January 15, 2026

Ultimate Guide to NDAs in SMB Acquisitions

When buying or selling a small or medium-sized business, sharing sensitive information is unavoidable. NDAs are legal contracts designed to protect this data, ensuring confidentiality and safeguarding both parties during negotiations. Without them, leaks of financial records, customer lists, or trade secrets could lead to severe disruptions.

Key Takeaways:

  • Purpose of NDAs: Protect sensitive information during business evaluations.
  • Types: One-way NDAs (only one party shares info) and mutual NDAs (both parties share info).
  • Critical Clauses: Define what’s confidential, restrict use of data, set confidentiality durations, and include non-solicitation clauses.
  • Common Mistakes: Avoid vague definitions, missing remedies for breaches, and unclear terms.
  • Enforcement: Breaches can be addressed through legal tools like injunctions and damages.

NDAs are the first step in securing trust and professionalism in SMB transactions. A well-crafted NDA not only protects your business but also sets the tone for smooth negotiations.

NDA Types and Key Clauses Comparison for SMB Acquisitions

Types of NDAs in SMB Acquisitions

When drafting an NDA for an SMB acquisition, you’ll typically choose between two types: one-way and mutual agreements. The choice largely depends on who is sharing sensitive information and the level of protection each party requires. Here’s a closer look at each type and when they’re most appropriate.

One-Way NDAs

A one-way NDA requires only the receiving party - usually the buyer - to keep shared information confidential. In this setup, the seller provides sensitive details, which is common in simple cash-for-asset transactions where information flows in just one direction.

"In a unilateral (or one-way) agreement, only one party is obligated to keep confidential information secret. Most M&A NDAs are unilateral, wherein the buyer is the recipient and the seller is the disclosing party."

- Jacob Orosz, President, Morgan & Westfield

This type of NDA works well when the seller isn’t receiving equity or stock as part of the payment and doesn’t need to evaluate the buyer’s financial standing. It’s also a standard choice when a small business is selling to a large public company that won’t be revealing any of its own proprietary information.

Mutual NDAs

Mutual NDAs, on the other hand, are designed for situations where both parties share sensitive information. They bind both sides to confidentiality, making them ideal for transactions involving stock payments or financial due diligence, where both parties need to disclose proprietary details.

"Mutual NDAs tend to be more balanced and reasonable than one-way agreements. If the drafting party knows that it will be bound by the same restrictions it is seeking to impose on the other... it will generally be more moderate in its approach."

Mutual NDAs also help streamline negotiations by encouraging fair terms on both sides. Buyers often prefer mutual NDAs to prevent sellers from leaking offer details to competitors. However, cash-rich buyers with strong leverage may bypass mutual NDAs if they have no intention of sharing their own confidential information.

What to Include in Your NDA

Once you’ve got a handle on the different types of NDAs, it’s time to focus on the specific clauses that will provide solid protection in your SMB transactions. A well-thought-out NDA doesn’t just protect both parties - it helps avoid potential disputes. Start by clearly outlining what counts as confidential information.

Defining Confidential Information

This is the cornerstone of your NDA. You’ll want to spell out exactly what qualifies as confidential, covering items like financial records, customer and supplier lists, employee data, business strategies, intellectual property (both registered and unregistered), and trade secrets. Don’t forget to include derivative materials, like summaries or analyses created using the seller’s data.

"Problems with CAs [Confidentiality Agreements] arise when the 'confidential information' the agreement is intended to protect is defined so broadly that it's practically impossible to determine what it covers."

- Jacob Orosz, President, Morgan & Westfield

It’s also essential to specify exclusions. For example, publicly available information, pre-existing knowledge, or third-party data not under confidentiality agreements should be excluded. Additionally, because the fact that discussions are happening - and the terms being negotiated - aren’t automatically covered, you’ll need a separate provision to address transaction details.

Restricting How Information Can Be Used

Your NDA must clearly state how the buyer can use the shared information. Typically, confidential data should only be used for evaluating the potential deal. This includes activities like due diligence, valuation, and integration planning. By limiting the use to these purposes, you’re ensuring the information isn’t misused.

The agreement should also set boundaries on who can access the information. Usually, access is limited to the buyer’s representatives, such as employees, legal counsel, accountants, or advisors, and only on a need-to-know basis. Many sellers go a step further by requiring these third parties to sign a joinder agreement, binding them to the NDA’s terms. Lastly, include a clause mandating the buyer to return or destroy all confidential materials if the deal doesn’t move forward or upon your request.

In addition to usage restrictions, make sure to address confidentiality duration and rules around employee, customer, and supplier interactions.

Confidentiality Duration and Non-Solicitation Clauses

Confidentiality obligations don’t last forever - except when it comes to trade secrets. For general business data, like financial statements, customer lists, and marketing plans, obligations typically last between 2 and 5 years after signing the NDA. Trade secrets, however, require indefinite protection as their value depends on remaining undisclosed.

Non-solicitation clauses are just as important. These provisions stop the buyer from poaching your employees, customers, or suppliers for a set period, usually 1 to 2 years after receiving sensitive information. Losing key people or clients can seriously impact your business, even if the deal falls through. That said, general recruitment efforts that don’t specifically target your team are usually allowed.

| Clause Type | Recommended Duration | What It Protects |
| --- | --- | --- |
| General Confidentiality | 2–5 years | Financial data, customer lists, business strategies |
| Trade Secrets | Indefinite | Proprietary methods, know-how, competitive advantages |
| Employee Non-Solicitation | 1–2 years | Prevents hiring away key talent if the deal fails |
| Customer Non-Solicitation | 1–2 years | Prevents poaching clients using shared lists |

In short, set confidentiality for general data at 2–5 years, protect trade secrets indefinitely, and limit solicitation of employees and customers to 1–2 years. These measures will help safeguard your business during and after negotiations.

How Buyers Should Negotiate and Draft NDAs

When you're a buyer, it's crucial to shape the NDA terms in a way that protects your interests. Don’t just accept the seller’s standard terms - adjust them to suit your needs. Andrew Rosell, Attorney at Winstead PC, advises:

"A broad definition might include everything from financial records and business plans to customer lists and technical data. Make sure that the definition also includes appropriate carveouts for what is not confidential information."

Use standard carveouts as a baseline, and ensure the NDA allows you to share information with legal advisors, accountants, and potential lenders without needing separate written consent.

When it comes to document retention, request a legal carveout to keep copies of documents as required by law or internal policies. Non-solicitation clauses should also be reviewed and adjusted to give you operational flexibility. Since proving monetary damages can be tricky, make sure the NDA explicitly allows you to seek injunctive relief and specific performance. By redlining the NDA - accepting favorable suggestions and rejecting unfavorable ones - you can earn the seller’s respect and set the tone for future negotiations. This approach ensures the NDA is tailored to a buyer’s perspective while reinforcing essential components.

Adapting NDAs for SMB Deals

Standard NDA terms often need tweaking for small business (SMB) transactions. Unlike large corporate deals, SMB sellers tend to hold back their most sensitive information - like customer names, employee identities, or key trade secrets - until you show serious intent, even after signing the NDA. This phased disclosure is common, so your agreement should be flexible enough to handle staged releases as the deal progresses.

Consider including a "residual knowledge" clause. This allows for the unaided recollection of general ideas, reducing the risk of accidental breaches when employees naturally remember concepts from reviewed materials. Also, pay close attention to how "transaction" is defined. Courts have sometimes interpreted this term too narrowly, so ensure it covers your specific deal structure - whether it’s an asset purchase, stock sale, or merger. For SMBs that revolve around a single trade secret or proprietary method, you might need a second, more restrictive NDA for that critical information once a firm commitment is in place.

Choosing Between One-Way and Mutual NDAs

The type of NDA you select depends on the deal structure and the nature of the information being shared. Erik Lopez, Partner at Jasso Lopez PLLC, explains:

"Mutual NDAs tend to be more balanced and reasonable than one-way agreements. If the drafting party knows that it will be bound by the same restrictions it is seeking to impose on the other... it will generally be more moderate in its approach."

If you’re paying in cash and not revealing proprietary methods, a one-way NDA can keep things simple. But if the deal involves issuing stock, a mutual NDA is better, as the seller will need access to your business details for due diligence.

| Feature | One-Way NDA | Mutual NDA |
| --- | --- | --- |
| Information Flow | Only the seller discloses confidential info | Both parties exchange confidential info |
| Best For | Cash purchases | Stock transactions or reciprocal reviews |
| Negotiation | Often favors the seller | More balanced and quicker to finalize |
| Buyer Protection | Limited protection for your data | Protects your identity and discussions |

Mutual NDAs also keep the fact that you’re in discussions under wraps, which is important if you want to maintain privacy about your acquisition plans. Regardless of the type, make sure the NDA specifies the exact legal entity names (e.g., "Inc." or "LLC") and is signed by an authorized representative, like the CEO or Board Chair. These steps ensure the NDA not only safeguards confidential information but also aligns with your deal’s structure.

Common NDA Mistakes and How to Avoid Them

When drafting an NDA, even small missteps can leave your agreement vulnerable. Jacob Orosz, President of Morgan & Westfield, highlights the risks:

"A seemingly small mistake while negotiating and signing an NDA can close off critical options later in the process..."

To safeguard your agreement, avoid these common pitfalls that can weaken its enforceability.

Unclear or Overly Broad Definitions

One frequent mistake is defining "confidential information" so broadly that it becomes hard to pinpoint what the agreement actually protects. Jacob Orosz explains:

"Problems with CAs arise when the 'confidential information' the agreement is intended to protect is defined so broadly that it's practically impossible to determine what it covers and whether that information is truly deemed confidential."

To avoid this, tie the definition of "confidential information" to a specific "Permitted Purpose", such as evaluating a potential acquisition. Be precise, and avoid vague language that could render the agreement unenforceable.

Another common error is requiring all shared information to be labeled as "confidential" or "proprietary" to qualify for protection. This creates a loophole - if sensitive information is shared without a label, it might lose its protected status. Instead, declare that all deal-related information is confidential, regardless of markings. Additionally, ensure the definition includes "Derivative Materials", such as internal notes or analyses based on the shared data, to close any gaps in protection.

Don’t forget to explicitly state that bid terms, party identities, and negotiation details are confidential. Christopher S. Harrison warns:

"Information about the transaction does not necessarily fall within the concept and protection of confidential information, since it is not necessarily provided from one party to another."

Finally, include standard carve-outs for information that is publicly available, independently developed, or lawfully obtained from a third party.

Missing Breach Remedies

An NDA without clear remedies for breaches is like a lock without a key - it fails to enforce its purpose. Many agreements overlook this critical element, leaving parties without a clear path to address violations. Andrew Rosell, Attorney at Winstead, underscores the importance of this:

"Because of the nature of proprietary information, it is extremely difficult to show actual monetary damages... therefore, injunctive relief and specific performance are likely to be specific remedies included in an NDA."

Your NDA should specify that monetary damages alone are insufficient and include equitable remedies like injunctions or specific performance. Also, clearly identify which state’s laws apply and which courts have jurisdiction to ensure predictable enforcement. To further strengthen the agreement, include procedures for returning or destroying confidential information after the deal ends, defining when retention becomes a breach.

Eric H. Wang, Partner at DLA Piper, advises caution when reviewing pre-drafted NDAs:

"In a situation where a party is presented with the other side's form NDA, a careful review is warranted – the text is 'boilerplate' that can bite!"

Consider adding provisions that hold third parties accountable for unauthorized disclosures. Additionally, include a clause specifying which party will cover attorney fees in the event of a dispute. This can deter frivolous breaches and ensure enforcement costs are manageable.

| Common Mistake | Recommended Solution |
| --- | --- |
| Vague/Broad Definitions | Use precise language tied to a specific "Permitted Purpose". |
| Missing "Derivative" Info | Include notes, summaries, and analyses based on shared data. |
| Marking/Legending Trap | Declare all deal-related information confidential, regardless of markings. |
| Missing Carve-outs | Add exceptions for public domain, prior knowledge, and independent development. |
| Short Expiration for Trade Secrets | Specify that trade secrets remain protected as long as they retain their secret status. |

Enforcing NDAs and Responding to Breaches

An NDA is only as strong as your commitment to enforce it. When a breach happens, quick action is essential to limit the damage. Neda Dadpey from the University of Maryland Francis King Carey School of Law puts it succinctly:

"Nondisclosure agreements are only as effective as they are enforceable."

The first step is verifying the breach. Gather evidence like emails, screenshots, or access logs that show confidential information was shared without authorization. Document a timeline of events and note any financial losses, such as lost revenue or unauthorized client contact. Confirm that the disclosed information qualifies as confidential under the NDA and that the agreement is still valid.

After confirming a breach, you have several legal tools at your disposal, depending on the situation. Start with a cease and desist letter to demand the breach stop immediately. If the issue continues, seek injunctive relief:

  • A Temporary Restraining Order (TRO) provides immediate, short-term protection for up to 14 days.
  • A Preliminary Injunction maintains the status quo while litigation is ongoing.
  • A Permanent Injunction permanently stops the misuse following a final court ruling.

For breaches that cause financial harm, pursue compensatory or liquidated damages as outlined in the NDA. Liquidated damages are particularly helpful in cases, such as SMB acquisitions, where calculating exact losses is difficult. Additionally, including a fee-shifting clause in your NDA can require the breaching party to cover your legal expenses and attorney fees.

| Remedy Type | Purpose | Best Used For |
| --- | --- | --- |
| Temporary Restraining Order (TRO) | Immediate short-term stop (14 days) | Preventing imminent damage before a full hearing |
| Preliminary Injunction | Preserve status quo during litigation | Preventing further leaks until final decision |
| Permanent Injunction | Final judgment to stop misuse | Permanently halting disclosure |
| Compensatory Damages | Financial recovery for proven losses | Recovering quantifiable revenue loss |
| Liquidated Damages | Pre-determined penalty | Addressing hard-to-calculate damages |

Once you've addressed the breach, it’s time to focus on prevention to reduce future risks.

Reducing Breach Risk Through Buyer Screening

While enforcing NDAs is vital, preventing breaches in the first place is even better. Statistics show that 68% of data breaches are tied to human errors or social engineering, and 29% involve third parties compromised by cyberattacks. These numbers underscore the importance of thoroughly vetting buyers before sharing sensitive information.

Start by using a "teaser profile" that shares general business details without revealing your company name or requiring an NDA. This weeds out casual inquiries and ensures you're only dealing with serious buyers. For those who express genuine interest, adopt a phased information release strategy. Hold back highly sensitive details - like customer names, employee information, and trade secrets - until later stages of due diligence.

To further safeguard your data, consider tools like Kumo, which provide access to detailed buyer profiles and deal history. Such platforms can help you evaluate a buyer's credibility before signing confidentiality agreements. Additionally, use digital access controls and audit trails to monitor who views what information and when. Require users to re-accept NDA terms each time they log in to a data room, reinforcing their obligations before they access sensitive materials.

Best Practices for NDAs in SMB Acquisitions

A solid NDA is your first line of defense when safeguarding sensitive information during a business acquisition. Jacob Orosz, President of Morgan & Westfield, puts it succinctly:

"The non-disclosure agreement (NDA) is the first document to be signed in a transaction and sets the tone for negotiations."

To establish trust and professionalism, ensure the NDA is signed before any significant discussions begin. Clearly define what qualifies as confidential information - this might include proprietary data, financial records, customer lists, or any derivative information specific to your business. The document should strictly limit the use of this information to evaluating the transaction.

Once the NDA is in place, take additional steps to control the flow of information. Consider releasing details in phases, keeping sensitive data - like customer names and employee information - restricted until later in the process. Use a Virtual Data Room for added security, incorporating features like role-based access, two-factor authentication, and dynamic watermarking.

To protect your business further, include non-solicitation and no-hire clauses in the NDA. These clauses prevent potential buyers from poaching your employees or approaching your customers for one to two years. Additionally, outline specific remedies for breaches, such as injunctive relief and monetary damages, and require buyers to return or destroy all confidential data if the deal falls through. Double-check that all legal names are accurately listed in the document.

Another critical step is screening buyers before sharing sensitive information. Start with a teaser profile to gauge interest and ensure only serious parties proceed to deeper discussions. Tools like Kumo can help you vet buyers by reviewing their profiles and deal history before signing confidentiality agreements. Combining thorough buyer screening with a well-structured NDA lays a strong foundation to protect your business throughout the acquisition process.

FAQs

What’s the difference between one-way and mutual NDAs in SMB acquisitions?

When only one party - usually the seller - needs to share sensitive information, a one-way NDA (unilateral) is the go-to choice. This setup is typical in the early stages of small or medium-sized business acquisitions, where the buyer requires access to confidential details to assess the deal.

In contrast, a mutual NDA (bilateral) comes into play when both the buyer and seller exchange private information. This is particularly relevant during negotiations involving strategic, financial, or proprietary data from both sides. The type of NDA you choose hinges on the kind of information being shared and the level of trust between the parties involved.

What can I include in an NDA to address potential breaches effectively?

When drafting an NDA, it's crucial to include a remedies section to prepare for any potential breaches. This section should emphasize that a breach could result in irreparable harm and outline the rights available to the non-breaching party. These rights might include the ability to seek temporary or permanent injunctive relief, monetary damages (or liquidated damages), specific performance, and recovery of reasonable attorneys’ fees and related costs.

By clearly defining these remedies, you provide a roadmap for addressing breaches, ensuring the non-breaching party has well-defined legal avenues to safeguard their interests and recover any losses.

How can I safely screen buyers before sharing confidential business information?

Before revealing sensitive information like financial records, customer data, or trade secrets, it's essential to thoroughly vet potential buyers. Start by having them sign a non-disclosure agreement (NDA). This document should clearly define what information is protected, who is allowed to access it (e.g., advisors or financiers), and the penalties for breaches. An NDA provides a legal safety net in case any unauthorized disclosures occur.

The next step is to confirm the buyer’s identity and financial ability to complete the deal. Request proof of funds or financing commitments to ensure they have the resources to follow through. Many modern platforms now use AI tools to detect inconsistencies or flag suspicious behavior, helping you filter out unqualified buyers early in the process.

To further safeguard your business, implement a tiered disclosure process. Begin by sharing general, non-sensitive information - like an overview of your company or basic performance metrics. Only provide more detailed, proprietary data after the buyer has shown serious interest, such as by offering references or meeting specific milestones. This phased approach reduces the risk of exposing critical information to unreliable parties.

Platforms like Kumo can streamline these steps. Kumo combines business listings with AI-driven filters to connect sellers with pre-screened buyers who meet specific criteria. Its automated features, including NDA requests, help protect sensitive details while keeping the transaction process smooth and secure.
