Due diligence & M&A

NDA for Due Diligence in the UK: Protecting Confidential Information During Business Investigations

Before buyers, investors or lenders examine a company's books, an NDA is essential. This guide explains when to use a due diligence NDA in the UK, what it must cover, permitted disclosees, and how it differs from a standard confidentiality agreement.

By Richard Wood, Founder8 min readUpdated 19 June 2026Last reviewed 19 June 2026NDAdue diligenceM&Aacquisition

Due diligence is the phase of any acquisition, investment or financing transaction in which the buyer, investor or lender examines the target company's operations, finances, legal position and commercial performance before committing to a deal. It is also the phase at which the most sensitive information changes hands. Customer lists, management accounts, supplier contracts, employment data, IP filings and litigation history are all typically disclosed — often to a room full of advisers on the buyer's side. Without a properly drafted NDA, all of this information is disclosed without any contractual protection.

This is general information, not legal advice

NDASafe is a document preparation service, not a law firm. Our templates are legally reviewed against applicable UK law at the point of release, but every situation is different. Where significant value, unusual risk or a cross-border element is involved, take independent legal advice before you sign.

Why a due diligence NDA is essential

A due diligence NDA serves three distinct functions that a general confidentiality clause in a letter of intent or heads of terms does not adequately address.

First, it creates a legally binding obligation before any information is shared — not after. In many transactions the information memorandum or data room is made available before heads of terms are negotiated. A standalone NDA executed at the outset ensures that every piece of information shared from the first conversation is protected.

Second, it controls who within the buyer's team can access information and on what terms. A well-drafted due diligence NDA includes a permitted disclosees mechanism that covers lawyers, accountants, banks and co-investors, while keeping the buyer responsible for any breach by its advisers.

Third, it restricts what the buyer can do with the information if the deal does not proceed. Without an express non-use obligation, a buyer who walks away from a transaction could theoretically use what it learned to compete with the seller, approach its customers, or poach its employees. A due diligence NDA makes that unlawful.

One-way or mutual: choosing the right structure

The choice between a one-way NDA and a mutual NDA depends on whether both parties are sharing genuinely sensitive information during the due diligence process.

  • One-way NDA (seller as disclosing party): appropriate for a straightforward asset or share sale where only the seller discloses confidential information to the buyer. The seller is the disclosing party; the buyer is the receiving party with confidentiality obligations. The simplest and most common structure for SME acquisitions.
  • Mutual NDA: appropriate where the buyer also discloses confidential information — for example in a merger of equals, a private equity deal where the fund shares details of its investment thesis and portfolio strategy, or a joint venture negotiation where both parties share financial projections and technical plans. A mutual NDA creates reciprocal obligations on both sides.
  • Investor NDA: in seed and Series A rounds the investor typically receives information from the startup (financials, cap table, technology roadmap) without disclosing much in return. A one-way NDA with the startup as disclosing party is appropriate. NDASafe's investor NDA template is designed for this structure.

What a due diligence NDA must cover

A due diligence NDA covering a UK transaction should address the following provisions:

  • Confidential information definition: all information disclosed in connection with the proposed transaction, whether written, oral or electronic, together with a specific list of categories (financial records, customer and supplier data, employee information, technical IP, regulatory history). Avoid limiting protection to information marked ‘confidential’.
  • Permitted purpose: the buyer may use confidential information only for evaluating the proposed transaction and for no other commercial purpose.
  • Non-use obligation: the buyer must not use confidential information to compete with the seller, approach its customers or suppliers, recruit its employees, or for any purpose unconnected with the proposed transaction.
  • Permitted disclosees: a defined list of categories (legal advisers, financial advisers, lenders, co-investors) who may receive information on equivalent confidentiality terms, with the buyer remaining responsible for their compliance.
  • Return or destruction: all confidential information must be returned or certifiably destroyed on request or on termination of negotiations, with written confirmation of destruction on request.
  • Duration: typically two to five years from the date of signing, or two to three years from the date the transaction terminates. Longer for highly sensitive technical information.
  • Exclusions: standard exclusions for information already in the public domain, already known to the buyer, independently developed, or received from a third party without restriction.
  • No representation on accuracy: the NDA should state that it imposes no obligation on the seller to ensure the accuracy or completeness of information disclosed — that obligation falls under the transaction documents and any warranties given on completion.
A heads of terms confidentiality clause is not enough

Many UK heads of terms include a short confidentiality clause. This is rarely sufficient for a full due diligence process. It typically lacks a permitted disclosees mechanism, does not address return or destruction, and may be stated as 'subject to contract' — meaning it is not binding. A standalone NDA executed before any information is shared is the correct approach.

Non-solicitation and standstill provisions

A due diligence NDA may include additional protective provisions beyond confidentiality itself.

A non-solicitation clause prohibits the buyer from approaching or recruiting the seller's key employees for a defined period — typically 12 to 24 months — regardless of whether the transaction proceeds. This is particularly important where the buyer is a trade buyer who could approach the seller's management team directly after a failed process.

A standstill clause prohibits the buyer from acquiring shares in the seller's holding company (or a group company) other than through the agreed transaction process, for a defined period. This protects the seller from a hostile accumulation of shares by a buyer who has received inside information through the due diligence process.

Both provisions go beyond standard confidentiality and may be resisted by trade buyers. Whether to include them depends on the sensitivity of the information being shared and the competitive relationship between the parties.

Data room access and electronic disclosure

Most UK due diligence is now conducted through a virtual data room — a secure online document repository to which the seller grants access to named individuals on the buyer's team. The NDA should address electronic disclosure explicitly: the buyer's team must not download or print documents except to the extent necessary for the permitted purpose, and any downloaded materials are subject to the same confidentiality obligations as documents received in hard copy.

Data room providers typically require users to agree to the platform's own terms before accessing the room. These platform terms sit alongside, and do not replace, the transaction NDA. The NDA governs what the buyer can do with the information; the platform terms govern the mechanics of access.

Where the data room contains personal data — employee records, customer data, contracts with individuals — the seller should ensure that providing access to the buyer is lawful under UK GDPR. The standard legal basis is legitimate interests (evaluating a transaction) combined with appropriate technical safeguards (named access, no bulk download, audit trail). Where the transaction proceeds to completion, a data processing agreement or appropriate data transfer mechanism will be needed.

Return and destruction on deal termination

If the transaction does not proceed, the due diligence NDA should specify what happens to the confidential information the buyer has received. Standard provisions include:

  • Return or destruction on demand: the seller can request return or destruction of all confidential information at any time, not just on formal termination. This is particularly important if the seller decides to terminate the process with a specific buyer partway through.
  • Destruction of notes and summaries: the obligation extends to the buyer's own notes, summaries, analyses and reports that incorporate confidential information — not just documents received directly from the seller.
  • Written certification: the buyer should confirm destruction in writing promptly on request. A standard formulation is a letter from the buyer's legal adviser certifying that all confidential information has been destroyed and no copies retained.
  • Permitted retained copies: lawyers and other advisers may retain confidential information subject to professional obligations to keep client files for a minimum period. The NDA should expressly permit this retention on the condition that retained materials remain subject to confidentiality obligations.
  • Survival of obligations: confidentiality obligations survive return or destruction and continue for the full duration of the NDA, not just while the buyer holds the information.

Which NDASafe template to use

The appropriate template depends on the transaction structure:

  • Mutual NDA (£29): use for mergers, joint venture negotiations, and any transaction where both the buyer and the seller disclose genuinely sensitive information.
  • One-Way NDA, Disclosing (£29): use for straightforward acquisitions where only the seller discloses confidential information to the buyer for the purpose of the buyer's due diligence.
  • Investor NDA (£29): use for seed, angel and Series A investment discussions where the startup is the disclosing party and the investor is reviewing financial and technical information before deciding whether to invest.
  • Complete NDA Bundle (£79): all eight NDA variants. Suitable for corporate advisers, transaction lawyers, and businesses that regularly conduct or are subject to due diligence processes.
UK due diligence NDA templates — legally reviewed, instant download

NDASafe's NDA templates are editable Word documents with permitted disclosees provisions, non-use obligations, and return-or-destroy clauses appropriate for UK M&A and investment transactions. Single template £29. Complete bundle (all 8 variants) £79. Delivered instantly as an editable .docx file.

Step by step

  1. 1
    Sign the NDA before any information is shared

    The NDA must be signed — not just agreed in principle — before any confidential document is provided. In practice this means the NDA should be executed before the information memorandum is released, before access to the data room is granted, and before any management presentation is given. Sharing information and then asking the buyer to sign the NDA creates a gap in protection that is difficult to remedy retrospectively.

  2. 2
    Define confidential information broadly and specifically

    The confidential information definition should cover all categories of information the seller will share: financial records, management accounts, customer and supplier contracts, employee details, technical IP, regulatory history and litigation. Avoid definitions limited to ‘information marked confidential’ — in a real due diligence process much of the most sensitive information is conveyed verbally or in unmarked documents. A broad catch-all definition (‘all information disclosed in connection with the proposed transaction’) combined with a specific list of categories is the most robust approach.

  3. 3
    Include a permitted disclosees provision for advisers

    The buyer will need to share confidential information with its lawyers, accountants, financial advisers, lenders and potentially co-investors. The NDA should permit disclosure to these categories of ‘permitted disclosees’ on the condition that: (a) they are told the information is confidential; (b) they are subject to equivalent confidentiality obligations; and (c) the buyer remains responsible for any breach by a permitted disclosee. This avoids the impracticality of separate NDA negotiations with every adviser.

  4. 4
    Agree the permitted purpose and non-use obligation

    The NDA should expressly limit the buyer's use of confidential information to evaluating the proposed transaction. A non-use obligation — prohibiting use of the information for any other commercial purpose, including competing with the seller or approaching its customers or suppliers — is essential. This is particularly important where the buyer is a trade buyer who operates in the same sector as the seller.

  5. 5
    Set return-or-destroy obligations for deal termination

    The NDA should require the buyer to return or certifiably destroy all confidential information (including copies, notes and electronic records) promptly on request or on termination of negotiations. Destruction certification in writing is best practice. Standard exceptions apply: documents that must be retained by law, or information that has been incorporated into backup systems that are not individually accessible. Survival of confidentiality obligations after return or destruction should be expressly stated.

Frequently asked questions

When should we sign a due diligence NDA — before or after heads of terms?

Before either. An NDA should be signed before any confidential information is shared, which in a typical transaction means before the information memorandum is released, before management presentations, and before any financial or operational data is disclosed. Heads of terms are sometimes signed simultaneously with or shortly after the NDA, but the NDA should always come first if sensitive information is involved.

Should the due diligence NDA be mutual or one-way?

It depends on the transaction structure. In a straightforward acquisition where only the seller shares confidential information, a one-way NDA (disclosing party) is appropriate. In a merger, joint venture negotiation, or private equity deal where both parties share sensitive commercial or financial data, a mutual NDA is more appropriate. If in doubt, a mutual NDA provides protection for both sides and is generally accepted by buyers and their advisers.

What information does a due diligence NDA typically protect?

A due diligence NDA typically covers financial records, management accounts, customer and supplier contracts, employee data, intellectual property details, regulatory filings, litigation history, and any other commercially sensitive information disclosed during the investigation process. The definition of 'confidential information' should be broad enough to capture all materials shared in the data room and in management meetings, not just formal documents.

Can a due diligence NDA prevent the buyer using information if the deal falls through?

Yes — this is one of the primary purposes of a due diligence NDA. The agreement should expressly prohibit the buyer from using confidential information for any purpose other than evaluating the proposed transaction. If the deal does not proceed, all confidential information must be returned or destroyed, and the buyer's team must not use what they learned to compete with, poach customers from, or approach the seller's employees.

How long should a due diligence NDA last?

A due diligence NDA typically runs for two to five years from the date of signing, or two to three years from the date the transaction is abandoned or completed. Shorter periods are common where the information becomes stale quickly; longer periods are appropriate for technical trade secrets or highly sensitive IP. The duration should be realistic — a court is unlikely to enforce an indefinite confidentiality obligation on information that is no longer commercially sensitive.

Do we need separate NDAs for each adviser or can we use a permitted disclosees list?

A permitted disclosees list is the standard approach. Rather than requiring every adviser — lawyers, accountants, financial advisers, consultants — to sign a separate NDA, the buyer's NDA includes a list of categories of permitted recipients (advisers, financing banks, co-investors) who can receive confidential information on the condition that they are told it is confidential and are bound by equivalent obligations. This is more practical than separate agreements and is widely accepted in UK M&A transactions.

Templates mentioned in this guide

Mutual NDA

From £29

Both parties share information. The default for partnerships, joint ventures, and exploratory conversations.

View template

One-Way NDA, Sharing

From £29

You're sharing confidential information. Strong protection on outbound data.

View template

Investor NDA

From £29

For pitch decks and fundraising materials. Non-circumvention and no-poach included.

View template

Related guides

M&A guide
NDA for M&A UK: Protecting Both Sides of a Business Acquisition
How NDAs work across the full M&A deal process in the UK — from the first approach through due diligence — covering mutual vs one-way, what an acquisition NDA must include, and when a template is enough.
Business sale guide
NDA for Business Sale UK: Protecting Buyers and Sellers in a Transaction
A business sale involves sharing some of the most sensitive commercial information a company holds — with a counterparty who may be a competitor. This guide explains what a UK business sale NDA must cover, how to structure it for buyer and seller, and when to sign it.
Investor & startup
NDA for Investors UK: Should You Ask an Investor to Sign?
Most UK venture capitalists will not sign an NDA before a pitch. Angel investors, family offices and strategic partners often will. Here is when an investor NDA makes sense, what it should contain, and how to protect your business idea without killing the deal.
Private equity guide
NDA for Private Equity UK: Protecting Deal Information, Portfolio Data and Fund Terms
Private equity firms, portfolio companies, management teams and investors share sensitive deal information, financial data and fund terms before any transaction or investment agreement is signed. This guide explains when a UK private equity NDA is needed and how to protect pre-contract disclosures under English law.