Enter NDA and handling details
Example data table
| Scenario | Data sensitivity | Access breadth | Storage security | Probability | Base impact | Typical outcome |
|---|---|---|---|---|---|---|
| Vendor onboarding | 3 | 3 | 4 | 6% | USD 12,000 | Moderate risk with clear controls. |
| Joint development | 5 | 4 | 3 | 15% | USD 80,000 | High risk, strengthen remedies and audits. |
| Internal R&D brief | 4 | 2 | 5 | 4% | USD 35,000 | Lower risk, maintain hardened storage. |
Formula used
This calculator computes two related scores:
- Contract Risk Index: a weighted average of normalized factors (0–100).
- Exposure Risk Score: blends Contract Risk with your probability estimate.
Financial exposure estimates expected loss as Base Impact × ERS, adjusted slightly for longer terms and third parties.
How to use this calculator
- Rate each factor based on your NDA and real handling practices.
- Enter a probability estimate for exposure during the term.
- Set a realistic base impact cost for one exposure event.
- Submit to view risk level, expected exposure, and actions.
- Export CSV or PDF for review and contract negotiation notes.
Risk inputs map to real disclosure pathways
The calculator links common NDA exposures to measurable drivers: sensitivity of the information, how widely it is accessed, how often it is shared, and how securely it is stored. Each 1–5 rating is normalized to a 0–1 scale (a rating r maps to (r − 1)/4), so a move from 2 to 4 produces a comparable shift in every factor. This structure supports consistent reviews across vendors, partners, and internal projects. For example, raising Storage Security from 2 to 5 can drop its inverted factor from 0.75 to 0.00, often reducing the index by several points with no change to the legal language, which is a useful lever during rapid vendor onboarding and collaboration cycles.
Weighted scoring reflects contract and process leverage
Contract Risk Index uses practical weights that emphasize sensitivity, storage security, and enforceability. Stronger jurisdictions, clearer remedies, and audit rights reduce risk through inverted scoring, rewarding tighter terms. Operational maturity inputs—incident readiness and training—capture whether a team can prevent or contain leakage. The result is a 0–100 index that is easy to compare between NDA drafts.
Exposure Risk Score blends likelihood with safeguards
The Exposure Risk Score combines the contract index with a user-supplied probability estimate, using a mild nonlinearity to avoid over-penalizing strong agreements. This helps differentiate “high likelihood but well-controlled” situations from “moderate likelihood with weak clauses.” In practice, this score is useful for triage: below 25 suggests routine controls, while above 75 signals urgent legal and security alignment.
Expected loss turns scores into budget-ready numbers
Expected Financial Exposure estimates a planning figure: base impact × score, adjusted for term length and third-party involvement. Base impact should include response labor, legal work, customer notifications, contract credits, and lost opportunity costs. Using a single currency code keeps exports consistent for procurement and finance. Treat the number as a comparative benchmark, not a guarantee of loss.
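To make the scoring described in the preceding sections concrete, here is an added Python model of the Contract Risk Index, Exposure Risk Score and Expected Financial Exposure; it is not the calculator's own code. The factor weights, the square-root blend standing in for the page's "mild nonlinearity", the term and third-party uplifts, and all ratings beyond the table's sensitivity/access/storage values for the vendor onboarding row are assumptions.

```python
"""Added model of the page's NDA scoring; weights, blend curve and uplifts are assumptions."""
import math

# Controls are inverted: a stronger control contributes less risk.
CONTROLS = {"storage_security", "enforceability", "remedies", "audit_rights",
            "incident_readiness", "training"}
# Assumed weights (sum to 1.0) emphasising sensitivity, storage security and enforceability.
WEIGHTS = {"data_sensitivity": 0.20, "access_breadth": 0.10, "sharing_frequency": 0.10,
           "storage_security": 0.15, "enforceability": 0.15, "remedies": 0.08,
           "audit_rights": 0.07, "incident_readiness": 0.08, "training": 0.07}
# Constructed ratings for the table's "Vendor onboarding" row: 3/3/4 come from the
# page, the remaining factors are assumed.
VENDOR_ONBOARDING = {"data_sensitivity": 3, "access_breadth": 3, "sharing_frequency": 2,
                     "storage_security": 4, "enforceability": 4, "remedies": 3,
                     "audit_rights": 3, "incident_readiness": 3, "training": 2}

def normalize(rating: int) -> float:
    """Map a 1-5 rating onto 0-1, so a move from 2 to 4 shifts every factor by 0.5."""
    if not 1 <= rating <= 5:
        raise ValueError(f"rating must be 1..5, got {rating}")
    return (rating - 1) / 4

def factor(name: str, rating: int) -> float:
    """Normalized contribution; controls are inverted so a 5 contributes 0.0."""
    n = normalize(rating)
    return 1.0 - n if name in CONTROLS else n

def contract_risk_index(ratings: dict) -> float:
    """Weighted average of the factors, scaled to 0-100."""
    return 100.0 * sum(WEIGHTS[k] * factor(k, ratings[k]) for k in WEIGHTS)

def exposure_risk_score(cri: float, probability: float) -> float:
    """Blend CRI with probability. sqrt is the assumed mild nonlinearity: ERS ranges
    from CRI/2 (p=0) to CRI (p=1), so a strong contract stays low at high likelihood."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be a fraction in [0, 1]")
    return cri * (0.5 + 0.5 * math.sqrt(probability))

def term_adjustment(term_years: float, third_party: bool) -> float:
    """Assumed uplifts: +5% per year beyond the first, +10% when third parties handle data."""
    return 1.0 + 0.05 * max(0.0, term_years - 1.0) + (0.10 if third_party else 0.0)

def expected_exposure(base_impact: float, ers: float, term_years=1.0, third_party=False) -> float:
    """Planning figure: base impact x ERS (as a fraction) x term/third-party adjustment."""
    return base_impact * (ers / 100.0) * term_adjustment(term_years, third_party)

def risk_level(ers: float) -> str:
    """Triage bands from the page: below 25 routine, above 75 urgent, otherwise review."""
    return "routine" if ers < 25 else "urgent" if ers > 75 else "review"
```

With the constructed vendor onboarding ratings, contract_risk_index returns 41.75, exposure_risk_score at 6% is about 26 (review band), and expected_exposure(12000, ers) is roughly USD 3,100 for a one-year term. Moving storage_security from 2 to 5 lowers the index by exactly 0.75 × 0.15 × 100 = 11.25 points under these weights.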
Scenario benchmarking improves negotiation and governance
Teams can run multiple scenarios—such as adding encryption, narrowing access roles, or requiring SOC 2 reports—to see the effect on exposure. When scores fall, you have evidence-backed negotiation points: tighter definitions, time-bounded use restrictions, faster breach notices, and flow-down clauses for subprocessors. Capturing notes alongside exports also creates an audit trail for why specific exceptions were approved.
FAQs
What does the Exposure Risk Score represent?
It is a 0–100 score that blends contract strength with your estimated exposure probability. Higher scores indicate greater overall exposure risk and higher expected impact, helping you prioritize clause improvements and operational controls.
How should I choose the exposure probability?
Use recent incident history, access volume, and sharing cadence. If you have no data, start with a conservative range like 5–15% for routine vendor access, then refine after reviewing logs, audits, and process maturity.
What should be included in base impact?
Include investigation and response labor, external counsel, notifications, service credits, remediation tools, and realistic revenue or opportunity loss. Use an average single-event cost so comparisons remain consistent across scenarios and counterparties.
Why do some inputs reduce the score when higher?
Controls such as storage security, enforceability, remedies, audit rights, training, and incident readiness are inverted because stronger terms and practices reduce risk. Raising those ratings lowers their contribution to the Contract Risk Index.
How can I use results during negotiation?
Run a baseline, then model specific changes like tighter definitions, faster breach notice, stronger audit language, or limiting access roles. Share the before/after deltas to justify requested terms and to document risk acceptance decisions.
Is this calculator a substitute for legal advice?
No. It is a decision-support tool for comparing NDA scenarios. Always validate clauses, enforceability, and regulatory obligations with qualified counsel, especially for cross-border data, IP-heavy collaborations, or highly regulated industries.