Why Your NDA Doesn't Protect You From Translation Tool Data Leaks

NDAs govern people, not software pipelines. If your translation tool trains on your text or logs it, your NDA with the counterparty is irrelevant. Here's the gap analysis.

Yash Khare · 7 min read

I had a conversation with a startup founder last month that stuck with me.

she was about to close a funding round. her lawyer sent over the term sheet in German. she needed to understand it before the call. so she pasted the whole thing into a free translation tool.

when I asked about confidentiality, she said: "it's fine, we have an NDA with the investor."

and technically, she's right. the NDA covers the investor. it covers her team. it covers the lawyer.

it does not cover Google.

The false comfort of 'they signed an NDA'

NDAs are contracts between parties. they say: you and I agree not to share this information with third parties.

the key word is parties. an NDA binds the humans (and companies) who sign it. it doesn't bind the software those humans use to process the information.

when you paste a confidential term sheet into a translation tool, you haven't asked the translation tool to sign an NDA. you've voluntarily disclosed the information to a third party — one whose terms of service may include the right to use your input for model training, analytics, or service improvement.

the NDA protects you from the other side leaking. it does nothing about your side leaking through tooling.

and here's the uncomfortable part: the other side might have a legitimate breach claim against you. "you disclosed our confidential term sheet to a data processor without our consent" is a real argument. and it's a strong one.

What NDAs actually cover vs what translation tools do

let's be specific about the gap.

What your NDA typically covers

  • the parties can't share the information with unauthorized third parties
  • the information must be treated as confidential
  • there are usually exceptions for "professional advisors" and "agents"
  • there's a defined scope (what counts as confidential) and a time period

What translation tools typically do

  • training: some tools use your text to improve their models. your confidential information becomes part of a shared dataset used to generate outputs for other users
  • logging: some tools log your full translation request for debugging, analytics, or abuse detection. your text sits in a database, accessible to the vendor's employees and potentially their subprocessors
  • retention: some tools store your translation indefinitely. even tools that claim short retention may keep content in backups, caches, or log files
  • subprocessing: your text often passes through multiple systems — the vendor's frontend, their API, their cloud provider, their translation engine. each hop is another entity with access

here's the thing: none of these entities signed your NDA.

3 real scenarios where NDAs fail to protect

these aren't hypothetical. they're patterns I've seen or heard about from legal teams.

Scenario 1: the M&A leak

a company is in acquisition talks. the target sends due diligence documents in French. the buyer's finance team pastes them into a free translation tool to speed up review.

the tool trains on the data. six months later, a competitor's employee uses the same tool and gets suspiciously relevant autocomplete suggestions.

the NDA between buyer and target? completely irrelevant. the buyer disclosed the information to a third party (the translation tool) without authorization. the NDA breach is on the buyer's side.

Scenario 2: the cross-border HR dispute

a multinational company translates employee performance reviews from German to English using a tool that logs translation content.

an employee files a GDPR subject access request. the company has to disclose all personal data it holds — including data held by processors. they now have to explain why employee performance reviews were shared with a translation vendor, whether a DPA was in place, and whether the employee consented.

the NDA between the company and the employee? doesn't cover this. this is a GDPR processing issue, and the NDA doesn't substitute for proper data processing governance.

Scenario 3: the startup term sheet

a founder pastes a term sheet into ChatGPT to understand the liquidation preferences. the investor's law firm later discovers this during a routine due diligence check on data hygiene.

the investor pulls the deal. not because the information was actually leaked — but because the founder demonstrated a pattern of careless data handling that raises questions about how they'll handle customer data, IP, and trade secrets.

the NDA was in place. the information was technically shared with OpenAI's servers. the trust is broken.

What actually protects you

if NDAs aren't enough, what is? the answer is boring but correct: contractual and technical controls on the tool itself, not just on the people.

Data Processing Agreements (DPAs)

a DPA is a legally binding contract between you (the data controller) and the translation vendor (the data processor). unlike an NDA, a DPA specifically governs how the vendor handles your data — what they can do with it, how long they keep it, and what happens when you want it deleted.

this is what GDPR Article 28 requires. if you're processing personal data through a translation tool and you don't have a DPA, you're already non-compliant.

Zero-retention architecture

the most effective protection against translation data leaks is... not having the data to leak. tools with zero-retention architecture delete your content after a defined window (e.g., 30 minutes). there's no training set to leak into, no log to breach, no backup to subpoena.

this isn't a policy. it's an architectural constraint. the data doesn't exist, so it can't be disclosed.

No-training guarantees

separate from retention, you need a contractual commitment that your content will never be used for model training. this should be in the DPA, not just on a marketing page.

"we don't train on your data" on a website is a statement. "we don't train on your data" in a DPA is a legally enforceable commitment.

Vendor evaluation

for any tool touching confidential information, run it through the same vendor evaluation checklist you'd use for any data processor. training policy. retention window. residency. access controls. subprocessors.

requirement, and why it matters:

  • Signed DPA: legally binds the vendor to data handling commitments
  • No-training commitment: prevents content from entering model training pipelines
  • Defined retention window: ensures content is deleted within a verifiable timeframe
  • EU data residency: keeps processing within your regulatory jurisdiction
  • Subprocessor transparency: you know exactly who touches your data
  • No content logging: prevents your text from sitting in debug or analytics logs
  • Incident response process: what happens if there's a breach at the vendor level

if a vendor can't provide all of these, they're not ready for confidential work. use them for marketing copy and internal memos. use something else for the sensitive stuff.

What to tell your team

the practical takeaway for most organizations is a simple rule:

if it's covered by an NDA, it needs a DPA-grade translation tool.

print that on a poster. put it in the security training. make it part of the onboarding checklist.

the NDA tells you the information is important. the DPA tells you the tool is safe to process it.

one without the other is a gap. and gaps are where breaches happen.

Takeaways

  • NDAs protect you from the other party leaking — they don't protect you from your own tooling leaking
  • pasting NDA-covered content into a free translation tool may constitute unauthorized third-party disclosure
  • the gap between "we signed an NDA" and "our tools are compliant" is where real risk lives
  • DPAs, zero-retention architecture, and no-training guarantees are what actually protect confidential content
  • if the information is important enough to need an NDA, it's important enough to need a secure translation path
