Non-Disclosure Agreement for IT Companies (NDA)

Companies use all possible tools to prevent outsiders from accessing trade secrets. For example, Google keeps search algorithms secret, and Election Systems & Software has restricted access to information about e-voting algorithms in US elections.

Legal tools help maintain this level of security, one of which is a Non-disclosure agreement (NDA).

Stalirov&Co IT lawyers prepare a guide on how to draw up the NDA and avoid mistakes.

What is a non disclosure agreement, and why is it needed?

A non-disclosure agreement is a guarantee for a business against the dishonest behavior of a partner, contractor and client. Document signing is a crucial part of employment. There are many conflicts in the process of cooperation between the parties. What prevents an employee from going to a competitor and carrying away the work results?

Is it better to add the NDA as a contract clause or sign a separate agreement?

The non-disclosure agreement may be part of a contract or a separate agreement. We advise including a particular clause in the main contract that will protect your privacy and set out detailed aspects in a separate agreement.

Let's take an example. The company signs an agreement with IT specialists to create a software product. Then the main agreement with the developers will contain clauses obliging them to observe the confidentiality regime, and such details as the list of confidential information, methods of its transfer and storage, and tools for proving violations are described in a separate NDA.

How to write an NDA and what to include in it?

Here is a list of clauses that should be in every agreement.

• A definition and list of data that relate to confidential information.
• A list of information that is not considered confidential and disclosure or use of it will not harm the company.
• Cases of lawful information disclosure. For example, by parties’ permission or at the state authorities request.
• Ways of information transfer: choose actual and technological options, thanks to which communication takes place in the company.
• Penalties for breach of agreement and obligation to pay damages.
• Ways to prove violations of the confidentiality regime.
• Jurisdiction to hear the dispute.

Let's talk about each of them in more detail.

A confidential information definition (scope of confidential information)

Confidential information is hard-to-reach information that is not known to the general public. It includes personal data, trade secrets, know-how, customer databases and other objects.

For example, you signed a software development contract. To provide services, IT specialists need access to the site, ideas and concepts. They may also need access to team accounts or CRM systems. To maintain confidentiality, it is necessary to specify in detail what the confidential information definition includes. For example:

• correspondence and financial data;
• project's budgets;
• lists of contractors, suppliers, customers and partners, licensors or licensees with whom the party works;
• employees' salaries;
• information about marketing and promotion of goods, about market policy;
• programs or codes;
• trademarks and other objects of intellectual property rights;
• plans for future projects: to create new intellectual property rights and invented names for new products;
• plans to open legal entities to enter new markets;
• drawings, templates, formulas;
• methods, techniques;
• presentations, diagrams, illustrations;
• databases and other objects in the IT business.

The list of information objects in the document must correspond to the processes in the company and the team. But don't limit the list. To do this, add a disclaimer stating that the list of confidential information is non-exhaustive. Such a clause will be helpful if it turns out that not all objects are mentioned in the NDA.

In 2021, Netflix released The Billion Dollar Code. There is a story about two geniuses, Carsten Schlüter and Juri Müller. The case shows how important it is to enter into the NDA and describe the objects of confidential information. Carsten and Juri developed Terra Vision, software for a virtual rendering of the world using satellite imagery and architectural data. To attract investment, the developers turned to Google. They talked about features, algorithms, and business plans and showed a product prototype. But instead of financing, Google stole the idea and introduced a similar software to the world - the Google Earth. Today this product is called Google Maps.

It would have been possible to avoid this situation if the developers had signed the NDA before sharing information with a Google representative. The list of confidential data should have included information about free navigation through the data warehouse, a quadtree as a map layout, a floating coordinate system, and an address in memory. But the developers didn’t sign the NDA, so they lost the rights to the technology and the opportunity to earn millions of dollars a year.

What information is not considered confidential?

The NDA should include a list of data that can be disclosed. These are:

• Well-known information (for example, industry-standard information).
• Information is already known to the party before signing the agreement.
• Information that may be disclosed after the party consent.

What kind of disclosure is considered legal?

Although the information is confidential, there are situations where it can be disclosed. For example:

• Disclosure of data that is not directly indicated and not listed in the agreement.
• To provide additional services and transfer information to accountants, auditors, lawyers and other consultants.
• With the written consent of the confidential information owners.
• At the government authorities' request. It is worth writing to the NDA about the disclosure procedure in case of a request from a government agency. When a party to an agreement receives a request, it communicates it to the other party and does so before it sends a response.

Information transfer methods

The list of communication tools should be relevant for your company. For example:

• email;
• messengers: Whatsapp, Telegram, Slack;
• cloud data storages;
• web services for hosting IT projects and their joint development;
• remote conferencing programs: Skype, ZOOM, Google meet;
• task managers;
• providing access to databases, repositories, and libraries.

A fine for breach of agreement and obligation to pay damages

The fine must be commensurate with the damage, and the amount of the fine must be justified. We recommend setting it in the liability section, with a clear list of actions that lead to penalties. And to simplify the procedure for repaying the fine, indicate the terms and methods of payment.

How to prove the violation and the amount of damage?

As evidence of the amount of damage, we suggest using:

• Financial auditor's reports.
• The examination conclusions help to establish copyright infringement and intellectual proprietary object theft.
• Conclusions of independent IT specialists. For example, a game programmer left for a competing company. An IT specialist has diagnosed that a competitor's game uses a feature developed by your company. Such a conclusion will confirm that the development was stolen.
• Witnesses testimonies on disclosure.
• Written evidence: non-disclosure agreement; digital utilities that generate and transmit confidential information: Jira, Asana, Confluence.
• Audio and video conversations recordings that indicate disclosure.
• Electronic evidence: business correspondence via email, instant messengers; voice messages; screenshots; publications in social networks; information from websites or mobile applications, cloud storage and others.

The case of Elon Musk and Twitter is a relevant example of how even tweets become evidence in court. Throughout 2022, the world has been following the deal between Elon and Twitter. In mid-April, the billionaire offered to buy the social network for US$44 billion. But already in May, he suspended the deal. Elon felt that Twitter had hidden false information about spam and fake accounts. In his opinion, about 20% of Twitter users are spam bots. But social network representatives said that it is only 5%.

Then Twitter filed a lawsuit against the billionaire in Delaware, which will decide whether Elon Musk should close the deal at the agreed price. Moreover, Elon violated the NDA. Here is one of the tweets that goes against the privacy regime. Here, Elon shares information on Twitter's sample size for spam evaluation.

But the most interesting thing is that the billionaire himself admitted that he violated the NDA.

Likely, he didn’t plan that the case would go to court, and his tweets would be used as evidence of his dishonest behavior.

What is considered an NDA violation?

The document text should contain a list of actions considered a confidentiality violation: non-compliance with the company's rules on the storage and transfer of confidential information, transfer of information to competitors, posting data in open sources, poaching employees or creating competing products.

For example, in Sirona Dental Systems Inc. v. Jian Lu, the plaintiff received $6.8 million in compensation. Sirona Dental Systems is a global manufacturer of dental technology. The company developed the Apollo DI product, which combines optical imaging software and hardware. In 2013, employee Jian Lu left Sirona Dental Systems Inc. In 2014, Sirona learned that two companies owned by Jian Lu in China had created a copy of Apollo DI and brought the product to market. Sirona's lawyers sued for misappropriation of trade secrets and an NDA agreement violation. The company won the case in a California court.

In May 2022, Tesla accused engineer Alexander Yatskov of stealing Dojo technology. There is a Tesla training computer with a neural network that processes the data needed to train artificial intelligence in Tesla self-driving cars. The company accuses the employee of downloading information to his devices and refusing to return it. In addition, the engineer sent emails with classified Tesla information to his email.

As you can see in the cases of Sirona Dental Systems and Tesla, employees performed different actions, but all of them are considered a violation of the NDA.

The practice of American courts clearly shows that, next to NDA obligations, there are often others: non-competition agreement (NCA) and non-poaching agreement (NSA). In addition, the confidentiality regime violation leads to criminal proceedings. The Office of the United States Attorney charged Ishan Wahi, a former product manager at Coinbase, with revealing confidential information about new cryptocurrency assets listing.

Ishan Wahi was a member of a channel for Coinbase employees who participated in the listing process. Here, staff discussed the new listings of digital assets, including the timing and dates of the announcement. Due to the popularity of exchanges, cryptocurrencies often rise in value after Coinbase announces their listing. Traders call this the "Coinbase effect." Therefore, the exchange prohibits employees from distributing any non-public information. According to Nasdaq media, Ishan was transmitting his brother and friend information about at least 25 cryptocurrencies that Coinbase planned to list. They bought digital assets through anonymous crypto wallets. In total, the scam generated approximately $1.5 million in profits. Ishan Wahi tried to flee the US but was arrested before he could board a flight to India. He faces up to 20 years in prison.

Jurisdiction - where will the dispute be considered?

The contract parties choose the court of which country will consider the dispute.

Why do you need to decide on jurisdiction before you draft the NDA?

Each country has local laws that govern the signing of the NDA. For example, you have chosen the jurisdiction of Washington. Then you should know that the Silenced No More Act has been in effect in this state since June 2022. The law allows employees to disclose any facts of discrimination and violation of rights. It includes speaking freely about illegal recruitment practices and work conditions violations.

Similar laws have been passed in California, Maine, Oregon, and Hawaii. In addition, this practice extends beyond the United States. In May 2022, the province of PEI in Canada passed a similar law.

In January 2022, the court made the first decision in California based on the NDA restriction act. The Google was the defendant in the case. The court ruled that the company's NDA was too broad and violated labor laws. Namely, Google prohibited employees from discussing past experiences in interviews with potential employers.

IT lawyers' recommendations

• Focus on the IT company product when defining the concept of confidential information in the NDA.
• Retain ownership of the skills, development methodology, internal software solutions and approaches, and know-how you use to create a product.
• Provide the right to publish cases in the portfolio. It is crucial to describe the information that is acceptable to use in press releases.
• Make sure the NDA with the team includes the obligation not to disclose clients' confidential information.

Such terms are the basis of the non-disclosure agreement, which provides for potential violations cases. It is essential to detail the provisions, responsibilities, confidentiality retention periods, penalties, and how such information is shared. The ability to recover fines and damages, compensate for the damage caused to the company, and protect the business from financial losses and conflicts depend on this.