Legal/Confidential Information

From MozillaWiki

This page is a primer for potential and actual Mozilla partner companies on our attitude to their confidential information and to Non-Disclosure Agreements (NDAs).

Mozilla and Non-Disclosure

We strive to respect the confidentiality of information provided by our partners when it is provided with an understanding that it not be made public. At the same time, Mozilla is an open source project and most of what we do is visible for all to see. This is an essential part of our success, and also a key part of the value we provide to a partnership. We need to maintain this core value to best help you and our other partners achieve your business goals.

These two important values could potentially be in tension. Our primary tools in balancing our open purpose with receiving information that is confidential are a) trust, and b) specificity.


Because of the structure of our community, NDAs present a particular difficulty for us. Mozilla employees and contractors are bound to respect confidentiality by their contracts. However, the Mozilla community consists of people who work for Mozilla, people who work for other companies and organizations, and people who work for no-one. This is one of our great strengths, but it means that Mozilla does not have the power to bind a significant section of the community with an NDA. Therefore, any information shared under NDA must necessarily be restricted to a subset of our community - those who work for us. This hampers our ability to work effectively with that information in our standard processes.

Mozilla has a long reputation as a trustworthy partner. We have good relationships and business partnerships with major players such as Google, Microsoft and Twitter. On more than one occasion we have received information without an NDA which other companies can only see under NDA. This is because Mozilla people realise the importance to our partners and to our reputation of keeping appropriate confidentiality.

If there is no specific instruction, our rule of thumb could be expressed something like the following: "Partner financial data, business strategy, product information, configuration and ship dates are confidential. Our roadmap and your inputs into it, Mozilla source code and related development discussion are public."

So we try to use this accumulated trust and good reputation to postpone or eliminate the point where an NDA becomes necessary in a relationship, relying instead on verbal agreements and making sure that involved community members are clear on any confidentiality assurances we have given.


When two "ordinary" companies agree to collaborate, the usual practice is to sign a general and broad NDA covering all the information they exchange. Any publishing of information is an exception to that general rule, and specifically defined. At Mozilla, within a relationship of trust as outlined above, we prefer that "open" be the default, and that as much as possible can be shared with the whole collaborating community. Therefore, we prefer NDAs, when we do sign them, to specifically set out what information is confidential, and make sure the length of time such information is confidential is tailored to the specific information being shared.

This need for specificity will also probably require more work from you and your lawyers, in carefully reducing to a minimum both the set of information which must be kept confidential, and the length of time that it needs to be kept confidential for.

This means that negotiating an NDA with Mozilla can be more time-consuming than negotiating one with someone else. It is not a case of "quickly sign this and we can get down to discussion". Any NDA requires careful review, and 'standard' ones probably require modification, by our legal team - and therefore, probably, review by yours. (Mozilla is able to provide a template NDA that meets our requirements, if that is helpful for you.)

Our usual mechanism for keeping specificity is the CITR (Confidential Information Transfer Record), an addendum to the NDA executed each time new confidential information, or confidential information on a new topic, is to be revealed.

Potentially Problematic Clauses

There are some other terms which often feature in NDAs which are problematic for us. We list them here to give you some warning, and to help you better understand our stance.

  • We insist on a limited term, of e.g. 1-2 years, for the protection of any information disclosed.
  • We require that information has to be non-public to be considered confidential (many NDAs do correctly feature an exception for information which is already public).
  • If confidential information is disclosed orally, it needs to be listed as confidential in writing prior to the oral disclosure. This makes it clear to all what is confidential and what is not.
  • We object to statements like 'if something should reasonably be considered confidential, it is confidential', because they add too much ambiguity.


These factors combine to mean that negotiating an NDA with Mozilla can be more complicated, and more detrimental to friction-free working, than negotiating one with another organization. So, when engaging with us, we ask you to consider whether and how far a verbal agreement will suffice, based on Mozilla's industry reputation. If you reach the stage where such an agreement no longer suffices, then you need to be aware of the complexities and downsides outlined above.

Having said that, we're confident that, as with many companies in the past, when it becomes necessary we can come to an agreement on language that adequately protects your confidential information and still meets our needs as an open business.