Our standard mutual NDA for security engagements. Download, customise the highlighted fields, and send to legal@hexstrike.io for co-signature. We typically countersign within 1 business day.
Confidential & Proprietary — Security Engagement
"Confidential Information" means all non-public information disclosed by either party to the other, in any form or medium, including but not limited to: technical data, security findings, vulnerability reports, system architecture, credentials, business processes, client lists, financial information, and any other information designated as confidential or which a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure.
Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was rightfully known to the receiving party prior to disclosure without restriction; (c) is independently developed by the receiving party without reference to the disclosing party's information; or (d) must be disclosed by law, provided prompt written notice is given to the disclosing party.
Each party agrees to: (a) hold the other party's Confidential Information in strict confidence using at minimum the same degree of care it uses to protect its own confidential information, but no less than reasonable care; (b) not disclose the other party's Confidential Information to any third party without prior written consent; (c) use the other party's Confidential Information solely for the Purpose stated above; and (d) limit access to Confidential Information to employees, contractors, or agents with a need to know and who are bound by confidentiality obligations no less restrictive than those contained herein.
HEXSTRIKE specifically agrees that all data accessed, collected, or generated during a security assessment (including vulnerability findings, credentials, network diagrams, source code, and personal data) shall be: (a) stored using AES-256 encryption; (b) transmitted using TLS 1.3 or PGP encryption; (c) deleted within 14 days of engagement closure unless otherwise agreed in writing; and (d) accessed only by authorised personnel assigned to the engagement.
A party may disclose Confidential Information if required by law, regulation, court order, or governmental authority, provided that the disclosing party: (a) gives the other party prompt written notice prior to disclosure to the extent permitted by law; (b) cooperates with the other party's efforts to seek a protective order or other appropriate relief; and (c) discloses only the minimum amount of Confidential Information legally required.
This Agreement shall remain in effect for a period of [2 / 3 / 5] years from the Effective Date, unless earlier terminated by either party upon 30 days' written notice. Notwithstanding termination, the obligations of confidentiality with respect to Confidential Information disclosed prior to termination shall survive indefinitely.
Nothing in this Agreement grants either party any licence, title, or rights to the other party's Confidential Information, intellectual property, or any other proprietary rights, by implication, estoppel, or otherwise.
Each party acknowledges that breach of this Agreement may cause irreparable harm for which monetary damages would be an inadequate remedy. Accordingly, each party shall be entitled to seek injunctive relief and other equitable remedies, in addition to all other remedies available at law or in equity, without the requirement of posting bond.
This Agreement shall be governed by and construed in accordance with the laws of [Jurisdiction — e.g., "the Republic of Argentina" / "England and Wales" / "the State of Delaware, USA"], without regard to its conflict of law provisions.
This Agreement constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior and contemporaneous agreements, representations, and understandings. This Agreement may be amended only by a written instrument signed by both parties.
Email the signed NDA to legal@hexstrike.io — we countersign within 1 business day.