A Non-Disclosure Agreement (NDA), or Confidentiality Agreement, is a foundational legal instrument in any AI red teaming engagement. You will be handling extremely sensitive assets—proprietary models, unreleased features, customer data, and identified vulnerabilities. A breach of confidentiality can lead to severe financial, reputational, and legal consequences. A one-size-fits-all NDA is a significant risk; the legal protections must scale with the sensitivity of the engagement.
This appendix provides conceptual templates for three distinct levels of NDAs. They illustrate the key clauses and structural differences you should consider. These are not substitutes for professional legal advice but are designed to help you understand the components and engage more effectively with legal counsel.
The following templates are for educational and illustrative purposes ONLY. They are simplified and do not constitute legal advice. The enforceability of an NDA depends heavily on specific circumstances and jurisdiction. ALWAYS consult with a qualified legal professional to draft or review any NDA before use.
Level 1: Standard Unilateral NDA
This is the most common type of NDA, used when one party (the Disclosing Party, e.g., the AI developer) is sharing confidential information with another (the Receiving Party, e.g., the red teamer). It’s suitable for initial discussions, black-box testing of non-critical systems, or engagements where the red teamer’s access is limited.
1. Definition of Confidential Information.
“Confidential Information” shall include all information disclosed by Disclosing Party to Receiving Party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. It includes, but is not limited to, business plans, customer lists, and technical data related to the [AI System Name]. It does not include information that is (a) publicly known, (b) already in the Receiving Party’s possession, or (c) independently developed by the Receiving Party.
2. Obligations of Receiving Party.
Receiving Party agrees to (i) use the Confidential Information solely for the purpose of [Purpose of Engagement, e.g., “performing a security assessment”] (the “Purpose”), and (ii) not disclose the Confidential Information to any third party without prior written consent from the Disclosing Party.
3. Term.
The obligations of non-disclosure under this Agreement shall survive for a period of [e.g., three (3)] years from the date of disclosure.
Level 2: Mutual (Bilateral) NDA
A mutual NDA is necessary when both parties will be sharing confidential information, which is common in AI red teaming: the client shares model details, and the red team shares proprietary testing methodologies, tools, or preliminary findings that are themselves sensitive. This agreement protects both sides equally.
1. Definition of Confidential Information.
“Confidential Information” means any information disclosed by one party (“Discloser”) to the other party (“Recipient”). For Company, this includes [e.g., AI model architecture, training data schemas, and API keys]. For Red Teamer, this includes [e.g., proprietary testing scripts, vulnerability discovery methodologies, and custom-developed tools].
2. Mutual Obligations.
Each party, as a Recipient, agrees to use the other party’s Confidential Information solely for the Purpose of the Engagement and will protect it with the same degree of care it uses to protect its own confidential information of like kind, but not less than a reasonable degree of care.
3. Intellectual Property.
Each party retains ownership of its pre-existing Confidential Information and intellectual property. No license is granted under this Agreement. All feedback provided by Red Teamer on Company’s systems is the property of Company, provided it does not include Red Teamer’s pre-existing Confidential Information.
Level 3: High-Security / Project-Specific NDA
This is a highly restrictive agreement for engagements involving extreme sensitivity: white-box access to source code, direct interaction with production databases containing PII, or testing of a “crown jewel” AI model before a major product launch. The language is precise, narrow, and includes severe restrictions.
1. Definition of Confidential Information.
Confidential Information under this Agreement is strictly limited to: (a) the complete source code for the AI model designated as “Project Chimera,” (b) the training dataset identified as “PC_DATASET_V4.2,” and (c) all security vulnerability reports generated by the Receiving Party during the engagement period from [Start Date] to [End Date]. No other information shall be considered confidential under this specific Agreement.
4. No Residuals Clause.
Notwithstanding any other provision, Receiving Party agrees that it will not use any “residuals” (information in non-tangible form which may be retained in the unaided memory of persons who have had access to the Confidential Information) for any purpose other than the Engagement. The Receiving Party shall not be prohibited from using general skills and knowledge, but shall not specifically apply any remembered Confidential Information of the Disclosing Party.
5. Data Destruction.
Upon termination of the Engagement, Receiving Party shall, and shall cause its representatives to, promptly return or securely destroy all materials containing Confidential Information, and provide a written certification of such destruction to the Disclosing Party within [e.g., ten (10)] business days.
6. Term for Trade Secrets.
The obligations of confidentiality for any information qualifying as a trade secret under applicable law shall persist indefinitely, for as long as such information remains a trade secret.
Comparative Overview
The following table summarizes the key distinctions between the three levels of NDAs to help you select the appropriate starting point for discussions with your legal team.
| Feature | Level 1: Standard Unilateral | Level 2: Mutual (Bilateral) | Level 3: High-Security |
|---|---|---|---|
| Primary Use Case | Initial talks, simple black-box tests, bug bounties. | Collaborative projects, partnerships, sharing of proprietary tools. | White-box audits, source code access, PII/sensitive data handling. |
| Directionality | One-way (Discloser to Recipient). | Two-way (both parties are Discloser and Recipient). | Typically one-way, but with extremely strict obligations on the Recipient. |
| Definition of Info | Broad and general. | Specific definitions for each party’s information. | Hyper-specific, often tied to a single project or dataset. |
| Typical Term | 2-3 years. | 3-5 years. | 5+ years, with indefinite terms for trade secrets. |
| Key Clauses | Standard obligations of non-use and non-disclosure. | Mutual obligations, IP ownership clarification. | No Residuals clause, mandatory data destruction, audit rights, specific penalties. |