ARTICLE
15 March 2026

Your NDA Is Stuck In 1999. Your Data Is Not

ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
Ridwaan Boda's articles from ENS are most popular within the Privacy topic and with in-house counsel.

Most organisations sign non-disclosure agreements (“NDA”) as a matter of routine. They are often treated as preliminary documents exchanged at the start of a commercial discussion, reviewed lightly and executed quickly. However, in a cloud-based and artificial-intelligence-driven environment, the standard NDA is no longer administrative boilerplate. It is a core data governance instrument. A typical NDA would usually include a clause as follows: “Upon termination, the receiving party shall return or destroy the disclosing party's confidential information”.

Traditionally, confidential information lived in filing cabinets, local servers or email inboxes, and the standard clause assumed that data existed in a single location and that deletion was immediate and absolute. That assumption is no longer legally or technically accurate.

Confidential information today exists across distributed cloud infrastructure, automated backups, disaster recovery replicas, telemetry logs, system metadata and, increasingly, artificial intelligence environments. In this context, a generic return or destroy obligation is not merely outdated; it is misaligned with operational reality and creates regulatory exposure.

For organisations subject to the Protection of Personal Information Act (“POPIA”), 2013, and operating within a global ecosystem influenced by international data protection standards such as the General Data Protection Regulation, an NDA is not a ceremonial document. It is a governance instrument. It must reflect how information is actually processed, replicated, retained and analysed.

In modern cloud environments hosted on platforms such as Amazon Web Services, Microsoft Azure or Google Cloud Platform, or even blockchain platforms, confidential information does not reside in one identifiable location. It may simultaneously exist in live production systems, immutable backups, immutable distributed ledgers, audit logs, security monitoring tools, disaster recovery environments and the infrastructure of sub-processors. No responsible technology team can guarantee instantaneous destruction across these layers, nor is it practicable. If an NDA requires absolute return or deletion without qualification, the obligation is either technically incapable of performance or signed without a full understanding of the architecture of modern IT systems.

A legally defensible NDA must therefore move beyond simplistic destruction language and adopt a structured data exit and residual data management framework. This includes clear obligations regarding cessation of use, return of data in a usable and machine-readable format, deletion from live systems within defined timeframes, the natural ageing out of backups in accordance with documented retention cycles, binding deletion obligations on sub-processors, and written certification of destruction. It must also recognise narrowly defined lawful residual retention where required by regulation, audit obligations, fraud prevention frameworks, or litigation defence.

Artificial intelligence introduces an additional layer of risk that most legacy NDAs do not address. Employees routinely upload confidential information into AI tools. Service providers analyse datasets to improve models. Platforms retain prompts, outputs, embeddings and derived analytics. If an NDA is silent on whether confidential information may be used for model training, service improvement or analytics, the disclosing party may have limited recourse if its information becomes embedded within a system. Modern confidentiality drafting must expressly prohibit the use of confidential information for artificial intelligence training, model refinement, or product enhancement, and must restrict post-termination processing within such environments.

Regulatory scrutiny is also increasing. In investigations under POPIA and comparable frameworks, a recurring question arises: “How does the organisation know that its data was deleted (permanently)?” Without clear contractual rights to obtain written certification of destruction and evidence of deletion processes, or clear audit rights, that question becomes difficult to answer.

Across South Africa, NDAs are signed daily. Each agreement is a potential governance failure if it relies on drafting conceived for a pre-cloud, pre-artificial intelligence environment.

Updating your NDA is not administrative housekeeping. It is POPIA risk management. It is artificial intelligence governance. It is cybersecurity resilience. It is litigation preparedness. It is regulator readiness.

If your NDA still relies on a generic return or destroy clause without structural refinement, it is unlikely to provide meaningful protection in the environments where your confidential information actually resides.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
