What 300 NDAs Taught Me About Change of Control Clauses

A change of control clause in a non-disclosure agreement specifies what happens to confidentiality obligations when one party undergoes a change in ownership, such as through an M&A transaction. These provisions determine whether NDAs survive closing, require counterparty consent, or terminate automatically, with direct implications for the buyer's ability to maintain the target's confidentiality protections post-acquisition.

Over the past year, we have analyzed change of control provisions across more than 300 NDAs for mid-market M&A transactions using Mage's clause-level extraction. The patterns that emerge across the full dataset are striking, and they are invisible when you review NDAs one at a time.

The Five Categories

After extracting and categorizing change of control provisions from 300 NDAs, five distinct patterns emerge. Each has different implications for deal execution and post-closing operations.

Category 1: Silent (35% of NDAs)

The largest category. These NDAs contain no change of control provision at all. The agreement is silent on what happens if either party is acquired.

For deal teams, silent NDAs are generally the lowest risk. In a stock acquisition, the legal entity survives and the NDA continues by its terms. In an asset acquisition, the analysis turns on the NDA's assignment provision, which is a separate question.

The key diligence point for silent NDAs is not the absence of a COC clause but the presence of other provisions (assignment restrictions, termination for convenience) that could interact with a change in control even without an explicit COC trigger.

Category 2: Notice-Only (15% of NDAs)

These NDAs require the party undergoing a change of control to notify the counterparty, but do not give the counterparty any termination or consent right. The NDA survives the transaction provided notice is given.

Notice-only provisions are relatively low risk, but they create an administrative obligation. For a target with 20 notice-only NDAs, the buyer needs to send 20 notification letters around closing. Missing the notice requirement could technically constitute a breach, though the practical consequences are usually minimal.

The diligence takeaway: flag these for the closing checklist and confirm the notice window (typically 30-60 days) does not create timing problems relative to the expected closing date.

Category 3: Consent-Required (25% of NDAs)

The second most common category. These NDAs require the counterparty's consent before the NDA can survive or be assigned in connection with a change of control. Without consent, the NDA may terminate or the disclosing party may have a termination right.

Consent-required provisions vary significantly in their mechanics:

• Affirmative consent: The NDA explicitly survives only if the counterparty provides written consent. Silence is not consent.
• Negative consent: The NDA survives unless the counterparty objects within a specified period (e.g., 30 days after notice). Silence equals consent.
• Reasonable consent: The NDA states consent shall not be unreasonably withheld. This provides some protection but introduces ambiguity.

For M&A deal teams, consent-required NDAs are the highest-effort category. Each one requires an outreach to the counterparty, and the buyer must factor potential non-consent into closing risk. If a critical technology partner's NDA requires affirmative consent, the risk that consent is denied or delayed becomes a deal consideration.

Category 4: Automatic Termination (10% of NDAs)

The most aggressive category. These NDAs state that the agreement automatically terminates upon a change of control, without any notice, consent, or cure period.

Automatic termination NDAs create an immediate confidentiality gap at closing. If the NDA covered a technology partnership, trade secret exchange, or joint development relationship, the confidentiality protections disappear the moment the deal closes. The buyer acquires the business but loses the contractual protection for information the target had been sharing under that NDA.

At 10% of the 300 NDAs reviewed, this represents roughly 30 agreements. In most cases, these cover lower-value relationships where the automatic termination is manageable. But when automatic termination applies to a strategic technology partner or a key customer relationship, the risk is substantial.

Category 5: Conditional Termination (15% of NDAs)

These NDAs give the counterparty a termination right (not automatic) triggered by a change of control, often with conditions attached: a cure period, a requirement that the termination be exercised within a specified window, or a condition that the termination right only applies if the acquirer is a competitor.

Conditional termination provisions are more nuanced than automatic termination and require closer analysis:

• A 60-day termination window gives the buyer time to negotiate continued coverage
• A competitor-only trigger may not apply depending on the buyer's business
• A cure provision may allow the buyer to address the counterparty's concerns before termination takes effect

These provisions require individual assessment during diligence. The specifics matter, and they vary significantly across agreements.

What Pattern Analysis Reveals

Reviewing NDAs one at a time produces a list of individual findings. Reviewing all 300 through structured extraction reveals patterns:

Counterparty concentration. When the same counterparty appears across multiple NDAs with aggressive COC terms, the aggregate exposure to that relationship becomes visible. A technology vendor with consent-required provisions across 5 separate NDAs represents a concentrated consent risk.

Standard form identification. Many NDAs within a single data room share the same template. Extracting COC provisions across all of them reveals which template was used and whether any agreements deviate from the standard form. The deviations often indicate a negotiated relationship that deserves closer attention.

Risk distribution by category. Knowing that 10% of NDAs have automatic termination is useful. Knowing that those 30 NDAs cover 6 technology partnerships and 24 standard vendor relationships tells you where the actual risk concentrates.

Deal structure implications. The aggregate COC analysis informs deal structure decisions. If 25% of NDAs require consent, and those NDAs cover relationships representing 40% of the target's technology stack, the consent risk may favor a stock purchase over an asset purchase.

This pattern-level analysis is only possible when every NDA in the data room is reviewed. Sampling 10-20% of NDAs provides individual findings but cannot reveal the aggregate patterns that inform deal strategy.

Practical Implications for Deal Teams

For attorneys conducting M&A diligence, the NDA COC analysis feeds directly into several deal deliverables:

Disclosure schedules. Contracts with consent-required or termination provisions are disclosed under the standard "contracts requiring third-party consent" representation.

Closing conditions. Material consent-required NDAs may become closing conditions or pre-closing covenants, requiring the seller to obtain consent before closing.

Indemnification provisions. Risks from automatic termination NDAs that cannot be addressed pre-closing may be allocated through specific indemnification provisions.

Post-closing integration planning. The buyer's integration team needs to know which NDA relationships require immediate attention after closing: consent requests to send, notices to deliver, and confidentiality protections to replace.

When the COC extraction is structured from the start, these deliverables populate directly from the analysis. The data flows from extraction to disclosure schedule without a manual transcription step.

---