Operational feasibility checklist
- Non-solicit / no-contact / standstill
- Publicity and announcements

## 1) Recipient obligations (most common)

### Core obligations
- Non-disclosure: don’t disclose except as permitted.
- Use restriction: only use for the stated Purpose.
- Standard of care: protect using reasonable care (or same-as-own standard).
- Control of Representatives: limit internal/external sharing to need-to-know.

### Representative handling
**What to check**
- Are “Representatives” defined (employees, contractors, affiliates, advisors)?
- Are affiliates included? Sometimes you need them for evaluation.
- Is Recipient strictly liable for any representative breach?

**Recipient red flags**
- Unlimited liability for representatives even when not under Recipient’s control.
- Representatives include “any person” but with no “need-to-know” limitation.

**Balanced redline**
```
Recipient may disclose Confidential Information to its Representatives who have a need to know for the Purpose and are bound by confidentiality obligations at least as protective as this Agreement. Recipient is responsible for its Representatives’ compliance to the extent it has control over such Representatives.
```

## 2) Discloser obligations (often missing)

Even in unilateral NDAs, Discloser may have obligations:
- Ensure they have the right to disclose (no third-party restrictions).
- Mark or identify confidential information (depending on definition).
- Provide information “as-is” (common) — check disclaimers.

**Recipient watch-outs**
- Discloser disclaims all responsibility for accuracy while Recipient relies on it.
- NDA includes broad non-reliance language that is inconsistent with deal process.

> **M&A / Due diligence:** non-reliance clauses may be acceptable early, but confirm alignment with later transaction documents.

## 3) Mutual NDAs (two-way flow) — out of scope

This skill is designed for **one-way (unilateral)** NDAs. If the NDA is mutual, stop and escalate or use a separate mutual-NDA review playbook.

## 4) Operational feasibility checklist (Recipient)

- [ ] Can we comply with notice requirements (e.g., breach notice, compelled disclosure notice)?
- [ ] Can we restrict access in practice (shared tools, email, ticketing systems)?
- [ ] Can we return/destroy as drafted (backups, retention policies, legal holds)?
- [ ] Do we need the ability to disclose to auditors, regulators, or insurers?

## 5) Non-solicit / no-contact / standstill (hidden in NDAs)

These provisions are not purely “confidentiality” and can be high impact.

### What to check
- Any restriction on contacting Discloser’s employees/customers/suppliers.
- Standstill provisions (common in investor contexts).

### Recipient position
- Separate them into their own agreement or narrow heavily.

> **Investor / VC variation:** standstill and no-solicit may be intentionally requested; treat as business decision and escalate.

## 6) Publicity and announcements

### What to check
- Does NDA prohibit referencing the relationship?
- Does it allow required disclosures (e.g., to investors, auditors) under confidentiality?

**Balanced redline**
```
Neither party will issue public statements about the discussions without the other party’s prior written consent, except as required by law or to professional advisors under confidentiality.
```

```

### references/DURATION_SCOPE.md

```markdown
# Duration & Scope (Term, Survival, Territory)

This reference focuses on time, scope, and trigger mechanics. Keep analysis jurisdiction-agnostic: describe business impact and propose balanced language.

## Contents
- Term vs. survival
- Territory / cross-border considerations
- Scope of affiliates and corporate changes
- Retroactive coverage
- Trade secrets (practical handling)

## 1) Term vs. survival

### Definitions
- **Term:** how long the agreement governs disclosures (the “relationship window”).
- **Survival period:** how long confidentiality obligations continue after the Term ends.

### What to check
- When does the Term start? (Effective date vs. first disclosure.)
- Does the NDA cover disclosures made before signature?
- Is there a clear survival period?

### Recipient red flags
- Survival is perpetual for all information.
- Survival is unclear or tied to “until information becomes public” with no carve-outs.

### Balanced approach
- Fixed survival for ordinary confidential info.
- Longer survival for narrowly defined trade secrets.

**Suggested language**
```
This Agreement begins on the Effective Date and continues for [12–24] months (the “Term”). Confidentiality obligations survive for [2–5] years after expiration or termination, except for Trade Secrets (if any), which remain protected for so long as they remain trade secrets.
```

## 2) Territory / cross-border considerations

Commercial NDAs often include:
- A governing law / venue clause (legal).
- Practical cross-border sharing concerns (operational).

### What to check (operational)
- Will Confidential Information be accessed from multiple countries?
- Are cloud systems distributed globally?
- Does NDA require storage “only in [country]”?

### Recipient red flags
- Data residency commitments you cannot meet.

**Suggested approach**
- Avoid strict residency promises unless you have a dedicated compliant environment.
- Instead, commit to reasonable safeguards and access controls.

> **Personal data callout:** NDAs are not a substitute for data protection terms when personal data is involved. Treat separately.

## 3) Scope of affiliates and corporate changes

### What to check
- Are affiliates allowed to receive disclosures? (If needed.)
- Does “affiliate” include future acquisitions?
- Assignment clause: can obligations transfer on merger or asset sale?

### Recipient red flags
- Prohibits assignment even in change of control, risking breach in acquisition.

**Suggested language**
```
Either party may assign this Agreement in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee assumes the obligations herein.
```

## 4) Retroactive coverage

### What to check
- Does NDA cover info disclosed before signing?

**Common fix**
```
This Agreement also applies to Confidential Information disclosed within [30–90] days prior to the Effective Date.
```

## 5) Trade secrets (jurisdiction-agnostic handling)

### Why it matters
Trade secret concepts exist in many legal systems but definitions vary. Avoid making legal determinations; instead:
- Ask whether information is actually treated as secret.
- Ask what measures exist to keep it secret.

**Practical checklist**
- [ ] Is the information limited-access internally?
- [ ] Is it labeled/handled as confidential?
- [ ] Is it stored with access controls?

> **M&A / Due diligence:** “trade secret” labels may be used broadly. Focus on feasibility of compliance and proportionality.

```

### references/REMEDIES_LIABILITY.md

```markdown
# Remedies & Liability (Risk Allocation)

This module focuses on the commercial downside if something goes wrong.

## Contents
- Equitable relief / injunctive relief
- Attorneys’ fees / fee shifting
- Damages categories
- Liability caps
- Indemnities
- Non-reliance / disclaimer of warranties
- Liquidated damages / penalties
- Dispute resolution

## 1) Equitable relief / injunctive relief

### What to check
- Does NDA state that breach causes irreparable harm and entitles Discloser to injunctive relief?
- Is it one-way or mutual?
- Does it waive bond requirements or create automatic entitlement?

### Recipient red flags
- Automatic injunctive relief + fee shifting + broad confidentiality definition.

### Balanced redline
```
The parties acknowledge that unauthorized disclosure may cause harm for which monetary damages may be inadequate and that equitable relief may be appropriate, subject to applicable law and equitable principles.
```

## 2) Attorneys’ fees / fee shifting

### What to check
- One-way fees (“Recipient pays Discloser’s fees”).
- Trigger is too broad (“any dispute” vs “prevailing party”).

### Recipient position
- Prefer each party bears its own fees.
- If unavoidable, use “prevailing party” and limit scope.

**Suggested language**
```
Each party will bear its own attorneys’ fees and costs, except as a court of competent jurisdiction may award under applicable law.
```

## 3) Damages categories (direct / indirect)

### What to check
- Exclusion of consequential, incidental, special damages.
- Whether lost profits are excluded.

### Recipient red flags
- Unlimited consequential damages for any breach.

### Balanced approach
- Exclude indirect categories while preserving direct damages.

**Suggested language**
```
Neither party will be liable for any indirect, incidental, consequential, special, or punitive damages arising out of this Agreement.
```

## 4) Liability caps

### What to check
- Is there a cap? If yes, what is it tied to (fees paid, fixed amount)?
- Does the NDA carve out confidentiality breaches from the cap (common discloser ask)?

### Recipient position
- Avoid unlimited exposure.
- If Discloser insists on carve-out, narrow it (e.g., intentional breach only).

**Suggested language**
```
Each party’s aggregate liability arising out of this Agreement will not exceed [X]. This limitation does not apply to a party’s willful misconduct or intentional breach.
```

## 5) Indemnities

### What to check
- Any obligation for Recipient to indemnify Discloser for breach.
- Third-party claim indemnities.

### Recipient red flags
- Broad indemnity for “any losses” resulting from breach.

### Typical negotiation stance
- Remove indemnity; rely on direct damages.
- If must keep: narrow to third-party claims caused by Recipient’s willful misconduct.

## 6) Non-reliance / disclaimer of warranties

### What to check
- Discloser disclaims accuracy/completeness.
- Recipient agrees it will not rely on information.

### Practical guidance
- In early-stage discussions this may be acceptable.
- If Recipient must rely (e.g., diligence), ensure alignment with later transaction documents.

> **M&A / Due diligence:** NDA non-reliance clauses often sit alongside separate reliance/representation terms later.

## 7) Liquidated damages / penalties

### What to check
- Fixed penalties for breach.

### Recipient red flags
- Penalties disconnected from harm.

### Suggested approach
- Prefer actual damages + equitable relief rather than preset penalties.

## 8) Dispute resolution (arbitration, venue)

Even jurisdiction-agnostic playbooks should flag business impact:
- Travel / language burdens.
- Confidentiality of proceedings.
- Interim relief availability.

**Checklist**
- [ ] Is the forum practical?
- [ ] Are interim measures allowed?
- [ ] Are proceedings confidential?

```

### references/STANDARD_EXCEPTIONS.md

```markdown
# Standard Exceptions (Carve-outs) to Confidentiality

Most workable NDAs include clear exceptions. Missing or unworkable exceptions are a common negotiation driver.

## Contents
- The five standard carve-outs
- Suggested clause
- Burden of proof
- Compelled disclosure carve-out
- Residuals are not an exception
- Personal data and regulatory disclosures

## 1) The five standard carve-outs

| Exception | Meaning | Common drafting pitfall |
|---|---|---|
| Public domain | Already public through no fault of Recipient | Defines “public” too narrowly |
| Prior knowledge | Recipient already knew before disclosure | Requires unrealistic proof |
| Third-party right | Recipient receives from a third party without restriction | Assumes third party had rights |
| Independent development | Recipient developed without using Discloser’s info | No evidence standard |
| Compelled disclosure | Required by law/regulator/court | Notice deadlines too strict |

## 2) Suggested clause (balanced)

```
Confidential Information does not include information that Recipient can demonstrate: (a) is or becomes publicly available through no breach of this Agreement; (b) was lawfully known to Recipient prior to disclosure; (c) is lawfully received from a third party without breach of any obligation of confidentiality; or (d) is independently developed by Recipient without use of or reference to Confidential Information.
```

## 3) Burden of proof

### What to check
- Who must “prove” an exception?

### Balanced approach
- “Recipient can demonstrate” is typical.
- Avoid “contemporaneous written records only” unless necessary.

**Recipient-friendly tweak**
```
Recipient may demonstrate an exception using reasonable evidence, which may include (where appropriate) documentation, system records, or credible testimony.
```

## 4) Compelled disclosure carve-out

**Suggested language**
```
If Recipient is required by law, regulation, or court order to disclose Confidential Information, Recipient may disclose only the portion legally required and will (to the extent legally permitted) provide prompt notice to Discloser and reasonably cooperate in seeking protective treatment.
```

## 5) Residuals are not an “exception”

Residuals clauses often function like an exception by permitting use of retained information. Treat them as separate (see KEY_CLAUSES.md).

## 6) Personal data and regulatory disclosures

If personal data is involved, parties sometimes try to treat privacy compliance as an “exception” to confidentiality.

### Practical guidance
- Confidentiality and privacy can coexist.
- Ensure NDA does not prevent mandatory notices or compliance.

> **Employment / contractor variation:** carve-outs may be narrowed in employment contexts; ensure practicality and compliance with workplace obligations.

```