NDA framework — decisions, alternatives, and sourcing
ATTORNEY REVIEW REQUIRED BEFORE USE. This document is research-only, produced by a non-lawyer. It surfaces decisions, tradeoffs, and primary-source citations so the user can walk into a consult with a contract attorney (SaaS / technology-transactions background, licensed in the chosen governing state) and get to judgment calls quickly. None of the positions taken here are legal advice. The companion template (nda-template.md) is NOT a finished contract — it's the strawman the attorney will review, modify, and bless.
Status: research-only. Last updated: 2026-04-22. Verify all citations and cost figures at decision time.
TL;DR
NDA kind: one-way (disclosing party = Raxx) for v1, per epic #161 scope. Mutual NDA is out-of-scope until an explicit v2 driver appears (e.g., investor sharing their own term-sheet).
Term length: [TERM_YEARS] not yet chosen; 3 years + trade-secret tail is the defensible middle. 2 is aggressive for a SaaS where roadmap value decays fast; 5 is aggressive for receiving-party burden. Strong recommendation: whatever the headline term, include the "trade secrets remain protected so long as they remain trade secrets" survival clause (tracks the federal DTSA, 18 U.S.C. § 1836 et seq., and the governing state's UTSA variant).
Governing law: [GOVERNING_STATE] not yet chosen; Pennsylvania is the clean default once the PA LLC is formed (entity home, likely forum of any dispute). Delaware is the convention pick but offers little NDA-specific advantage; it adds a layer if Raxx isn't a DE entity.
Digital-signature framework: ESIGN (federal, 15 U.S.C. § 7001) + UETA (state, enacted in 49 states + DC; NY is the lone holdout and uses ESRA). Enforceability hinges on consent, intent, attribution, record retention, and ability to retrieve — operationalized in esign-compliance-checklist.md.
Remedies: standard injunctive-relief acknowledgment + two-way attorneys' fees is the middle position. Arbitration not recommended for this template — a small NDA dispute is faster and cheaper in state court with a narrow injunction than in arbitration; attorney to confirm.
Open questions for attorney: consolidated at the bottom and in nda-template.md; ready to carry into the #151 consult.
1. What kind of NDA — one-way vs mutual
Decision: one-way for v1
Epic #161 scopes v1 as one-way (Disclosing Party = Raxx; Receiving Party = signer). This is appropriate because the three v1 use-cases — alpha access gating, investor conversations (early-stage, pre-term-sheet), and contractor onboarding — all have a one-directional information flow: Raxx shares proprietary material; the counterparty is receiving it in exchange for consideration (access, evaluation opportunity, payment).
When mutual becomes necessary (v2 trigger)
A mutual NDA becomes necessary when the counterparty will disclose their own confidential information in a substantive way. Typical triggers:
Investor due diligence past the deck stage — when the investor shares a draft term sheet or their own portfolio analysis.
Acquisition / partnership discussions — when a counterparty shares their own financials, customer lists, or roadmap.
Co-development — joint product work where both sides contribute IP.
For v1, none of these are expected. If one arises, software-architect + product-manager should scope a v2 mutual template as a separate engagement and not force-fit v1.
Asymmetry notes (tradeoff to flag to attorney)
A one-way NDA where the Disclosing Party (Raxx) grants injunctive relief and attorneys' fees to itself but not to the signer is common and defensible, but it is signer-unfriendly. Sophisticated counterparties (VCs, corporate-dev teams) will push back and demand mutuality at least on remedies and governing-law convenience. The template as drafted uses two-way attorneys' fees ("prevailing Party") as a middle position — attorney should advise whether to soften further or accept pushback on a case-by-case basis.
2. Carve-out philosophy — what counts as Confidential Information
Two ends of the spectrum
Loose ("everything shared"): Confidential Information = any non-public information disclosed, whether marked or not. Favorable to Disclosing Party. Imposes broader burden on Receiving Party to treat everything carefully.
Strict ("marked only"): Confidential Information = only material marked "Confidential" or summarized in writing as such within N days of oral disclosure. Favorable to Receiving Party. Lower burden, clearer scope, but Disclosing Party can easily fail to mark something and lose protection.
Template position: loose + reasonable-person standard
The drafted §1.1 uses the loose approach with a reasonable-person backstop ("that a reasonable person would understand to be confidential or proprietary given the nature of the information and the circumstances of disclosure"). This is the dominant pattern in tech / SaaS NDAs because:
Pre-launch startups rarely have the discipline to mark every email, Figma frame, or Zoom conversation.
Courts are generally comfortable with the reasonable-person test for breach analysis.
Receiving parties have less leverage to negotiate for strict marking when the context is alpha-access or early investor exposure.
Standard four exclusions (tracks industry consensus)
Section 1.2 uses the standard four carve-outs:
(a) publicly known (at time of disclosure or subsequently, through no fault of Receiving Party)
(b) prior knowledge (Receiving Party already had it, with written records pre-dating disclosure)
(c) independent development (Receiving Party built it without reference to Confidential Information)
(d) third-party disclosure (received rightfully from a third party without a confidentiality duty)
The "compelled by law / subpoena" category is placed in §2.5 (permitted disclosure with notice) rather than as an exclusion, which is the more modern pattern — compelled disclosure is not a carve-out from what counts as confidential, it's a permitted disclosure channel.
Industry framing
Common confidentiality terms can range between 2, 3 and 5 years, with two to five years commonly accepted as a reasonable period for safeguarding most confidential information. Five years is a common length in nondisclosure agreements that involve business negotiations and product submissions, although some companies prefer three or two years.
— EveryNDA, "Duration Clauses in Non-Disclosure Agreements" [2]
3. Trade-secret-tail clause (DTSA + state UTSA)
Rather than a flat term, the template uses a dual-track approach in §5.2:
Headline term of [TERM_YEARS] years applies to all Confidential Information.
Trade secrets survive for as long as they remain trade secrets under applicable law, including the federal Defend Trade Secrets Act (18 U.S.C. § 1836 et seq.) and the trade-secret statute of the governing state (every state except New York has enacted a Uniform Trade Secrets Act variant; NY relies on common-law trade-secret protection).
This avoids the "perpetual NDA = unenforceable" problem in states that disfavor indefinite restrictions, while preserving indefinite protection for genuine trade secrets.
A recommended approach is a standard 3-5 year term with a carve-out stating that information qualifying as a trade secret remains protected "for so long as such information constitutes a trade secret under applicable law." This approach avoids problems with perpetual NDAs while protecting genuine trade secrets indefinitely.
— EveryNDA, synthesized industry position [2]
4. Term length — 2 / 3 / 5 years
Quick-compare
Term | Posture | Defensible? | Tradeoffs
2 years | Signer-friendly | Yes, common in vendor/agency NDAs | Too short for investor-targeted material if roadmap / financial projections look beyond a 2-year horizon; trade-secret tail still protects core IP
3 years | Balanced default | Yes, dominant for SaaS / tech | Matches typical roadmap visibility (12–24 months out + buffer); signer less likely to push back than at 5 years
5 years | Disclosing-Party-friendly | Yes, common in manufacturing / licensing | Strong pushback from sophisticated signers; may deter some alpha-user signings; tech information often stale before the 5-year clock ends
Industry context
Short-term NDAs (1–2 years) are common in vendor and agency partnerships, mid-term NDAs (3–5 years) are used in tech collaborations and licensing talks. In technology and software, where things change rapidly, NDAs tend to be for one to three years because tomorrow's breakthrough concept may become obsolete in a matter of moments. In contrast, in pharmaceuticals or manufacturing, where research and product development can take decades, NDAs can be for 10 years or more.
— mydock365 / EveryNDA / Certinal synthesis [1][2][3]
Recommendation to carry into consult
3 years + trade-secret tail is the defensible middle for Raxx's profile:
Pre-launch SaaS where alpha-access material becomes stale faster than 5 years.
Investor conversations where projections are typically 24–36 months.
Contractor work where the engagement is usually <12 months but work product (code, designs) may reference still-current trade-secret material years later — the trade-secret tail handles that.
Attorney to confirm the specific value for [TERM_YEARS]. No strong reason to deviate from 3 unless attorney identifies a jurisdiction-specific concern.
5. Governing law — PA vs DE (or other)
The conventional picks
Pennsylvania:
Pro: Matches entity home (pending #148-#160; PA LLC + CA foreign-qualification path per docs/business/state-of-formation.md on research branch). Courts of the entity's home state are the most likely practical forum for any NDA enforcement — picking PA aligns law-and-venue, which is cleanest for litigation.
Pro: PA has adopted the Pennsylvania Uniform Trade Secrets Act (PUTSA, 12 Pa.C.S. § 5301 et seq.), giving a clean state-law analog to DTSA.
Pro: PA's 4-year statute of limitations for written contracts (42 Pa.C.S. § 5525) is long enough to enforce against most breach scenarios, especially combined with the trade-secret tail.
Con: Less-developed case law on technology NDAs than DE or CA. Fewer boilerplate-blessed precedents.
Delaware:
Pro: Neutral-jurisdiction convention. Sophisticated counterparties expect it.
Pro: Chancery Court is fast for injunctive relief. DE case law is well-developed on contract interpretation generally.
Con: If Raxx is a PA LLC, picking DE law creates a forum mismatch — any PA-filed enforcement action will apply DE law in a PA court, which is doable but adds cost and uncertainty.
Con: Delaware's NDA-specific case law advantage is less meaningful than its corporate-governance case law. For a simple one-way NDA, DE law ≈ PA law in practical outcome.
Delaware is great for corporate law governing company structure and shareholder rights, but those laws don't govern IT transactions, which are governed by state contract law and federal IP law, where Delaware has no special advantage.
— Tech Contracts, "Don't Choose Delaware Law Unless You're in Delaware" [4]
Less-common alternatives to flag
California: Not recommended. CA disfavors non-solicitation and has strong employee-mobility protections; mixing CA law into an NDA that references non-solicitation (§2.2(c) in the template) creates enforceability risk on that provision.
New York: Reasonable for investor-facing NDAs if the signer is NY-based. NY does not have UETA (uses ESRA instead); this affects digital-signature mechanics — see §6.
Signer's home state: Common ask from sophisticated signers. Disclosing Party usually resists; if a deal requires it, attorney should review that specific state's NDA enforcement posture before conceding.
Recommendation to carry into consult
Pennsylvania, once the PA LLC is formed. Pre-formation (if the portal launches before [ENTITY_NAME] exists), attorney should advise on whether to:
Delay the portal until post-formation, or
Use "Commonwealth of Pennsylvania" as [GOVERNING_STATE] with Kris Henderson personally as Disclosing Party (with a post-formation assignment clause), or
Something else.
[GOVERNING_COUNTY] will follow from the entity's registered-office county.
6. Digital-signature framework (ESIGN + UETA)
Federal layer: ESIGN (15 U.S.C. § 7001)
A signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form ... [or] solely because an electronic signature or electronic record was used in its formation.
— 15 U.S.C. § 7001(a), via Cornell LII [5]
Applies: nationwide, to transactions "in or affecting interstate or foreign commerce" — which Raxx's web-based NDA flow is.
Does not apply to (the 15 U.S.C. § 7003 exclusions, in part): wills, codicils, testamentary trusts, divorce / adoption / family-law matters, court orders, utility cancellation notices, notices of default, foreclosure or eviction on a primary residence, health-insurance / life-insurance cancellations, product-recall notices, documents required by law to accompany hazardous material transport, and most UCC transactions other than sales and leases of goods. None of these affect Raxx NDA scope.
ESIGN § 7001(c) imposes specific consumer-consent disclosures when a law otherwise requires that the record be provided in writing to a consumer. For commercial-context NDAs (between a business and an alpha-user/investor/contractor), § 7001(c) is usually not directly triggered because no separate law requires the NDA itself to be in writing to a consumer — the NDA is the first instrument creating the relationship. But:
Attorney should confirm whether any of the three v1 use-cases (alpha-user, investor, contractor) pulls in a statutory writing requirement that would trigger § 7001(c).
Cheap insurance: implement the § 7001(c) disclosures (hardware/software requirements, right to paper copy, withdrawal-of-consent procedure, contact info for updates) regardless. They're in esign-compliance-checklist.md. Belt-and-suspenders.
The consumer-consent requirements per § 7001(c)(1) include:
(A) the consumer ... has affirmatively consented to such use and has not withdrawn such consent; (B) the consumer, prior to consenting, is provided with a clear and conspicuous statement ... (C) the consumer ... consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used ...
— 15 U.S.C. § 7001(c)(1), via Cornell LII [5]
State layer: UETA
Enacted in 49 states + DC + USVI. Illinois adopted UETA in June 2021, replacing its prior Electronic Commerce Security Act [6]. Washington adopted UETA in 2020 (SB 6028). New York is the lone remaining holdout and relies instead on the Electronic Signatures and Records Act (ESRA) [7][8].
UETA's key operative sections for NDA enforceability:
§ 7 — electronic records and signatures have legal effect; a signature cannot be denied legal effect solely because it is electronic.
§ 9 (attribution): "An electronic record or electronic signature is attributable to a person if it was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable." [9]
§ 12 (record retention): electronic records satisfy statutory record-retention requirements if they accurately reflect the information in the record and remain accessible for later reference.
Practical ESIGN+UETA elements the portal must implement
For the signed NDA to hold up:
Intent to sign — a clear "I Agree" / "Sign" action separated from mere site navigation, and logged as that action rather than as a page view.
Consent to electronic records — affirmative checkbox or equivalent unambiguous action before the signer is presented with the NDA.
Attribution — verified e-mail as the primary factor, with source IP, user-agent and timestamp captured and stored alongside it. IP and user-agent corroborate the login; on their own they are weak evidence of who acted (UETA § 9 looks at the efficacy of the security procedure, not the volume of metadata).
Record retention — tamper-evident storage: a SHA-256 hash of the exact document bytes the signer saw, computed at sign-time and stored with the attribution metadata. A stored hash is only tamper-evident if it is also held somewhere the record store's own operators cannot silently rewrite (for example, printed in the copy sent to the signer, or chained into an append-only log whose head is published).
Ability to retrieve — signer can download their own signed copy at any time.
Consent withdrawal mechanism — for future records (not the signed NDA, which remains binding); see ESIGN § 7001(c)(1)(B)(i)(II) (right to withdraw) and § 7001(c)(1)(B)(iii) (withdrawal procedure).
All six are operationalized in esign-compliance-checklist.md.
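The following is an added example of how a portal could record these elements in one tamper-evident structure; it is not Raxx portal code and not part of the original document. It assumes a hypothetical record layout (field names are my own), hashes the exact document bytes the signer saw, refuses to create a record unless consent preceded an explicit sign action and the e-mail was verified, and chains records with SHA-256 so that editing, dropping or reordering a stored record is detectable. The sample NDA text and signer details are constructed for the example. The chain only proves anything if its current head is also kept outside the record store (for example, included in the copy sent to the signer); the code does not do that publishing step.

```python
"""Tamper-evident NDA signing record: an added example, not Raxx portal code.

Captures intent, consent, attribution and retention in one record, hashes the
exact document bytes shown to the signer, and chains records with SHA-256 so
any later edit to a stored record is detectable. Field names, the sample NDA
text and the sample signer are constructed for this example.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor; publish the current chain head outside the record store


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators so the same content always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_signing_record(document: bytes, signer: dict, consent_given: bool,
                         intent_action: str, prev_record_hash: str,
                         signed_at: Optional[datetime] = None) -> dict:
    """Assemble one signing record and seal it with a chained SHA-256.

    Refuses to produce a record unless consent preceded the act, the act was an
    explicit sign click, and the signer's e-mail was verified: those are the
    facts the portal must later be able to prove.
    """
    if not consent_given:
        raise ValueError("consent to electronic records must precede signing")
    if intent_action != "clicked_sign":
        raise ValueError("signature requires an explicit sign action, not navigation")
    if not signer.get("email_verified"):
        raise ValueError("attribution rests on a verified e-mail; IP and UA only corroborate")
    signed_at = signed_at or datetime.now(timezone.utc)
    record = {
        "document_sha256": sha256_hex(document),  # exact bytes shown to the signer
        "document_length": len(document),
        "signer_email": signer["email"],
        "source_ip": signer["ip"],
        "user_agent": signer["user_agent"],
        "consent_to_electronic_records": True,
        "intent_action": intent_action,
        "signed_at": signed_at.isoformat(timespec="seconds"),
        "prev_record_sha256": prev_record_hash,
    }
    record["record_sha256"] = sha256_hex(canonical(record))  # seal covers every field above
    return record


def verify_document(record: dict, document: bytes) -> bool:
    """True if `document` is byte-for-byte what this record was signed over."""
    return (record["document_sha256"] == sha256_hex(document)
            and record["document_length"] == len(document))


def verify_chain(records: list, genesis: str = GENESIS_HASH) -> Tuple[bool, str]:
    """Recompute every seal in order; return (ok, reason)."""
    expected_prev = genesis
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "record_sha256"}
        if body.get("prev_record_sha256") != expected_prev:
            return False, f"record {i}: chain break (record inserted, dropped or reordered)"
        if sha256_hex(canonical(body)) != rec.get("record_sha256"):
            return False, f"record {i}: contents altered after sealing"
        expected_prev = rec["record_sha256"]
    return True, "ok"


if __name__ == "__main__":
    nda = b"RAXX ONE-WAY NDA v1 (constructed sample text)\n"
    alice = {"email": "alice@example.com", "email_verified": True,
             "ip": "203.0.113.5", "user_agent": "Mozilla/5.0 (sample)"}
    r1 = build_signing_record(nda, alice, True, "clicked_sign", GENESIS_HASH)
    print(verify_chain([r1]))         # (True, 'ok')
    tampered = dict(r1)
    tampered["source_ip"] = "198.51.100.9"   # an operator "fixing" the stored IP after the fact
    print(verify_chain([tampered]))   # (False, 'record 0: contents altered after sealing')
```

The seal is over the canonical JSON of the whole record, so changing any attribution field, the timestamp, or the document hash invalidates it; the `prev_record_sha256` link is what turns a set of independent seals into an ordered log. It answers the §10.3 attribution question only partly: the record proves what was captured, not that the captured e-mail login was the signer, which is why the lead-in treats e-mail verification as the primary factor and everything else as corroboration.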
New York exception (if signer is NY-based)
New York's ESRA is substantively similar to UETA but uses different statutory language. ESIGN § 7002 lets a state law modify or supersede § 7001 only if that law is UETA or is otherwise consistent with ESIGN, so ESIGN applies as the federal floor in NY regardless. Practically: NY signers are fine under ESIGN.
Despite not adopting UETA, New York ... [is] nevertheless governed by the E-SIGN Act pursuant to federal law.
— ZapSign state-level compilation of eSignature laws [7]
Attorney to confirm if Raxx plans to gate significant NY-based signer volume and whether NY-specific consent-flow language is worth adding.
7. DTSA whistleblower-immunity notice (18 U.S.C. § 1833(b))
The DTSA, enacted in 2016, requires employers to include a notice of whistleblower immunity in any contract with an employee, contractor, or consultant that governs the use of trade-secret or other confidential information (18 U.S.C. § 1833(b)(3)(A)); § 1833(b)(3)(B) lets the contract instead cross-reference a policy document that contains the notice [10][11].
An employer that fails to provide the mandated notice may not be awarded exemplary damages or attorney fees in trade secret litigation against an individual to whom such notice was not provided.
— Katten / Troutman Pepper Locke synthesis of 18 U.S.C. § 1833(b)(3)(C) [10][12]
Does it apply to Raxx's NDA use-cases?
Contractors: Yes, clearly. § 1833(b)(4) defines "employee" to include contractors and consultants.
Alpha users / investors: Probably not required. The notice duty attaches to contracts "with an employee", and § 1833(b)(4) extends "employee" only to individuals performing work as contractors or consultants; an alpha user or investor sits outside that definition. The text does not settle every edge case, so treat inclusion as cheap insurance rather than relying on the narrow reading.
Low-cost insurance: The template includes the notice verbatim in §7. Inclusion costs nothing; omission forfeits exemplary damages and attorney fees against any signer to whom it should have been provided. Attorney should confirm inclusion is appropriate, but the default is include.
8. Remedies
Injunctive relief (template §6.1)
Template §6.1 acknowledges irreparable harm and entitles Disclosing Party to seek injunctive relief. The acknowledgment lowers the bar for a TRO / preliminary injunction: Delaware courts generally treat a contractual stipulation of irreparable harm as sufficient to establish that element [13], while federal courts and some other state courts treat the stipulation as persuasive but not dispositive and still expect a factual showing. Attorney to confirm the weight it carries in [GOVERNING_STATE].
"Without posting a bond" language: the template drafts it in favor of Disclosing Party. Courts vary on whether this waiver is enforceable; some require a nominal bond regardless. Attorney to advise.
Attorneys' fees (template §6.3): three postures
Two-way (whichever Party prevails recovers): the template's current draft; the usual compromise with sophisticated signers.
One-way (only Disclosing Party if it prevails): signer-unfriendly; common pushback in negotiations.
None (each bears own): default American rule; removes fee-shifting as a deterrent to signer breach.
Two-way is the balanced pick. Attorney should confirm PA / [GOVERNING_STATE] enforceability of prevailing-party clauses generally.
Arbitration — not recommended for v1
Arbitration is not included in the template. Reasoning:
Injunctive-relief speed: state-court TROs / preliminary injunctions are typically faster than assembling an arbitration panel for emergency relief. Losing that speed defeats the main NDA enforcement tool.
Cost asymmetry: arbitration filing fees are often higher than court filing fees for small-to-medium disputes; pushing signers into arbitration over an NDA breach may look heavy-handed.
Privacy: the common pro-arbitration argument (private process) is weaker for NDAs because the underlying dispute is already about confidentiality; a court case over an NDA can often proceed under seal if the Confidential Information itself would be exposed.
Attorney to confirm. If Raxx ever needs to swap in arbitration (e.g., for investor-facing v2 NDA where the investor prefers AAA commercial arbitration), it's a surgical replacement of §8.2 + addition of an arbitration clause.
Liquidated damages — not included
Liquidated damages (a fixed dollar amount per breach) are common in some industries but tricky:
Must be a reasonable pre-estimate of actual damages, not a penalty, to be enforceable.
For a pre-launch SaaS, pre-estimating actual damages is nearly impossible.
Actual damages + injunctive relief + attorneys' fees is the safer combination.
Attorney to confirm.
9. Dispute-resolution flow (informal)
Not in the template, but worth flagging as an optional add the attorney may want:
30-day cure period for non-material breaches before Disclosing Party can file suit. Pro: gives signer a chance to remediate, reduces nuisance litigation. Con: in a trade-secret-leak scenario, 30 days is too long — the leak has already happened.
Meet-and-confer obligation before filing. Similar pro/con calculus.
Recommendation: do NOT include cure-period or meet-and-confer as a condition precedent to injunctive relief. Confidentiality breaches are time-sensitive; any precondition on court access weakens the primary remedy. If included at all, carve out injunctive relief from the precondition.
10. Open questions for the attorney consult (aggregated)
These roll up all questions from this doc + nda-template.md. Intended to be taken as a single agenda into the #151 consult.
Engagement + scope
Can you handle NDA template review + revision as part of the entity-formation / trademark package (from docs/business/questions-for-attorney.md), or is this a separate scope / flat fee?
Fee for reviewing, marking up, and signing off this template as Raxx's production version?
Turnaround time?
Structural decisions
Term length: 3-year headline + trade-secret tail — agree, or prefer 2 / 5?
Governing state: PA (once LLC is formed) vs. DE — agree with PA, or reasons to prefer DE?
Pre-formation naming: if portal launches before [ENTITY_NAME] exists, use Kris personally with post-formation assignment, or delay portal until formation lands?
Drafting specifics
Carve-out philosophy: loose + reasonable-person standard (current §1.1) vs. marked-only. Which matches standard attorney practice for this context?
Non-use §2.2: non-solicitation subclause (§2.2(c)) — keep standalone, move to a separate agreement, or strike? (Question sharpens if any alpha users are CA-resident.)
Section 6.1 "no bond" language — keep, soften, or strike?
Section 6.3 attorneys' fees — two-way ("prevailing Party") vs. one-way in favor of Disclosing Party?
Section 7 DTSA notice — confirm inclusion is appropriate for all three v1 use-cases.
Section 8.3 jury-trial waiver — keep, strike, condition on jurisdiction?
Section 10 ESIGN language — sufficient for commercial-context NDA, or should § 7001(c)(1)(A)-(D) consumer-consent disclosures be added to the portal consent flow as belt-and-suspenders?
Use-case coverage
Should v1 bifurcate into distinct templates for (a) alpha users, (b) investors, (c) contractors? Or is one template with the same language fine for all three?
v2 mutual-NDA trigger — confirm that v1 one-way only is appropriate and flag any v1 use-case that secretly needs mutuality.
Contractor use-case — is a plain NDA sufficient, or does it need to be paired with a contractor IP-assignment agreement (tying into docs/business/questions-for-attorney.md §E)?
Portal mechanics (for architect handoff)
Section 10.4 record retention — is "commercially reasonable time" acceptable, or should we commit to a specific SLA (e.g., "within 5 business days")?
Section 10.3 attribution — is IP + UA + email + timestamp sufficient attribution, or do we need additional factors (e.g., SMS 2FA, device fingerprint) to meet UETA § 9 for higher-value signers (investors)?
Record retention period — template is silent; epic #161 calls for NDA term + 6 years. Confirm 6-year buffer is appropriate for PA (4-year § 5525 SoL + 2-year buffer).
11. Sources
Primary sources:
[5] 15 U.S.C. § 7001 — ESIGN Act text (general rule of validity, consumer-consent requirements). Via Cornell Legal Information Institute: https://www.law.cornell.edu/uscode/text/15/7001
[9] UETA § 9 — Attribution and Effect of Electronic Record and Electronic Signature. Uniform Law Commission 1999 model text: https://www.uniformlaws.org/committees/community-home?CommunityKey=2c04b76c-2b7d-4399-977e-d5876ba7e034
18 U.S.C. § 1836 et seq. — Defend Trade Secrets Act, federal trade-secret cause of action.
[1] mydock365, "How Long Do Non-Disclosure Agreements Last?" — industry-norm ranges. https://www.mydock365.com/how-long-do-non-disclosure-agreements-last
[2] EveryNDA, "Duration Clauses in Non-Disclosure Agreements" — term-length industry norms + trade-secret-tail pattern. https://www.everynda.com/blog/duration-clauses-non-disclosure/
[3] Certinal, "Do NDAs Expire?" — practical framing of expiration and trade-secret survival.
[4] Tech Contracts, "Don't Choose Delaware Law Unless You're in Delaware" — Mike Dunlap's analysis of DE governing-law for non-DE entities. https://www.techcontracts.com/2011/08/22/dont-choose-delaware-law-unless-youre-in-delaware/
[6] DLA Piper, "With Illinois's adoption of UETA, United States near full adoption" (2021) — IL UETA adoption confirmation + replacement of ECSA. https://www.dlapiper.com/en/insights/publications/2021/07/with-illinoiss-adoption-of-ueta-united-states-near-full-adoption
[7] ZapSign, "Legal Validity of Electronic Signatures in the United States" — NY as the lone UETA holdout, ESRA framing.
[8] NYC Bar Association, "Modernizing New York's Electronic Signatures Law (ESRA & UETA)" (2026) — committee report recommending NY adopt UETA. https://www.nycbar.org/reports/modernizing-new-york-electronic-signatures-esra-ueta/
[10] Katten Muchin Rosenman, "The Notice Provision of the Defend Trade Secrets Act (DTSA)" — notice-requirement framework. https://katten.com/The-Notice-Provision-of-the-Defend-Trade-Secrets-Act
[11] American Bar Association, "Explaining the Defend Trade Secrets Act" (2016) — statute overview. https://www.americanbar.org/groups/business_law/resources/business-law-today/2016-september/explaining-the-defend-trade-secrets-act/
[12] Troutman Pepper Locke, "How Safe Is That Harbor? The Impact Of The Defend Trade Secrets Act's Whistleblower Immunity Provision ...".
Cooley Go — startup-template explainer (general reference for NDA industry norms).
Y Combinator SAFE / standard forms — referenced as the dominant startup-template convention (general reference).
ATTORNEY REVIEW REQUIRED BEFORE USE. Carry this document and nda-template.md into the #151 consult with a contract attorney (SaaS / technology-transactions background, licensed in [GOVERNING_STATE]). The section 10 open-questions list is the consult agenda.