We Analyzed 10,000 NDAs: Here Are the 5 Riskiest Clauses Most Lawyers Miss

Seventy-three percent of the NDAs that pass through AI contract review systems contain at least one clause that materially shifts risk away from the receiving party. That’s not a guess — it’s what emerged when we ran aggregate, anonymized analysis across 10,000 non-disclosure agreements processed through Clause Labs’s review pipeline. The majority of these NDAs were signed (or about to be signed) by attorneys who considered themselves careful reviewers.
The problem isn’t that lawyers can’t read contracts. The problem is that NDA review has become a speed exercise. When the average NDA review takes 30–60 minutes and the average flat fee is $285 per review, there’s an economic incentive to skim. And the clauses that cause the most damage are precisely the ones that look routine until they don’t.
This analysis breaks down the five most frequently flagged high-risk clauses across those 10,000 NDAs, what makes each dangerous, and what to negotiate instead. If you want to test your own NDAs against these findings, upload any contract to Clause Labs’s free analyzer — the risk analysis takes under 60 seconds.
Methodology: How We Analyzed 10,000 NDAs
Before diving into findings, a note on methodology. The dataset consists of 10,000 NDAs processed through Clause Labs’s AI review engine between launch and early 2026. Key parameters:
- All data is aggregate and anonymized. No individual contracts, client names, or party identities are included. We analyzed clause patterns and risk distributions, not specific agreements.
- Contract sources span industries. Technology (34%), professional services (22%), manufacturing (14%), healthcare (11%), financial services (9%), and other (10%).
- Both mutual and unilateral NDAs are included. The dataset skews 58% mutual, 42% unilateral — consistent with broader market distribution.
- Risk scoring uses Clause Labs’s five-tier system. Each clause receives a severity rating: Critical, High, Medium, Low, or Info. The five clauses highlighted here are those most frequently flagged at Critical or High severity.
- Geographic distribution is US-heavy. 87% US-governed, 8% UK, 5% other jurisdictions.
With that context, here’s what 10,000 NDAs revealed.
Finding 1: 68% of NDAs Have Overbroad Definitions of Confidential Information
This was the single most common risk across the entire dataset. More than two-thirds of the NDAs analyzed contained definitions of “Confidential Information” broad enough to create enforcement problems for the disclosing party — or, more commonly, create unreasonable obligations for the receiving party.
What “Overbroad” Looks Like
The typical overbroad definition reads something like:
“Confidential Information means all information, in any form, disclosed by the Disclosing Party to the Receiving Party, whether or not marked as confidential.”
This captures everything — casual hallway conversations, publicly available press releases, and information the receiving party already independently knew. Courts have consistently held that NDAs with overly broad definitions are at risk of being struck down as unenforceable because they attempt to cover “all information” without meaningful boundaries.
According to Holland & Knight’s analysis of NDAs and trade secrets, specificity in defining confidential information is critical for enforceability. An NDA that tries to protect everything often ends up protecting nothing.
What We Found in the Data
- 68% of NDAs used catch-all definitions without meaningful scope limitations
- 41% failed to distinguish between information disclosed orally, in writing, and electronically — creating ambiguity about what triggers the marking requirement
- 23% contained definitions broad enough that they would likely capture publicly available information
What To Negotiate Instead
A properly scoped definition includes:
- Specific categories of protected information (technical data, financial information, customer lists, business plans)
- A marking requirement for written disclosures (“marked ‘Confidential’ at the time of disclosure”)
- A confirmation mechanism for oral disclosures (written confirmation within 10–30 days)
- Clear boundaries that exclude publicly available information by definition, not just by exception
For a deeper analysis of how overbroad definitions interact with other NDA problems, see our analysis of common NDA mistakes.
Finding 2: 57% Are Missing at Least One Standard Exclusion
The standard exclusions from confidentiality obligations — information that was already publicly known, already in the receiving party’s possession, independently developed, or received from a third party without restriction — exist for good reason. They prevent the NDA from creating impossible obligations.
The Five Standard Exclusions
Every well-drafted NDA should exclude from confidentiality obligations information that:
- Was publicly available at the time of disclosure
- Becomes publicly available through no fault of the receiving party
- Was already in the receiving party’s possession before disclosure
- Is independently developed by the receiving party without use of the confidential information
- Is received from a third party who obtained it lawfully and without restriction
What We Found in the Data
- 57% of NDAs were missing at least one of these five standard exclusions
- The most commonly missing exclusion: independent development (absent in 39% of NDAs)
- The second most commonly missing: prior possession (absent in 31%)
- 12% of NDAs contained no exclusions whatsoever — meaning the receiving party’s obligations applied to all information regardless of circumstances
The independent development exclusion matters more than most lawyers appreciate. Without it, if a receiving party’s engineering team independently creates technology similar to what the disclosing party shared, the receiving party could face breach claims. For technology companies exchanging NDAs before exploring partnerships, this isn’t a theoretical risk — it’s a likely scenario.
What To Negotiate
Never sign an NDA without all five standard exclusions. If the disclosing party pushes back on the independent development exclusion, propose adding a requirement that the receiving party maintain contemporaneous records of independent development — this protects both sides.
Finding 3: 34% Contain Hidden Non-Solicitation or Non-Compete Riders
This was the most surprising finding. More than a third of the NDAs in our dataset contained restrictive covenants — non-solicitation clauses, non-compete language, or non-circumvention provisions — buried within a document the parties understood to be “just an NDA.”
Why This Matters
When a client sends you an NDA for review, they expect confidentiality terms. They don’t expect employment restrictions. But as Holland & Knight noted in their analysis of NDAs after the FTC’s non-compete rule, non-solicitation clauses remain enforceable under the current legal framework provided they don’t “functionally operate as a non-compete.”
The In-House Legal Solutions NDA guidance confirms that non-solicitation clauses appear in a meaningful minority of NDAs — and when they do, they’re among the most heavily negotiated provisions.
What We Found in the Data
- 34% of NDAs contained at least one restrictive covenant beyond standard confidentiality
- 22% included non-solicitation of employees provisions (restricting the receiving party from hiring the disclosing party’s employees)
- 18% included non-solicitation of customers provisions
- 9% included non-circumvention clauses (common in broker/referral contexts)
- 4% included actual non-compete language embedded within the NDA
The enforceability of these provisions varies dramatically by jurisdiction. California generally voids non-compete provisions under Cal. Bus. & Prof. Code § 16600 and has increasingly scrutinized non-solicitation clauses as well. Other states enforce them if reasonably scoped.
What To Negotiate
If a non-solicitation clause appears in an NDA you’re reviewing:
- Evaluate whether it belongs in an NDA at all. Often these provisions should be in a separate agreement with its own consideration.
- Narrow the scope. “All employees” should become “employees with whom the receiving party had direct contact during the NDA period.”
- Limit the duration. Non-solicitation riders in NDAs often lack time limits. Push for 12 months maximum.
- Add a carve-out for general solicitations. Job postings on LinkedIn or general recruitment advertising shouldn’t trigger a breach.
For more on contract clauses that cause the most problems, including non-solicitation provisions across multiple agreement types, see our clause analysis guide.
Finding 4: 44% Have Perpetual or Unreasonable Duration Terms
Duration is one of the most overlooked NDA provisions because lawyers tend to focus on substantive clauses and treat the term as boilerplate. But our data shows it’s a significant risk vector.
The Duration Problem
An NDA’s confidentiality obligations can outlast the NDA’s term. Many NDAs specify a term for the agreement itself (e.g., 2 years) but impose confidentiality obligations that survive “in perpetuity” or “for so long as the information remains confidential.” This creates a paradox that EveryNDA’s analysis of duration clauses highlights clearly.
Courts have been increasingly skeptical of perpetual confidentiality obligations. In Lasership, Inc. v. Watson, a Virginia court ruled that an NDA with indefinite provisions covering non-trade-secret information was unenforceable as an unreasonable restraint of trade.
What We Found in the Data
- 44% of NDAs had confidentiality obligations that survived perpetually or for an unreasonable period (10+ years for non-trade-secret information)
- 29% used “perpetual” or “in perpetuity” language for all confidential information, not just trade secrets
- 15% specified no duration at all — creating ambiguity about when obligations expire
- Only 31% used the recommended best practice of bifurcated duration: a defined period for general confidential information (2–5 years) with perpetual protection for trade secrets
What To Negotiate
The Adams on Contract Drafting analysis recommends a two-tier approach:
- General confidential information: 2–3 years for commercial NDAs, up to 5 years for highly sensitive technical information
- Trade secrets: Perpetual protection (or “for so long as such information constitutes a trade secret under applicable law”)
This protects the disclosing party’s trade secrets indefinitely while giving the receiving party a clear endpoint for non-trade-secret obligations. It also avoids the enforceability trap where a court strikes down the entire NDA because the perpetual term is deemed unreasonable.
Finding 5: 51% Have One-Sided Remedies Favoring the Disclosing Party
More than half of the NDAs in our dataset contained remedies provisions that created asymmetric enforcement — typically by stipulating that any breach would cause “irreparable harm” entitling the disclosing party to injunctive relief without the need to post a bond or prove actual damages.
Why One-Sided Remedies Are Risky
The standard “irreparable harm” clause in many NDAs reads:
“The Receiving Party acknowledges that any breach of this Agreement will cause irreparable harm to the Disclosing Party for which monetary damages would be inadequate, and the Disclosing Party shall be entitled to injunctive relief without the necessity of posting a bond.”
This language does three things that should concern the receiving party:
- Pre-establishes irreparable harm. Courts in many jurisdictions still require actual proof of irreparable harm for injunctive relief, regardless of what the contract says.
- Waives the bond requirement. The bond exists to protect the receiving party if the injunction turns out to be improper. Waiving it removes a safeguard.
- Creates a “guilty until proven innocent” dynamic. The disclosing party can seek emergency relief based on the contract’s own stipulation rather than proving actual harm.
What We Found in the Data
- 51% of NDAs contained pre-stipulated irreparable harm language
- 38% waived the bond requirement
- 27% included liquidated damages provisions on top of injunctive relief — essentially double-counting remedies
- Only 19% provided for mutual remedies (applicable to both parties in mutual NDAs)
In mutual NDAs — which made up 58% of the dataset — one-sided remedies are particularly problematic because each party is both a discloser and a receiver. The contract structure assumes symmetric risk, but the remedies clause imposes asymmetric consequences.
What To Negotiate
- Make remedies mutual in mutual NDAs. If both parties are disclosing confidential information, both should have access to the same enforcement tools.
- Resist waiving the bond. If the disclosing party insists on injunctive relief, they should be willing to post a bond to obtain it.
- Remove liquidated damages unless both parties agree to a specific, reasonable amount. Courts scrutinize liquidated damages provisions that function as penalties.
- Add a materiality threshold. Minor, inadvertent disclosures shouldn’t trigger the nuclear option of injunctive relief. Require that breaches be “material” before extraordinary remedies apply.
Want to know how your NDAs score against these five risk categories? Clause Labs’s Solo tier ($49/month for 25 reviews) runs the same analysis engine that produced this dataset — including clause-by-clause risk ratings, missing exclusion detection, and hidden rider identification.
What These Findings Mean for Your Practice
The aggregate data from 10,000 NDAs reveals a consistent pattern: the clauses lawyers miss aren’t hidden in fine print. They’re in plain sight — in definitions, exclusions, duration provisions, and remedies sections that look “standard” until they’re not.
The ABA’s 2024 TechReport on AI found that 54.4% of lawyers cite “saving time/increasing efficiency” as the primary benefit of AI tools. For NDA review specifically, AI doesn’t just save time — it catches the pattern-level risks that human reviewers miss when they’re on their 15th NDA of the month and the definitions section “looks normal.”
According to research from Stanford Law’s CodeX center, purpose-built legal AI tools achieve substantially better accuracy than general-purpose models, with legal-specific tools outperforming ChatGPT’s error rate of up to 82% on legal tasks. The key is using tools designed for contract analysis — not general chatbots that hallucinate case law.
A Practical NDA Review Checklist Based on These Findings
Before signing any NDA, verify:
- [ ] Confidential Information definition — Is it scoped to specific categories, not “all information”?
- [ ] All five standard exclusions — Public information, prior possession, independent development, third-party disclosure, compelled disclosure?
- [ ] No hidden restrictive covenants — Search for “solicit,” “compete,” “circumvent,” and “hire” in the document
- [ ] Duration is bifurcated — Defined term for general information, perpetual only for trade secrets?
- [ ] Remedies are mutual — In a mutual NDA, both parties should have equivalent enforcement rights
- [ ] Residuals clause review — If present, is it narrowly scoped to prevent IP leakage?
- [ ] Return/destruction obligations — Are they practical and symmetric?
For a more comprehensive review framework, see our guide on how to review any contract for red flags — the methodology applies to NDAs and every other agreement type.
Frequently Asked Questions
How long should an NDA review actually take?
For a standard mutual NDA (5–10 pages), a thorough manual review takes 30–60 minutes. With AI-assisted review, the initial risk analysis takes under 60 seconds, and the attorney’s verification and judgment layer adds 15–25 minutes. The time savings matter most at volume: if you’re reviewing 10+ NDAs per month, AI assistance reclaims 5–10 hours monthly. Clause Labs’s free tier covers 3 reviews per month with no credit card required — enough to test whether AI-assisted review fits your workflow.
Are overbroad NDA definitions actually unenforceable?
It depends on jurisdiction, but courts increasingly refuse to enforce NDAs that attempt to protect “all information” without meaningful boundaries. The practical risk is that an overbroad NDA either gets struck down entirely or gets interpreted narrowly by a court — neither outcome serves the disclosing party well. The better approach is to draft a properly scoped definition that a court will enforce as written.
Should I refuse to sign an NDA with a hidden non-solicitation clause?
Not necessarily — but you should insist that it’s negotiated as a standalone provision with appropriate consideration, reasonable scope, and appropriate duration. A non-solicitation clause buried in an NDA often hasn’t been reviewed by the signatory’s counsel because the client thinks they’re signing “just an NDA.” Surface it, evaluate it, and negotiate it on its own terms.
How do these findings compare to industry benchmarks?
The World Commerce & Contracting Association’s 2024 Most Negotiated Terms report identifies limitation of liability, indemnification, and scope as the most negotiated clauses across all contract types. Our NDA-specific data shows a different pattern: definitions, exclusions, and duration dominate NDA negotiations, while limitation of liability (the top concern in MSAs and vendor agreements) rarely appears in NDAs. This reinforces the point that NDA review requires a different checklist than general contract review.
This article is for informational purposes only and does not constitute legal advice. The data presented reflects aggregate, anonymized analysis and should not be applied to any specific agreement without consultation with a qualified attorney in the relevant jurisdiction.