Before entrusting your data to an IT provider, you request a non-disclosure agreement (NDA). That is good. It is even essential. But it is far from sufficient.
An NDA is a legal document. It encrypts nothing, controls no access, monitors no data flow. It sets obligations -- and provides for sanctions. But between the signature and the lawsuit, there is a gap that only concrete technical and organizational measures can bridge.
What the NDA Actually Protects
The confidentiality agreement remains an essential contractual pillar. Here is what it concretely provides in a relationship with an IT provider:
Legal non-disclosure obligation
The provider formally commits not to disclose your confidential information to third parties. This is the foundation of any trust-based relationship in managed services.
Defined confidentiality period
The NDA frames the duration of the obligation -- for example, 3 years after contract termination (see our T&Cs, Art. 16) (fr). Without this clause, confidentiality expires with the contract.
Legal basis for recourse
In case of a proven leak, the NDA provides the contractual basis to hold the provider liable. Without a written agreement, proving a confidentiality obligation is much more difficult.
Trade secret protection
The NDA complements trade secret protection (Article L151-1 of the French Commercial Code), whose protection duration is unlimited as long as the secret is maintained.
The NDA's Limitations Against Technical Reality
The NDA is a legal tool. However, protecting your data at an IT provider is primarily a technical and organizational challenge. Here is what the NDA does not cover:
An NDA does not encrypt your data
The confidentiality agreement prohibits disclosure -- but it does not make data unreadable. If your provider's backups are not encrypted, any technician with storage access can read your files. The NDA only punishes after the fact; it technically prevents nothing.
An NDA does not control technical access
Who has access to your servers? With what privileges? The NDA says nothing about access management, privileged accounts, multi-factor authentication, or environment separation. A system administrator sees everything -- unless technical measures prevent it.
An NDA does not protect against negligence
Unpatched vulnerabilities, weak passwords, poorly supervised subcontractors, untested backups... Security incidents are rarely the result of intentional disclosure. They stem from technical negligence that the NDA does not address.
Proving a breach is nearly impossible
Even in case of a leak, how do you prove your provider is the source? Without immutable access logs, without an evidence agreement, without operation traceability, the NDA is a weapon without ammunition.
The 5 Pillars That Matter More Than the NDA
To truly protect your data at an IT provider, demand these 5 technical and organizational guarantees. They transform the NDA's legal commitment into effective protection.
Client-side encryption
Client-side encryption is the only absolute technical guarantee: even the provider cannot read your data. The encryption keys stay with you -- not with your managed service provider.
Concrete example: with Proxmox Backup Server (PBS), backups are encrypted on the client side with a key held only by the client. The provider stores encrypted blocks that it cannot decrypt, even with root access to the backup server.
Sovereign hosting
A French NDA does not protect you if your data is hosted in the United States. The Cloud Act allows US authorities to access data stored by American companies, regardless of the hosting country. That is why we offer sovereign server management, operated entirely in France.
What to demand: hosting in France, operated by a French company, on infrastructure not subject to extraterritorial jurisdictions. This is the only way to ensure that GDPR fully applies.
Subcontractor oversight
Does your provider use subcontractors? If so, are they subject to the same confidentiality obligations? An NDA that does not cover the subcontracting chain is a leaky NDA.
What to demand: a cascading NDA with each subcontractor, a GDPR-compliant DPA (Data Processing Agreement), audit rights, and a subcontractor list disclosed to the client (see our T&Cs, Art. 5.7) (fr).
Environment separation
Indiscriminate environment sharing is a major risk. If your data sits alongside other clients' data on the same server without isolation, an incident at a neighbor's can compromise your data.
What to demand: network isolation (dedicated VLAN), separate virtual machines, isolated storage, and ideally dedicated clusters for sensitive environments.
Traceability and immutable logs
Without logs, no evidence. Without evidence, the NDA is useless. Traceability is the missing link between the legal obligation and the ability to enforce it. And the timestamps must be reliable -- an NTP desynchronization makes cross-source correlation impossible and compromises the evidentiary value of logs.
What to demand: immutable access logs (write-once), contractual evidence agreement, defined retention period (minimum 90 days), and client access to logs on request (see our T&Cs, Art. 8) (fr).
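As an added illustration (not RDEM Systems' code or tooling), the following Python sketch shows what "immutable, write-once" logging and reliable timestamps mean in practice: each access record is chained to the previous one with an HMAC under a key the client holds, so a record that is altered, removed or reordered after the fact breaks the chain, and a timestamp that runs backwards beyond a small tolerance exposes a desynchronised source clock. The key, the sources (bastion, pbs) and the log records are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64                # chain anchor for the first record
MAX_SKEW = timedelta(seconds=5)   # tolerated clock disagreement between sources

def _canon(record: dict) -> bytes:
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append(log: list, key: bytes, record: dict) -> dict:
    """Append a record chained to the previous entry's tag (write-once semantics)."""
    entry = {**record, "prev": log[-1]["tag"] if log else GENESIS}
    entry["tag"] = hmac.new(key, _canon(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry

def verify(log: list, key: bytes) -> tuple:
    """Return (ok, reason): checks the HMAC chain, then timestamp plausibility."""
    prev, high_water = GENESIS, None
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return False, f"entry {i}: chain broken (record removed or reordered)"
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, f"entry {i}: tag mismatch (record altered)"
        ts = datetime.fromisoformat(entry["ts"])
        # Chain order is ground truth: a timestamp earlier than the previous
        # record by more than MAX_SKEW means a source clock is out of sync.
        if high_water is not None and ts < high_water - MAX_SKEW:
            return False, f"entry {i}: clock of '{entry['source']}' is desynchronised"
        high_water = ts if high_water is None else max(high_water, ts)
        prev = entry["tag"]
    return True, "ok"

def build_sample_log(key: bytes) -> list:
    """Constructed sample: one admin session recorded by two log sources."""
    log = []
    for ts, src, action in [
        ("2024-05-01T10:00:00+00:00", "bastion", "ssh login admin1"),
        ("2024-05-01T10:00:04+00:00", "pbs", "admin1 listed datastore"),
        ("2024-05-01T10:00:09+00:00", "bastion", "ssh logout admin1"),
    ]:
        append(log, key, {"ts": ts, "source": src, "action": action})
    return log
```

In a real deployment the verification key stays with the client (or an independent timestamping authority), which is what turns the provider's logs into evidence rather than a self-attestation.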
The RDEM Systems Approach
At RDEM Systems, the NDA is not a sales argument -- it is the contractual minimum. Here is what we concretely implement:
Equinix France hosting
3 Equinix datacenters in the Paris region, operated by a French company, outside the Cloud Act.
Client-side encrypted backups
Proxmox Backup Server with client-side encryption. We cannot read your backups, even if we wanted to.
Systematic NDAs with subcontractors
Each third-party provider signs an NDA and is subject to obligations at least equivalent to ours (T&Cs, Art. 5.7) (fr).
3-year post-contract confidentiality
Confidentiality obligation maintained for 3 years after contract termination, unlimited for trade secrets (T&Cs, Art. 16) (fr).
Documented BCP/DRP
Tested business continuity and disaster recovery plans, with inter-site replication via dedicated dark fibers.
Incident cooperation
24-hour notification, evidence preservation for 90 days minimum, coordination with authorities (T&Cs, Art. 8.2) (fr).
7 Questions to Ask Your IT Provider
Before signing a managed services contract, ask these 7 questions. If your provider cannot answer them clearly, it is a red flag.
Where is my data physically hosted?
Demand the datacenter names, country, and applicable jurisdiction. Be wary of vague answers ("in the cloud").
Are my backups encrypted? Who holds the keys?
Server-side encryption is not enough if the provider holds the keys. Ask for client-side encryption.
Do you use subcontractors? Are they under NDA?
Request the subcontractor list and verify that cascading confidentiality agreements exist.
How are my environments isolated from other clients?
Dedicated VLANs, separate VMs, isolated storage. Shared hosting without isolation is a major risk.
What access logs do you retain and for how long?
Without traceability, no evidence. Demand immutable logs with a minimum 90-day retention.
What is your notification timeline in case of a security incident?
GDPR requires notification of the supervisory authority within 72 hours. A good provider commits to notifying its clients within 24 hours.
What happens at the end of the contract? Data deletion, restitution?
Reversibility clause, certified data deletion, and post-contract confidentiality maintenance.
The NDA is the floor, not the ceiling
The confidentiality agreement remains essential -- it is the minimum contractual foundation for any relationship with an IT provider. But confusing it with effective protection is like confusing the lock with the safe.
What truly protects your data is the combination of the NDA with verifiable technical measures: client-side encryption, sovereign hosting, supervised subcontractors, isolated environments, and complete traceability. Demand both.
The NIS2 directive strengthens these requirements regarding backups and resilience -- discover our analysis on NIS2 compliance and backups. And to understand what sets a sovereign provider apart from a reseller, see why choose RDEM Systems (fr).
Need an IT provider that goes beyond the NDA?
At RDEM Systems, confidentiality is not limited to a signed document. Discover our concrete commitments to data protection.