Non-Disclosure Isn't Enough: Technical Controls Every CMO Should Have on Sensitive Documents

Firma Editorial

Document Security Expert

TL;DR

An NDA gives you legal recourse after your IP is disclosed inappropriately. Technical access controls prevent the disclosure from happening. You need both, but in practice enforcing an NDA after a breach is expensive and uncertain, while technical prevention is cheap and reliable.

Non-Disclosure Isn't Enough

Every client engagement includes a confidentiality clause. Maybe a full NDA. The legal protection is there. So why do you still need technical access controls?

Because legal protection is what you use after something goes wrong. Technical controls are what prevent it from going wrong in the first place.

What an NDA Actually Protects

An NDA (Non-Disclosure Agreement) creates a legal obligation: the signing party agrees not to disclose the specified confidential information without authorisation.

What it doesn't do:

  • Prevent someone from opening your strategy document
  • Prevent someone from sharing a Google Drive link with a colleague
  • Prevent someone from retaining access to documents after the engagement ends
  • Prevent accidental forwarding or screenshot sharing
  • Do anything automatically — it requires you to detect a breach and seek enforcement

Legal remedies are also expensive, uncertain, and relationship-destroying. Most agencies would never actually pursue litigation against a former client for an NDA breach — which means the NDA is a deterrent, not a guarantee.

The Technical Controls That Actually Prevent Disclosure

Access expiry: Set on sensitive documents at the time of sharing. When the access window closes, the document becomes inaccessible regardless of whether the recipient remembers their confidentiality obligations.

View-only without download: The recipient can read the document but cannot save a local copy. This doesn't prevent determined misappropriation (screenshots exist), but it significantly raises the effort required to retain and distribute your work.

Named individual access: Access tied to specific authenticated individuals, not a shareable link. The person must be logged in to view, so a forwarded link does not open the document for someone who isn't authorised.

Audit trail: Knowing who accessed what and when doesn't prevent disclosure, but it creates a clear record that's valuable in the event of an NDA enforcement situation.

Portal-based delivery: Concentrating all document access through a managed portal means you have one revocation point for all sensitive documents rather than hunting down individual shares.
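
The controls above, combined into one access decision, as an added example rather than code from this article or from any product. The `Grant` and `Portal` names, the decision strings and the sample users and dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    user: str                    # authenticated identity, not a link token
    doc: str
    expires: datetime            # access expiry, set at share time
    can_download: bool = False   # view-only unless explicitly granted

@dataclass
class Portal:
    grants: dict = field(default_factory=dict)  # (user, doc) -> Grant
    audit: list = field(default_factory=list)   # append-only access record

    def share(self, grant):
        self.grants[(grant.user, grant.doc)] = grant

    def revoke_user(self, user):
        """Single revocation point: drop every grant one person holds."""
        for key in [k for k in self.grants if k[0] == user]:
            del self.grants[key]

    def check(self, user, doc, action, now):
        """Decide and log a 'view'/'download' request; user is None if not logged in."""
        grant = self.grants.get((user, doc))
        if user is None:
            decision = "deny:not_authenticated"
        elif grant is None:
            decision = "deny:no_grant"          # forwarded link, or revoked
        elif now >= grant.expires:
            decision = "deny:expired"
        elif action == "download" and not grant.can_download:
            decision = "deny:view_only"
        elif action not in ("view", "download"):
            decision = "deny:unknown_action"    # fail closed
        else:
            decision = "allow"
        self.audit.append((now.isoformat(), user, doc, action, decision))  # denials too
        return decision

def demo():
    """Constructed sample: one 30-day view-only grant, then four requests."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    portal = Portal()
    portal.share(Grant("ana@client.example", "strategy.pdf", start + timedelta(days=30)))
    asks = [("ana@client.example", "view", 1), ("ana@client.example", "download", 1),
            ("bob@client.example", "view", 1), ("ana@client.example", "view", 31)]
    return [portal.check(u, "strategy.pdf", a, start + timedelta(days=d)) for u, a, d in asks]
```

Because denied requests are written to the audit list as well, the record shows attempts made after expiry or revocation, not only successful views.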

The Combined Stack

An NDA without technical controls: You have recourse if something goes wrong, but no prevention mechanism.

Technical controls without an NDA: You have prevention, but no recourse if the technical controls are bypassed.

With both: You've made unauthorised disclosure technically difficult, created clear contractual prohibition, and built a record (audit trail) that supports enforcement if needed.


Frequently Asked Questions

Why isn't an NDA sufficient to protect marketing IP?

NDAs create legal obligations but provide no technical enforcement. A client with an NDA can still have unrestricted digital access to your documents, download them, and share them; they've just committed a breach if they do. Technical controls make the breach harder to carry out, creating a meaningful prevention layer.

What technical controls should a fractional CMO use alongside an NDA?

The key controls are: access expiry dates on sensitive documents, view-only permission without download capability, named-individual access rather than open link sharing, an audit trail to document who accessed what, and portal-based delivery for centralised revocation capability.

How do you enforce a marketing IP NDA if a client breaches it?

Enforcement typically requires documentation of the breach (what was disclosed, to whom, in what context), evidence of the confidentiality agreement, and legal counsel. The audit trail from a managed document portal provides the "who accessed what and when" documentation. However, NDA enforcement is typically a last resort — prevention through technical controls is more practical.
