Don’t Take Your NDA for Granted During Software Audits


Many businesses expend far too little effort in securing appropriate non-disclosure agreements during software audits. Some businesses even wholly overlook NDAs during the audit process, believing that they have no leverage to demand reasonable protections for the information that the auditors will ask them to provide. This is a mistake that can cost a company millions.

An NDA often represents the only opportunity to put a fence around the scope of a software audit. Many software publishers and their hired auditors may refuse to consider comprehensive pre-audit agreements. However, most typically will agree to negotiate NDAs to control the handling of audit data. An audited business needs to make the most of that opportunity by ensuring that the data to be disclosed is relevant to the kinds of questions that the auditor is allowed to ask. Here are some key points to keep in mind:

  • What Do the License Agreements Say? EULAs and other licensing agreements often contain fairly specific descriptions of how audits pertaining to those agreements may proceed. In some cases, those audit terms tightly constrain what information the auditors may disclose to the software publishers. For example, some IBM Application Specific Software License Agreements state:

    The auditor will sign a confidentiality agreement and will only disclose to IBM due and payable for the period examined.

    The NDAs proposed by auditors often contain no restrictions on what confidential information they may disclose to their clients, the software publishers. Audited businesses need to make sure that the reportable audit information is defined in the NDA in a way that is consistent with the terms of the controlling license agreements.

  • Police the Auditors. Most software auditors by practice will allow the audited business to review the preliminary audit findings for errors or discrepancies before the results are shared with the software publisher. The NDA should go further and make that sharing a contractual commitment, rather than merely a statement of intent. Ideally, a company also should push to ensure that the auditor is required either to incorporate the company’s proposed corrections to the draft findings or to include notes in the findings describing the company’s objections.
  • Extra-Contractual Objections. Sometimes, valid objections to proposed audit parameters can arise from sources other than the parties’ contracts. For example, if an audited company competes with the software publisher in certain lines of business, then excessive data sharing could implicate trade-secret concerns. Or, a healthcare provider could be subject to stringent data-security obligations that may make certain proposed audit processes cumbersome or impossible. Where those considerations exist, it almost always is a good idea to include appropriate, corresponding protective measures in the NDA.