Confidentiality Agreement When Selling a Business: What It Covers and What It Doesn't

The NDA is the moment the buyer’s identity becomes real to you, and your business’s identity becomes real to them.

Up until the NDA is signed, they’ve seen a blind teaser with no name attached. Once they sign — and only then — do they learn what they’re actually looking at. Everything that follows: the business name, the Confidential Information Memorandum, the financials, the customer relationships, the employee situation, the operational details — all of it flows through the protection created by that signed document.

Getting the NDA right matters. A weak NDA provides paper protection that fails when it’s tested. A strong NDA creates genuine deterrence and real legal recourse.

What a business-sale NDA needs to cover

1. Definition of confidential information

The NDA should define what’s protected broadly and explicitly. Don’t rely on “all information disclosed.” Courts have held that vague definitions narrow the scope in unpredictable ways.

A strong definition covers:

• Business name, identity, and ownership
• Financial information: revenue, profit, margins, debt, customer values
• Customer and supplier names, terms, and relationships
• Employee information: compensation, roles, performance, tenure
• Intellectual property, trade secrets, and proprietary methods
• Strategic plans, pricing strategies, and operational systems
• The fact that the business is for sale at all

That last point matters. The NDA should make explicit that the existence of a potential transaction is itself confidential. A buyer who tells someone “I’m looking at buying a company in your industry — do you know [business name]?” has already caused harm, even without disclosing financials.

2. Permitted use restriction

The buyer may use confidential information only for one purpose: evaluating whether to acquire the business. This restriction is critical because it prevents a buyer — particularly a competitor or strategic buyer — from using disclosed information for any other purpose, even if they decide not to proceed with the acquisition.

Permitted use clauses should also restrict disclosure to the buyer’s advisors (attorneys, accountants, lenders) on a need-to-know basis, and require that those advisors be bound by equivalent confidentiality obligations.

3. No-contact and no-solicitation provisions

These provisions protect two of your most valuable assets:

No direct contact with employees. The buyer agrees not to approach, interview, recruit, or hire any employee of the business outside the formal sale process without seller consent. This provision is especially important if the deal falls through — you don’t want a buyer who walked through your operations to cherry-pick your best people.

No solicitation of customers. The buyer agrees not to approach your customers for any purpose — competitive or otherwise — based on information learned through the sale process. This is not just a post-closing protection; it applies during the process itself.

Both provisions typically run for one to two years from the date of signing, regardless of whether a transaction closes.

4. Return or destruction of information

If the deal doesn’t close, the buyer must return or certify the destruction of all confidential materials received. This includes documents, spreadsheets, files, and any copies. In practice, this is difficult to verify and nearly impossible to fully enforce, but the obligation itself creates a clear expectation and legal accountability.

5. Term

The confidentiality obligation itself should last two to five years from signing. Indefinite NDAs can be challenged in some states as unreasonably broad restraints. Two to five years is standard, defensible, and — for most sensitive information — long enough.

The no-solicitation provisions are typically shorter: one to two years.

6. Remedies for breach

The NDA should state clearly that breach will cause irreparable harm (which matters because it enables injunctive relief — a court order to stop the violation immediately) and that the seller is entitled to seek such relief without posting a bond.

Monetary damages should also be specified or at least preserved. A clause stating that the seller “reserves all legal and equitable remedies” is the minimum. A clause that specifies liquidated damages — a pre-agreed amount — is stronger and avoids the difficulty of proving actual harm.

What sellers most often miss

Not getting principals to sign. When the buyer is an entity — an LLC, a holding company, a PE fund — the NDA should be signed by the entity and by the key individuals who will have access to confidential information. An NDA signed only by a holding company provides limited protection if the decision-makers at that company later deny having seen the information.

Not requiring advisor coverage. The buyer’s attorney and CPA will see your financials. The NDA should explicitly require that they be bound by equivalent confidentiality. Most sophisticated NDAs include a provision requiring the buyer to ensure that their advisors are under equivalent obligations.

Not covering “the fact of the transaction.” As noted above, the existence of a sale process is itself sensitive. If your NDA only protects “financial information,” a buyer who tells the market you’re looking for an exit has arguably not breached — they didn’t disclose financials. Spell it out.

Using the buyer’s form. Sophisticated buyers — especially PE firms and strategic acquirers — often propose their own NDA form. These are typically drafted to protect the buyer, not the seller. At minimum, have your attorney review any buyer-proposed NDA before signing. At best, use a seller-form NDA from the beginning of the process.

Signing remotely with no follow-up. DocuSign is fine. But the broker should confirm receipt, flag any modifications the buyer attempts, and retain the signed copy in the deal file. Unsigned or partially-signed NDAs are common when this step isn’t actively managed.

What an NDA cannot do

The NDA creates legal recourse — it does not guarantee silence.

A buyer who signs an NDA and then deliberately or accidentally discloses your information can be sued. But litigation is slow, expensive, and requires you to prove harm. If your business loses a major customer because a buyer disclosed you’re for sale, the damages may be real but proving the causal link in court is another matter.

This is why process controls are not replaceable by legal documents. The NDA is a backstop, not a substitute for:

• Careful buyer screening before disclosure
• Staged information release tied to qualification level
• Broker-managed communication that keeps the owner arm’s length
• Document watermarking and access control

The best NDA is the one you never have to enforce because your process never gave a bad actor the chance to cause harm.

Practical checklist before you send a CIM

Before releasing any detailed business information to a buyer:

• NDA signed by the buyer entity and key individual decision-makers
• Signed copy in your broker’s deal file, dated
• Buyer qualified for financial capacity (confirmed with your broker)
• Buyer’s acquisition rationale reviewed (beware strategic/competitive buyers)
• No-solicitation provision covers both employees and customers
• Permitted use restricted to evaluating this transaction only
• Your attorney has reviewed the NDA form (or drafted it)

This is not a bureaucratic checklist — it’s the difference between a controlled process and an exposed one. Skipping steps to move faster almost never saves time and often costs you in ways that are hard to quantify but impossible to ignore.

If you’re ready to understand what your business is worth before this process starts, a confidential valuation is the right first step.