Buyer guide

What Is an NDA in a Business Sale?

Amrita | 04 May 2026 | 18 min read

Executive summary

Learn what an NDA means in a UK business sale, when to use one, what it should cover and what sellers and buyers should check before signing.

"An NDA is a confidentiality agreement used to protect sensitive information shared during a business sale. It supports, but does not replace, buyer screening and staged disclosure."

Quick Answer

An NDA — Non-Disclosure Agreement — is a legally binding contract that sets out rules for how confidential information shared during a business sale may be used, stored and disclosed. In the UK, sellers typically ask buyers to sign one before releasing detailed financial records, customer lists, supplier contracts or other sensitive business information. An NDA is a sensible starting point, but it is not a guarantee of confidentiality — it works best alongside proper buyer screening, staged disclosure and professional advice.

Contents

  1. What an NDA does in a business sale

  2. When to use one

  3. What an NDA should include

  4. Buyer checks before signing

  5. Seller checks before sharing

  6. The limits of NDAs

  7. NDA and UK data protection law

  8. Common NDA mistakes

  9. NDA checklist

  10. FAQs

  11. Key takeaways

1. What an NDA Does in a Business Sale

When a business is for sale, the seller needs to share information that would cause serious harm if it leaked — financial performance, profit margins, customer identities, supplier terms, pricing structures, proprietary processes and sometimes staff details. That information is what a buyer needs to evaluate the opportunity. But sharing it without any protection is a significant commercial risk.

An NDA addresses this by creating a legal framework around the information. Specifically, it:

Defines what is confidential. A well-drafted NDA specifies exactly what counts as confidential information. This may include financial statements, management accounts, customer lists, pricing schedules, supplier contracts, employee details, operational processes and anything else the seller designates as sensitive.

Restricts permitted use. The buyer may only use the information for the purpose of evaluating the acquisition. They cannot use customer data to approach those customers directly, use pricing information to undercut the seller's business or pass information to competitors.

Limits who can see it. The buyer can share the information with their professional advisers — their solicitor, accountant, lender and any investor partners — but not with unrelated third parties.

Sets a duration. Confidentiality obligations typically last for a defined period. Common terms range from one to three years, though some provisions (particularly around customer lists and employee details) may be drafted to survive indefinitely.

Provides remedies if breached. The NDA gives the seller a basis for legal action if the buyer misuses the information. Remedies can include injunctions to prevent further disclosure and damages for any loss caused.

An NDA does not guarantee confidentiality. It creates consequences for breach, which is not the same thing. A buyer who breaches an NDA can be pursued through the courts, but by then the damage is often done.

2. When to Use One

In a business sale, an NDA is typically introduced before detailed information is shared — but after initial interest has been established. The general sequence looks like this:

Stage 1 — Teaser or listing. The business is marketed using a brief description that does not identify the business or its financials. No NDA is needed at this point.

Stage 2 — Initial information memorandum. Once a buyer has expressed interest, a more detailed overview — sometimes called an information memorandum or IM — is shared. Some sellers request an NDA before sending the IM. Others share a reasonably anonymised IM without one and only require an NDA before financial detail is disclosed.

Stage 3 — Financial information and due diligence. Management accounts, filed accounts, tax records, customer data and contracts are shared at this stage. An NDA should always be in place before any of this is shared.

Stage 4 — Data room access. If the seller operates a formal data room containing detailed operational, legal and financial documentation, NDA compliance is usually a condition of access.

As a seller, the practical rule is: request an NDA before you share anything you would not want disclosed if the deal fell through.

As a buyer, be prepared to sign one before receiving detailed financial information. Refusing to sign a reasonable NDA is a significant red flag to sellers and their advisers, and will typically result in information being withheld.

3. What an NDA Should Include

A short, generic NDA downloaded from the internet may not be adequate for a business sale. The following are the core components that a properly drafted NDA should address.

The parties. Full legal names and addresses of both the seller and the buyer. If the buyer intends to acquire through a limited company, the NDA should identify both the individual and the company where relevant. If there are multiple buyers (for example, two individuals buying together), all parties should be named.

The purpose. The NDA should state clearly that confidential information is being shared for the sole purpose of evaluating a potential acquisition of a named business (or a business in a defined sector, if the name itself is sensitive at this stage).

Definition of confidential information. This is one of the most important clauses. A broad definition — covering all information disclosed, whether oral, written or in any other form — is generally stronger than a narrow list. Many NDAs also allow the seller to designate specific documents as confidential at the point of disclosure.

Permitted recipients. The buyer's professional advisers (solicitor, accountant, finance broker, lender) should be named as permitted to receive confidential information. The NDA should require the buyer to ensure those advisers are themselves bound by confidentiality, either through their professional obligations or by signing equivalent terms.

Obligations on the recipient. The buyer should be required to: store information securely, not copy or distribute it beyond permitted recipients, not use it for any purpose other than evaluating the acquisition, and notify the seller promptly if they become aware of any unauthorised disclosure.

Duration. How long do the obligations last? For general commercial information, one to three years is typical. For customer data and employee information, longer periods or indefinite obligations are sometimes appropriate.

Return or destruction of information. If the deal does not proceed, the NDA should require the buyer to return all copies of confidential documents or certify that they have been destroyed. This is increasingly relevant given the volume of digital data shared during due diligence.

Exclusions. Standard exclusions from confidentiality obligations include: information already in the public domain, information the buyer already possessed before it was shared, and information received lawfully from a third party. Some NDAs also exclude information the buyer is required to disclose by law or court order, with an obligation to notify the seller promptly if such disclosure is required.

Non-solicitation. Many business sale NDAs include a provision preventing the buyer from soliciting the seller's employees, customers or suppliers if the deal does not proceed. This is a reasonable protection for the seller and should be included where staff or customer relationships are sensitive.

Governing law and jurisdiction. For UK transactions, the NDA should specify that it is governed by English law (or Scots law if the business is in Scotland) and that disputes will be resolved in the English (or Scottish) courts.

Remedies. The NDA should state that breach would cause irreparable harm for which damages alone would be inadequate, and that the seller is entitled to seek injunctive relief as well as any other remedies available at law. This supports the seller's ability to obtain an emergency injunction quickly in the event of breach.

4. Buyer Checks Before Signing

Buyers are sometimes handed an NDA and asked to sign without reading it carefully. This is a mistake. Before signing, check the following.

Is the definition of confidential information workable? Some NDAs define confidential information so broadly that it would restrict what you can discuss with your own solicitor or accountant without explicit permission. Make sure professional advisers are clearly included as permitted recipients.

Does it allow lender review? If you are using a bank loan, SBA-style lending or any form of external finance, your lender will need to review financial information. Check that the NDA permits this — or add a clause explicitly permitting it.

How long does it last? A one-year confidentiality period is generally reasonable for business financial information. Obligations that run for more than three years on general commercial information may be harder to manage and worth pushing back on.

Is there a non-solicitation clause — and is it proportionate? A non-solicitation clause preventing you from approaching the seller's customers or employees for 12 to 24 months if the deal does not proceed is generally fair. A clause that prevents you from doing business with any customer in the seller's sector — or employing any professional you met during the process — is likely disproportionate and worth negotiating.

Does it bind your company or you personally? If you are buying through a limited company, check whether the NDA is signed in your personal capacity, in the company's capacity, or both. Many sellers will request both, particularly for a smaller buyer with no trading history.

Are the remedies mutual? In a business sale, the NDA will typically be one-sided — the seller is sharing information and the buyer must protect it. This is normal and expected. However, if you are also sharing information about yourself or your funding sources, you may want equivalent protections for your own disclosures.

Take legal advice if in doubt. For a significant acquisition, it is worth asking your solicitor to review the NDA before you sign, particularly if the business is large, the information is highly sensitive or the confidentiality obligations are unusually broad.

5. Seller Checks Before Sharing

Signing an NDA is the start of the process, not the end. Sellers sometimes make the mistake of treating an NDA as sufficient protection and then sharing everything with everyone who signs one. There are additional steps that matter.

Confirm the buyer's identity. An NDA is only as useful as your ability to enforce it. Before sharing confidential information, confirm who you are dealing with. At minimum, check the buyer's name against the Companies House register if they claim to be buying through a company. For larger transactions, a basic identity check or proof of funds request is appropriate before detailed information is shared.

Screen buyers before sharing financials. Not everyone who expresses interest is a genuine buyer. Some enquiries come from competitors, industry observers or individuals with no realistic means of funding an acquisition. Apply a simple qualification process — confirm that the buyer has at least outline funding in place and is a plausible acquirer — before handing over detailed management accounts.

Use staged disclosure. Even with an NDA in place, share information progressively rather than all at once. Start with summarised financial performance. Share detailed management accounts only once the buyer has demonstrated genuine interest and basic credibility. Reserve the most sensitive information — customer contracts, key supplier terms, staff details — for late-stage due diligence once heads of terms are agreed.

Keep a log of what you share. Maintain a record of which documents you sent, when and to whom. This is useful both for managing the process and for any enforcement action if you need to demonstrate what was disclosed and when.

Do not share personal data carelessly. If the information you are sharing includes personal data about employees or customers (names, contact details, salaries, health records), you need to consider your obligations under UK GDPR. See the section on data protection below.

Seek legal advice before sharing anything highly sensitive. If the business involves proprietary technology, trade secrets, valuable customer relationships or anything that could cause serious damage if disclosed, take legal advice before sharing and not after.

6. The Limits of NDAs

NDAs are a standard part of business sale processes, but buyers and sellers should understand what they cannot do.

An NDA does not prove the buyer is serious. Any buyer can sign an NDA. It requires almost no effort or commitment. Signing an NDA is not evidence of genuine interest, financial capacity or willingness to proceed. Sellers sometimes confuse NDA signature with buyer qualification — these are different things.

An NDA does not prevent all misuse. A determined buyer who wants to misuse information can do so. The NDA creates legal consequences but does not physically prevent anything. Enforcement takes time, money and evidence. By the time a court acts, the harm may already be done.

An NDA does not make sharing personal data lawful. If the information you intend to share includes personal data covered by UK GDPR, you still need a lawful basis for sharing it. An NDA between you and the buyer does not, by itself, create that lawful basis. You may need to anonymise data initially, or rely on a legitimate interest analysis with appropriate safeguards.

An NDA is not a substitute for professional advice. Some sellers believe that once an NDA is in place, they can conduct the rest of the sale process informally. This is a mistake. An NDA sits alongside — not instead of — proper legal, financial and tax advice throughout the transaction.

An NDA may be difficult to enforce. Enforcing an NDA requires proving: that a specific person breached a specific obligation; that the breach caused identifiable harm; and that you acted promptly. In practice, this can be difficult and expensive, particularly for smaller transactions. This is why staged disclosure and buyer screening remain important even when an NDA is in place.

7. NDA and UK Data Protection Law

One aspect of business sale confidentiality that is often overlooked is UK GDPR. When a business is sold, information about employees, customers and suppliers is frequently shared as part of due diligence. Much of this information is personal data.

Under UK GDPR, personal data may only be shared where there is a lawful basis for doing so. The most relevant bases in a business sale context are:

Legitimate interests. Sharing employee data (names, roles, salary ranges) with a prospective buyer as part of due diligence is generally defensible under the legitimate interests basis, provided the processing is proportionate and necessary. You should be able to demonstrate that you carried out a legitimate interests assessment.

Legal obligation. Where sharing is required by law (for example, in a TUPE situation where employee information must be provided), this provides a separate lawful basis.

Anonymisation. Before a buyer is qualified and a serious offer is in prospect, consider anonymising personal data where possible. Sharing staff numbers and payroll cost bands rather than individual names and salaries reduces your data protection exposure during early-stage discussions.

Contractual provisions. Many NDAs now include a data protection schedule setting out the obligations of each party in relation to personal data. For transactions involving significant employee or customer data, this is good practice and your solicitor should be asked to include it.

The ICO (Information Commissioner's Office) publishes guidance on data sharing that is worth reading before you share any personal data as part of a business sale process. You can find this at ico.org.uk.

8. Common NDA Mistakes

Mistake 1: Using a generic template without reviewing it. A one-size-fits-all NDA may not reflect the specifics of your business. A business with trade secrets, proprietary technology or long-term customer contracts may need more tailored protection than a standard template provides.

Mistake 2: Not naming all permitted recipients. If the buyer's solicitor, accountant or lender is not named as a permitted recipient, technically they should not be shown the confidential information. This creates friction and potential compliance problems later.

Mistake 3: Sharing everything upfront. Getting an NDA signed and then sending the full data room immediately removes the benefit of staged disclosure. Share in proportion to progress.

Mistake 4: Not following up on return or destruction. When a deal falls through, sellers often forget to request the return or destruction of confidential documents. This leaves sensitive information in the buyer's possession with no further obligation.

Mistake 5: Not checking the buyer's identity. Sending an NDA to an email address and accepting a signature without confirming who the buyer actually is leaves you with little practical recourse if the information is misused.

Mistake 6: Assuming an NDA covers verbal conversations. Many buyers and sellers discuss sensitive matters over the phone or in person before anything is formally documented. Check whether your NDA covers oral disclosures — many templates do, but only if the information is subsequently confirmed in writing within a set timeframe.

Mistake 7: Overlooking non-solicitation. A buyer who does not complete the acquisition but who subsequently approaches your key member of staff or your largest customer has caused real harm. A non-solicitation clause in the NDA provides some protection against this.

9. NDA Checklist

Use this checklist as a starting point. Seek legal advice for any transaction where the information being shared is highly sensitive or the transaction value is significant.

Before signing (buyer and seller):

  • All parties are correctly identified by full legal name and address

  • The purpose of the NDA is clearly defined (evaluation of a potential acquisition)

  • Confidential information is defined broadly enough to cover all relevant material

  • Permitted recipients are named (advisers, lenders, investors)

  • Obligations on the recipient are clearly stated

  • Duration is specified and proportionate to the information being shared

  • Return or destruction of information on deal failure is included

  • Non-solicitation clause is included where appropriate

  • Data protection obligations are addressed

  • Governing law and jurisdiction are specified

  • Remedies clause (including injunctive relief) is included

Before sharing information (seller):

  • Buyer identity confirmed

  • Basic qualification carried out (funding, motivation, credibility)

  • Disclosure staged to match progress

  • Log of documents shared maintained

  • Personal data anonymised or handled appropriately under UK GDPR

  • Legal advice taken if information is highly sensitive

Before signing (buyer):

  • NDA permits disclosure to solicitor, accountant, lender and investors

  • Duration is reasonable

  • Non-solicitation clause is proportionate

  • Understood whether obligations run personally, corporately or both

  • Any unusually broad clauses identified and negotiated where appropriate

10. FAQs

Do I have to sign an NDA to view a business for sale?

Not always. For early-stage listings, sellers often share a brief overview or information memorandum without requiring an NDA. However, before detailed financials, customer data or supplier contracts are disclosed, most sellers will require an NDA. Refusing to sign a reasonable NDA will usually result in information being withheld.

Is an NDA the same as a confidentiality agreement?

Yes. NDA (Non-Disclosure Agreement) and confidentiality agreement are different names for the same thing. Some practitioners prefer the term confidentiality agreement or confidentiality undertaking, but they refer to the same type of document.

Can I negotiate the terms of an NDA?

Yes. An NDA is a contract and its terms can be negotiated. As a buyer, it is reasonable to push back on an unusually long duration, an overly broad non-solicitation clause or restrictions that would prevent your professional advisers from reviewing information. As a seller, you may want to strengthen the definition of confidential information or add a data protection schedule.

What happens if a buyer breaches an NDA?

The seller can seek legal remedies, including an injunction to prevent further disclosure and damages for any loss caused. In practice, enforcement requires evidence of the breach and typically involves legal costs and time. This is why preventative measures — buyer screening, staged disclosure, identity verification — remain important even with an NDA in place.

Should I share staff names and salaries under an NDA?

Be cautious. Employee personal data is protected under UK GDPR. Before sharing individual staff details, consider whether you can share anonymised or aggregated data instead (for example, number of full-time employees, payroll cost range, roles). Share individual employee details only at a later stage of due diligence, once a serious offer is in prospect, and ensure your NDA includes data protection provisions.

Does an NDA prevent a competitor from buying my business and then backing out?

Not directly. An NDA prevents misuse of information, but it does not prevent a competitor from using the process to gather market intelligence and then walking away. Staged disclosure is your primary defence against this risk — share only what is necessary to evaluate the business at each stage, and reserve the most sensitive operational detail for late-stage due diligence after heads of terms are agreed.

Do I need a solicitor to draft or review an NDA?

For a simple transaction involving straightforward information, a well-drafted standard template may be sufficient. For larger transactions, businesses with trade secrets or proprietary technology, businesses with significant employee or customer data, or any situation where you are uncertain, take legal advice. The cost of a solicitor reviewing an NDA is small compared to the potential harm from an inadequate one.

What is the difference between an NDA and heads of terms?

These are separate documents that are typically used at different stages. An NDA is signed before detailed information is shared, usually before any formal offer is made. Heads of terms (sometimes called a letter of intent or memorandum of understanding) are signed once an outline deal has been agreed — they set out the key commercial terms of the acquisition. Heads of terms often include a confidentiality clause, but they do not replace a separate NDA that governs the due diligence process.

Key Takeaways

An NDA is a standard, necessary step in a UK business sale process — but it works best as part of a broader approach to protecting confidential information, not as a standalone solution.

Before sharing any detailed financial or operational information, confirm the buyer's identity and ensure an NDA is in place. Stage your disclosure to match the buyer's progress through the process. Include non-solicitation protection where staff or customer relationships are at risk. Address UK GDPR obligations wherever personal data is involved.

As a buyer, read the NDA before signing. Ensure your professional advisers are named as permitted recipients. Push back on terms that are unreasonable or impractical — but be prepared to sign a reasonable confidentiality agreement as a condition of seeing detailed information.

Neither party should treat an NDA as a guarantee. Enforcement is possible but not always practical. Build your protection into the process itself: screen buyers, share progressively, keep records and take professional advice before sharing anything highly sensitive.

Important Disclaimer

Buy a Business Ltd is a marketplace, not a broker. Information, guides, checklists and examples on this site are for general guidance only and do not constitute legal, tax, financial, investment, valuation, brokerage or regulated advice.

Buying or selling a business involves risk. You should seek independent professional advice — including from a solicitor, accountant and other relevant specialists — before buying, selling, valuing or financing a business. Nothing in this guide constitutes legal advice and should not be relied upon as such.
