Receiving Party Obligations Email Templates

Hi [Name], The current draft requires us to protect your information using "the highest degree of care" or "the same care we would use for our most sensitive information." This standard is problematic. We use different levels of protection for different types of information. Requiring us to apply our highest security measures to all of your confidential information, regardless of its sensitivity, is operationally impractical and disproportionate. The market-standard approach is: "The Receiving Party shall protect Confidential Information using the same degree of care it uses to protect its own confidential information of like kind, but in no event less than reasonable care." This formulation: - Ties the obligation to our actual practices (which work for our business) - Establishes a floor of "reasonable care" to protect you - Is the approach used in the majority of commercial NDAs We are prepared to commit to reasonable protective measures, but not to an undefined "highest" standard. Best regards, [Your Name]

Hi [Name], The NDA specifies particular security measures including [encryption standards / access logging / specific storage requirements / security certifications]. We need to discuss these requirements. Our concerns: 1. Mandating specific technical measures may not align with our existing security infrastructure, which is designed for our business and has been independently validated. 2. Technology evolves rapidly. Specific measures that are state-of-the-art today may become outdated or be superseded by better approaches. 3. We may already have equivalent or superior protections using different technologies. We propose replacing the specific requirements with an outcomes-based approach: "The Receiving Party shall implement and maintain administrative, technical, and physical safeguards designed to protect the confidentiality and security of Confidential Information, which safeguards shall be consistent with industry standards for information of similar sensitivity." If you have specific security concerns, we are happy to discuss our actual security practices or provide documentation of our security program. We simply cannot commit to specific technical requirements that may not integrate with our systems. Best regards, [Your Name]

Hi [Name], The use restriction stating that we may only use Confidential Information "solely for the Purpose" needs clarification or modification. The "Purpose" as currently defined is narrow: "[evaluating a potential business relationship]." However, information we learn during this evaluation may inevitably inform our general business thinking, even if we do not specifically "use" it in a technical sense. For example: - Learning about market trends that affect our industry broadly - Understanding general technical approaches (not your specific implementation) - Gaining context about competitive dynamics We are not seeking to misuse your proprietary information. We are seeking clarity that incidental knowledge retention and general learning do not constitute a breach. We propose adding: "Notwithstanding the foregoing, the Receiving Party shall not be liable for the use of Residual Information, meaning general ideas, concepts, know-how, or techniques that are retained in the unaided memories of the Receiving Party's personnel who have had access to Confidential Information, provided that the Receiving Party has not intentionally memorized Confidential Information for the purpose of retaining and using it." This is commonly called a "residuals clause" and is increasingly standard in commercial agreements. Best regards, [Your Name]

Hi [Name], The breach notification clause requires us to notify you "immediately" upon becoming aware of any unauthorized disclosure. We need to modify this requirement. "Immediate" notification is impractical because: 1. We need time to investigate and confirm an actual breach occurred 2. We need to assess the scope and nature of the disclosure 3. Premature notification could create unnecessary alarm or confusion We propose: "The Receiving Party shall notify the Disclosing Party in writing within [72 hours / 5 business days] of becoming aware of any unauthorized disclosure or use of Confidential Information, or any breach of this Agreement. Such notice shall include, to the extent known: (a) a description of the nature of the breach; (b) the categories of Confidential Information affected; and (c) the steps being taken to address the breach." This approach: - Provides a specific, achievable timeframe - Allows us to provide meaningful information rather than just an alert - Aligns with data breach notification standards in most jurisdictions Best regards, [Your Name]

Hi [Name], The proposed "reasonable care" standard is insufficient for the type of information we will be sharing. We are disclosing [trade secrets / highly sensitive financial data / proprietary algorithms / personal data] that requires protection beyond general commercial standards. A breach of this information could result in [significant competitive harm / regulatory violations / reputational damage]. We need to elevate the standard of care: "The Receiving Party shall protect Confidential Information using at least the same degree of care that it uses to protect its own most valuable confidential and proprietary information, but in no event less than a high degree of care. Without limiting the foregoing, the Receiving Party shall: (a) Limit access to Confidential Information to personnel who have a need to know and who are bound by confidentiality obligations; (b) Implement technical safeguards appropriate for highly sensitive information; (c) Maintain physical security measures to prevent unauthorized access; and (d) Monitor and audit compliance with the foregoing requirements." I understand this creates additional obligations, but the nature of our information requires it. We are happy to discuss what specific measures your organization has in place that would satisfy these requirements. Best regards, [Your Name]

Hi [Name], Given the sensitivity of the information we will be sharing, we need to include specific security requirements in the NDA. We propose adding the following obligations: "The Receiving Party shall implement and maintain the following minimum security measures with respect to Confidential Information: (a) Encryption: All Confidential Information shall be encrypted using AES-256 or equivalent encryption when stored or transmitted; (b) Access Controls: Access to Confidential Information shall be restricted to authorized personnel using role-based access controls and multi-factor authentication; (c) Audit Logging: The Receiving Party shall maintain logs of access to Confidential Information and make such logs available for review upon request; (d) Security Training: Personnel with access to Confidential Information shall complete security awareness training; and (e) Incident Response: The Receiving Party shall maintain an incident response plan and notify the Disclosing Party within [24/48/72] hours of any security incident affecting Confidential Information." These requirements reflect industry best practices for sensitive information. If any specific requirement is problematic for your infrastructure, we are open to discussing equivalent alternatives. Best regards, [Your Name]

Hi [Name], We cannot accept the proposed residuals clause. Our concerns: 1. The "unaided memory" carve-out creates an enormous loophole. Your personnel could read our detailed technical specifications, memorize key elements, and then use that knowledge without restriction. 2. The distinction between "intentional" and "unintentional" memorization is subjective and unenforceable. How would we ever prove someone intentionally memorized something? 3. We are sharing [specific algorithms / proprietary formulas / unique technical approaches] that are valuable precisely because they are not generally known. Allowing use of "general concepts" derived from this information defeats the purpose of the NDA. 4. Courts have increasingly scrutinized residuals clauses, with some finding they effectively nullify confidentiality protection. If your concern is about incidental learning, we can address this more narrowly: "Nothing in this Agreement shall restrict the Receiving Party from using general skills and experience gained in its industry, provided that the Receiving Party does not use or disclose any specific Confidential Information of the Disclosing Party." This protects your ability to continue operating in your field without creating a blanket exception for information that happens to be memorable. Best regards, [Your Name]

Hi [Name], The NDA needs stronger provisions regarding the return or destruction of Confidential Information upon termination. We propose adding: "Upon termination or expiration of this Agreement, or upon request by the Disclosing Party at any time, the Receiving Party shall: (a) Promptly return to the Disclosing Party, or at the Disclosing Party's option, destroy all Confidential Information in the Receiving Party's possession or control, including all copies, extracts, and summaries thereof; (b) Permanently delete all electronic copies of Confidential Information from all systems, devices, and storage media; (c) Direct its Representatives to comply with the foregoing requirements; and (d) Certify in writing, signed by an authorized officer, that all Confidential Information has been returned or destroyed in accordance with this Section. Notwithstanding the foregoing, the Receiving Party may retain copies of Confidential Information (i) to the extent required by applicable law or regulation, or (ii) in archived backup systems, provided that all retained Confidential Information remains subject to the confidentiality obligations of this Agreement." The certification requirement is important because it provides documented assurance of compliance and creates personal accountability. Best regards, [Your Name]