Published Jun 8, 2026
Key Takeaways
- An NDA with your VA protects business data, client information, proprietary processes, and competitive intelligence
- Your NDA should define what is confidential, how long confidentiality lasts, and what happens on breach
- Agency VAs (like Stealth Agents) typically sign NDAs as part of onboarding -- confirm this before sharing sensitive systems
- Access controls and data hygiene practices matter as much as the NDA itself
- Stealth Agents VAs start at $10/hr -- all include standard confidentiality agreements
Bringing a virtual assistant into your business means giving someone access to your systems, client data, and internal processes. That access creates real risk if it's not properly protected. A virtual assistant NDA -- paired with sensible access controls -- is how you manage that risk without making the working relationship adversarial.
Here's what you need to know.
Why a VA NDA Matters
Your VA may have access to client contact lists, pricing data, proprietary workflows, sales processes, financial records, internal communications, and competitive intelligence. Without a confidentiality agreement, there's no legal framework defining what they can and can't do with that information after the engagement ends.
An NDA doesn't prevent bad behavior -- it creates legal recourse if it happens, and it sets clear expectations that signal you take data protection seriously. Most professional VAs are accustomed to signing NDAs and view them as a standard part of business.
What Your VA NDA Should Cover
Definition of confidential information. The agreement should define what counts as confidential: client names and contact details, business financial information, pricing and contract terms, proprietary processes, trade secrets, and any information explicitly marked confidential. A broad definition protects you; a definition that's too vague may not hold up in a dispute.
Scope of permitted use. Your VA can use confidential information only to perform their work for you. They cannot share it with third parties, use it for their own benefit, or use it to solicit your clients.
Duration. Confidentiality obligations typically survive the end of the engagement. A standard term is 2 to 5 years post-engagement for general business information. Trade secrets should be protected indefinitely.
Return or destruction of information. On termination, your VA should return or certify destruction of all confidential materials -- access credentials, downloaded documents, copies of client data.
Exclusions. Include the standard carve-outs for information that is already in the public domain, was independently developed, or is required to be disclosed by law.
Remedies. Spell out what happens on breach. Most NDAs specify injunctive relief (a court order to stop the breach) plus damages. For offshore VAs, enforcement is more complex -- more on this below.
Offshore VA NDAs: Practical Reality
Enforcing an NDA against a VA in the Philippines or Latin America through litigation is expensive and impractical for most small businesses. The NDA's value in offshore arrangements is primarily:
- Setting clear expectations and creating a professional accountability framework
- Enabling agency-level enforcement (the agency bears consequences for their VAs' behavior)
- Deterring casual breach (most people don't violate agreements they signed deliberately)
For offshore VAs, the most practical protection is a combination of a signed NDA AND smart access controls -- only giving access to what's necessary, using role-based permissions in software, and not sharing master credentials.
When hiring through an agency like Stealth Agents, the agency itself is a party to the confidentiality relationship. Agency VAs sign NDAs with the agency, and the agency bears responsibility for their staff's conduct. This is one of the practical advantages of agency hiring over direct freelance arrangements.
Access Controls That Matter as Much as the NDA
The NDA creates legal protections. Access controls prevent most problems from arising in the first place.
Principle of least privilege. Give your VA access only to the systems and data they need for their specific tasks. A scheduling VA doesn't need access to your financial records. A data entry VA doesn't need admin-level access to your CRM.
Role-based tool access. Most business tools offer permission levels. Your VA should have editor access (not admin) to tools they operate. Admin access should stay with you.
Separate accounts where possible. Create a dedicated business email account for your VA to use rather than giving access to your primary email. Use sub-accounts or user seats in software rather than sharing master login credentials.
Shared password managers. If your VA needs access to tools that don't have user-level seats, use a shared password vault (1Password, Bitwarden Teams) where you can revoke access instantly on offboarding. Never email passwords.
Offboarding checklist. When the engagement ends, revoke all access immediately and systematically. Have a checklist of every tool and account your VA had access to and confirm each one is revoked.
What to Do Before Sharing Sensitive Information
Before you give your VA access to client data, financial systems, or proprietary processes:
- Have a signed NDA in place (or confirm the agency's standard agreement covers it)
- Review what you're about to share -- is it necessary for the tasks assigned?
- Implement the access controls described above
- Brief your VA verbally on your data handling expectations, not just the written agreement
The conversation matters. A VA who understands why you take confidentiality seriously is more likely to apply good judgment in ambiguous situations than one who signed a document they barely read.
Sample NDA Provisions
If you're drafting your own agreement (or reviewing a template), these are the provisions most commonly missing or poorly written:
Specific definition of client data as confidential. Many generic NDA templates don't explicitly cover client contact information. Make sure it's named.
Post-engagement obligations. Confirm the agreement explicitly states that confidentiality continues after the engagement ends and for how long.
No-solicit provision. Consider including a clause prohibiting your VA from soliciting your clients directly for 12 to 24 months post-engagement. This is separate from the NDA proper but often included in the same document.
Q: Does Stealth Agents require VAs to sign NDAs?
A: Yes. Stealth Agents VAs sign confidentiality agreements as part of their onboarding with the agency. You can also request that your VA sign a client-specific NDA for additional contractual protection. VAs start at $10/hr for dedicated full-time support.
Q: Can I enforce an NDA against an offshore virtual assistant?
A: Direct enforcement via litigation is expensive and impractical for most small businesses. The practical value of an offshore NDA is expectation-setting, agency-level accountability, and deterrence of casual breach. For sensitive data, access controls and data minimization practices are equally important.
Q: What's the most important thing to include in a VA NDA?
A: A precise definition of what counts as confidential information. Vague definitions like "all business information" are sometimes hard to enforce. Name specific categories: client data, financial records, pricing, proprietary processes, trade secrets. The clearer the definition, the clearer the obligation.
Data protection with a virtual assistant is a combination of legal documentation and practical access management. Stealth Agents handles the baseline confidentiality agreement as part of onboarding -- but reviewing your own access controls and what you share is equally important. The team can advise on standard data security practices for VA engagements when you're getting started.

