NDA and protection of confidential information
1) Goals and principles
NDA (Non-Disclosure Agreement) and internal policies protect:
- business secrets (anti-fraud algorithms, bonus profiles, ML models, RNG mathematics);
- negotiation materials (price lists, offers, M&A, due diligence);
- technical processes and sources (architecture, IaC, API diagrams, keys);
- partner data (SDKs, roadmaps, betas);
- personal/business data (within the scope of a DPA/DSA).
Principles: need-to-know, traceability, encryption by default, separation of roles/responsibilities, "clean room" for joint development.
2) Classification and marking of information
Assign each document a classification level and the handling rules that go with it. Marking: '[CONFIDENTIAL]', data owner, release date, link to the ticket/access reason.
3) Trade secrets mode
Legal act/policy: list of information, protection measures, responsibility.
Technical measures: RBAC/ABAC, access logs, DLP, watermarking, print/screenshot control.
Organizational: onboarding/offboarding checklists, training, non-disclosure agreements, prohibition to bring/take out media without registration.
Document discipline: versions, artifact registry, labeling, "secret" channels (closed spaces/repositories).
4) Types of NDA
One-way: only one party discloses (typically the SDK provider).
Mutual: exchange of confidential information in both directions (negotiations, integrations).
Multilateral: consortia, joint pilots.
NDA + NCA: a non-circumvention clause (prohibition on bypassing the intermediary) is added to the NDA.
NDA with developer/contractor: combine with Inventions/Assignment (rights to results).
5) Key sections of an NDA (what must be included)
1. Definition of Confidential Information: including oral disclosures (if confirmed in writing afterwards), electronic and tangible media; list typical examples (code, diagrams, prices, dashboards).
2. Exceptions: (i) publicly known without breach; (ii) already lawfully in the recipient's possession; (iii) developed independently (provably); (iv) disclosed to government agencies as required by law (with notice to the discloser).
3. Purpose of disclosure: specific (partnership evaluation, pilot, audit).
4. Obligations of the recipient: protection at least equal to that applied to their own confidential information; need-to-know; no copying beyond the stated purpose; no reverse engineering/benchmarking without consent.
5. Term and "survival": contract term (e.g. 2-5 years) plus post-term protection (e.g. 5-10 years, or indefinite for trade secrets).
6. Return/destruction: on request or on completion, return/deletion with written confirmation; backups remain under the retention regime until they expire automatically.
7. Audit and incident notifications: notification deadline (e.g. ≤72 hours), cooperation in the investigation.
8. Legal remedies: injunctive relief, compensation; liability caps do not apply to intentional breaches.
9. Applicable Law/Arbitration: Jurisdiction/Forum, Language, ADR/Arbitration.
10. Export/sanctions: prohibition on transfer to sanctioned persons/jurisdictions; compliance with export control (cryptography).
11. "Residual Knowledge" (as negotiated): whether the recipient's employees may use "unrecorded knowledge" retained in memory (usually excluded or limited).
12. Subcontractors/Affiliates: only allowed with similar obligations and written consent.
13. Data protection (if PII): reference to DPA/DSA, role of parties (controller/processor), objectives/legal basis, cross-border transfers, retention period.
6) Linking NDAs to privacy and security
If personal data is transferred, an NDA is not enough: a DPA/DSA and GDPR (or local equivalent) measures are required (legal basis, data subject rights, DPIA for high-risk processing).
Technical controls: encryption in transit (TLS 1.2+) and at rest (AES-256), secret management, key rotation, MDM for devices, 2FA, SSO, minimizing PII in logs.
7) Access and exchange procedures
Channels: corporate domain mail, protected rooms (VDR, virtual data room), SFTP/mTLS, encrypted archives (AES-256 with the password sent out-of-band).
Ban: instant messengers without corporate integration, personal clouds, public links, unmanaged devices.
Control of printing/export, prohibition of personal flash media, geo-restrictions (geofencing).
8) Clean-room and co-development
Separate the "exposed" team (those who have seen the other party's material) from the "clean" team; store each party's artifacts separately.
Document sources and provenance.
For joint PoCs: agree on the rights to the results (joint ownership or assignment) and who owns derived data.
9) Risk Matrix (RAG: red/amber/green)
10) Checklists
Before exchanging information
- NDA signed (governing law/forum/term/exceptions/sanctions checked).
- Is a DPA/DSA needed? If yes, signed.
- Data owner and classification level assigned.
- Exchange channel and encryption agreed.
- Need-to-know list, VDR access/folders configured.
During the exchange
- File marking and version, watermarks.
- Access logs, no re-sharing without consent.
- File hashes recorded in the artifact register.
After completion
- Return/deletion and written confirmation.
- Accesses revoked, tokens/keys rotated.
- Post-audit: What to improve in processes/templates.
11) Templates (fragments of contractual clauses)
A. Definition and Exceptions
B. Commitments and Access
C. Term/Survival
D. Return/Destruction
E. Legal remedies
F. Export/Sanctions
G. Residual Knowledge (optional)
> The Parties agree that general skills and knowledge retained in the unaided memory of the Recipient's employees are not Confidential Information, provided there is no intentional memorization and use of source code/secret formulas. (It is recommended to exclude or severely restrict this clause in high-risk projects.)
12) Recommended registries (YAML)
12.1 NDA Register
```yaml
nda_id: "NDA-2025-0142"
counterparty: "GameProvider X Ltd"
type: "mutual"
purpose: "SDK integration and technical support"
term_months: 36
survival_years: 7
includes_dpa: true
export_sanctions_clause: true
residual_knowledge: "excluded"
owner: "Legal"
vault_folder: "vdr/providers/gpx"
```
12.2 Artifact Exchange Registry
```yaml
exchange_id: "XCH-2025-009"
nda_id: "NDA-2025-0142"
classification: "Confidential"
channel: "VDR"
files:
  - "api_specs_v3.pdf" # sha256:...
  - "kpis_q1.xlsx" # sha256:...
recipients: ["a.smith@gpx.com", "techlead@gpx.com"]
access_start: "2025-11-05"
access_end: "2026-01-31"
destroy_confirmed: false
```
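The "hash sums/artifact register" item of the checklist and the 12.2 registry above become useful only if someone actually computes the hashes at registration time and re-checks them on receipt. The following is an added example, not code from the original page: it builds a 12.2-style record (as a Python dict mirroring the YAML keys; serializing it with PyYAML is left out so the block runs on a bare interpreter), hashes files in chunks, verifies a received folder against the register, and flags records whose access window has closed without a destruction confirmation. File names, ids, dates and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile
from datetime import date

CHUNK_SIZE = 1 << 16  # hash large files without loading them into memory


def sha256_file(path):
    """Streaming SHA-256 of a file, hex encoded (the value behind '# sha256:...')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_exchange_record(exchange_id, nda_id, classification, channel,
                          paths, recipients, access_start, access_end):
    """One 12.2-style exchange record; every file is hashed at registration time."""
    return {
        "exchange_id": exchange_id,
        "nda_id": nda_id,
        "classification": classification,
        "channel": channel,
        "files": [{"name": os.path.basename(p), "sha256": sha256_file(p)} for p in paths],
        "recipients": list(recipients),
        "access_start": access_start,
        "access_end": access_end,
        "destroy_confirmed": False,
    }


def verify_received(record, received_dir):
    """Check a received folder against the register.

    Returns a list of findings; an empty list means every registered file is
    present with the registered hash and nothing unregistered was delivered.
    """
    findings = []
    expected = {f["name"]: f["sha256"] for f in record["files"]}
    for name, digest in expected.items():
        path = os.path.join(received_dir, name)
        if not os.path.isfile(path):
            findings.append(f"missing: {name}")
        elif sha256_file(path) != digest:
            findings.append(f"hash mismatch: {name}")
    for name in sorted(os.listdir(received_dir)):
        if name not in expected:
            findings.append(f"unregistered file: {name}")
    return findings


def destruction_due(record, today_iso):
    """True once the access window has closed and destruction is not yet confirmed."""
    return (date.fromisoformat(record["access_end"]) < date.fromisoformat(today_iso)
            and not record["destroy_confirmed"])


def demo():
    """Constructed scenario: register two files, deliver them, then tamper with one."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        spec = os.path.join(src, "api_specs_v3.pdf")
        kpis = os.path.join(src, "kpis_q1.xlsx")
        with open(spec, "wb") as f:
            f.write(b"%PDF-1.7 constructed sample, not a real spec\n")
        with open(kpis, "wb") as f:
            f.write(b"constructed sample spreadsheet bytes\n")
        record = build_exchange_record(
            "XCH-2025-009", "NDA-2025-0142", "Confidential", "VDR",
            [spec, kpis], ["a.smith@gpx.com", "techlead@gpx.com"],
            "2025-11-05", "2026-01-31")
        # Faithful delivery: copy both files unchanged.
        for p in (spec, kpis):
            with open(p, "rb") as s, open(os.path.join(dst, os.path.basename(p)), "wb") as d:
                d.write(s.read())
        clean = verify_received(record, dst)
        # Now modify one file and drop in an unregistered one, as a tampered delivery would.
        with open(os.path.join(dst, "kpis_q1.xlsx"), "ab") as f:
            f.write(b"edited after registration\n")
        with open(os.path.join(dst, "notes.txt"), "wb") as f:
            f.write(b"not in the register\n")
        tampered = verify_received(record, dst)
        return record, clean, tampered


if __name__ == "__main__":
    rec, ok, bad = demo()
    print("clean delivery:", ok or "OK")
    print("tampered delivery:", bad)
    print("destruction due on 2026-02-01:", destruction_due(rec, "2026-02-01"))
```

The receiving side should run the equivalent of `verify_received` before opening anything: a hash mismatch means the artifact is not the one the register vouches for, and an unregistered file is an exchange that happened outside the agreed channel.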
13) Security Policies and Practices (Brief)
Devices: corporate, full disk encryption, MDM, BYOD ban for "Secret."
Access: SSO/2FA, conditional access (geo/device), temporary roles (just-in-time).
Logs: retention and monitoring of access; alerts on bulk downloads and access at unusual hours.
DLP: block attachments sent outside the domain or without encryption; watermark PDFs.
Convenience: secure room templates (VDR), ready-made archive encryption scripts, standard NDA/DPA.
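The two alerts named under "Logs" (bulk download, unusual hours) are simple enough to implement directly over a VDR audit trail. The following is an added example, not code from the original page: it parses constructed audit lines of the form `timestamp user action file` (an assumed format; real VDR exports differ), keeps a sliding window of downloads per user, and raises a `bulk_download` alert when the window fills and an `off_hours` alert for any action outside business hours. Thresholds are parameters, and the sample log is generated inline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse 'ISO-timestamp user action file'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def detect(lines, max_downloads=10, window_minutes=10, business_hours=(8, 20)):
    """Run both rules over the log; return alerts in the order they fire."""
    alerts = []
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of downloads inside the window
    last_bulk_alert = {}          # user -> when we last alerted, to avoid re-alerting every event
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skipped here, would be counted separately in production
        ts, user, action, name = ev
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append({"rule": "off_hours", "user": user,
                           "at": ts.isoformat(), "file": name})
        if action == "download":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            already = user in last_bulk_alert and ts - last_bulk_alert[user] <= window
            if len(q) >= max_downloads and not already:
                last_bulk_alert[user] = ts
                alerts.append({"rule": "bulk_download", "user": user,
                               "at": ts.isoformat(), "count": len(q)})
    return alerts


def build_sample_log():
    """Constructed audit lines: normal use, one late-night download, one bulk export."""
    lines = [
        "2025-11-06T09:12:03 a.smith@gpx.com download api_specs_v3.pdf",
        "2025-11-06T09:15:41 a.smith@gpx.com view kpis_q1.xlsx",
        "2025-11-06T23:40:10 techlead@gpx.com download api_specs_v3.pdf",
        "this line is corrupt and must not crash the detector",
    ]
    base = datetime(2025, 11, 7, 10, 0, 0)
    for i in range(12):  # twelve downloads in under six minutes
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} techlead@gpx.com download report_{i:02d}.pdf")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The threshold and window are the tuning knobs: set them from a few weeks of baseline per role (a reviewer legitimately opens many files, an integrator rarely does), and treat `bulk_download` as a trigger for the "freeze sessions" step of section 14 rather than as proof of misuse.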
14) Incident Management (in context of NDA)
1. Record: what, when, who, which files/repositories; freeze active sessions.
2. Isolation: revoke access/keys; place affected cloud storage on temporary hold ("freeze").
3. Notification: data owner, lawyers, partners; for PII, per the DPA/GDPR.
4. Investigation: log collection, forensics, assessment of the damage.
5. Remediation: rotate secrets, patch, update playbooks, lessons learned.
6. Legal measures: claims under the NDA, compensation.
15) Mini-FAQ
Is NDA enough for personal data? No, you need DPA/DSA and privacy measures.
Can confidential material be sent via messenger? Only through an enterprise-approved, end-to-end encrypted one with DLP/logging enabled.
How much to store materials? As much as required by the objective/contract; upon completion - return/deletion with confirmation.
Do I need to encrypt internal drives? Yes, full disk + file/secret encryption.
16) Conclusion
The NDA is just the tip of the iceberg. Real protection is based on trade secrets, privacy (DPA), strict technical and organizational controls, exchange discipline and quick incident response. Standardize templates, create registers and playbooks - and your secrets, code and negotiations will remain an asset, not a vulnerability.