Most founders treat NDAs as a tax — a burdensome formality to sign before getting to the "real" conversation. The assumption is simple: NDAs keep information secret. But that is the wrong focus. The most critical question isn't whether your information remains private; it’s whether the agreement actually controls how your information can be used once it leaves your hands.
This distinction is the source of significant, often silent, business risk. Many NDAs focus exclusively on confidentiality — the promise not to talk about what was shared — while remaining silent on permitted use. If you are sharing proprietary data to evaluate an AI vendor or a partnership, this gap matters. In practice, the risk depends heavily on the vendor’s architecture and whether your NDA interacts with broader data processing terms. However, without an explicit restriction, data shared during a pilot — such as a proprietary customer dataset used to train a workflow prototype — can, in some cases, be incorporated into model training pipelines, effectively turning your IP into the vendor's training set. The most effective NDAs do more than define confidential information; they establish clear boundaries around how disclosed data may be used.

To stop "boilerplate drift," we advise our clients to anchor the purpose of disclosure in the preamble — e.g., 'solely for the purpose of evaluating a potential commercial partnership regarding [X]' — and ensure the 'Permitted Use' section restricts the recipient to that narrow scope. While the logic is straightforward, the nuances of 'No-Training' language often determine whether your data remains segregated from a vendor's training environment. The challenge is that no-training restrictions rarely operate in isolation. Their effectiveness often depends on how they interact with data processing agreements, product terms, ownership provisions, and model-improvement clauses elsewhere in the contract.
Many vendor agreements contain broadly drafted data-use provisions that may permit analytics, service improvement, or model training activities beyond what customers initially expect. Because these issues often depend on a vendor's technical architecture and contractual framework, effective drafting requires more than inserting a standard no-training clause. Even well-drafted no-training provisions can be undermined by analytics, service-improvement, derivative works, or model-enhancement language elsewhere in the agreement.
Ultimately, an NDA should be a bridge to a deal, not an unintended license to your intellectual property. If the text does not clearly define how your data is processed, the bridge is missing guardrails.
At General Legal, we help companies build commercial agreements that account for the realities of AI development, data governance, and model training. If you want to ensure your data rights are protected from day one, reach out for a review of your commercial agreements.
