Employee Confidentiality and Security Agreement

Drafts enforceable U.S. Employee Confidentiality and Security Agreements protecting proprietary information, trade secrets, and digital assets, with layered confidential-information definitions, security and acceptable-use obligations, incident reporting protocols, termination property-return procedures, and post-employment restrictive covenants. Incorporates state-specific enforceability standards, DTSA whistleblower immunity notice, and NLRA Section 7 savings clauses. Use when onboarding employees, updating confidentiality policies, or drafting NDA-style employment agreements (trigger keywords: confidentiality agreement, employee NDA, security agreement, trade secret, acceptable use, incident reporting, post-employment restrictions).

ID: us.employment.confidentiality-security-agreement
Version: 0.1.0
License: Apache-2.0
Author: CaseMark
Language: en
Added: 2026-05-27

Drafts an execution-ready agreement protecting company proprietary information, trade secrets, and digital assets while establishing employee security obligations and post-employment restrictions.


Checkpoint A: Pre-Draft Intake (Mandatory)

Ask every time unless user says "use defaults." Gather:

  1. Governing jurisdiction — state law for restrictive covenants, trade secret protections, consideration requirements
  2. Company documents — existing confidentiality agreements, handbooks, security policies
  3. Employee role — position, access level, exposure to sensitive systems/data
  4. Industry context — regulated industries (healthcare, finance, defense) need sector-specific provisions
  5. Existing restrictive covenants — prior agreements that must be harmonized

If user doesn't respond, apply and label defaults: at-will employment state; general staff access level; 3-year non-trade-secret duration; 1-year non-solicitation; governing law per company's home state.

Intake Table

| Item | Details |
| --- | --- |
| Company (legal name/entity/state) | |
| Employee (name/title/department) | |
| Governing jurisdiction | |
| Access level (general / elevated / executive) | |
| Regulated industry? (specify) | |
| Existing agreements to harmonize | |
| Post-hire execution? (additional consideration needed) | |

Pre-Drafting Research

| Area | Key Items |
| --- | --- |
| State enforceability | Restrictive covenant standards, blue-pencil vs. reformation, consideration requirements |
| Trade secret law | UTSA adoption, state statutes, DTSA federal protections |
| Employee mobility | Non-compete bans/restrictions, NLRA § 7 protections, whistleblower statutes |
| Data protection | State privacy acts, HIPAA, GLBA, CMMC (if defense) |
| Recent case law | Reasonableness standards for scope/duration in governing jurisdiction |

Step 1: Draft Confidential Information Provisions

Definition — Layered Category Approach

| Category | Examples |
| --- | --- |
| Technical/Proprietary | Trade secrets, source code, algorithms, R&D, manufacturing processes |
| Business Strategy | Business plans, pricing, margins, financial projections, M&A targets |
| Customer/Relationship | Customer lists, supplier networks, contract terms, referral sources |
| Financial/Operational | Financial statements, budgets, compensation structures, performance metrics |
| Intellectual Property | Inventions, patents, copyrights, trademarks, proprietary methodologies |

  • Cover all formats: written, oral, electronic, visual
  • Include derivative works (analyses, compilations, summaries)
  • Protection applies regardless of whether marked "confidential"

Standard Exceptions

Employee bears burden of proof (clear and convincing evidence):

  1. Already public at disclosure (not through employee's breach)
  2. Lawfully in employee's possession pre-disclosure (documented)
  3. Received from third party without restriction
  4. Independently developed without reference to Confidential Information (contemporaneous documentation required)

Obligations

  • Non-disclosure without prior written authorization from authorized officer
  • Duration: indefinite for trade secrets; [3–5] years for other Confidential Information
  • Use limited to assigned duties within employment scope
  • Standard of care: at least reasonable care, no less than employee's own
  • Need-to-know restriction; internal sharing only to authorized personnel under equivalent obligations
  • Secure storage: encryption (electronic), locked storage (physical), secure disposal
  • Immediate incident notification to security officer/legal

Compelled Disclosure Carve-Out

Immediate notice to legal on receipt of subpoena/court order → cooperate with protective order efforts → disclose only what is legally required.

Protected Activity Savings Clause (REQUIRED)

  • DTSA immunity for disclosures to attorneys/government officials in confidence
  • Whistleblower cooperation protections
  • NLRA § 7 rights preserved (wages, working conditions)

Step 2: Draft Security Responsibilities

Password and Access Control

  • Personal credentials; never shared
  • Minimum: 12+ characters, mixed case/numbers/symbols, unique per system
  • No plaintext storage; company-approved password managers only
  • MFA required on all available systems
  • Lock workstations when unattended; log out of sessions
  • Report compromised credentials immediately
  • All access terminates upon separation

Acceptable Use

| Permitted | Prohibited |
| --- | --- |
| Primary business use of company systems | Unauthorized software/extension installation |
| Limited personal use (non-interfering) | Circumventing security controls or monitoring |
| Professional communications via company tools | Unauthorized devices on company networks |
| | Illegal, explicit, or infringing content |
| | Competitive activities on company systems |
| | Company data on unapproved personal cloud |

  • BYOD (if applicable): company MDM required, remote wipe consent, security software mandatory
  • Remote access: approved VPN only; adequate privacy at remote locations
  • No expectation of privacy on company systems — monitoring may occur without notice

Incident Reporting Protocol

Reportable: data breaches, unauthorized access, malware, phishing, lost/stolen devices, inadvertent disclosure, suspicious behavior, physical security breaches.

  1. Report to IT security + direct supervisor within [2–4] hours of discovery
  2. Preserve all evidence — no deletion, alteration, or destruction
  3. Document: what happened, when discovered, systems/data affected, actions taken
  4. Maintain incident confidentiality; share only with authorized personnel
  5. Follow incident response team instructions

Non-retaliation: Good faith reporting carries no negative consequences, even if incident resulted from employee's error.


Step 3: Draft Termination and Post-Employment Provisions

Return of Property (immediately upon termination or earlier upon request)

  • [ ] All company-issued equipment (laptops, phones, tablets, tokens, keys, cards)
  • [ ] All physical documents containing Confidential Information
  • [ ] Delete company data from personal devices, cloud accounts, personal email
  • [ ] Written certification of compliance (specify devices/systems wiped)
  • [ ] Certification required before release of final compensation

Company rights: inspect workspace/devices, remotely wipe MDM-enrolled devices, pursue legal remedies.

Survival of Obligations

| Obligation | Duration |
| --- | --- |
| Trade secret confidentiality | Indefinite (while information qualifies) |
| Other Confidential Information | [3–5] years post-termination |
| Employee non-solicitation | [1–2] years (jurisdiction-dependent) |
| Customer non-solicitation | [1–2] years, material-contact customers only |

  • Non-solicitation = active solicitation only; does not bar accepting competitor employment or responding to unsolicited inquiries
  • Employee must notify prospective employers of continuing obligations
  • Employee must notify company of new employment (employer, general responsibilities)
  • Cooperation: respond to legal process, assist with litigation/investigations, provide truthful testimony (reasonable compensation for time)

Step 4: Draft Legal Framework

Acknowledgments (employee confirms)

  • Read and understood; opportunity to consult counsel
  • Voluntary execution without duress
  • Restrictions reasonable in scope, duration, and geography
  • Confidential Information is valuable; unauthorized disclosure = irreparable harm
  • Adequate consideration received
  • For post-hire execution: specify additional consideration (promotion, raise, bonus, or continued employment per jurisdiction) [VERIFY]

Protected Rights Acknowledgment (REQUIRED)

  • DTSA immunity per 18 U.S.C. § 1833(b) [VERIFY]
  • Whistleblower protections: unrestricted government agency reporting
  • NLRA § 7: right to discuss wages and working conditions

Enforcement Provisions

  • Governing law: [state], no conflicts-of-law principles
  • Exclusive venue: state and federal courts in [county/state]
  • Equitable relief available without bond or proof of actual damages
  • Prevailing party: reasonable attorneys' fees, costs, expert fees
  • Severability with reformation to minimum enforceable scope
  • Integration clause; supersedes prior understandings on subject matter
  • Amendment: written, signed by both parties; no oral modifications
  • Assignment: company may assign (merger/acquisition/sale); employee may not
  • Supplements (does not replace) other confidentiality/IP agreements — most protective provision controls

Signature Block

Employee signature, printed name, date; authorized company representative signature, title, date. Separate acknowledgment page optional.


Step 5: Assemble Agreement in Section Order

  1. Parties, Recitals, and Effective Date
  2. Confidential Information — definitions, categories, exceptions, obligations, compelled disclosure carve-out, protected activity savings clause
  3. Security Responsibilities — access control, acceptable use, incident reporting, non-retaliation
  4. Termination and Post-Employment — property return, survival of obligations, non-solicitation, cooperation
  5. Legal Framework — acknowledgments, protected rights, enforcement, severability, integration
  6. Signatures

Checkpoint B: Post-Draft Alignment (Mandatory)

After delivering the initial draft, ask:

  1. Are the confidential information categories appropriate for this employee's role and access level?
  2. Are the non-solicitation durations acceptable given the governing jurisdiction?
  3. Is additional consideration needed for post-hire execution?
  4. Should BYOD or remote-work provisions be included or expanded?

If user doesn't answer, recommend confirming non-solicitation scope and post-hire consideration (highest-risk decisions) and proceed if authorized.


Quality Audit

Before finalizing, verify:

  • [ ] DTSA whistleblower immunity notice included per 18 U.S.C. § 1833(b) [VERIFY]
  • [ ] NLRA § 7 savings clause present — no overbroad restrictions on wage/conditions discussions
  • [ ] Protected activity carve-out covers government reporting and attorney disclosures
  • [ ] Trade secret duration = indefinite; other confidential info = [3–5] years
  • [ ] Non-solicitation scope reasonable for governing jurisdiction [VERIFY]
  • [ ] Post-hire consideration specified if agreement executed after onboarding
  • [ ] Blue-pencil/reformation doctrine matches governing state [VERIFY]
  • [ ] Return-of-property checklist complete with certification requirement
  • [ ] Incident reporting timeline and protocol specified
  • [ ] No non-compete provisions unless specifically requested and confirmed enforceable [VERIFY]
  • [ ] All bracketed business terms filled or flagged
  • [ ] Compelled disclosure carve-out with notice + protective order cooperation

Guidelines

  • Jurisdiction calibration is critical — non-compete/non-solicitation enforceability varies by state; CA, CO, MN, OK, ND broadly restrict or ban non-competes [VERIFY current status]
  • Consideration requirement — many jurisdictions require independent consideration beyond continued employment for post-hire agreements [VERIFY]
  • Blue-pencil vs. reformation — know whether the jurisdiction modifies overbroad restrictions or voids them entirely
  • DTSA notice — employers must provide DTSA whistleblower immunity notice in any trade secret agreement (18 U.S.C. § 1833(b)) [VERIFY]
  • NLRA compliance — confidentiality provisions must not chill Section 7 rights
  • Role-based customization — adjust categories, security requirements, and restriction durations to employee access level and seniority
  • Do NOT include non-compete provisions unless specifically requested and confirmed enforceable
  • Do not fabricate statutory citations, case law, or enforceability standards
  • All outputs require attorney review in the governing jurisdiction
