The Illusion of Control in NDAs and SOWs
Standard non-disclosure agreements and statements of work typically include language like:
Confidentiality: Contractor agrees to maintain strict confidentiality of all Client information, data, work product, and communications. Contractor shall not disclose Confidential Information to any third party without Client's prior written consent.
AI and Automated Tools: Contractor shall not use artificial intelligence, machine learning, or automated decision-making tools to process, analyze, or generate any portion of the work product without Client's explicit written authorization.
Data Sharing: Contractor shall not upload, transmit, or otherwise make available any Confidential Information to third-party platforms, cloud services, or SaaS tools except as necessary to perform the services and with Client's prior approval.
These clauses look protective on their face. But when your freelancer works through Upwork, Fiverr, Freelancer.com, or PeoplePerHour, platform terms sit between you and your contractual promises—and they often authorize exactly what your NDA tries to prevent.
Why This Matters Now
As platforms build AI features powered by user data:
- Upwork trains models on work product and communications (if both parties are opted in, which is the default from Jan 5, 2026)
- Fiverr built Fiverr Go on "billions of past interactions" and Personal AI Assistant on "past interactions"
- PeoplePerHour explicitly states "messages are not confidential"
- Freelancer.com treats most uploaded content as "non-personal information" outside privacy protections
Your private NDA with a freelancer doesn't control what the platform does with data uploaded to its systems. This creates a gap between what you promised your clients and what actually happens to their data.
Where Platform Terms Can Undercut Your NDA
Case Study 1: PeoplePerHour's "Not Confidential" WorkStream
🚨 The Explicit Anti-Confidentiality Clause
PeoplePerHour's privacy policy states:
"Messages are not private and are not confidential."
This applies to WorkStream—the platform's messaging tool where you and your freelancer discuss scopes, budgets, deliverables, and trade secrets.
The tension:
- Your NDA with the freelancer promises strict confidentiality.
- PeoplePerHour's terms explicitly say WorkStream messages are "not confidential."
- PeoplePerHour encourages all communication through WorkStream for "safety" and dispute resolution.
What happens in a dispute: If your freelancer shares confidential client information through WorkStream and it leaks, you'll argue they breached the NDA. They'll argue that WorkStream messages were contractually "not confidential" per the platform terms, which you implicitly accepted by hiring through PeoplePerHour.
Case Study 2: Freelancer.com's "Non-Personal" UGC
🚨 Your Attachments May Be "Non-Personal Information"
Freelancer.com treats most "User Generated Content"—including project descriptions, bids, attachments, and messages you intend to share—as non-personal information explicitly outside the privacy policy.
Once labeled "non-personal," this content can be used for analytics, rankings, automated decision-making, and potentially AI training without the constraints of privacy law or confidentiality expectations.
The tension:
- Your NDA says "no disclosure to third parties."
- You upload a proprietary algorithm, design spec, or client dataset to Freelancer.com as an attachment.
- Freelancer.com's terms classify that attachment as "non-personal UGC" available for internal use.
Result: Freelancer.com can legally mine your uploaded files for marketplace insights, recommendation algorithms, or future AI features—because you agreed to their terms when you posted the project.
Case Study 3: Fiverr's "Say No If You Want" Default
⚠ Burden on Buyer to Object to AI Use
Fiverr's AI guidelines state that AI use is allowed unless the buyer clearly specifies "no AI" in the order requirements. Sellers are not required to list AI tools in gig descriptions.
If you don't explicitly say "no AI" in your Fiverr order, the seller may use ChatGPT, Midjourney, or other tools on your project—even if your separate NDA prohibits it.
The tension:
- Your NDA says "no AI tools without written authorization."
- You hire a Fiverr seller without reading Fiverr's AI guidelines.
- You don't include "no AI" in the Fiverr order form.
- Seller uses AI tools, reasoning that Fiverr's terms permit it and you didn't object.
NDA enforcement problem: The freelancer can argue they followed Fiverr's rules, which you implicitly accepted by using the platform. Your "no AI" clause in a separate NDA conflicts with Fiverr's default-permissive stance, creating a gray area.
Upwork as a Partial Solution
✓ Upwork's NDA-Friendly Features
- AI Preferences + Double Opt-In: You can configure your account to opt out of work product and communications training, and the freelancer must also opt out for the contract to be excluded. This aligns reasonably well with "no AI" clauses.
- Prospective Scope: The new AI license doesn't grab historical data, reducing retroactive exposure.
- No Third-Party Training: Upwork promises not to use customer data to train third-party models, which helps with "no vendor sharing" clauses.
⚠ Where Upwork Still Falls Short
- Platform-level access persists: Even with AI opt-outs, Upwork employees can access messages and files for trust & safety, support, disputes, and compliance.
- Vendor data flows: Data passes through AWS, OpenAI, and other subprocessors. While contracts prohibit training, your confidential information still touches external systems.
- Default opt-in: If you or your freelancer forget to configure AI Preferences, you're opted in by default from Jan 5, 2026.
Drafting NDA and SOW Clauses That Account for Marketplace Realities
If you must hire through public marketplaces and still want enforceable confidentiality, your contracts need to explicitly address platform terms.
Clause 1: Platform AI Configuration Requirement
Platform AI and Data Use
Where Contractor performs services through a freelance marketplace or platform (including but not limited to Upwork, Fiverr, Freelancer.com, PeoplePerHour), Contractor agrees to:
(a) Configure all available platform settings to prevent Client data, communications, and work product from being used to train artificial intelligence models, recommendation engines, or any automated decision-making systems;
(b) Opt out of any "AI Preferences," "data use for training," or similar settings that permit platform use of project data;
(c) Provide written confirmation of compliance with subsections (a) and (b) within 24 hours of contract execution, including screenshots of relevant settings where available;
(d) Maintain opt-out status throughout the engagement and notify Client immediately if platform terms change in ways that affect data use.
Failure to comply with this section constitutes a material breach of this Agreement and may result in immediate termination and liability for damages.
Clause 2: Upload and Communication Restrictions
Restrictions on Platform Data Sharing
(a) Prohibited uploads: Contractor shall not upload to any freelance marketplace or third-party platform: (i) Client's confidential information in unredacted form; (ii) production databases or datasets containing personally identifiable information (PII); (iii) proprietary source code, algorithms, or trade secrets; (iv) Client names, project details, or any information that could identify Client or Client's customers.
(b) Communication channels: Routine project coordination (scheduling, status updates, general questions) may occur through platform messaging. All substantive discussions involving Confidential Information, strategic decisions, client-specific details, or proprietary methods must occur via encrypted email at [specify email] or Client's designated secure communication tool.
(c) Redaction requirement: Where Contractor must share work samples or documentation through a platform for Client review, Contractor shall redact or anonymize all Confidential Information before upload.
Clause 3: Platform Terms Subordination
Conflict Between Platform Terms and This Agreement
In the event of any conflict between the terms of service, privacy policy, or data use policies of any freelance marketplace or platform and the confidentiality, data protection, or AI use provisions of this Agreement, the terms of this Agreement shall control as between Client and Contractor.
Contractor acknowledges that platform terms may permit the platform itself to access, analyze, or use data in ways inconsistent with this Agreement. Contractor agrees to minimize such exposure by:
(i) Using platform features only to the extent necessary for contract administration;
(ii) Keeping Confidential Information off-platform wherever feasible;
(iii) Configuring all available privacy and AI opt-out settings as specified in this Agreement.
Contractor further agrees to indemnify and hold harmless Client from any damages arising from Contractor's failure to comply with these requirements or from platform misuse of data uploaded by Contractor in violation of this Agreement.
Clause 4: Separate Channels for Privileged Work
For attorney-client, HIPAA-covered, or otherwise regulated engagements:
Privileged Communications and Regulated Data
The parties acknowledge that [this engagement involves attorney-client privileged communications / HIPAA-covered protected health information / export-controlled technical data / other regulated content].
Accordingly:
(a) Platform use limited to non-privileged coordination: Freelance marketplace messaging and file-sharing features may be used only for non-confidential administrative matters (invoicing, scheduling, general availability).
(b) Privileged/regulated work occurs off-platform: All substantive legal advice, case strategy, client communications, [PHI / regulated data] shall be exchanged exclusively via:
• Encrypted email: [attorney@lawfirm.com using PGP/S/MIME]
• Secure client portal: [URL]
• [HIPAA-compliant platform with executed BAA]
(c) No platform upload of privileged/regulated content: Contractor shall not upload case files, client information, [PHI], or any privileged documents to the freelance marketplace under any circumstances.
(d) Breach consequences: Contractor acknowledges that uploading privileged or regulated content to a non-compliant platform may constitute: (i) waiver of attorney-client privilege; (ii) HIPAA violation subject to federal penalties; (iii) breach of professional ethics rules; (iv) material breach of this Agreement. Contractor agrees to indemnify Client for all damages arising from such breach.
Decision Tree: Should You Use a Marketplace for This Project?
When Marketplaces Are Acceptable (with Precautions)
- ✓ Public marketing content (blogs, social posts, generic graphics)
- ✓ Internal documentation that doesn't contain trade secrets
- ✓ Data entry or VA tasks using synthetic/test data
- ✓ Design work based on public brand guidelines
Precautions: Use Upwork with AI opt-outs configured. Include platform-aware NDA clauses. Redact sensitive details from uploads.
When to Avoid Public Marketplaces Entirely
- ✗ Attorney-client privileged communications or litigation work
- ✗ HIPAA-covered PHI or healthcare records
- ✗ Financial services work involving customer data or proprietary trading algorithms
- ✗ M&A due diligence or other highly confidential corporate transactions
- ✗ Source code for production systems or proprietary software
- ✗ Government contracts with export control or classified data restrictions
Alternative: Use vetted vendors with dedicated DPAs/BAAs, security audits, and no-AI-training clauses. Or hire W-2 employees with comprehensive confidentiality agreements.
Playbook for In-House Counsel and Compliance Teams
- Audit current marketplace usage. Survey teams: who hires through Upwork/Fiverr/others? For what types of work? Have any uploaded client data, proprietary code, or regulated information?
- Classify work by sensitivity. Create tiers: public (blog posts, generic design), internal (non-proprietary docs), confidential (trade secrets, client data), regulated (HIPAA, attorney-client, export-controlled). Set platform policies for each tier.
- Update NDA and SOW templates. Add the platform-aware clauses from this article (or have counsel draft custom versions). Make AI configuration and upload restrictions explicit and enforceable.
- Create an approved-platform list. If Upwork is acceptable (with opt-outs), add it to the list. If PeoplePerHour's "not confidential" stance is unacceptable, ban it. Document the rationale.
- Train hiring managers. Most employees don't read platform terms. Provide a one-page guide: "If you hire on Upwork, you must configure AI Preferences to opt out and verify the freelancer does too. Here's how."
- Monitor platform policy changes. Assign someone (legal ops, privacy team) to track Upwork's AI Help Center, Fiverr's AI guidelines, and privacy policy update logs. Set quarterly reminders to re-check.
- Require freelancer acknowledgment. Add to onboarding: "By accepting this contract, you acknowledge receipt of Client's Platform Data Use Policy and agree to configure all marketplace settings as specified therein."
- Plan for breach scenarios. What happens if a freelancer uploads confidential data to a non-approved platform? Draft incident response procedures, including freelancer termination, platform notification, and client disclosure (if applicable).
Lessons from Recent Litigation
LinkedIn Private Messages Case (2025)
In 2025, a proposed class action alleged that LinkedIn used private messages of Premium customers to train generative AI models. LinkedIn denied the allegations and produced evidence that private messages weren't used; the case was voluntarily dismissed.
But the complaint highlighted key issues relevant to marketplace NDAs:
- Policy ambiguity: LinkedIn's updated privacy policy language suggested that data "may be used" for AI, leading users to fear retroactive training.
- Non-retroactive opt-outs: Even where "do not train" settings existed, they didn't apply to data collected before the setting was enabled—raising the question of whether past "confidential" messages were already in the training set.
- Reasonable expectation of privacy: Users argued that "private messages" created a reasonable expectation that content wouldn't be used for AI. LinkedIn's position was that its terms and privacy policy disclosed potential uses.
Lesson for NDA drafting: Don't rely on platform labels like "private" or "secure" messages. Explicitly address in your NDA what happens to data uploaded to third-party tools, and require freelancers to use only approved channels for truly confidential work.
Myth vs. Reality: Common Misconceptions
❌ MYTH
"If my NDA says 'confidential,' the freelancer can't share data with anyone, including the platform."
Your NDA binds the freelancer, not the platform. Once data is uploaded to Upwork, Fiverr, or any marketplace, platform terms govern how the platform can use it—regardless of your private agreement with the freelancer.
✓ REALITY
Your NDA must explicitly address platform data use and require the freelancer to configure settings that align with your confidentiality needs.
Use clauses like the examples above to create enforceable obligations around platform AI opt-outs, upload restrictions, and communication channels.
❌ MYTH
"Upwork's 'double opt-in' for AI training means my data is safe if I opt out."
Opting out of AI training prevents future use for model training (if both sides opt out). But it doesn't stop platform employees from accessing data for support, disputes, and compliance. It doesn't prevent vendor processing (AWS, OpenAI). And it doesn't delete data that was already used for training before you opted out.
✓ REALITY
Upwork's opt-outs are the best available control on major platforms, but they're not equivalent to "data never leaves your control."
For truly sensitive work, don't rely solely on platform settings. Move confidential discussions off-platform and use end-to-end encrypted channels.
❌ MYTH
"I hired through Fiverr but signed a separate NDA, so the Fiverr AI rules don't apply."
Your separate NDA creates obligations between you and the freelancer. But Fiverr's terms govern the platform's rights. If the freelancer uploads your work to Fiverr's system (which they must, to deliver through the platform), Fiverr Go can analyze "past interactions" for its AI—because that's what Fiverr's terms allow.
✓ REALITY
Private NDAs and platform terms operate in parallel. You need both aligned.
Either (a) use platforms with strong opt-outs (Upwork) and require the freelancer to configure them, or (b) use platforms only for non-confidential coordination and move real work to direct channels covered by your NDA.
Attorney Services: Platform-Aware Contract Drafting
Most companies discover the gap between their NDAs and platform realities after a data breach or leak. By then, confidential information may have already been used for AI training or exposed through platform systems.
I help companies draft enforceable, platform-aware NDAs and SOWs before problems occur—and remediate breaches when they've already happened.
How I Can Help
Services for Companies:
- NDA & SOW Review and Drafting: I draft platform-aware confidentiality agreements that explicitly address Upwork, Fiverr, and other marketplace terms, with enforceable AI opt-out requirements and upload restrictions
- Contract Template Updates: I revise your existing NDA and SOW templates to add the necessary platform-specific clauses
- Platform Policy Audit: I audit your current use of Upwork, Fiverr, and other platforms to identify where uploaded data may conflict with your confidentiality promises
- Vendor Due Diligence: I review freelance marketplace terms and help you select platforms that align with your confidentiality requirements
- Breach Response: When confidential data is exposed through platform AI training or leaks, I advise on remediation, demand letters, and potential litigation
Services for Freelancers:
- Client Contract Review: I review NDAs and SOWs from clients to identify conflicts with platform terms and help you negotiate reasonable modifications
- Platform Compliance Verification: I help you configure Upwork AI Preferences and other platform settings to comply with client confidentiality requirements
- Defense Against Breach Claims: When clients allege you violated confidentiality through platform use, I defend you and argue that you followed platform terms they implicitly accepted
Why This Requires Specialized Counsel
Platform-aware contract drafting sits at the intersection of contract law, data privacy, and platform economics. Generic business attorneys often lack the specific knowledge required:
- Platform terms expertise: Understanding how Upwork's double opt-in, Fiverr's AI guidelines, and other marketplace policies actually work—not just what the privacy policies say
- Enforceable clause design: Drafting obligations that are specific enough to be enforceable but flexible enough to accommodate platform operational requirements
- Risk allocation: Knowing which confidentiality promises are realistic on platforms vs. which require off-platform workflows
- Breach remediation: What to do when data is already exposed through platform systems and standard remedies don't apply
My Background
I am a Top Rated Plus attorney on Upwork, which gives me firsthand insight into how the platform actually works from a freelancer's perspective. I understand both sides of the marketplace relationship and how to draft contracts that protect clients while being realistic about platform constraints.
Schedule a Contract Drafting Consultation
Whether you're building platform-aware NDAs from scratch, responding to a confidentiality breach, or defending against client allegations, I provide practical, enforceable solutions.
Send me your current NDA/SOW templates, information about which platforms you use, and what types of confidential data you need to protect. I'll evaluate your exposure and draft or revise contracts to close the gaps.
Email: owner@terms.law
NDA/SOW drafting: ~$450 (typically 2 hours @ $240/hr). Template updates: $240-$480. Contract review: $240/hr. Breach response: hourly or contingency arrangements available.