Negotiation Principles for Tech NDAs
Software NDAs require a different negotiation approach than standard business NDAs. Technical teams often care more about practical access controls than legal language, while legal teams focus on liability caps and indemnification. This playbook bridges that gap with battle-tested negotiation strategies.
The key is understanding which provisions are critical (source code ownership, breach notification), which are negotiable (residuals clauses, term length), and which are deal-breakers worth walking away over (unlimited liability, broad IP assignments).
Protect Your Core IP
Source code, algorithms, and architecture are non-negotiable. Never accept broad residuals clauses or weak derivative work provisions.
Balance Risk & Access
More restrictive NDAs slow down collaboration. Find the right balance between protection and practical development workflows.
Time-Box Everything
Indefinite confidentiality is unreasonable for most tech. Push for 2-5 year terms with automatic renewal for truly proprietary information.
Source Code Ownership & Derivative Works
Never concede ownership of your source code. Ensure derivative work provisions are clear and favor the disclosing party.
Credential Access Scope & Revocation Rights
Maintain an absolute right to revoke credentials immediately. Never accept provisions requiring notice before revocation.
Breach Notification Timeline
Push for immediate (1-4 hour) notification of suspected breaches. 24-48 hours is too long for credential compromises.
Residuals Clause Scope
Residuals are necessary but must exclude specific algorithms, data structures, and architectural patterns.
Indemnification Caps
Uncapped indemnification is unreasonable. Negotiate caps tied to contract value or specific dollar amounts.
Governing Law & Venue
Usually not worth fighting over unless you have specific jurisdiction concerns. Focus on substantive provisions.
Negotiating Source Code Access Terms
Derivative Works Clause
Protect ownership of all code created during engagement
Problematic Language
Better Alternative
Residuals Clause
Balance developer rights with IP protection
Too Broad (Risky)
Properly Scoped
Reverse Engineering
Absolute prohibition - never concede
Non-Negotiable
Reverse engineering prohibitions should be comprehensive and without exceptions. Any carve-outs create exploitable loopholes.
Access Duration
Acceptable concession area
Negotiation Tip
Duration is often negotiable without significant risk. If they push back on 90-day access, offering 180 days with milestone checkpoints is reasonable.
Negotiating Credential Handling Terms
Unacceptable Terms
"Disclosing Party shall provide 48 hours notice before revoking any credentials, allowing Receiving Party to complete in-progress work and extract necessary data."
Required Protection
"Disclosing Party may revoke any and all credentials immediately, without notice, for any reason or no reason. Receiving Party acknowledges that access may be terminated at any time without liability."
Revocation Rights
Never accept notice requirements for credential revocation
Red Line Issue
Any delay in credential revocation leaves live access in the hands of a party you have already decided to cut off. A bad actor given 48 hours' notice can exfiltrate massive amounts of data in that window.
Audit Rights
Essential for credential usage monitoring
Require Full Audit Access
You must retain the right to audit credential usage, request logs, and investigate any suspicious activity without prior notice.
Negotiating API Access Restrictions
Pro Tip: Rate Limits as Negotiation Leverage
API rate limits and usage quotas are excellent negotiation chips. They cost you little to increase but have high perceived value to the receiving party. Use generous rate limits as a concession when you need to hold firm on more important provisions like breach notification timelines or indemnification caps.
Rate Limiting Terms
Negotiable - use as leverage
Negotiation Strategy
Start with conservative limits (1,000 requests/day) and use increases as concessions. Moving to 10,000/day costs you nothing but feels like a win for them.
Concession: "We can increase to 10,000 requests/day if you accept our breach notification timeline."
API Documentation Confidentiality
Protect internal API specs
Critical Protection
Internal API documentation often reveals system architecture and security patterns. Treat it as highly confidential even if the API itself is semi-public.
Responding to Common Pushback
"Your breach notification timeline is unreasonably short"
Response: "In software development, credential compromises can cause catastrophic damage within hours. 24-48 hours is standard for most NDA breaches, but credential and source code breaches require immediate action. We can tier the timeline: 1 hour for credential/access breaches, 24 hours for other confidential information."
"The residuals clause is too restrictive - our developers will be unable to work"
Response: "We're protecting specific implementations, not general programming knowledge. Your developers can use standard patterns and techniques learned elsewhere. We're only restricting our proprietary algorithms and architectural approaches that give us competitive advantage. Let's enumerate specific exclusions so there's no ambiguity."
"We need joint ownership of derivative works"
Response: "Joint ownership creates enforcement nightmares - neither party can license without the other's consent. If you need rights to improvements you make, we can discuss a license-back provision for specific documented enhancements, but ownership must remain clear."
"Unlimited indemnification is our standard term"
Response: "Unlimited indemnification is disproportionate to the engagement value and creates existential risk. We propose capping indemnification at 2x the contract value, with carve-outs for willful misconduct and gross negligence which would remain uncapped."