Diligence needs to see the code. The contracts often say it cannot. How to disclose what a buyer needs without breaching the confidentiality clauses that govern it.
Confidentiality clauses and disclosing code to a buyer pull in opposite directions, and a deal team has to hold both at once. Diligence needs to understand the software that powers the target: how it is built, what it depends on, and where the licensing risk sits. The contracts that govern that software frequently forbid exactly the disclosure diligence requires. Vendor agreements bar handing source code or commercial terms to a third party. Customer contracts restrict what can be shared about bespoke work. Partner deals carry confidentiality obligations that survive the transaction. Managing confidentiality clauses and disclosing code to a buyer is the discipline of getting diligence the answers it needs without breaching the obligations the target already owes, because a careless disclosure becomes a liability the buyer inherits at close.
Every piece of material a buyer wants to inspect carries its own confidentiality status. Code the target wrote and owns can usually be shown with ordinary deal protections. Third party source code, licensed in under strict terms, often cannot be disclosed at all without the vendor consent. Commercial terms in vendor contracts are frequently marked confidential and sometimes specifically barred from disclosure to competitors or potential acquirers. Customer data and bespoke deliverables carry obligations the target owes downstream. The disclosure plan starts by classifying material into these tiers, because the controls that apply to each are different. A blanket data room with everything in it is the fastest route to a breach. The clause discovery that feeds this classification is the same exercise described in finding change of control clauses before you sign, run with confidentiality and disclosure restrictions added to the read.
Disclosure to a buyer is managed through nested controls, each tighter than the last. The outer layer is the non disclosure agreement between buyer and seller, which frames every disclosure but does not override obligations owed to third parties. Inside that sits staged access, where material is released by sensitivity tier as the deal progresses, so the most sensitive items appear only to a small named group late in the process. Inside that sits redaction, where third party code, pricing, or customer identifiers are removed before anything is shown. At the centre sits the clean room, where an independent expert inspects the most sensitive material, such as licensed in source code, and reports findings to the buyer without the buyer ever seeing the raw material. The clean room is what lets a buyer get a real answer on a question like whether the target has embedded restricted third party code, without the disclosure itself breaching the vendor confidentiality clause.
| Material type | Confidentiality risk | Control that fits |
|---|---|---|
| Target owned source code | Low, owned by the target | Standard data room under the non disclosure agreement |
| Vendor commercial terms | Medium, often marked confidential | Staged access, redact pricing, named recipients only |
| Licensed in third party code | High, disclosure often barred | Clean room review by an independent expert |
| Customer bespoke deliverables | High, obligations owed downstream | Redaction of identifiers, consent where required |
| Open source components | Variable by licence | Bill of materials and licence scan, not raw disclosure |
A frequent misunderstanding is that the non disclosure agreement between the parties cures any confidentiality problem. It does not. That agreement governs the relationship between buyer and seller, but it has no power over obligations the target owes to a vendor, customer, or partner who is not a party to it. If a software vendor contract states that its source code and terms may not be disclosed to a third party, showing them to a buyer breaches that contract regardless of how robust the buyer side non disclosure agreement is. The breach is the disclosure itself. This matters to the buyer because the consequences of that breach, whether a termination right, a penalty, or a damaged vendor relationship, travel with the business into the buyer hands. The disclosure plan therefore has to respect third party obligations, not just paper over them, which is why the high sensitivity tiers go through redaction and clean rooms rather than the open data room.
Deal structure shapes the disclosure question because it decides who ends up holding the confidential material and the obligations attached to it. In a stock purchase the target entity continues and its confidentiality obligations carry across intact, so the buyer inherits both the material and the duties. In an asset purchase the relevant contracts and code have to be assigned, and the disclosure during diligence has to anticipate which obligations will move. In a carve out the confidential material may be shared with a wider seller group, and disclosure has to separate what belongs to the carved out business from what does not. The structure analysis in stock versus asset purchase and which triggers assignment issues runs alongside the disclosure plan, because the two decisions inform each other. As with every clause question, the legal interpretation of a confidentiality obligation is a matter for the buyer own counsel.
One category sits apart from the confidentiality tiers and trips up deal teams that only think about proprietary code. Open source components carry no confidentiality obligation, so they do not need a clean room, but they carry licence obligations that a buyer must understand, and the way to assess them is not raw code disclosure at all. The right instrument is a software bill of materials and a licence scan that lists every open source component and the terms it travels under. Permissive licences create little risk. Copyleft licences can, in some configurations, carry obligations that extend to the code they are combined with, which is a commercial question the buyer needs answered before close. Because the assessment is done through a scan and a report rather than by handing over code, it fits cleanly alongside the clean room work without adding confidentiality risk, and it closes a gap that a confidentiality focused disclosure plan would otherwise miss.
Consider an anonymised composite: a strategic buyer acquiring a 1,400 employee analytics software business. The buyer wanted comfort that the target product did not embed restricted third party code that would create a licensing problem after close. The target source code was partly its own and partly licensed in from two specialist vendors under agreements that barred disclosure of the licensed code to any third party, and explicitly to competitors. A direct disclosure to the buyer, itself a competitor in part of the market, would have breached both vendor agreements and handed the buyer a liability on day one. The deal team set up a clean room where an independent expert inspected the full code base, confirmed the boundaries between owned and licensed code, and reported that the licensed components were used within their terms. The buyer got the assurance it needed, the vendor agreements stayed intact, and no confidential code changed hands. The lesson for buyers is that the answer diligence needs and the raw material it wants are not the same thing, and clean controls deliver the first without the risk of the second.
We map the confidentiality and disclosure restrictions across the target software estate, design the controls that let diligence see what it needs, and flag where disclosure to a buyer would breach a third party agreement.
Request a change of control clause review