Note – The details within this blog post are not to be interpreted as legal advice.
The procurement process has a lot of moving parts. From creating well-defined requirements to finding qualified vendors to performing methodical evaluations (and everything else in between!), there’s a lot that happens before you ultimately select a winning vendor.
During the back-and-forth communication that occurs between your organization’s primary contact/project lead and the prospective vendors who are competing for your business, you will be sharing information about your organization. Some of that information may even be sensitive, confidential or not available to anyone outside of your organization, and it can be in the form of paper or digital documents or information (collectively, “nonpublic information”).
Some common examples of information exchanges that can take place during the procurement process include:
Including nonpublic information within your RFP, when necessary, in order to provide the appropriate background knowledge to prospective vendors. This helps vendors understand your requirements and create a more accurate statement of work for you to consider.
Receiving proprietary/nonpublic information from your vendors when they respond to your solicitation.
Providing a prospective vendor with nonpublic information, in the form of data, in order to demonstrate software capabilities (Best Practice: We always recommend providing dummy data to prospective vendors. Also, your organization’s privacy/data sharing policies may not even allow for live data to be shared with third parties).
Are you taking the appropriate steps to ensure your organization’s nonpublic information (and any nonpublic information you receive from vendors) is being protected? A Nondisclosure Agreement (NDA) is a contracting tool that helps you do so. Here are six best practices on using NDAs:
One-Way vs Mutual – One-way NDAs are used when you will be disclosing information to your prospective vendor but they will not be disclosing anything to you. Mutual NDAs are used when both parties (you AND the vendor) will be sharing nonpublic information with each other. In most cases during the procurement process, a mutual NDA will be the best fit.
Timing of Execution – Even though you may be simply evaluating potential vendors, and may not ever make it to the contracting stage with them, it’s important that nonpublic information is protected before it is shared. Always execute an NDA prior to sharing any type of nonpublic information. That may even mean getting NDAs signed before issuing an RFP.
Using a Template – Having a standard NDA template creates consistency and efficiency in the process. It’s important to note that your legal department should be involved in the development of your NDA template to ensure all of the important terms, conditions and definitions surrounding confidentiality are included. Also, if a vendor insists on using their own NDA template rather than yours, make sure your legal department takes a good look at it as well.
Knowing Your Policies – Before you disclose any type of information to third parties, you should be very familiar with your organization’s information classification and handling policies, and any other relevant policies (e.g. Information Security, document retention, etc.).
Testing Your Vendors – Your vendor’s willingness to execute an NDA may be a good sign of how easy (or difficult) it could be to work with them. It could also be a warning sign. For example, if a vendor is hesitant to sign an NDA or simply refuses to do so, that may be a red flag that they don’t take information security seriously and you should reconsider working with them.
Working with Existing Vendors – If you are going to be using an existing vendor for additional work, and that work requires you to share nonpublic information, make sure you have a Master Services Agreement (MSA) with that vendor that defines your relationship and that the MSA contains the appropriate confidentiality provisions. If not, it doesn’t matter that you already work with the vendor… You should execute an NDA or amend your MSA with the appropriate confidentiality provisions before procuring any additional services.
NDAs allow you to have confidence that data shared between you and prospective vendors is protected, and can hopefully lead to a more open and transparent relationship, which is ultimately better for business. If you have any questions about the procurement process or third-party management in general, be sure to contact us! We’d be happy to help.