NDA Compliance Starts with Your Note-Taking Tool

Marcelo Matz, Mar 7, 2026, 5 min read

Every consultant signs NDAs. But most store client work on cloud platforms their clients never approved. Here's why your note-taking habits may be your biggest compliance gap.

The NDA paradox

Every consulting engagement starts the same way: sign the NDA. You promise to protect your client's confidential information. Then you open your laptop and start taking notes on a cloud service that stores data on servers managed by a company your client never approved.

This isn't malicious. It's just the default behavior of modern work. But defaults and NDAs don't always agree.

What NDAs typically cover

Standard consulting NDAs protect:

  • Client business strategies and competitive intelligence
  • Financial data, pricing models, and projections
  • Organizational assessments and restructuring plans
  • Technical specifications and trade secrets
  • Any information the client considers confidential

"Any information the client considers confidential" is deliberately broad. It almost certainly covers your working notes.

The third-party problem

When you store working notes on a cloud platform, you've introduced a third party: the cloud provider. This creates several NDA complications:

  1. Unauthorized disclosure: Even storing data on a third party's server could constitute disclosure under strict NDA interpretations
  2. Breach liability: A cloud provider breach exposes your client's data through no action of yours — but the NDA may not distinguish between your breach and your vendor's
  3. Cross-border data: Cloud providers may store data in jurisdictions your client didn't anticipate
  4. AI processing: Content analysis, indexing, and AI training constitute processing your client's confidential information

The multi-client risk

Consultants work across multiple clients. This amplifies the cloud storage risk:

  • Multiple clients' strategies on the same cloud account
  • Cross-client metadata patterns visible to the provider
  • A single account compromise exposes every client
  • Competitive conflicts if clients operate in the same industry

Local encryption with per-client vaults eliminates these risks: each client's data lives in its own encrypted vault under a unique password, so there is no provider-side account holding every client and no single credential that unlocks them all.

Practical steps

  1. Keep formal deliverables in your firm's approved systems
  2. Use locally encrypted storage for working notes, competitive analysis, and strategic thinking
  3. Create per-client encrypted vaults for complete isolation
  4. Audit which SaaS tools touch client data — each one is an undisclosed third party

Conclusion

NDA compliance isn't just about not talking. It's about where your notes live and who else can access them. The gap between "I signed an NDA" and "I store client work on someone else's server" is where professional risk lives.


Writtt is a free, open-source text editor with AES-256 encryption and zero cloud dependency. Download it here or explore it on GitHub.