FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorytrade secretsIPconfidentialityContract

Why Your NDAs Are Silent on AI Tools and What to Add to Them

By Basel IsmailMay 20, 2026

Why Your NDAs Are Silent on AI Tools and What to Add to Them

Pull up the last NDA your company signed. Search for "artificial intelligence," "machine learning," "large language model," or "generative AI." If you find nothing, you are in good company. Most NDAs in circulation were drafted from templates that predate the release of ChatGPT in November 2022, and even agreements signed after that date tend to recycle the same boilerplate. The problem is straightforward: your confidential information is almost certainly being fed into AI tools by counterparties, employees, or vendors, and your NDA says nothing about it.

This is not a theoretical risk. In April 2023, Samsung engineers pasted proprietary source code into ChatGPT on at least three separate occasions within a single month, exposing trade secrets to OpenAI's training pipeline. Samsung responded by banning internal use of generative AI tools. But if you were Samsung's counterparty, and your confidential information was part of what got uploaded, your NDA likely gave you no specific recourse for that scenario.

The Gap in Standard NDA Language

Traditional NDAs define confidential information, restrict its disclosure to third parties, require reasonable security measures, and set a term. Some include carve-outs for information that becomes publicly available or is independently developed. These provisions were designed for a world where disclosure meant a human sharing information with another human or organization.

Generative AI tools break this model in a few ways:

Input as disclosure. When someone pastes confidential text into a cloud-based AI tool, they may be transmitting it to a third-party service provider. Under many NDA definitions, that constitutes disclosure. But the receiving party's employees often do not think of it that way, because they are "just using a tool."
Training data incorporation. Some AI services retain user inputs to improve their models. If confidential information enters a training dataset, it can surface in outputs to other users. This is a form of disclosure that no traditional NDA contemplated.
Loss of trade secret status. Under the Defend Trade Secrets Act (18 U.S.C. 1836) and the Uniform Trade Secrets Act (adopted in some form by 48 states), trade secret protection requires that the owner take "reasonable measures" to maintain secrecy. If your NDA does not address AI tools and your counterparty uploads your information to one, you may have a harder time arguing you took reasonable measures. The Compulife Software Inc. v. Newman line of cases (11th Cir., 2020) reinforced that courts scrutinize the specific steps a trade secret owner took to protect information.

The "reasonable security measures" clause in most NDAs is too vague to cover this. Telling a counterparty to use "commercially reasonable" protections does not clearly prohibit an employee from pasting your data into Claude or Copilot.

What to Add: Vendor and Third-Party Agreements

For NDAs with vendors, partners, and other commercial counterparties, consider adding the following provisions. These are not hypothetical suggestions; they are drawn from language already appearing in revised agreements at companies that have been paying attention.

1. Explicit AI Tool Restriction

Add a clause that prohibits the receiving party from inputting, uploading, or otherwise making confidential information available to any generative AI system, large language model, or machine learning tool, whether cloud-based or locally hosted, without prior written consent. Be specific about what "AI tool" means. Reference third-party services by category and include internally developed tools as well. Vagueness here defeats the purpose.

2. Subprocessor and Tool Disclosure

Require the receiving party to disclose any AI-powered tools used in connection with the work that involves your confidential information. This mirrors the subprocessor disclosure requirements familiar from GDPR Data Processing Agreements (Article 28) and gives you visibility into the technology stack touching your data.

3. No Training Consent

State explicitly that no confidential information may be used to train, fine-tune, or otherwise improve any AI model, whether by the receiving party or any third-party service the receiving party uses. This addresses the scenario where a vendor uses an AI platform that retains inputs for model improvement. OpenAI's enterprise API, for instance, does not use inputs for training by default, but their consumer products historically did, and many other providers still do.

4. Audit and Verification Rights

Include the right to audit or request certification regarding AI tool usage in connection with confidential information. Annual certifications are a reasonable middle ground if full audit rights are a dealbreaker in negotiations.

What to Add: Employment and Contractor Agreements

The employment context requires a different approach because you have more control but also more exposure. Employees are the ones most likely to casually paste confidential information into an AI chatbot to summarize a document or draft an email.

1. Acceptable Use Policy Incorporation

Your NDA or confidentiality agreement with employees should reference a specific AI Acceptable Use Policy and make compliance with that policy a contractual obligation, not just an HR guideline. This gives you a breach of contract claim in addition to any trade secret misappropriation theory.

2. Approved Tool Lists

Specify that employees may only use AI tools that appear on an approved list maintained by IT or the CISO's office. This is operationally practical and legally clear. It also shifts the burden: the employee cannot claim they did not know a particular tool was off-limits.

3. Output Ownership and Review

Address who owns AI-generated outputs created using confidential information as inputs. The U.S. Copyright Office has taken the position (see its February 2023 guidance on Zarya of the Dawn and the March 2023 Federal Register notice) that purely AI-generated content may not be copyrightable. If an employee uses your trade secrets to generate content via an AI tool, you want contractual ownership rights that do not depend on copyright eligibility.

4. Incident Reporting

Require employees to report any unauthorized input of confidential information into an AI tool within a defined timeframe, such as 24 or 48 hours. Treat it like a data breach notification obligation. Early detection matters because some AI providers allow you to request deletion of inputs if you act quickly enough.

A Note on Enforceability

Some of these provisions will be tested in litigation over the next few years, and we do not yet have a robust body of case law on AI-specific NDA breaches. But courts consistently enforce clear, specific contractual restrictions. The more precisely you define what the receiving party cannot do with AI tools, the stronger your position. The Waymo LLC v. Uber Technologies, Inc. trade secrets case (N.D. Cal., 2018, settled for approximately $245 million) demonstrated that courts and juries take seriously the question of whether a company's protective measures matched the sensitivity of its information. Adding AI-specific language is part of demonstrating that your measures are current and reasonable.

One practical tip: do not bury AI restrictions in a standalone AI policy that is not cross-referenced in the NDA. If the NDA is the operative agreement governing confidentiality, the AI restrictions need to live there or be explicitly incorporated by reference.

How FirmAdapt Addresses This

FirmAdapt was built with the assumption that confidential and regulated data would flow through AI systems, which is why the platform processes information within a compliance-first architecture that does not send data to third-party model providers for training. Customer data stays within controlled environments, and FirmAdapt's infrastructure is designed so that organizations can point to specific, documented technical controls when demonstrating "reasonable measures" under trade secret law.

For companies revising their NDAs along the lines described above, FirmAdapt also provides a practical answer to the operational question that follows: once you restrict AI tool usage contractually, you need a compliant AI platform your teams can actually use. FirmAdapt fills that role, giving employees access to AI capabilities without creating the confidentiality exposures that make these NDA updates necessary in the first place.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free