Legal Basics · 8 min read · 14 May 2026

NDA Template for SaaS Founders: Mutual vs One-Way NDAs Explained

When do you need an NDA? What's the difference between mutual and one-way NDAs? Which clauses matter for SaaS founders — and which are just fluff? A practical guide.

Why NDAs matter for SaaS founders

If you're building a SaaS product, you'll sign NDAs constantly — before investor calls, when evaluating contractors, during partnership discussions, before acquisition conversations, and when hiring staff. Getting them wrong can mean your confidential information isn't actually protected, or that you've signed away rights you didn't know you were giving up.

The good news: NDAs are among the more standardised legal documents. Once you understand the core structure, you can evaluate any NDA quickly and know what you're agreeing to.

This guide covers the practical things SaaS founders need to know. What's the difference between mutual and one-way NDAs? Which clauses are standard vs. negotiable? And what do you actually need before handing over your pitch deck, source code, or customer list?

Mutual vs one-way NDAs: which do you need?

One-way NDA (unilateral)

A one-way NDA flows in one direction: only the disclosing party shares confidential information, and only the receiving party is bound to keep it confidential.

Use one-way NDAs when:

  • You're sharing your idea, product roadmap, or code with a contractor before engagement
  • You're pitching to a potential investor and they're just evaluating your business
  • You're providing access to a vendor who will see your customer data or internal systems
  • You're hiring an employee who will have access to proprietary information

In these scenarios, you're the only one disclosing; the contractor, investor, or vendor isn't sharing confidential information of their own. A one-way NDA is simpler and makes the obligations clearer.

Mutual NDA (bilateral)

A mutual NDA binds both parties equally. Both parties may share confidential information, and both are obligated to protect the other's information.

Use mutual NDAs when:

  • You're in discussions with a potential business partner or co-founder
  • You're exploring a merger, acquisition, or joint venture
  • You're in a technical integration or API partnership where both sides are sharing architecture details
  • Two companies are evaluating a commercial relationship where both will share sensitive pricing, customer, or product information

Most early-stage founders default to mutual NDAs for simplicity — it feels fair. That's fine in most cases. Just be aware that a mutual NDA means you're also bound by confidentiality obligations, not just the other party.

The anatomy of an NDA: clause by clause

1. Definition of confidential information

This is the most important clause. It defines what's protected. A good definition is broad and includes:

  • All information disclosed in writing, orally, visually, or in tangible form
  • Technical data, trade secrets, source code, product roadmaps
  • Business plans, financial information, customer lists
  • The fact that discussions are taking place (important for M&A and fundraising)

Watch out for definitions that are too narrow — if the definition only covers information marked "Confidential" in writing, an oral conversation about your product roadmap might not be covered.

Also watch out for carve-outs that are too broad. Standard exclusions are reasonable: information already in the public domain, information the receiving party already knew, information independently developed, information from a third party without restrictions, and legally required disclosures. But if someone tries to exclude entire categories you're sharing, push back.

2. Obligations of the receiving party

The core obligations: protect the confidential information with at least the same care as the receiving party uses for its own confidential information (minimum: reasonable care); use it only for the agreed purpose; don't disclose it to third parties without consent; limit access to employees/contractors on a need-to-know basis, under equivalent obligations.

"Reasonable care" is the standard in most jurisdictions. Some NDAs say "industry standard care" or "no less than reasonable care" — these are equivalent. Watch out for "best efforts" language which sets a higher and vaguer bar.

3. Duration of confidentiality obligations

How long does the other party have to keep your information confidential? Common options:

  • 2–3 years from signing — standard for most commercial NDA scenarios
  • Indefinitely — common for trade secrets; courts in some jurisdictions may not enforce indefinite clauses
  • Duration of the relationship + 2 years — common for employment or long-running contractor relationships

For genuinely sensitive technical IP or trade secrets, argue for longer periods (5 years or indefinite). For standard business discussions, 2–3 years is reasonable.

4. Purpose limitation

The NDA should specify exactly why confidential information is being shared (e.g., "for the purpose of evaluating a potential partnership"). This matters because it restricts how the receiving party can use your information. If you share financials for a partnership discussion, a purpose-limited NDA prevents the receiving party from using that information to compete with you or disclose it to a third party for a different reason.

5. Return or destruction of information

On termination of the agreement or on request, the receiving party should be required to return or destroy confidential information and confirm they've done so in writing. In practice, this clause is hard to enforce with digital information, but it creates a clear legal obligation and establishes a baseline for damages if violated.

6. No licence or IP transfer

Disclosure of confidential information does not grant any rights in it. This clause is often glossed over but is critical: without it, a creative lawyer could argue that sharing your source code under an NDA implies a licence to use it. The no-licence clause closes that door.

7. Injunctive relief

NDA breaches are hard to quantify in monetary damages — how do you price the damage from a competitor learning your roadmap? This clause establishes that the disclosing party is entitled to seek an injunction (court order to stop the breach) without having to prove specific financial harm. Essential. Standard in every well-drafted NDA.

Optional clauses: non-solicitation and non-compete

Non-solicitation clause

A non-solicitation clause prevents the other party from poaching your employees, contractors, or clients during the engagement and for a specified period afterward (typically 12 months).

This is reasonable and common — especially when engaging contractors or partners who will be introduced to your team. It's distinct from a non-compete: non-solicitation only restricts them from actively targeting your people or clients, not from operating in your market generally.

Enforceability: Generally enforceable across most EU jurisdictions and US states if the scope and duration are reasonable.

Non-compete clause

A non-compete clause restricts the other party from operating a competing business for a specified period and within a specified territory.

The catch: Non-competes are heavily restricted or unenforceable in many jurisdictions:

  • California (US): Non-competes are effectively unenforceable for employees and broadly for contractors under SB 699 (2024).
  • EU: Non-competes in employment context are regulated by labour law in each member state. In Estonia, non-competes require compensation. In Germany, post-contractual non-competes require at least 50% of the employee's last salary.
  • UK: Enforceable if "reasonable" in scope, duration, and geographic area.
  • India: Post-employment non-competes are generally unenforceable.

If you're asking a contractor or partner (not an employee) to sign a non-compete as part of an NDA, keep it narrow: 6–12 months, specific geographic area, specific product category. Courts will not enforce overly broad non-competes even where they are technically legal.

When you don't need an NDA

Not every conversation needs an NDA. Founders often over-NDA early-stage discussions, which can slow things down and signal inexperience to investors.

You probably don't need an NDA for:

  • Initial investor meetings — VCs and angel investors rarely sign NDAs for first calls; your idea is not your moat
  • General sales conversations with prospects — unless you're sharing pricing models or proprietary tech
  • Public marketing materials or demos
  • Conversations where you're not sharing anything genuinely confidential

You should always have an NDA for:

  • Sharing source code, architecture diagrams, or internal technical documentation with contractors
  • Sharing customer lists, financial data, or revenue figures in any commercial context
  • Acquisition or investment due diligence (a data room without an NDA is a serious mistake)
  • Partnerships where both parties will share proprietary processes or customer introductions

Practical tips for SaaS founders

  • Get it signed before sharing anything sensitive. Retroactive NDAs are harder to enforce and signal sloppy process.
  • Use e-signatures. DocuSign, Adobe Sign, or even a PDF confirmation email with both parties explicitly accepting creates a binding record in most jurisdictions.
  • Keep a signed copy. Sounds obvious. Many founders don't. Create a folder in Google Drive and keep every signed contract there.
  • Don't rely on your NDA alone. Technical controls, limited access, and need-to-know sharing reduce the blast radius if an NDA is breached.
  • Review jurisdiction-specific advice. If you're based in Estonia and the other party is in the US, make sure the governing law and dispute resolution clauses are explicit.

Key takeaways

  • Use a one-way NDA when you're the only one sharing confidential information. Use a mutual NDA when both parties will share.
  • The definition of confidential information is the most important clause — make sure it's broad enough to cover what you're actually sharing.
  • Standard exclusions are reasonable; watch for exclusions that are too broad.
  • Non-competes are unenforceable in some jurisdictions — keep them narrow and get local legal advice.
  • Sign the NDA before sharing anything sensitive, not after.