Non-Disclosure Agreements

To meet the Non-Disclosure Agreements requirement in VDA ISA 2.3.1, you must execute NDAs with every employee, contractor, and third party who can access confidential automotive information, before access is granted. Operationalize it by defining what “confidential automotive information” means for your business, standardizing NDA language, embedding signing into onboarding and third-party intake, and retaining proof of execution and coverage. (VDA ISA Catalog v6.0)

Key takeaways:

  • NDAs must cover internal personnel and external parties with access, not just suppliers. (VDA ISA Catalog v6.0)
  • Treat NDAs as an access control gate: no signature, no system/data access.
  • Auditors will test coverage, timing (signed before access), and retention of executed agreements.

Non-disclosure agreements sound simple until you try to prove coverage under assessment pressure. VDA ISA 2.3.1 is a requirement-level control: execute NDAs with employees, contractors, and business partners who access confidential automotive information. (VDA ISA Catalog v6.0) That means you need more than a template in Legal’s folder. You need a repeatable operational mechanism that makes NDA execution unavoidable, traceable, and complete across your workforce and third-party ecosystem.

For a CCO or GRC lead, the fastest path is to treat NDAs as a lifecycle control tied to identity, onboarding, procurement, and offboarding. The goal is defensible evidence that (1) the right populations are in scope, (2) NDAs are executed before access to confidential automotive information, and (3) you can produce executed agreements and coverage reports quickly.

This page gives you requirement-level implementation guidance: scope decisions, steps to implement, artifacts to retain, common audit hangups, and a practical execution plan. It stays focused on what VDA ISA 2.3.1 actually asks you to do and what assessors typically expect you to demonstrate. (VDA ISA Catalog v6.0)

Regulatory text

Requirement (excerpt): “Execute non-disclosure agreements with employees, contractors, and business partners who access confidential automotive information.” (VDA ISA Catalog v6.0)

Operator interpretation: what this means in practice

You must have a documented, repeatable process that results in executed NDAs (signed and retained) for:

  • Employees with access to confidential automotive information
  • Contractors/temps/consultants with access
  • Business partners / third parties with access (including suppliers, service providers, and other partners)

The operative word is “execute.” A policy that says “people should sign NDAs” is not enough. You need proof that agreements are signed for the in-scope population, and you need to connect that execution to actual access pathways (systems, file shares, programs, projects, and physical locations).

Plain-English requirement statement (use this internally)

Before anyone outside or inside the company can access OEM, customer, or partner confidential automotive information, they must sign an NDA that clearly states confidentiality obligations, permitted use, and how information must be protected. Keep the signed NDA on file and be able to show coverage on demand. (VDA ISA Catalog v6.0)

Who it applies to

Entity scope

  • Automotive suppliers
  • OEMs (VDA ISA Catalog v6.0)

Operational scope (what “access” typically includes)

Treat “access to confidential automotive information” as broader than “has a login.” Include:

  • Access to customer portals, OEM collaboration platforms, PLM, CAD repositories, ticketing systems, and shared drives that store customer data
  • Participation in projects where confidential drawings, specifications, test data, pricing, or program details are exchanged
  • Physical access to areas where confidential information is present (engineering labs, prototype areas, print rooms)
  • Third parties who receive exports, extracts, or reports containing confidential automotive information

What you actually need to do (step-by-step)

Step 1: Define “confidential automotive information” for scoping and routing

Write a short, operational definition that procurement, HR, and IT can apply consistently. Keep it aligned to your reality (OEM program materials, drawings, specifications, prototype data, partner proprietary info). This definition is what triggers NDA requirements across workflows. (VDA ISA Catalog v6.0)

Deliverable: “Confidential automotive information scope statement” (one page) owned by GRC with Legal review.

Step 2: Identify in-scope populations and entry points

Map where people and third parties enter your environment:

  • HR onboarding (employees)
  • Staffing/contractor onboarding (contractors)
  • Procurement and third-party onboarding (business partners)
  • Project onboarding (e.g., new program kickoff, new OEM engagement)

For each entry point, name a system of record (HRIS, vendor management, contract repository) and an owner accountable for “NDA executed” status before access. (VDA ISA Catalog v6.0)

Practical control design: Add “NDA required?” and “NDA executed date” as mandatory fields in the relevant intake workflow.

Step 3: Standardize NDA templates and clauses you will enforce

Legal should provide approved templates, but as the control owner you must ensure they are operationally usable:

  • A standard employee confidentiality agreement (or NDA equivalent)
  • A standard contractor NDA (often separate from MSA/SOW)
  • A standard mutual NDA for business partners
  • A standard one-way NDA where appropriate

Your job is not to write clauses; it is to ensure the templates are version-controlled, available, and consistently used for the in-scope population. (VDA ISA Catalog v6.0)

Exam tip: Assessors often ask how you prevent “random NDA forms” from being used. Version control and approved templates answer that.

Step 4: Embed NDA execution as an access gate

Make NDA execution a prerequisite for:

  • Creating accounts in systems that store or process confidential automotive information
  • Granting access to OEM/customer portals
  • Adding users to project file shares and collaboration spaces
  • Issuing badges/physical access to restricted areas

This is where programs fail: the NDA exists but does not block access. Fix it with a gating control between intake and provisioning. (VDA ISA Catalog v6.0)

Lightweight implementation options:

  • HR/IT checklist: “No account until NDA executed”
  • Procurement checklist: “No PO / no SOW start until NDA executed”
  • Project onboarding: “No project folder access until NDA executed”

Step 5: Centralize storage and retrieval of executed NDAs

Pick a system of record and enforce it:

  • Contract lifecycle management (CLM) repository
  • Document management system with access controls
  • HR personnel file system for employee agreements (with a pointer/record available to GRC)

Avoid storing NDAs only in email. You need fast retrieval, especially for third-party agreements. (VDA ISA Catalog v6.0)

Step 6: Maintain coverage reporting and handle exceptions

Create a repeatable way to answer:

  • Who has access to confidential automotive information?
  • Which of those people/third parties have an executed NDA on file?
  • Where are the gaps and who owns remediation?

Also define exception handling:

  • Emergency access: who can approve, for how long, and what compensating controls apply (for example, supervised access, limited datasets), with after-the-fact NDA execution and documented rationale.

Step 7: Offboarding and post-termination obligations

Tie offboarding to:

  • Access revocation for systems containing confidential automotive information
  • Confirmation that confidentiality obligations survive termination (usually addressed in the NDA terms)

Operationally, your evidence is offboarding tickets and access removal logs plus the executed agreement. (VDA ISA Catalog v6.0)

Required evidence and artifacts to retain

Auditors typically expect proof at three layers: design, operation, and coverage.

Core artifacts (retain and version-control)

  • Approved NDA templates (employee, contractor, mutual/one-way partner)
  • Documented procedure/workflow showing NDA execution as a prerequisite for access (VDA ISA Catalog v6.0)
  • Definition of “confidential automotive information” for scoping (VDA ISA Catalog v6.0)

Operational evidence (retain for audit sampling)

  • Executed NDAs (signed copies) for sampled employees, contractors, and business partners (VDA ISA Catalog v6.0)
  • NDA register or report showing: party name, type (employee/contractor/third party), date executed, agreement type/version, repository location, owner
  • Onboarding/procurement tickets showing NDA execution checkpoint before access/provisioning
  • Access lists for relevant systems or project spaces, tied back to NDA coverage checks

Practical retention notes

  • Keep enough metadata so you can produce evidence quickly (agreement date, parties, scope/program, and where stored).
  • Control access to NDA files; they can contain sensitive personal or commercial terms.

Common exam/audit questions and hangups

Use these as your readiness checklist:

  1. “Show me that all people with access have signed NDAs.” Expect sampling against system access lists and project rosters.
  2. “Were NDAs executed before access was granted?” Timing matters. If signatures happen after provisioning, you will be marked down.
  3. “Which third parties are covered?” Assessors may pick a partner involved in an OEM program and ask for the executed NDA. (VDA ISA Catalog v6.0)
  4. “What’s your definition of confidential automotive information?” If you cannot define it operationally, scoping becomes arbitrary.
  5. “Where do you store NDAs and how do you ensure the latest template is used?” This tests governance and consistency.

Frequent implementation mistakes (and how to avoid them)

Mistake 1: Treating NDAs as “procurement-only”

Fix: Include HR onboarding and contractor onboarding explicitly, and tie NDA checks to system provisioning. (VDA ISA Catalog v6.0)

Mistake 2: Signing after access is granted

Fix: Make “NDA executed” a hard gate in the workflow. If your tooling cannot enforce it, enforce it with provisioning checklists and approvals.

Mistake 3: Missing “business partners” that are not traditional vendors

Business partners can include joint development partners, labs, logistics providers, and consultants. Fix: Use “third party with access to confidential automotive information” as the trigger, not “supplier.” (VDA ISA Catalog v6.0)

Mistake 4: Decentralized storage (email, shared drives, personal folders)

Fix: One system of record and an NDA register with repository pointers.

Mistake 5: No way to prove coverage against access

Fix: Build a simple reconciliation: access list (from IAM/file shares/OEM portals) matched to NDA register. Track remediation owners.
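A minimal reconciliation of the kind Step 6 and Mistake 5 describe, added here as an illustration (it is not from the page or from Daydream): it matches an IAM access export against the NDA register, flags parties with no executed NDA and NDAs that post-date provisioning, and assigns a remediation owner by intake route. The party names, dates, template version labels, repository pointers and owner mapping are constructed sample values.

```python
from datetime import date

# Constructed sample data, not from the page. Dates are ISO strings as they would
# come from an IAM access export and an NDA register (CLM/HRIS export).
ACCESS_LIST = [
    {"party": "a.mueller", "type": "employee", "system": "PLM", "granted": "2024-03-04"},
    {"party": "b.schmidt", "type": "contractor", "system": "OEM-portal", "granted": "2024-03-10"},
    {"party": "Labs GmbH", "type": "third party", "system": "project-share", "granted": "2024-02-20"},
    {"party": "c.weber", "type": "employee", "system": "CAD-repo", "granted": "2024-01-15"},
]
NDA_REGISTER = [
    {"party": "a.mueller", "executed": "2024-03-01", "version": "EMP-CONF-v3", "repo": "HRIS/files/a.mueller"},
    {"party": "b.schmidt", "executed": "2024-03-12", "version": "CTR-NDA-v2", "repo": "CLM/NDA-0142"},
    {"party": "Labs GmbH", "executed": "2024-02-20", "version": "MUTUAL-NDA-v4", "repo": "CLM/NDA-0130"},
]

# Remediation owner by intake route (assumed mapping; adjust to your organization)
OWNER_BY_TYPE = {"employee": "HR", "contractor": "HR/Staffing", "third party": "Procurement"}


def reconcile(access_list, nda_register):
    """Classify each access grant against the NDA register:
    covered             NDA executed on or before the grant date
    signed_after_access NDA on file but post-dates provisioning (timing finding)
    missing             no executed NDA for the party at all"""
    # Keep the earliest executed NDA per party so a later re-signing cannot
    # hide whether the original grant was gated correctly.
    earliest = {}
    for nda in nda_register:
        d = date.fromisoformat(nda["executed"])
        if nda["party"] not in earliest or d < earliest[nda["party"]][0]:
            earliest[nda["party"]] = (d, nda)
    findings = []
    for grant in access_list:
        granted = date.fromisoformat(grant["granted"])
        hit = earliest.get(grant["party"])
        if hit is None:
            status, ref = "missing", None
        elif hit[0] <= granted:
            status, ref = "covered", hit[1]["repo"]
        else:
            status, ref = "signed_after_access", hit[1]["repo"]
        owner = None if status == "covered" else OWNER_BY_TYPE[grant["type"]]
        findings.append({**grant, "status": status, "nda_repo": ref, "owner": owner})
    return findings


def summarize(findings):
    """Counts per status: the headline numbers of a coverage report."""
    counts = {"covered": 0, "signed_after_access": 0, "missing": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts
```

Run it against real exports by replacing the two lists with rows from your IAM and NDA register; every non-covered row carries the owner who has to close the gap.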

Enforcement context and risk implications

No public enforcement cases were provided for this requirement in the available source catalog. (VDA ISA Catalog v6.0) Practically, the risk exposure is still clear:

  • If confidential OEM or partner information is disclosed, NDAs shape your contractual remedies and support incident response coordination with customers and partners.
  • Weak NDA execution creates assessment findings under VDA ISA and can slow down customer onboarding or program work where confidentiality is a prerequisite. (VDA ISA Catalog v6.0)

Practical execution plan (30/60/90-day)

Use this as an operator’s plan of record. Adjust sequencing to match your contract volumes and onboarding rate.

First 30 days (triage and control design)

  • Confirm scope definition for “confidential automotive information” and document it. (VDA ISA Catalog v6.0)
  • Inventory NDA templates in use; retire unofficial variants.
  • Identify systems/projects that store confidential automotive information and extract access lists for a baseline.
  • Stand up an NDA register (even a controlled spreadsheet to start) with required metadata.
  • Choose the system of record for executed NDAs and define the filing standard.

By 60 days (operationalize gating)

  • Implement NDA gating in HR onboarding and contractor onboarding (checklist or workflow control).
  • Implement NDA gating in third-party onboarding/procurement intake.
  • Train HR, procurement, and project managers on triggers and “no signature, no access.”
  • Run a reconciliation between access lists and NDA register; open remediation actions for gaps.

By 90 days (prove it works under sampling)

  • Close the highest-risk coverage gaps (third parties on active OEM programs first).
  • Perform an internal mini-audit: sample employees/contractors/third parties with access and confirm executed NDAs exist and pre-date access.
  • Document exception handling (emergency access) and test one scenario end-to-end.
  • Package an “audit-ready evidence binder”: procedure, templates, register, and sample executed NDAs. (VDA ISA Catalog v6.0)

Where Daydream fits: If you manage many third parties and need repeatable evidence, Daydream can centralize third-party onboarding checkpoints, track NDA execution status as a required control, and produce assessor-ready coverage reporting without assembling ad hoc spreadsheets.

Frequently Asked Questions

Do we need an NDA for every employee, or only those who access confidential automotive information?

VDA ISA 2.3.1 is scoped to employees who access confidential automotive information. Many organizations choose to have all employees sign a confidentiality agreement, but you still need to prove coverage for the in-scope access population. (VDA ISA Catalog v6.0)

Can an NDA be embedded in an employment agreement or MSA, or does it have to be a standalone document?

The requirement is to “execute non-disclosure agreements,” which is satisfied if confidentiality obligations are executed as part of a broader agreement and are enforceable and retrievable. Operationally, the key is execution, traceability, and being able to produce the signed document. (VDA ISA Catalog v6.0)

What counts as a “business partner” under this requirement?

Treat “business partner” as any third party that can access confidential automotive information, even if they are not a traditional supplier. Use access and data exposure as the trigger. (VDA ISA Catalog v6.0)

How do we prove the NDA was signed before access was granted?

Keep execution dates in your NDA register and retain onboarding/provisioning records that show the access request approval date. Auditors look for date logic that demonstrates the NDA preceded access. (VDA ISA Catalog v6.0)

What if a third party refuses our NDA template and insists on their own?

Allow negotiated variants through Legal, but control the process: track the approved final version, confirm it covers confidentiality obligations for the intended data, and store it in the same repository with the same metadata so it remains auditable. (VDA ISA Catalog v6.0)

How should we handle short-notice contractors who need same-day access?

Use an emergency exception path with named approvers and documented compensating controls, then complete NDA execution immediately after access is granted and record the rationale. Keep exceptions rare and review them for process fixes. (VDA ISA Catalog v6.0)
