A business owner’s guide to confidentiality agreements in M&As


Confidentiality agreements are critical to merger & acquisition transactions. Learn what an agreement must include to protect your business. 

3 August 2023
Written by Mari Nygaard

What are confidentiality agreements?

Confidentiality agreements, or non-disclosure agreements (NDAs), are legal contracts designed to protect sensitive information from being disclosed to unauthorised parties. They should also govern how the information can be used and by whom.

The role of confidentiality agreements in M&A

Confidentiality agreements in M&As are critical in safeguarding confidential business information from disclosure risks. M&A transactions involve the transfer of ownership or control of a company, including proprietary information such as trade secrets, customer lists, financial data, and other confidential materials. Without proper protection measures in place, the risk of damaging information or data leaks is substantially increased.

In the context of a business sale, NDAs protect the information the disclosing party will need to provide the recipient, the potential buyer. In a situation where the disclosing party plans to sell off a division or part of their business but otherwise continue trading, an NDA can provision other requirements, such as a restriction on soliciting staff for an agreed period of time. 

Protecting confidentiality in M&As helps to mitigate these risks by defining the scope and limitations of what can be shared between the parties involved. However, creating a suitable NDA for your needs requires legal expertise and advice tailored to your particular goals and situation. 

While using a ‘boilerplate’ agreement that is standardised and readily available without additional legal input may be tempting, this approach brings risks. Agreeing to unnecessary clauses or lacking critical provisions for your specific requirements can create legal disputes, resulting in delays or even a deal-breaking situation.


What should an NDA include?

Drawing up suitable non-disclosure agreements for a business sale falls to the expertise and guidance of your legal advisors. While they will oversee the creation of an agreement and provide guidance on inclusions and exclusions, business owners must ensure they thoroughly understand what the NDA will govern and satisfy themselves that it will adequately protect their business interests. 

Here are some critical aspects to consider.

Who does the NDA apply to?

Principally, an NDA will apply to the buyer and seller. However, the advisors and representatives of both parties must be considered too. The recipient (buyer or investor) may be asked to take responsibility for the actions of lawyers, financial advisors, investment bankers and accountants who have sight of the confidential information provided. Alternatively, they may be asked to sign an agreement that confirms their adherence to the terms of the NDA itself.

Define what is confidential

An NDA should clearly list the types of information and their derivatives to be treated confidentially. Typically, this covers all business data and trade secrets but should also include the terms of the potential deal and the parties' identities. Should a deal fail to close, both parties are unlikely to want information surrounding it and its terms to be made public.

Specify actions required when sharing information

An NDA should specify the permissible process and method when exchanging confidential information. For example, documents may need to be physically labelled as confidential before disclosure. It is also essential to consider how verbal information is treated, as it is harder to ensure its confidentiality in a way that can be proven in a court of law if required. 

Of course, a recipient may have access to publicly available information, such as share prices, before data is labelled as confidential. Additionally, there may be situations where a recipient is obliged by regulatory bodies or a court to disclose confidential information. 

These are just some of the complexities of protecting confidentiality in M&As, and they require considered input from your legal advisors. These complexities are also why legal advisors use virtual data rooms, which offer advanced levels of data security. 

Data rooms encrypt data when it is ‘at rest’ (not being actively accessed or shared) and in transit during a sharing process. Should your data be leaked or stolen at this point, it would be unreadable. Therefore, it is good practice to insist on using a data room for information storage and sharing and to include this as a stipulation of your NDA.

Permitted use of information

Specifying who can access your information and how they may use it is crucial. For example, you may only permit access to the information to evaluate the potential deal and for no other purpose. You may also identify specific people and organisations who are allowed access. 

Utilising features in your data room can help you and your advisors manage this aspect. User access control features can be determined when a data room is set up and adjusted as needed at any point afterwards. Login features such as two-factor authentication (2FA) create an additional layer of protection, for example, while you can also specify who has access to what folders and documents. Customising user permissions down to who can print, download or save specific documents gives you complete control over how your data is used. We recommend that this is always included in a non-disclosure agreement for a business sale.

From a recipient’s point of view, they will push for a broad perspective on access and, at minimum, will need to ensure they have what they need to conduct thorough due diligence. Striking a balance between sufficient access rights for due diligence while protecting information is one of the determining factors of a robust and meaningful NDA. Ultimately, since due diligence is so pivotal to the outcome of a deal, investing time and resources in clarifying the permitted use and the role of confidentiality agreements in M&As is vital.

Return or destroy information

Regardless of whether the deal closes successfully or not, an NDA should specify what happens to the confidential information once it is no longer needed for the purpose of deal negotiation.  

As the owner of the information, the disclosing party commonly requests the return of the data. However, for convenience, the recipient may prefer to have the option of destroying the information at a given point in time. This may be once negotiations between the parties have concluded, if the deal fails, or at any other point when requested by the disclosing party. 

If the destruction of the information is agreed upon, the disclosing party must ensure there is a requirement for the recipient to prove its destruction or deletion. While this may feel somewhat risky, if confidential data is protected by encryption within the secure confines of a data room and further controlled by access permissions that can be adjusted at any time, the seller can withdraw access to the documentation as needed. 

Remedies for non-compliance

What are the consequences if the terms of the confidentiality agreement are breached? An NDA should reference indemnification information and who will be responsible for costs relating to any legal disputes or hearings that arise.  


Common mistakes in confidentiality agreements for sellers

So far, we’ve looked at some of the inclusions of a non-disclosure agreement for a business sale. While your legal advisors will undoubtedly ensure these aspects and many more are considered thoroughly, be aware of some of the most common omissions or errors in NDAs.  

Vague definitions

One of the most fundamental and potentially costly consequences of a poorly worded or ambiguous NDA is a lack of clarity over what information is covered. While documentation exchanged during the negotiation phase may be the obvious inclusion, often, there are notes, summaries, presentation decks and more that are based on or linked to the original document. Therefore, it is crucial to word the NDA appropriately to eliminate doubt and avoid disputes that can slow down or break a deal entirely. 


While vagueness is to be avoided, being wholly rigid and inflexible is also problematic. An NDA is designed to protect both parties and establish clear ground rules, but it should not stifle meaningful exploration and deal progress. If the provisions of a confidentiality agreement are too rigid, due diligence can become ineffective or incomplete, increasing the likelihood of deal failure. Finding the right balance is a skill in itself, and it’s why working with legal professionals with experience in M&A transactions is a vital ingredient.

Relying on boilerplate agreements

It is not uncommon for a buyer or investor to suggest they have a standard NDA agreement that can be used without additional time and cost involved in creating one from scratch. These are called boilerplate agreements and serve as a standard template with minimal adjustment for individual deals or situations. While these ready-made agreements are helpful as a starting point, over-reliance on standard agreements is among the most common mistakes in confidentiality agreements for sellers.

A boilerplate agreement that has yet to be adjusted to suit your needs can mean agreeing to clauses or fine print that are inappropriate for your situation and may lead to a breach that results in legal proceedings. In addition, this type of agreement will usually be written to benefit one party, in this case, the investor or buyer, meaning the disclosing party is immediately at a disadvantage. 

As a result, it’s crucial to ensure that your legal team prepare an NDA that fits your circumstances and needs. Admincontrol provides a boilerplate NDA with our data rooms, for example. Still, we recommend that time and expertise be spent tailoring it to the requirements of both parties and the type of deal or investment in question. 

Delayed signing

Leaving the creation and signing of a confidentiality agreement until discussions progress to a point that a deal seems possible or likely is also problematic. Many business owners leave NDAs until, for example, letters of intent are discussed. However, the reality is that any information discussed or shared before this point is now at risk of disclosure. 

Ensuring all parties agree upon and sign an NDA at the very beginning of discussions, however casual they may be at that point, is critical to avoiding substantial problems later in the deal. 

In summary

Here we have looked at some of the essential components of confidentiality agreements in M&As, along with common mistakes in confidentiality agreements for sellers. 

Confidentiality agreements ensure smooth M&A transactions for both business sellers and buyers alike. These agreements set clear expectations and guidelines for handling sensitive information and protect the interests of all parties involved. 

Buyers and sellers can conduct their due diligence without fear of compromising valuable data or risking their businesses by establishing trust and maintaining confidentiality throughout the process. 

A robust and effective NDA should be drafted by a legal advisor, preferably with experience in M&A transactions, and must be tailored to suit your goals and objectives. Expect there to be back and forth with the third party and their advisors, too - it’s part of the process and is vital to ensure all sides fully understand each provision. 

Points to remember:

  • Avoid reliance on boilerplate agreements that are not adjusted to your requirements and appoint a legal advisor to draft a tailored agreement
  • Be transparent and clear about who the agreement applies to
  • Define what is considered confidential in granular detail
  • Define a process for sharing confidential information and outline it in the agreement
  • Specify who can access the information, how they can use it and for how long
  • Detail requirements for the return or destruction of confidential information
  • Outline remedies and consequences of non-compliance
  • Avoid vagueness but don’t be completely rigid either - spend time finding the balance
  • Timing is everything - start early
  • Remember that your data room has advanced features and tools designed to protect confidential data and can help you manage user permissions
