By CrossBorder IP · Published June 5, 2026
Most companies think they have trade secret protection because they have NDAs.
They do not.
An NDA is a contract. Trade secret law — the law that actually gives you legal remedies when someone steals or misappropriates your secrets — requires something more: that you demonstrate you have taken reasonable measures to maintain secrecy.
Courts across the US and internationally are increasingly demanding evidence of systematic, documented trade secret protection. “We had NDAs” is necessary but not sufficient. Judges want to see that confidential information was identified and marked, that access was controlled and documented, that employees were trained, and that the company treated its trade secrets as valuable assets worth protecting — not as an afterthought.
This guide walks you through how to build a trade secret protection programme that satisfies that standard — one that works operationally and holds up legally if you ever need it.
In the United States, the Defend Trade Secrets Act (DTSA) defines a trade secret as information that derives economic value from not being generally known, and for which the owner has taken reasonable measures to keep secret.
The following have been found insufficient on their own:
Reasonable measures that courts give weight to include:
The standard is not perfection. Courts do not require that you make misappropriation impossible. They require that you took reasonable steps appropriate to the nature and value of the information. The stronger your programme, the stronger your legal position.
You cannot protect what you have not identified. Common categories of trade secrets:
Once identified, classify by sensitivity level using a three-tier system:
| Tier | Description | Protection Level |
|---|---|---|
| Tier 1 — Crown Jewels | Core technology, proprietary algorithms, key formulas. Loss would be catastrophic to competitive position. | Maximum: strict access controls, separate systems, senior approval for any disclosure |
| Tier 2 — Sensitive | Customer lists, pricing, unreleased product details, financial projections. | Enhanced: role-based access, NDA required before disclosure, document marking |
| Tier 3 — Internal | General business information that is confidential but not critically sensitive. | Standard: employee confidentiality obligations, internal sharing only |
Technical access controls:
Administrative access controls:
Courts look for evidence that confidential information was identified as such at the time of creation. Marking standards by document type:
Inconsistent marking hurts your case. If some documents are marked and others are not, opposing counsel will argue that you did not really treat the information as confidential. Establish a marking standard and enforce it uniformly.
Every employee should sign an Employment Agreement covering: broad definition of confidential information, obligation to use confidential information only for company purposes, return of all confidential information and company property on departure, continuing post-employment obligations, and IP assignment for all work product.
Every contractor agreement must include explicit IP assignment (not just a licence), confidentiality obligations at least as strong as those for employees, restrictions on using your confidential information for other clients, and return or destruction of confidential materials on project completion.
Any vendor with access to your confidential information should be bound by a Data Processing Agreement or Vendor Confidentiality Agreement covering: restrictions on use of your data beyond the contracted service, sub-processor restrictions, appropriate security obligations, and breach notification requirements.
Before any due diligence process, partnership negotiation, or investor presentation: mutual NDA signed before any confidential information is shared, information sharing limited to what is necessary for the specific purpose, and tracking of what was shared, when, and with whom.
Your team needs to understand what your company’s trade secrets are and why they matter, how to identify and mark confidential information, what they can and cannot share and with whom, and what to do if they suspect misappropriation.
Training frequency: at minimum at onboarding for all new employees and annually for all staff. Keep records of who completed training and when — this is evidence of your reasonable measures.
Departing employees are the most common source of trade secret misappropriation. A proper exit process includes:
The most critical 48 hours in trade secret protection are the period immediately before and immediately after an employee’s departure. Access logs for that period, combined with a proper exit process, can make the difference between catching a problem early and discovering it months later.
Every element of your trade secret programme needs to be documented. What to document:
Ready to protect your IP?
Book a free 15-minute strategy call with Cameron Reid.
Book a Free Strategy CallAbout the Author
Cameron Reid is the cofounder of CrossBorder IP, where he advises SaaS companies, tech startups, e-commerce brands, and in-house legal teams on international IP strategy. With over 20 years of experience spanning Big Law, in-house counsel roles, and startup advisory, Cameron specialises in helping businesses protect and scale their IP globally — particularly across the US, Europe, and Asia-Pacific markets.
Disclaimer: This article provides general information about international IP strategy and should not be relied upon as legal advice. IP laws vary significantly by jurisdiction and every business situation is unique. For specific guidance on your IP protection needs, please consult with a qualified attorney in your jurisdiction.