Confidentiality Agreement (Kenya)
CONFIDENTIALITY AGREEMENT
Law of Contract Act Cap. 23 | Data Protection Act No. 24 of 2019
THIS CONFIDENTIALITY AGREEMENT ("Agreement") is made on [Agreement Date].
BETWEEN:
(1) [Disclosing Party Name], of [Disclosing Party Address], KRA PIN: [Disclosing Party KRA PIN] (the "Disclosing Party"); and
(2) [Receiving Party Name], of [Receiving Party Address], KRA PIN: [Receiving Party KRA PIN] (the "Receiving Party").
This Agreement is: [Agreement Type].
1. PURPOSE
1.1 The Disclosing Party agrees to disclose certain confidential information to the Receiving Party solely for the following purpose: [Permitted Purpose] (the "Permitted Purpose").
1.2 The Receiving Party shall use the Confidential Information exclusively for the Permitted Purpose and for no other purpose whatsoever without the Disclosing Party's prior written consent.
2. DEFINITION OF CONFIDENTIAL INFORMATION
2.1 "Confidential Information" means all information disclosed by the Disclosing Party to the Receiving Party — whether orally, in writing, electronically, or by demonstration — that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including: [Confidential Info Description].
2.2 Where this Agreement covers personal data ([Includes Personal Data]), "Confidential Information" includes all personal data as defined in Section 2 of the Data Protection Act No. 24 of 2019.
2.3 Confidential Information does not include information that: (a) is or becomes publicly available without breach of this Agreement; (b) was known to the Receiving Party before disclosure; (c) is received from a third party without restriction; or (d) is independently developed by the Receiving Party without reference to the disclosed information.
2.4 Required disclosures to the Kenya Revenue Authority (KRA), the Office of the Data Protection Commissioner (ODPC), the Capital Markets Authority (CMA), the Central Bank of Kenya (CBK), or pursuant to a court order are permitted, provided the Receiving Party notifies the Disclosing Party promptly in writing before such disclosure.
3. CONFIDENTIALITY OBLIGATIONS
3.1 The Receiving Party shall: (a) hold all Confidential Information in strict confidence; (b) not use the Confidential Information for any purpose other than the Permitted Purpose; (c) not disclose the Confidential Information to any third party without the Disclosing Party's prior written consent; (d) restrict access to the Confidential Information to its directors, employees, or professional advisers with a need to know, who are themselves bound by equivalent confidentiality obligations; and (e) implement at least reasonable technical and organisational security measures to protect the Confidential Information.
3.2 Duration: The obligations in this Clause 3 shall continue for [Confidentiality Period]. Obligations relating to trade secrets and personal data shall survive the expiry of this period indefinitely.
4. DATA PROTECTION COMPLIANCE
4.1 Where the Confidential Information includes personal data, the Receiving Party shall act as a data processor under Section 35 of the Data Protection Act No. 24 of 2019 and shall: (a) process personal data only on the Disclosing Party's documented instructions; (b) implement appropriate technical and organisational security measures consistent with the ODPC's Data Protection (General) Regulations 2021; (c) assist the Disclosing Party in responding to data subject rights requests under Sections 26 to 38 of the Data Protection Act No. 24 of 2019; and (d) notify the Disclosing Party of any personal data breach within 72 hours of discovery, to enable the Disclosing Party to report to the ODPC as required.
4.2 Breach of this Clause 4 may attract administrative penalties of up to KES 5,000,000 under Section 71 of the Data Protection Act No. 24 of 2019, in addition to contractual liability under this Agreement.
5. RETURN OR DESTRUCTION
5.1 On written demand by the Disclosing Party or on termination of the Permitted Purpose, the Receiving Party shall, within [Return Deadline], return or securely destroy all documents, digital files, and copies containing Confidential Information and confirm compliance in writing to the Disclosing Party.
6. REMEDIES FOR BREACH
6.1 The Receiving Party acknowledges that breach of this Agreement will cause irreparable harm to the Disclosing Party for which monetary damages alone are an inadequate remedy. The Disclosing Party shall be entitled to seek an urgent injunction, account of profits, and delivery up of materials from [Dispute Forum] without proof of actual financial loss.
6.2 Nothing in this Agreement limits any other remedy available to the Disclosing Party under the laws of Kenya, including damages under the Law of Contract Act Cap. 23 and equitable relief under Section 3 of the Judicature Act Cap. 8.
7. GOVERNING LAW AND DISPUTE RESOLUTION
7.1 This Agreement shall be governed by the laws of Kenya. Any dispute arising from or relating to this Agreement shall be submitted to [Dispute Forum], sitting in [Governing City], under the Arbitration Act No. 4 of 1995 (revised 2022) where applicable.
IN WITNESS WHEREOF, the Parties have executed this Confidentiality Agreement on the date first written above.
Disclosing Party
________________
Signature
Receiving Party
________________
Signature
Witness
________________
Signature
What Is a Confidentiality Agreement (Kenya)?
A Confidentiality Agreement in Kenya obliges the receiving party to keep the disclosing party's proprietary information secret. It restricts disclosure and use of designated confidential information between the disclosing and receiving parties.
Confidentiality agreements in Kenya are distinct from non-disclosure agreements (NDAs), though the terms are frequently used interchangeably in commercial practice. A Confidentiality Agreement is the broader term, often used in employment, investment, and technology contexts, while an NDA typically refers to the pre-contractual form signed before commercial negotiations. Both instruments achieve the same legal result — they create a contractual obligation of confidence that supplements the equitable duty of confidence recognised by Kenyan courts applying received English equity under Section 3 of the Judicature Act (Cap. 8).
The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), adds a statutory dimension to confidentiality obligations. Where the confidential information includes personal data — the names, identification numbers, medical records, financial details, or location data of identified or identifiable individuals — the receiving party becomes a data processor under the Data Protection Act, subject to the obligations in Section 35 (data processor contracts must be in writing; data must be processed only on documented instructions; technical and organisational security measures are mandatory). A Confidentiality Agreement that covers personal data must therefore incorporate data protection provisions consistent with the Data Protection Act No. 24 of 2019.
Kenya's rapidly growing tech sector — with companies in Nairobi's Silicon Savannah technology ecosystem, fintech firms regulated by the Central Bank of Kenya (CBK), and e-commerce platforms — relies heavily on confidentiality agreements to protect source code, algorithms, customer databases, proprietary business processes, and investment strategies. The Nairobi Centre for International Arbitration (NCIA) is the preferred dispute forum for commercial confidentiality disputes in Kenya, offering confidential arbitration proceedings under the NCIA Arbitration Rules 2015 and the Arbitration Act No. 4 of 1995 (revised 2022).
Kenya acceded to the Hague Apostille Convention in 2021, meaning that Kenyan confidentiality agreements bearing an apostille issued by the High Court Registrar are recognised in all 124 Hague Convention member states without further authentication — particularly relevant for cross-border technology and investment transactions involving Kenyan parties. Under Kenyan law, Section 135 of the Companies Act 2015 (No. 17 of 2015) and Section 15 of the Employment Act 2007 (No. 11 of 2007) govern the core requirements for this type of document.
The legal framework governing a Confidentiality Agreement in Kenya draws on several key statutes and regulatory bodies. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Parties executing a Confidentiality Agreement in Kenya should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Law of Contract Act Cap. 23 sets the foundational requirements.
When Do You Need a Confidentiality Agreement (Kenya)?
A Kenya Confidentiality Agreement is needed whenever a party is about to disclose sensitive business, technical, or personal information to another party and wishes to control how that information is used and who it may be shared with.
The Agreement is needed before commercial negotiations — a joint venture discussion, merger and acquisition due diligence, franchise arrangement, investment pitch, or licensing negotiation — where one party must share detailed financial, operational, or technical information to allow the other party to assess the opportunity. Without a signed Confidentiality Agreement, there is no contractual basis to restrain the receiving party from using the information for its own benefit or disclosing it to competitors.
A Confidentiality Agreement is required when engaging an external consultant, IT contractor, auditor, or advisor who will have access to the client's proprietary systems, customer database, financial records, or trade processes. The Agreement is particularly important under the Data Protection Act No. 24 of 2019, which requires a written data processing agreement — which must include confidentiality obligations — whenever personal data is processed by a third party on behalf of a data controller.
The Agreement is needed when a company is onboarding a new business partner — distributor, reseller, manufacturer, or supplier — who will receive confidential product specifications, pricing structures, customer information, or supply chain data. Supply chain confidentiality is increasingly important in Kenya's manufacturing, agricultural export, and pharmaceutical sectors.
A Confidentiality Agreement is required when a startup company is seeking angel investment or venture capital — investors and their due diligence teams will have access to detailed financial models, technology architecture, customer lists, and competitive strategy that the founders need to protect.
The Agreement is also needed between co-founders of a startup who are exploring a joint venture or sharing proprietary technology — even between individuals who trust each other, a written Confidentiality Agreement creates clear expectations and provides a foundation for the more detailed shareholders' agreement or co-founder agreement that will follow. Under Kenyan law, Section 3 of the Companies Act 2015 (No. 17 of 2015) and Section 2 of the Law of Contract Act (Cap 23) govern the core requirements for this type of document.
What to Include in Your Confidentiality Agreement (Kenya)
A Kenya Confidentiality Agreement under the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019 must include the following essential provisions to be thorough and enforceable.
Parties: Full legal names of the disclosing party and the receiving party, their addresses, KRA PINs, and BRS Registration Numbers if companies. For mutual agreements, both parties are simultaneously disclosing and receiving parties.
Definition of Confidential Information: A precise and inclusive definition of what constitutes confidential information — trade secrets, business plans, financial projections, customer and supplier lists, technical designs, source code, processes, formulas, pricing structures, employee information, and any personal data as defined in the Data Protection Act No. 24 of 2019. The definition should include oral as well as written disclosures, and information derived or generated from confidential information.
Exclusions from Confidentiality: Standard carve-outs for information that: was in the public domain before disclosure; becomes public through no breach by the receiving party; was independently developed by the receiving party; or was received from a third party without restriction. Required disclosures to regulatory authorities (KRA, CBK, CMA, ODPC) or pursuant to a court order must also be carved out, provided the receiving party notifies the disclosing party promptly.
Permitted Purpose: A specific statement of the purpose for which the confidential information may be used — for example, evaluation of a potential joint venture, due diligence for a share acquisition, or performance of a specific service contract. Use of confidential information for any other purpose without written consent is a breach.
Obligation of Confidence: An express covenant that the receiving party shall: hold confidential information in strict confidence; not use it for any purpose other than the permitted purpose; not disclose it to third parties without the disclosing party's prior written consent; and restrict access to employees, directors, or advisers with a need to know, who are themselves bound by equivalent confidentiality obligations.
Data Protection Compliance: Where the confidential information includes personal data, the Agreement must identify the receiving party as a data processor under Section 35 of the Data Protection Act No. 24 of 2019, require processing only on the disclosing party's documented instructions, require implementation of appropriate technical and organisational security measures, and require notification of any personal data breach within 72 hours of discovery.
Term and Survival: The duration of the confidentiality obligations — typically 2 to 5 years from the date of the Agreement, or 2 to 3 years after the termination of the underlying business relationship. Trade secrets and personal data obligations commonly survive indefinitely.
Remedies for Breach: An acknowledgement that breach of the Agreement will cause irreparable harm for which damages are an inadequate remedy, entitling the disclosing party to seek an injunction or other equitable relief from the High Court of Kenya or the Nairobi Centre for International Arbitration (NCIA) without the need to prove actual financial loss.
Governing Law and Dispute Resolution: The Agreement shall be governed by the laws of Kenya. Disputes may be referred to the Nairobi Centre for International Arbitration (NCIA) under the Arbitration Act No. 4 of 1995 (revised 2022), or to the High Court of Kenya. Forms-legal.com provides this Confidentiality Agreement as a practical starting point for Kenyan businesses and individuals protecting sensitive commercial and personal information. Under Kenyan law, Section 135 of the Companies Act 2015 (No. 17 of 2015) and Section 15 of the Employment Act 2007 (No. 11 of 2007) govern the core requirements for this type of document.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Confidentiality Agreement (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/contracts/confidentiality-agreement-kenya
Frequently Asked Questions
Yes. A Confidentiality Agreement in Kenya is enforceable as a binding contract under the Law of Contract Act Cap. 23 (received English law of contract, applicable in Kenya under Section 3 of the Judicature Act, Cap. 8) provided it meets the standard requirements for contract formation: offer and acceptance, consideration (each party's promise of confidentiality is mutual consideration in a bilateral agreement; in a unilateral agreement, consideration is found in the underlying commercial relationship or a nominal payment), intention to create legal relations, and certainty of terms. Kenyan courts — particularly the High Court (Commercial Division) and the Nairobi Centre for International Arbitration (NCIA) — regularly grant injunctions to restrain threatened breaches of confidentiality and award damages for actual breaches. The equitable duty of confidence, received into Kenyan law through Section 3 of the Judicature Act and the rules of equity applicable in England as of 12 August 1897, provides an additional non-contractual basis for restraining disclosure even where there is no signed agreement — but a written Confidentiality Agreement is far stronger and provides express contractual remedies including liquidated damages clauses.
In Kenyan commercial practice, a Confidentiality Agreement and a Non-Disclosure Agreement (NDA) achieve the same legal result — a binding obligation of confidence — and the terms are frequently used interchangeably. The subtle distinction in usage is that an NDA (Non-Disclosure Agreement) typically refers to the pre-contractual or standalone instrument signed before commercial negotiations begin, where one party discloses information to allow the other party to evaluate a business opportunity. A Confidentiality Agreement is the broader term used in employment contracts (confidentiality clause in the Employment Contract under the Employment Act No. 11 of 2007), technology agreements, investment agreements, and supply chain contracts, where the confidentiality obligation is embedded in a larger contractual relationship. The Non-Disclosure Agreement (Kenya) template on forms-legal.com covers the pre-contractual NDA scenario; this Confidentiality Agreement template is designed for standalone or embedded confidentiality obligations in ongoing commercial relationships. Both documents should incorporate Data Protection Act No. 24 of 2019 provisions where personal data is involved, reflecting the ODPC's requirement for written data processing agreements between data controllers and data processors.
The Data Protection Act No. 24 of 2019, administered by the Office of the Data Protection Commissioner (ODPC), significantly expanded confidentiality obligations for Kenyan businesses when the information being shared includes personal data — any information relating to an identified or identifiable natural person, including names, NIC numbers, KRA PINs, medical records, financial information, and location data. Section 35 of the Data Protection Act requires that any arrangement in which a data controller engages a data processor (a third party who processes personal data on the controller's behalf) must be governed by a written contract that: limits the processor to processing data only on the controller's documented instructions; requires the processor to implement appropriate technical and organisational security measures; obligates the processor to assist the controller in responding to data subject rights requests (access, correction, deletion, portability); and requires the processor to notify the controller of any personal data breach within 72 hours. A Confidentiality Agreement that covers personal data must incorporate these Section 35 requirements to ensure the receiving party is compliant with the Data Protection Act. Breach of the Data Protection Act may result in administrative penalties of up to KES 5 million or imprisonment under Section 71 of the Act, in addition to liability for breach of the Confidentiality Agreement.
The appropriate duration for confidentiality obligations in a Kenya Confidentiality Agreement depends on the nature of the information being protected. For general commercial information — business plans, financial projections, customer lists, and pricing data — a duration of 2 to 5 years from the date of disclosure is common in Kenyan practice. This reflects the commercial reality that such information has a finite useful life. For trade secrets — proprietary formulas, source code, manufacturing processes, and algorithms that give the disclosing party a sustained competitive advantage — confidentiality obligations should survive indefinitely, as Kenyan courts (applying received English equity) will protect genuine trade secrets without a time limit, provided the information remains secret and retains commercial value. For personal data shared under the Data Protection Act No. 24 of 2019, confidentiality obligations must continue for as long as the receiving party processes or retains the data — the Data Protection Act does not permit a time limit that would allow disclosure of personal data after the contractual term expires. In employment contexts, post-employment confidentiality obligations of 2 to 3 years covering trade secrets and client information are routinely upheld by the Employment and Labour Relations Court (ELRC), provided they are not so wide as to amount to an unreasonable restraint of trade under Section 87 of the Employment Act No. 11 of 2007.
A party whose confidential information has been disclosed or misused in breach of a Confidentiality Agreement in Kenya has several remedies available through the High Court (Commercial Division) or the Nairobi Centre for International Arbitration (NCIA). Injunction: the most urgent remedy — an application for an interim injunction (ex parte if necessary) under Order 40 of the Civil Procedure Rules to immediately restrain the receiving party from making further disclosures or using the confidential information. Kenyan courts apply the American Cyanamid balance of convenience test and will grant interim injunctions where there is a serious question to be tried and the balance of convenience favours restraint. Damages: compensation for the financial loss caused by the breach — lost profits, costs of reputational damage, and consequential losses. Where the Confidentiality Agreement includes a liquidated damages clause, the agreed amount may be claimed without proving specific loss. Account of profits: in equity, the disclosing party may seek to recover the profits made by the receiving party through its misuse of the confidential information — particularly relevant where the breach has enabled the receiving party to win business or build a product using the disclosed information. Delivery up and destruction: an order requiring the receiving party to return or destroy all copies of the confidential information in its possession.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Non-Disclosure Agreement (Kenya)
A Kenya Non-Disclosure Agreement protecting confidential business information, governed by the Law of Contract Act Cap. 23 and the Data Protection Act No. 24 of 2019, enforceable in Kenya courts.
Employment Contract (Kenya)
A Kenya Employment Contract setting out terms and conditions of employment, compliant with the Employment Act No. 11 of 2007, NSSF Act 2013, SHIF Act 2024, and the Housing Levy obligations.