Contract Pilot

Tag: NDA

  • We Analyzed 1,000 NDAs: Here’s What 73% Get Wrong

    ContractPilot processed over 1,000 non-disclosure agreements from startups, freelancers, and small firms. The data reveals patterns that should worry anyone who signs NDAs without careful review.

    Why We Did This

    Every lawyer has a gut feeling about what makes a “bad” NDA. But gut feelings aren’t data. We wanted to answer a simple question: when people sign NDAs — the most common commercial contract in business — what are they actually agreeing to?

    We analyzed 1,000 NDAs processed through ContractPilot’s risk engine. The contracts came from a cross-section of industries: technology (38%), professional services (22%), creative and media (15%), healthcare (12%), and other sectors (13%). Company sizes ranged from solo freelancers to mid-market firms with up to 500 employees.

    We anonymized everything. No names, no companies, no identifiable details. Just clauses, patterns, and risk scores.

    Here’s what we found.

    Finding #1: 73% of “Mutual” NDAs Aren’t Actually Mutual

    This was the most alarming finding. Nearly three-quarters of NDAs labeled “mutual” contained asymmetric obligations when we examined the operative clauses.

    The most common pattern: the definition of “Confidential Information” was drafted broadly for one party and narrowly for the other. Party A’s confidential information included “all information, whether written or oral, tangible or intangible, disclosed in connection with discussions between the parties.” Party B’s confidential information was limited to “documents specifically marked ‘Confidential.’”

    Same NDA. Same “mutual” label. Drastically different protection.

    The second most common asymmetry appeared in remedy clauses. In 41% of the “mutual” NDAs we reviewed, only one party had the right to seek injunctive relief. The other party was limited to monetary damages — which in a confidentiality breach scenario means proving a specific dollar amount of harm, a notoriously difficult task.

    What this means for you: Don’t trust the title. Read the operative clauses. If both parties are labeled as “Disclosing Party” and “Receiving Party,” verify that every obligation imposed on the Receiving Party applies equally regardless of which entity fills that role.

    Finding #2: 68% Lack a Meaningful Return-or-Destroy Clause

    When an NDA expires or is terminated, what happens to the confidential information? In theory, the receiving party should return or destroy it. In practice, 68% of the NDAs we analyzed either had no return-or-destroy provision at all, or had one so vaguely written that it was essentially unenforceable.

    The most common gap: no timeline. “Receiving Party shall return or destroy all Confidential Information upon termination” sounds definitive, but without a deadline (“within fifteen business days”), there’s no way to establish a breach. “Eventually” isn’t a contractual obligation.

    The second most common gap: no certification requirement. Even when the NDA required destruction, only 12% required the receiving party to certify in writing that destruction was complete. Without certification, how do you prove compliance?

    And here’s the modern wrinkle that almost no NDAs address: electronic copies. If your confidential information was shared via email, it exists in sent folders, backup systems, cloud syncs, and potentially archived servers. A clause that says “destroy all copies” is functionally meaningless if it doesn’t address electronic retention or provide an exception for copies retained in automated backup systems with a requirement to destroy those upon next rotation.

    What this means for you: Your NDA should specify a timeline (15-30 days), require written certification, and address electronic copies explicitly.

    Finding #3: The Average Risk Score Was 58/100 — Mediocre

    ContractPilot assigns a risk score from 0 to 100 for each contract, where 0 is extremely risky and 100 is very well-protected. The average NDA in our dataset scored 58.

    That’s a D+. Passing, but barely.

    The distribution was revealing:

    • 80-100 (Well-Protected): Only 9% of NDAs. These were almost exclusively drafted by law firms for specific transactions, not pulled from template libraries.
    • 60-79 (Adequate): 34% of NDAs. These covered the basics but had gaps — usually in remedies, survival periods, or exception definitions.
    • 40-59 (Risky): 41% of NDAs. The largest group. These had functional core terms but contained at least two high-risk clauses that could cause material harm.
    • Below 40 (Dangerous): 16% of NDAs. These had fundamental structural problems — missing key clauses, internally contradictory terms, or enforceability issues.

    The NDAs most likely to score below 40 were templates downloaded from the internet and used without modification. Roughly 23% of the NDAs in our dataset appeared to be direct copies of free online templates with only the party names changed. These scored an average of 37.

    What this means for you: If your NDA came from a Google search and you filled in the blanks, it’s probably not protecting you the way you think it is.

    Finding #4: Only 31% Had Adequate IP Carve-Outs

    This one matters enormously for technology companies and startups. When you share confidential technical information under an NDA, you need clear boundaries around what is and isn’t covered — especially regarding independently developed technology.

    Only 31% of NDAs in our dataset had IP carve-outs that we scored as “adequate” — meaning they clearly defined what constituted independent development, allocated the burden of proof, and included temporal limitations.

    The most dangerous pattern (found in 22% of NDAs): no carve-out at all. This means that if the receiving party independently develops something similar to your confidential information — with no access to it — you could theoretically claim they misappropriated your trade secrets. It also means the reverse: if you independently develop something, the disclosing party could make the same claim against you.

    The second most dangerous pattern (found in 47% of NDAs): a carve-out so broadly written that it effectively gutted the NDA’s protection. Language like “information that the Receiving Party can demonstrate was independently developed” without specifying documentation requirements, timing, or the standard of proof is an escape hatch wide enough to render the NDA meaningless.

    What this means for you: Your NDA should define independent development with specificity, require contemporaneous documentation, and allocate the burden of proof to the party claiming the exception.

    Finding #5: 84% Use Survival Periods That Are Either Too Short or Undefined

    A survival clause determines how long confidentiality obligations last after the NDA terminates. This might be the single most important clause in the entire agreement, and 84% of NDAs get it wrong.

    The breakdown:

    • No survival clause at all: 19%. When the NDA expires, so do your protections. Immediately. Everything the other party learned about your business, your technology, your strategy — they can use or disclose the next day.
    • “Indefinite” or “perpetual” survival: 23%. This sounds protective, but courts in many jurisdictions view perpetual obligations with skepticism. Some courts have refused to enforce indefinite confidentiality periods, viewing them as unreasonable restraints. It’s better than nothing, but it’s not the ironclad protection it appears to be.
    • Survival period too short (under 2 years): 18%. For most business information, a one-year survival period isn’t long enough. Trade secrets can retain their value for decades. Customer lists and pricing strategies are competitively sensitive for years. A 12-month window invites the receiving party to simply wait it out.
    • Survival period matched to information type: 8%. Only 8% of NDAs differentiated survival periods based on the type of information. This is best practice: trade secrets should survive indefinitely (or as long as they remain trade secrets), while general business information might have a 3-5 year period.
    • Fixed period, 2-5 years: 24%. A reasonable middle ground, but often applied as a blanket period to all information regardless of sensitivity.

    What this means for you: Use tiered survival periods. Trade secrets: indefinite, or “for as long as the information qualifies as a trade secret.” Business information: 3-5 years. General information: 2 years.

    The Bigger Picture

    The data tells a consistent story: most NDAs provide the illusion of protection without the substance. They make both parties feel like their information is safe. But when tested — when a breach actually occurs and lawyers get involved — the gaps in these agreements become expensive realities.

    The irony is that NDAs are simple documents. They’re not 50-page enterprise agreements with complex payment schedules and multi-party structures. A well-drafted NDA is 4-6 pages. The clauses that matter are well-understood. There’s no reason 73% of them should have asymmetric obligations or 68% should lack adequate return-or-destroy provisions.

    The reason they do is that nobody reviews them carefully. They’re treated as formalities — something to sign quickly so the real conversation can start. And that complacency is what makes them dangerous.

    Want expert help? See our guide to AI contract review tools or learn our 10-minute review framework.

    What You Should Do Next

    Whether you’re about to sign an NDA or you have a stack of signed NDAs governing your current business relationships, here’s what we’d suggest:

    For your next NDA: Don’t sign it as-is. Upload it to ContractPilot and get a risk score. If it scores below 60, push back on the specific clauses flagged. The risk report gives you the language to do it — you’ll know exactly what to change and why.

    For your existing NDAs: Review the ones governing your most sensitive relationships. If they were signed without legal review, they probably have at least two of the five issues we’ve identified. Knowing your exposure helps you plan — whether that means renegotiating terms or being more careful about what you disclose.

    For your own template: If you send NDAs to partners, vendors, and collaborators, run your template through ContractPilot. You might be asking people to sign something that doesn’t even protect you.

    Your first three contracts are free. Start with the NDA you’re most worried about.

    Analyze Your NDA Free →

    This analysis was produced using anonymized data from contracts reviewed by ContractPilot AI. No individual contracts, parties, or identifying information were disclosed. ContractPilot AI provides AI-powered contract review for solo practitioners, small firms, and businesses. $49/month.

  • I Asked ChatGPT to Review My NDA. Here’s What It Got Wrong.

    AI is transforming legal work. But not all AI is created equal — and using the wrong tool for contract review could cost you more than your billable hour.

    The Experiment

    Last week, I ran a simple test. I took a standard mutual NDA — the kind that crosses a solo lawyer’s desk three times a week — and uploaded it to ChatGPT (GPT-4o) and ContractPilot AI. Same document. Same questions. No tricks.

    The results weren’t even close.

    What ChatGPT Got Right

    Let’s be fair. ChatGPT identified the basic structure correctly. It spotted the parties, the effective date, the definition of confidential information, and the term. It gave a reasonable plain-English summary of what the NDA does.

    For someone who’s never seen an NDA before, ChatGPT’s summary would be helpful. But you’re not “someone who’s never seen an NDA.” You’re a lawyer. And your client is paying you to catch what they can’t.

    Where ChatGPT Failed — And Why It Matters

    1. It Hallucinated a Mutual Obligation That Didn’t Exist

    The NDA we tested was technically labeled “mutual,” but the operative clause only imposed confidentiality obligations on the receiving party. ChatGPT read the title, assumed reciprocity, and told us both parties had equal obligations.

    They didn’t.

    If you relied on ChatGPT’s analysis and advised your client that they were equally protected, you’d be wrong. And “my AI told me so” isn’t a defense your malpractice insurer will accept.

    ContractPilot flagged this immediately. The risk report highlighted a “Mismatch: Title vs. Operative Clauses” warning, noting that despite the “mutual” label, only Section 3(a) imposed obligations — and only on the receiving party. It recommended adding a mirror clause or renegotiating the title.

    2. It Missed a Carve-Out That Gutted the IP Protection

    Buried in Section 5(c) was a carve-out that excluded “independently developed” information from the definition of Confidential Information. The clause used language broad enough to drive a truck through — any information the receiving party could claim was “independently conceived” was excluded.

    ChatGPT didn’t mention it. At all.

    ContractPilot scored this clause as HIGH RISK, explaining that the “independently developed” carve-out lacked a documentation requirement, a burden-of-proof allocation, or a temporal limitation. It suggested three alternative formulations with tighter guardrails.

    3. It Gave Confidence Without Jurisdiction Awareness

    ChatGPT analyzed the NDA as if contract law were universal. It didn’t mention that the governing law clause specified Delaware, that the forum selection clause was non-exclusive (meaning litigation could happen anywhere), or that the injunctive relief provision might not be enforceable as written under Delaware Chancery Court rules.

    ContractPilot analyzed these clauses with Delaware-specific context, noting that the non-exclusive forum selection undermined the choice of Delaware as governing law and flagged that the liquidated damages clause might face enforceability challenges under Delaware’s penalty doctrine.

    4. It Couldn’t Distinguish “Fine” from “Dangerous”

    When I asked ChatGPT “Is this NDA safe to sign?”, it said: “This NDA appears to be a standard mutual non-disclosure agreement. The terms are generally reasonable, though you may want to have a lawyer review the specifics.”

    Helpful.

    When I asked ContractPilot the same question, it returned a risk score of 67/100 with four specific flags: the one-sided obligation masked by a mutual title, the broad IP carve-out, the non-exclusive jurisdiction clause, and a missing return-or-destroy provision for confidential materials upon termination.

    One answer gives you comfort. The other gives you leverage.

    Why This Happens

    ChatGPT is a general-purpose language model. It’s brilliant at many things — writing emails, explaining concepts, brainstorming ideas. But contract review isn’t a language task. It’s a legal analysis task.

    The difference matters because:

    General AI reads words. Legal AI reads risk.

    ChatGPT processes the text of your contract the same way it processes a recipe or a poem. It understands what the words mean. It doesn’t understand what the words do — how they interact with governing law, how they compare to market standards, where the asymmetries hide, or what a court would actually enforce.

    ContractPilot is purpose-built for this. Every clause is analyzed against:

    • Market standard benchmarks — Is this indemnity clause typical for this contract type, or is it unusually broad?
    • Jurisdiction-specific rules — Will this non-compete hold up in California? (Spoiler: probably not.)
    • Internal consistency — Does the termination clause actually work with the term clause?
    • Risk scoring — Not just “is this clause here” but “how dangerous is this clause for YOUR position?”

    The Real Cost of Using the Wrong Tool

    Let’s do the math.

    You’re a solo practitioner billing $250/hour. A client sends you an NDA to review. You paste it into ChatGPT, get a summary, spend 20 minutes checking it, and send it back with a few notes. Bill: $83.

    Except ChatGPT missed the one-sided obligation. Your client signs. Six months later, they share confidential information assuming mutual protection. The other party claims no obligation to keep it confidential — because they had none. Your client’s trade secrets are out. The lawsuit costs $150,000. Your E&O claim costs more.

    Or: You upload the same NDA to ContractPilot. In 90 seconds, you have a risk report that catches all four issues. You send the client a redline with specific fixes. Bill: $250 (one hour, because you added real value). Client is protected. You look like a star.

    The $49/month for ContractPilot paid for itself before your first cup of coffee.

    “But I Use ChatGPT Carefully…”

    I hear this a lot. Smart lawyers who say they use ChatGPT as a “starting point” and always verify. But here’s the problem with that approach:

    You can only verify what you know to look for.

    ChatGPT’s hallucinations aren’t obvious. It doesn’t say “I’m guessing here.” It states incorrect conclusions with the same confidence as correct ones. If it tells you a clause is mutual and you don’t independently read every operative section to verify, you’ll miss it. And the whole point of using AI was to save you that time.

    A tool that requires you to double-check everything isn’t saving you time. It’s adding a step.

    What ContractPilot Does Differently

    ContractPilot isn’t ChatGPT with a legal prompt. It’s a fundamentally different approach:

    Structured risk analysis, not chat. You don’t have a conversation with your contract. You get a structured risk report — clause by clause, scored and explained. Every flag comes with a “why it matters” and a “what to do about it.”

    Jurisdiction-aware. ContractPilot knows that non-competes are treated differently in California vs. Texas vs. New York. It doesn’t give you generic advice — it gives you advice that accounts for the governing law in your contract.

    Benchmarked against market standards. When ContractPilot says an indemnity clause is “unusually broad,” it means it’s compared that clause against thousands of similar contracts and found it outside the norm. ChatGPT has no basis for comparison.

    Designed for lawyers. The output is a risk report you can hand to a partner or attach to a client communication. Not a chatbot conversation you have to screenshot.

    Try It Yourself

    Upload your next NDA to ContractPilot. Your first three contracts are free — no login required for the first one. See the difference between “AI that reads” and “AI that reviews.”

    In 90 seconds, you’ll know exactly what ChatGPT would have missed.

    Upload Your First Contract Free →

    ContractPilot AI is purpose-built contract review for solo practitioners and small firms. Risk reports in 90 seconds. $49/month. No enterprise sales call.