casemark/confidentiality-security-agreement
skills/legal/confidentiality-security-agreement/SKILL.md
Drafts enforceable U.S. Employee Confidentiality and Security Agreements protecting proprietary information, trade secrets, and digital assets, with layered confidential-information definitions, security and acceptable-use obligations, incident reporting protocols, termination property-return procedures, and post-employment restrictive covenants. Incorporates state-specific enforceability standards, DTSA whistleblower immunity notice, and NLRA Section 7 savings clauses. Use when onboarding employees, updating confidentiality policies, or drafting NDA-style employment agreements (trigger keywords: confidentiality agreement, employee NDA, security agreement, trade secret, acceptable use, incident reporting, post-employment restrictions).
$ install --global
skillsauthnpx skillsauth add casemark/skills confidentiality-security-agreementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 27, 2026, 3:35 AM121.0s1 file scanned
SKILL.md
- name:
- confidentiality-security-agreement
- language:
- en
- description:
- >-
- (trigger keywords:
- confidentiality agreement, employee NDA, security
Employee Confidentiality and Security Agreement
Drafts an execution-ready agreement protecting company proprietary information, trade secrets, and digital assets while establishing employee security obligations and post-employment restrictions.
Checkpoint A: Pre-Draft Intake (Mandatory)
Ask every time unless user says "use defaults." Gather:
- Governing jurisdiction — state law for restrictive covenants, trade secret protections, consideration requirements
- Company documents — existing confidentiality agreements, handbooks, security policies
- Employee role — position, access level, exposure to sensitive systems/data
- Industry context — regulated industries (healthcare, finance, defense) need sector-specific provisions
- Existing restrictive covenants — prior agreements that must be harmonized
If user doesn't respond, apply and label defaults: at-will employment state; general staff access level; 3-year non-trade-secret duration; 1-year non-solicitation; governing law per company's home state.
Intake Table
| Item | Details | |---|---| | Company (legal name/entity/state) | | | Employee (name/title/department) | | | Governing jurisdiction | | | Access level (general / elevated / executive) | | | Regulated industry? (specify) | | | Existing agreements to harmonize | | | Post-hire execution? (additional consideration needed) | |
Pre-Drafting Research
| Area | Key Items | |---|---| | State enforceability | Restrictive covenant standards, blue-pencil vs. reformation, consideration requirements | | Trade secret law | UTSA adoption, state statutes, DTSA federal protections | | Employee mobility | Non-compete bans/restrictions, NLRA § 7 protections, whistleblower statutes | | Data protection | State privacy acts, HIPAA, GLBA, CMMC (if defense) | | Recent case law | Reasonableness standards for scope/duration in governing jurisdiction |
Step 1: Draft Confidential Information Provisions
Definition — Layered Category Approach
| Category | Examples | |---|---| | Technical/Proprietary | Trade secrets, source code, algorithms, R&D, manufacturing processes | | Business Strategy | Business plans, pricing, margins, financial projections, M&A targets | | Customer/Relationship | Customer lists, supplier networks, contract terms, referral sources | | Financial/Operational | Financial statements, budgets, compensation structures, performance metrics | | Intellectual Property | Inventions, patents, copyrights, trademarks, proprietary methodologies |
- Cover all formats: written, oral, electronic, visual
- Include derivative works (analyses, compilations, summaries)
- Protection applies regardless of whether marked "confidential"
Standard Exceptions
Employee bears burden of proof (clear and convincing evidence):
- Already public at disclosure (not through employee's breach)
- Lawfully in employee's possession pre-disclosure (documented)
- Received from third party without restriction
- Independently developed without reference to Confidential Information (contemporaneous documentation required)
Obligations
- Non-disclosure without prior written authorization from authorized officer
- Duration: indefinite for trade secrets; [3–5] years for other Confidential Information
- Use limited to assigned duties within employment scope
- Standard of care: at least reasonable care, no less than employee's own
- Need-to-know restriction; internal sharing only to authorized personnel under equivalent obligations
- Secure storage: encryption (electronic), locked storage (physical), secure disposal
- Immediate incident notification to security officer/legal
Compelled Disclosure Carve-Out
Immediate notice to legal on receipt of subpoena/court order → cooperate with protective order efforts → disclose only what is legally required.
Protected Activity Savings Clause (REQUIRED)
- DTSA immunity for disclosures to attorneys/government officials in confidence
- Whistleblower cooperation protections
- NLRA § 7 rights preserved (wages, working conditions)
Step 2: Draft Security Responsibilities
Password and Access Control
- Personal credentials; never shared
- Minimum: 12+ characters, mixed case/numbers/symbols, unique per system
- No plaintext storage; company-approved password managers only
- MFA required on all available systems
- Lock workstations when unattended; log out of sessions
- Report compromised credentials immediately
- All access terminates upon separation
Acceptable Use
| Permitted | Prohibited | |---|---| | Primary business use of company systems | Unauthorized software/extension installation | | Limited personal use (non-interfering) | Circumventing security controls or monitoring | | Professional communications via company tools | Unauthorized devices on company networks | | | Illegal, explicit, or infringing content | | | Competitive activities on company systems | | | Company data on unapproved personal cloud |
- BYOD (if applicable): company MDM required, remote wipe consent, security software mandatory
- Remote access: approved VPN only; adequate privacy at remote locations
- No expectation of privacy on company systems — monitoring may occur without notice
Incident Reporting Protocol
Reportable: data breaches, unauthorized access, malware, phishing, lost/stolen devices, inadvertent disclosure, suspicious behavior, physical security breaches.
- Report to IT security + direct supervisor within [2–4] hours of discovery
- Preserve all evidence — no deletion, alteration, or destruction
- Document: what happened, when discovered, systems/data affected, actions taken
- Maintain incident confidentiality; share only with authorized personnel
- Follow incident response team instructions
Non-retaliation: Good faith reporting carries no negative consequences, even if incident resulted from employee's error.
Step 3: Draft Termination and Post-Employment Provisions
Return of Property (immediately upon termination or earlier upon request)
- [ ] All company-issued equipment (laptops, phones, tablets, tokens, keys, cards)
- [ ] All physical documents containing Confidential Information
- [ ] Delete company data from personal devices, cloud accounts, personal email
- [ ] Written certification of compliance (specify devices/systems wiped)
- [ ] Certification required before release of final compensation
Company rights: inspect workspace/devices, remotely wipe MDM-enrolled devices, pursue legal remedies.
Survival of Obligations
| Obligation | Duration | |---|---| | Trade secret confidentiality | Indefinite (while information qualifies) | | Other Confidential Information | [3–5] years post-termination | | Employee non-solicitation | [1–2] years (jurisdiction-dependent) | | Customer non-solicitation | [1–2] years, material-contact customers only |
- Non-solicitation = active solicitation only; does not bar accepting competitor employment or responding to unsolicited inquiries
- Employee must notify prospective employers of continuing obligations
- Employee must notify company of new employment (employer, general responsibilities)
- Cooperation: respond to legal process, assist with litigation/investigations, provide truthful testimony (reasonable compensation for time)
Step 4: Draft Legal Framework
Acknowledgments (employee confirms)
- Read and understood; opportunity to consult counsel
- Voluntary execution without duress
- Restrictions reasonable in scope, duration, and geography
- Confidential Information is valuable; unauthorized disclosure = irreparable harm
- Adequate consideration received
- For post-hire execution: specify additional consideration (promotion, raise, bonus, or continued employment per jurisdiction)
[VERIFY]
Protected Rights Acknowledgment (REQUIRED)
- DTSA immunity per 18 U.S.C. § 1833(b)
[VERIFY] - Whistleblower protections: unrestricted government agency reporting
- NLRA § 7: right to discuss wages and working conditions
Enforcement Provisions
- Governing law: [state], no conflicts-of-law principles
- Exclusive venue: state and federal courts in [county/state]
- Equitable relief available without bond or proof of actual damages
- Prevailing party: reasonable attorneys' fees, costs, expert fees
- Severability with reformation to minimum enforceable scope
- Integration clause; supersedes prior understandings on subject matter
- Amendment: written, signed by both parties; no oral modifications
- Assignment: company may assign (merger/acquisition/sale); employee may not
- Supplements (does not replace) other confidentiality/IP agreements — most protective provision controls
Signature Block
Employee signature, printed name, date; authorized company representative signature, title, date. Separate acknowledgment page optional.
Step 5: Assemble Agreement in Section Order
- Parties, Recitals, and Effective Date
- Confidential Information — definitions, categories, exceptions, obligations, compelled disclosure carve-out, protected activity savings clause
- Security Responsibilities — access control, acceptable use, incident reporting, non-retaliation
- Termination and Post-Employment — property return, survival of obligations, non-solicitation, cooperation
- Legal Framework — acknowledgments, protected rights, enforcement, severability, integration
- Signatures
Checkpoint B: Post-Draft Alignment (Mandatory)
After delivering the initial draft, ask:
- Are the confidential information categories appropriate for this employee's role and access level?
- Are the non-solicitation durations acceptable given the governing jurisdiction?
- Is additional consideration needed for post-hire execution?
- Should BYOD or remote-work provisions be included or expanded?
If user doesn't answer, recommend confirming non-solicitation scope and post-hire consideration (highest-risk decisions) and proceed if authorized.
Quality Audit
Before finalizing, verify:
- [ ] DTSA whistleblower immunity notice included per 18 U.S.C. § 1833(b)
[VERIFY] - [ ] NLRA § 7 savings clause present — no overbroad restrictions on wage/conditions discussions
- [ ] Protected activity carve-out covers government reporting and attorney disclosures
- [ ] Trade secret duration = indefinite; other confidential info = [3–5] years
- [ ] Non-solicitation scope reasonable for governing jurisdiction
[VERIFY] - [ ] Post-hire consideration specified if agreement executed after onboarding
- [ ] Blue-pencil/reformation doctrine matches governing state
[VERIFY] - [ ] Return-of-property checklist complete with certification requirement
- [ ] Incident reporting timeline and protocol specified
- [ ] No non-compete provisions unless specifically requested and confirmed enforceable
[VERIFY] - [ ] All bracketed business terms filled or flagged
- [ ] Compelled disclosure carve-out with notice + protective order cooperation
Guidelines
- Jurisdiction calibration is critical — non-compete/non-solicitation enforceability varies by state; CA, CO, MN, OK, ND broadly restrict or ban non-competes
[VERIFY current status] - Consideration requirement — many jurisdictions require independent consideration beyond continued employment for post-hire agreements
[VERIFY] - Blue-pencil vs. reformation — know whether the jurisdiction modifies overbroad restrictions or voids them entirely
- DTSA notice — employers must provide DTSA whistleblower immunity notice in any trade secret agreement (18 U.S.C. § 1833(b))
[VERIFY] - NLRA compliance — confidentiality provisions must not chill Section 7 rights
- Role-based customization — adjust categories, security requirements, and restriction durations to employee access level and seniority
- Do NOT include non-compete provisions unless specifically requested and confirmed enforceable
- Do not fabricate statutory citations, case law, or enforceability standards
- All outputs require attorney review in the governing jurisdiction
Related Skills
casemark/skills/legal/automated-contract-summary
development
VerifiedTrustedCommunity
name: automated-contract-summary language: en description: Generates structured executive summaries of contracts using ML — captures key terms, party obligations, risk allocations, and compliance requirements in a standardized format. Optimized for high-volume review where speed and consistency matter. tags: - summarization - agreement - corporate --- # Automated Contract Summarization Produces standardized executive summaries of contracts using machine learning, capturing essential term
21SKILL.mdUpdated May 26, 2026
casemark/obligation-mapping
tools
VerifiedTrustedCommunity
Extracts regulatory obligations from dense regulations across jurisdictions. Breaks down multi-level regulations into clear article-level obligations, classifies applicability to a business, and prioritizes by risk level. Use when translating regulations into actionable compliance requirements.
21SKILL.mdUpdated May 25, 2026
casemark/horizon-scanning
development
VerifiedTrustedCommunity
Continuously monitors regulatory landscapes for changes relevant to a specific business. Ingests global regulatory updates, filters by relevance, summarizes impact, and produces an actionable change advisory. Use when tracking regulatory developments affecting a particular product or market.
21SKILL.mdUpdated May 25, 2026
casemark/gap-analysis
testing
VerifiedTrustedCommunity
Compares an organization's existing compliance controls, policies, and procedures against extracted regulatory obligations to identify coverage gaps. Produces a remediation plan with prioritized actions. Use when assessing compliance maturity or preparing for regulatory audits.
21SKILL.mdUpdated May 25, 2026