NDA for development - "residual" clause and other ways to protect yourself

Custom development is practically impossible without transferring confidential information (CI) to the developer; otherwise, what makes it custom?
The larger the customer, the harder it is to negotiate the terms of a confidentiality agreement, and its standard form is almost certain to be overbroad.

As a result, along with the minimum amount of information needed for the work, you may receive a pile of obligations: to store and protect it as your own, for many years, even after the agreement expires; to keep records and organize storage; to compensate losses; to let the disclosing party audit you; to pay multi-million-dollar penalties for the mere fact of disclosure; and who knows what else. "This is the standard form, it is approved by the chairman of the board, it cannot be changed."

To be able to do your job calmly, you need the clearest possible scope of obligations. This simple truth can be put into practice through several conditions.

  1. A statement that the NDA applies to a specific project. The temptation to extend it to all existing and future projects is great, but why sign up for more than necessary? The smaller the volume of information, the fewer resources are needed to store it, the fewer people need access to it, and the lower the risk of disclosure.
  2. Confidential information is only written information bearing a mark such as "confidential". This lets you determine unambiguously whether the confidentiality regime applies to a specific piece of information. Marking the information is the customer's responsibility. Avoid wording such as "any information".
  3. Not all CI can be returned or destroyed. The "residual" clause is used in the standard NDAs of companies such as Microsoft. It secures the rights to information that remains, as a result of access to the CI, outside of tangible media (for example, in the memory of a person who had access to the CI), including ideas, principles and methods. Neither party may restrict or prohibit the use of such "residual" information by those persons, or charge a fee for its use. This condition does not extend to patents and copyrights lawfully owned by the disclosing party.
  4. Personal data: do not forget to add the disclosing party's obligation to obtain the data subject's consent to the transfer of their personal data to the receiving party, to provide that consent at the receiving party's request (for example, in the event of an audit), and to notify the subject that their data has been transferred to a third party (especially relevant for European citizens).
  5. The right to return CI early. If we receive something we do not need (for example, superfluous material, or material unrelated to the project at all), we return the CI (the tangible medium) to its owner without hesitation, or give notice of its destruction (if there is nothing to return).
  6. No double or triple liability for the same violation. An accidental data leak must not become a means of enrichment for one of the parties. We limit liability to direct, documented damage (not losses, which would mean damage plus lost profit) within 30-70% of the project cost.

Each of these conditions is reasonable and also protects the customer: the less CI they disclose, the lower the risk of a leak. There is no redundancy, only a clear circle of obligations. Take care of yourself and your confidential information.

Source: habr.com