What Lawyers Miss in Vendor NDAs (And Why It's Not Their Fault)

Contract Risk Benjamin Clarke
What Lawyers Miss in Vendor NDAs (And Why It's Not Their Fault)

The average vendor NDA gets somewhere between 8 and 15 minutes of associate attention. That's not negligence — it's triage. A mid-size in-house legal team might see 20 to 40 vendor NDAs in a month, layered on top of everything else. So you read for the definition of Confidential Information, check the exclusions, skim the term and survival, and move on.

The problem isn't that lawyers are careless. The problem is that NDA review at volume is structurally designed to miss things. The clauses that cause real trouble later are rarely the obvious ones.

The Definition of "Permitted Purpose" Is Doing a Lot of Work

Most NDAs define what the receiving party can do with confidential information. That definition — often called "Permitted Purpose" or "Authorized Purpose" — is routinely too narrow, too broad, or both at once depending on how the relationship evolves.

Consider a scenario that's become increasingly common: a mid-size software company signs an NDA with a new analytics vendor. The Permitted Purpose is defined as "evaluating the Vendor's software for potential procurement." Six months later, the vendor is integrated into the product stack, data is flowing both directions, and the original NDA still governs because no one executed a full MSA. The Permitted Purpose hasn't been updated. Technically, the vendor is using your confidential information in ways the original definition didn't authorize.

This happens because Permitted Purpose clauses feel safe when you sign them. They only become a problem when the relationship outgrows the document.

Residuals Clauses: The Exception That Swallows the Rule

Residuals clauses are probably the most misunderstood provision in vendor NDAs. A residuals clause typically says something like: the receiving party may use, in the ordinary course of business, any information retained in the unaided memory of its personnel who have had access to the disclosing party's confidential information.

That sounds reasonable. In practice, it creates a gap wide enough to drive a truck through. If a vendor's engineer reviews your pricing model, your internal processes, or your technical architecture during the evaluation, that engineer's memory isn't bound by the NDA once the engagement ends. The residuals exception means they can build on anything they retained.

We're not saying residuals clauses are uniformly unreasonable — they exist for legitimate reasons, and fighting every one of them will kill relationships before deals start. What we are saying is that residuals clauses need to be flagged, read carefully, and evaluated against what's actually being disclosed. A residuals exception in an NDA covering general pricing discussions is different from one covering source code architecture or customer lists.

Return or Destruction Provisions Are Almost Never Enforced

Every NDA has a provision requiring the receiving party to return or destroy confidential information upon request or at the end of the term. Almost none of these provisions are actually complied with in the way they're written.

The structural problem is that "return or destroy" was drafted for a world of physical documents and structured file systems. In reality, confidential information gets embedded in email threads, Slack messages, shared drives, and backup systems that the receiving party's IT team can't selectively purge. Most NDAs now include a carve-out for information retained in standard backup systems — but not all of them, and the carve-outs vary widely.

When we look at the NDAs that surface in post-breach disputes, a consistent pattern appears: the receiving party technically violated the return-or-destroy clause years before the breach because no one ever tracked what was actually sent and where it ended up. The clause creates an obligation that no one has a system to fulfill.

The fix isn't to delete the clause — it's to either narrow the definition of what "confidential" means (so the return/destruction obligation attaches to fewer materials) or to add a specific carve-out for information embedded in backup systems and ordinary course business records.

The Injunctive Relief Provision Often Isn't What It Seems

Most NDAs include a boilerplate acknowledgment that breach would cause irreparable harm, and that the disclosing party is entitled to seek injunctive relief without posting bond. Associates often read this as standard and move on.

Two things to check: First, is this mutual or one-directional? A vendor NDA drafted by the vendor often makes the injunctive relief right available only to the vendor, not to you. If it's one-directional and you're the disclosing party, that's a problem. Second, is it in a jurisdiction where preliminary injunctions are routinely granted in commercial disputes? The enforceability of injunctive relief varies considerably by state — and the governing law clause (often the last clause anyone reads) controls which state's standard applies.

Tail Periods Without Specificity

The "term" of an NDA — how long confidentiality obligations last — gets reviewed. The tail period — how long confidentiality obligations survive after the agreement terminates — often doesn't get the same scrutiny. Survival periods of two, three, or five years are common. But the key question isn't just how long the tail is; it's what information the tail applies to.

If an NDA has a five-year survival period but the confidential information includes trade secrets, the survival period may effectively be irrelevant. Trade secret protection under the Defend Trade Secrets Act (DTSA) and state law analogues doesn't expire just because an NDA term does. You're protected for as long as the information qualifies as a trade secret. But if the NDA's survival period is shorter than your jurisdiction's trade secret protection window, you may have inadvertently signaled that you're treating certain information as non-trade-secret.

This is a subtle point, and most associates reviewing NDAs at speed won't catch it because it requires cross-referencing the NDA terms against the company's IP classification framework. That cross-referencing almost never happens at the NDA stage.

Why Review Volume Creates Systematic Gaps

There's a structural reason these issues surface in vendor NDAs specifically rather than in other contract types. NDAs get reviewed fast because they're perceived as low-stakes. They're the handshake before the real conversation. But they're often the longest-lived contract in a vendor relationship — companies sign an NDA, run a pilot, decide not to proceed, and years later the NDA is the only document governing the disclosure that happened during diligence.

The clauses listed above — Permitted Purpose drift, residuals carve-outs, unenforced return obligations, one-directional injunctive relief, tail period misalignment — are all things that take 30 to 90 seconds each to check if you know what you're looking for. They're not obscure. They're just not what gets flagged when review time is tight.

When we built the clause-flagging logic for Winpathio, vendor NDAs were one of the first document types we trained on, specifically because the gap between "commonly reviewed" and "commonly missed" is so wide for this document class. The goal isn't to turn every NDA into a two-hour negotiation — it's to make the 30-second checks happen consistently, at scale, without relying on whoever happens to have bandwidth that week.

If your team is processing vendor NDAs at volume, the question isn't whether your associates are skilled enough. They are. The question is whether your review process is structured to catch the non-obvious provisions every time, not just when someone has the time to look carefully.

More from The Winpathio Brief

Start reviewing contracts faster.

Join legal teams who've cut review time by 80%.

Request Access See How It Works