Is an NDA legally binding in the UK?

Yes. A non-disclosure agreement is fully legally binding in the UK when it is signed by both parties and meets the standard requirements for a valid contract: offer, acceptance, consideration, and certainty of terms. An NDA does not need to be witnessed, notarised, or signed as a deed to be enforceable — a simple signed agreement is sufficient. The consideration is the mutual exchange of promises: the disclosing party agrees to share information, and the receiving party agrees to keep it confidential. UK courts routinely enforce NDAs and will grant injunctions to prevent imminent breaches where monetary damages would be inadequate.

Does a UK NDA need to be witnessed or signed as a deed?

No. A standard UK NDA does not need to be witnessed or executed as a deed. A simple contract signed by both parties — including electronic signatures — is legally sufficient. The NDA is binding from the moment both parties have signed. However, if you want the NDA to have a 12-year limitation period (rather than the standard 6 years for simple contracts under the Limitation Act 1980), you can execute it as a deed, which requires each party's signature to be witnessed. For most commercial NDAs, a 6-year limitation period is more than adequate and a simple signed contract is the standard approach.

What governing law should I use for a UK NDA — England and Wales or Scotland?

If both parties are based in England or Wales, choose the law of England and Wales. If one or both parties are based in Scotland, Scottish law is a reasonable choice and the courts of Scotland have jurisdiction. If parties are split between England and Scotland, England and Wales is the most common choice because the Commercial Court and High Court in London have extensive NDA and IP enforcement expertise. Northern Ireland has its own separate legal system and courts — use Northern Ireland law if both parties are based there. The governing law clause does not prevent a party from seeking an emergency injunction in whatever jurisdiction is most convenient.

How does UK GDPR affect NDAs and confidentiality agreements?

Since Brexit (January 2021), the UK has its own data protection law — the UK GDPR combined with the Data Protection Act 2018. If the confidential information you are sharing contains personal data (names, email addresses, financial data linked to individuals, employee records, or customer data), the UK GDPR creates additional obligations on top of the NDA. The recipient of personal data may become a data processor under UK GDPR and may need a Data Processing Agreement (DPA) in addition to the NDA. This template includes a UK GDPR clause confirming that any personal data shared remains under the disclosing party's control and the receiving party will handle it in accordance with the UK GDPR and DPA 2018.

Can I use an American NDA template in the UK?

Not without significant modifications. A US NDA template typically references US law (Delaware, New York, California etc.), US legal concepts, and US courts. Using it in a UK context creates several problems: (1) the governing law clause will be wrong; (2) UK GDPR and DPA 2018 will not be addressed; (3) US-specific remedies and legal procedures differ from UK law; (4) 'attorney' should be 'solicitor' in a UK document; and (5) injunction procedures differ between US and UK courts. Use this UK-specific NDA template, which is drafted under English law, references UK data protection legislation, and uses UK legal terminology throughout.

How long can a UK NDA last?

A UK NDA can specify any confidentiality term, but courts will scrutinise excessively long terms as potential restraints of trade. For standard business NDAs, 1–3 years is enforceable without issue. For trade secrets with long commercial value, 3–5 years is defensible. Indefinite NDAs are generally enforceable for trade secrets (which have no statutory expiry) but may be challenged for general business information. The Limitation Act 1980 gives 6 years to bring a breach of contract claim (12 years if executed as a deed), so the confidentiality term is separate from the limitation period on any claim. Most UK commercial NDAs use a 2-year confidentiality term.

Updated June 2026

Free NDA Template
for the UK

A non-disclosure agreement governed by the law of England & Wales, Scotland or Northern Ireland. Includes UK GDPR and Data Protection Act 2018 compliance, AI tools prohibition, standard exclusions and injunctive relief clause. No signup required.

↓ DOCX (Word) ↓ PDF

— or — ✏ Fill in & download ready-to-send version ↓

No signup required
Free forever
Reviewed June 2026
UK GDPR clause included

Edit & Download

Fill in your details — the preview updates live. Download a filled DOCX or PDF ready to send.

Branding (optional)

Company / Disclosing Party Logo

1 — Disclosing Party

Effective Date

Full Name / Company

Companies House No. (optional)

Registered Address (optional)

Signatory Title (optional)

2 — Receiving Party

Full Name / Company

Company Name (optional)

Address (optional)

3 — Purpose, Term & Jurisdiction

Purpose of Disclosure

Confidentiality Term

Governing Law

PDF: choose "Save as PDF" in the print dialog.

Non-Disclosure Agreement

Effective Date: enter date above

1. Parties

Disclosing Party: Disclosing Party name (Companies House No. ),

Receiving Party: Receiving Party name, ,

2. Permitted Purpose

Information may only be used for: the Purpose.

3–9. Standard Clauses

Confidential information definition · Standard exclusions · Obligations · Permitted disclosures · UK GDPR compliance · AI tools prohibition · Return of materials · Remedies

10. Governing Law & Jurisdiction

Term: 2 years

Governing law: England and Wales. The courts of England and Wales shall have exclusive jurisdiction.

Disclosing Party

Signature

Print name: _______________

Title: _______________

Date: _________________

Receiving Party

Signature

Print name: _______________

Date: _________________

Template preview

Non-Disclosure Agreement (UK) Free to download

Parties

1. Agreement Parties

This Non-Disclosure Agreement ("Agreement") is entered into on [Date] between [Disclosing Party Name], [Registered Address] ("Disclosing Party"), and [Receiving Party Name], [Address] ("Receiving Party"). Only the Disclosing Party will disclose Confidential Information under this Agreement.

Confidential Information

2. Definition of Confidential Information

"Confidential Information" means all non-public information disclosed by the Disclosing Party in any form — written, oral, electronic, visual or otherwise — that is marked "Confidential" or that a reasonable person would understand to be confidential in the circumstances, including but not limited to: business plans, financial information, customer and supplier lists, pricing, technical specifications, software, trade secrets, processes, intellectual property, and personal data (as defined under the UK GDPR).

Exclusions

3. Standard Exclusions

Confidentiality obligations under this Agreement do not apply to information that: (a) is or becomes publicly available through no breach by the Receiving Party; (b) was rightfully known to the Receiving Party before disclosure without restriction; (c) was independently developed by the Receiving Party without reference to the Confidential Information; or (d) is required to be disclosed by law, court order, regulatory authority or the rules of a recognised investment exchange, provided the Receiving Party gives prior written notice to the Disclosing Party where permitted.

UK GDPR Compliance

4. Data Protection — UK GDPR and DPA 2018

To the extent that Confidential Information includes personal data (as defined by the UK General Data Protection Regulation and the Data Protection Act 2018), the Receiving Party shall process such personal data only for the Permitted Purpose, shall implement appropriate technical and organisational measures to protect it, and shall not transfer it outside the United Kingdom without the prior written consent of the Disclosing Party and in compliance with Chapter V of the UK GDPR.

📄 Download the full template — includes AI tools prohibition, permitted disclosures, return of materials and injunctive relief under English or Scottish law.

Download the full template — free

Fill in your details above and download a ready-to-send UK NDA.

Word / DOCX Editable Document Fill in your details above and download a ready-to-send DOCX ↑ Fill & Download PDF Print-Ready Fill in your details above and save as PDF ↑ Fill & Save PDF

What's included in this template

Parties — disclosing party and receiving party identification with optional Companies House number

Definition of confidential information — covers personal data under UK GDPR

Standard exclusions — public domain, independently known, compelled disclosure

Obligations of the receiving party — UK standard of care, need-to-know basis

Permitted purpose — strict restriction to stated use only

Permitted disclosures — including to solicitors and professional advisers

UK GDPR and Data Protection Act 2018 compliance clause

AI tools prohibition — bars input of confidential info into third-party AI systems

Term and confidentiality duration — 1 to 5 years

Remedies and injunctive relief — governed by English, Welsh or Scottish law

How to use this UK NDA template

Choose your governing law based on where both parties are based

If both parties operate in England or Wales, select "England and Wales" — this gives access to the High Court and Commercial Court, which have extensive NDA and trade secret enforcement expertise. If both parties are based in Scotland, Scottish law and the Court of Session are equally appropriate. If parties are split across borders, England and Wales is the most commonly chosen governing law for UK commercial NDAs. Note that the governing law choice does not prevent either party from seeking an emergency injunction (interim interdict in Scotland) in whichever court is most readily accessible at the time of a breach.

Add a UK GDPR / Data Processing Agreement if the confidential information includes personal data

This NDA includes a UK GDPR compliance clause, but if you are sharing significant volumes of personal data — employee records, customer lists, health data, or financial data linked to identifiable individuals — a standalone Data Processing Agreement (DPA) is required under Article 28 of the UK GDPR. The DPA formalises the controller–processor relationship, specifies technical and organisational measures, and sets out the data subject rights procedure. The NDA's UK GDPR clause covers incidental personal data within business information; it is not a substitute for a full DPA when data processing is the primary activity.

Electronic signatures are fully valid in the UK under the Electronic Communications Act 2000

You do not need wet-ink signatures for a UK NDA. Electronic signatures — including typed names, scanned signatures, and e-signature platform signatures — are legally valid for simple contracts in the UK under the Electronic Communications Act 2000 and the Electronic Signatures Regulations 2002. For the highest evidential weight, use a qualified electronic signature (QES) platform such as DocuSign or Adobe Sign, but for standard commercial NDAs a simple e-signature is sufficient. Use Bonsai for fast, tracked e-signatures on this agreement.

Get it signed before any disclosure — UK NDAs have no retroactive effect

A UK NDA protects information disclosed after the agreement is signed. Information shared before signing carries no contractual confidentiality protection. This is particularly important in UK business culture, where it is common to share overview materials or pitch decks informally before formalising terms. Always send the NDA first, get both signatures, and then disclose. If you need to share something urgently before signing, follow up immediately in writing stating that the information was shared in confidence pending execution — this may provide some equitable protection. The Limitation Act 1980 gives you six years from the breach to bring a claim under the agreement.

Frequently asked questions

: Yes. An NDA is fully legally binding in the UK when signed by both parties and meeting the standard requirements for a valid contract: offer, acceptance, consideration, and certainty of terms. A signed NDA does not need to be witnessed, notarised, or executed as a deed to be enforceable — a simple signed agreement is sufficient. The consideration is the exchange of promises: the disclosing party agrees to share information; the receiving party agrees to keep it confidential. UK courts routinely enforce NDAs and will grant injunctions to prevent imminent breaches where monetary damages would be an inadequate remedy.
: No. A standard UK NDA does not require a witness or deed execution. A simple contract signed by both parties — including electronic signatures — is legally sufficient and binding from the moment of signature. If you want the NDA to carry a 12-year limitation period (rather than the standard 6 years under the Limitation Act 1980), you may execute it as a deed, which requires each party's signature to be witnessed by an independent adult. For most commercial NDAs, a 6-year limitation period is more than adequate and a simple signed contract is the standard approach used by UK solicitors.
: If both parties are based in England or Wales, choose "England and Wales." If both parties are in Scotland, Scottish law is appropriate. If parties are split between England and Scotland, England and Wales is the most common choice because the High Court and Commercial Court have extensive NDA and intellectual property enforcement expertise. Northern Ireland has its own legal system — use Northern Ireland law if both parties are based there. The governing law choice does not prevent a party from seeking an emergency injunction (in Scotland, an interim interdict) in whichever court is most immediately accessible at the time of a breach.
: Since Brexit (January 2021), the UK has its own data protection regime — the UK GDPR and Data Protection Act 2018. If the confidential information you share includes personal data (names, email addresses, employee records, customer data, financial data linked to individuals), the receiving party may become a data processor under UK GDPR, requiring a formal Data Processing Agreement (DPA) under Article 28. This NDA includes a UK GDPR clause covering incidental personal data within business disclosures, but it is not a substitute for a full DPA when data processing is the primary purpose. This template also prohibits the receiving party from transferring personal data outside the UK without written consent.
: Not without significant modifications. A US NDA typically references US state law (Delaware, New York, California etc.), US-specific remedies and court procedures, and contains no UK GDPR provision. Using it in a UK context creates problems: the governing law clause references a foreign jurisdiction; UK GDPR obligations are absent; "attorney" should be "solicitor"; and US injunction procedures differ from UK court procedure. This UK-specific template is drafted under English law, references UK data protection legislation, uses UK legal terminology and gives jurisdiction to the courts of England and Wales (or Scotland or Northern Ireland).
: A UK NDA can specify any confidentiality term, but courts will scrutinise excessively long terms as potential restraints of trade. For standard business NDAs, 1–3 years is enforceable without issue. For trade secrets with long commercial value, 3–5 years is defensible. Indefinite NDAs are generally enforceable for trade secrets (which have no statutory expiry under the Trade Secrets (Enforcement, etc.) Regulations 2018) but may be challenged for general business information. The Limitation Act 1980 gives 6 years to bring a breach of contract claim (12 years if executed as a deed), so the confidentiality term is separate from the limitation period on any claim for breach.