Doctrine deep-dive? Trace it across statutes and judgments with LITT.
Size
0%
Lex-O-Pedia

Are Clickwrap NDAs for Data-Room Access Enforceable in India?

A clickwrap NDA gating access to a virtual data room is a valid electronic contract under Section 10A of the IT Act, but its enforceability turns on clear terms, provable assent, verified identity and an unresolved stamp-duty question. The doctrine explained.

0 / 0 · 0 min left
300 wpm

Virtual data rooms increasingly gate their contents behind a clickwrap non-disclosure agreement: a reviewer is shown the confidentiality terms on screen and must click "I Agree" before the documents unlock. The convenience is obvious, but so is the doubt — is an NDA accepted by a mouse click, with no signature and often no negotiation, actually enforceable in India? The short answer is yes, an electronic acceptance can form a binding NDA. The longer answer is that enforceability depends on getting four things right: clear terms, provable assent, a verifiable identity, and the still-unsettled question of stamp duty. This piece works through each, distinct from the general question of when any NDA binds.

The Statutory Foundation: Section 10A of the IT Act

The starting point is Section 10A of the Information Technology Act, 2000, inserted by the 2008 amendment, which gives electronic contract formation express statutory recognition:

"Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose."

The provision — which mirrors Article 11 of the UNCITRAL Model Law on Electronic Commerce — offers a negative assurance: the electronic medium cannot, by itself, be a ground for denying enforceability. A clickwrap "I Agree" is an electronic record of the user's assent, and so falls squarely within it. The protection is not unlimited. Section 10A does not save two categories of instrument: those listed in the First Schedule of the IT Act, and documents that must be signed under some other law. NDAs sit in neither category — they are not on the Schedule and are not mandatorily signed instruments — so presenting an NDA through clickwrap does not run into the IT Act's exclusions.

Contract-Formation Essentials Still Apply

Section 10A removes the medium objection; it does not dispense with the ordinary law of contract. A clickwrap NDA must still satisfy the Indian Contract Act, 1872. Displaying the NDA with an "I Agree" button is a proposal under Section 2(a); clicking it is signification of assent under Section 2(b), which the Act nowhere requires to be in writing or signed — assent may be expressed by act or conduct. Section 7 requires acceptance to be "absolute and unqualified" and "expressed in some usual and reasonable manner", and a click in response to an on-screen NDA is a usual and reasonable manner of accepting an online contract. Under Section 4, that acceptance is communicated when the click is registered on the disclosing party's server.

Section 10 supplies the remaining checklist: free consent, parties competent to contract, lawful consideration and lawful object. In the data-room setting the consideration is straightforward — access to the confidential information in exchange for the promise to keep it confidential and to observe the access restrictions. This mutual exchange of promises is valid consideration, whether the benefit is monetary or, as here, the opportunity to evaluate a potential transaction. The one drafting sensitivity is free consent: dark patterns such as pre-ticked boxes or a misleadingly labelled button can be argued to vitiate consent, so the interface should present the full text clearly and make the act of agreeing an unambiguous, affirmative step.

What the Courts Have Said

Indian courts have enforced electronically formed contracts for well over a decade. The anchor authority is Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1, where the Supreme Court held that a contract concluded through an exchange of emails, with no formal signed document, was valid and binding. The Court's reasoning travels directly to clickwrap:

"It is for the parties to decide whether they wish to be bound and, if so, by what terms, whether important or unimportant."

and, on the absence of a formal instrument:

"... unless an inference can be drawn from the facts that the parties intended to be bound only when a formal agreement had been executed, the validity of the agreement would not be affected by its lack of formality."

Trimex confirms that a court will enforce a contract formed electronically without a signature where the parties' contractual intent is clear, the material terms are agreed, no vitiating factor is present, and acceptance is unequivocal — the very conditions a well-built clickwrap flow is designed to satisfy.

That clickwrap is an accepted commercial mechanism, and not merely a consumer-facing one, was acknowledged in the Competition Commission of India's treatment of RKG Hospitalities v. Oravel Stays Pvt. Ltd. (CCI Case No. 03 of 2019, order of 19 October 2022), which noted that platforms routinely "enter into a standard clickwrap agreement with all hotel partners" — a business-to-business use of the mechanism recorded in a major administrative proceeding.

The limits are drawn most sharply by the Income Tax Appellate Tribunal in DDIT v. Gujarat Pipavav Port Ltd., ITA No. 7823/Mum/2010 (10 February 2017). Examining clickwrap software licences, the Tribunal flagged the identity problem — that without an electronic signature "it is not known who is actual user or which person actually has violated the terms of the agreement" — and then set the boundary of unequal bargaining power:

"In cases where on[e] party holds a higher power of negotiation, then the clickwrap agreements will be unenforceable in the absence of necessary requirements to establish a valid contract."

Pipavav signals that courts will scrutinise whether the counterparty had a meaningful opportunity to understand and accept the terms, whether the person bound is genuinely identified, and whether any term is so one-sided as to offend public policy. A data-room NDA between a company and business users or their counsel should therefore be fair and reciprocal in the protections it imposes. Consistent with that, Delhi High Court authority on clickwrap banking terms treats the agreement as enforceable where the terms are clear and the user had an opportunity to read them — a failure to read does not excuse acceptance — but treats enforceability as compromised where the terms are obscured, ambiguous or presented so as to prevent access.

The Identity Problem, and How to Solve It

Indian contract law does not require that a signer be "named" in the agreement, but the party seeking to enforce a clickwrap NDA against a specific person must prove that person's assent. Trimex permits a contract without execution formalities; it still leaves the enforcing party to establish that the other side agreed. The Pipavav concern — that it may be "the computer upon which such software is loaded" rather than an identifiable person that appears to have agreed — is the practical risk. If a reviewer clicks "I Agree" but their identity is neither captured nor verifiable, a court may ask whether that person was authorised to bind the organisation at all.

The workable answers under Indian law are evidentiary. Collecting the user's email address and verifying control of it through a code sent to that address creates a contemporaneous, linkable record of who accepted. Timestamped logging of the IP address, the click and the associated email builds an audit trail and, importantly, evidences that the user had an opportunity to read the terms. And an express representation of authority — a checkbox by which the user certifies that they are authorised to accept on behalf of a named entity and have read the terms — shifts the risk of an unauthorised click onto the person who made it.

None of this requires a Digital Signature Certificate. Section 5 of the IT Act recognises electronic signatures where a law requires authentication by signature, and a DSC issued by a certifying authority carries cryptographic authentication used mainly for government filings. But for NDA enforcement a DSC is unnecessary: a checkbox "I Agree" combined with email verification is legally sufficient to form the contract under the Contract Act and the IT Act, and is far more user-friendly. What matters is that the disclosing party can later prove the acceptance was made knowingly — hence the emphasis on verification and log retention.

The Unresolved Question: Stamp Duty

The most genuinely uncertain area is stamp duty. The Indian Stamp Act, 1899 charges duty on instruments that are "executed", and "execution" has traditionally meant a signature — a physical or electronic mark of intent. A clickwrap acceptance, carrying neither, sits in a grey zone: it is unclear whether a click "executes" the instrument for stamp-duty purposes at all. Two readings are defensible. On one, if the click is acceptance under Section 10A then the contract is executed on acceptance and duty is triggered. On the other, if "execution" under the Stamp Act requires a signature, an unsigned clickwrap does not execute the instrument, and the Act — which predates electronic contracts — may simply not contemplate it.

Whether duty attaches at all to a confidentiality agreement is a separate strand. NDAs without an assignable monetary value are often treated as bearing only nominal duty or none. In John Cockerill India Limited v. Sanjay Kamalakar Navare, the Bombay High Court classified a non-disclosure and non-solicitation agreement with no assignable monetary value under the relevant entry of the Maharashtra Stamp Act as a document for which no substantive duty was chargeable, treating the minimal amount as the proper duty. The prudent reading is that a pure confidentiality undertaking that recites no monetary value attracts, at most, minimal duty.

The stakes rose sharply after N.N. Global Mercantile Pvt. Ltd. v. Indo Unique Flame Ltd. (Supreme Court, 25 April 2023), which held, by majority, that an unstamped or insufficiently stamped agreement is not enforceable until the stamping defect is cured. Although that decision arose in the arbitration context and the position on unstamped arbitration agreements has since continued to evolve, its logic — that an inadequately stamped instrument is unenforceable until cured — is what makes stamping a live concern for any NDA on which a party may need to rely. Separately, and regardless of N.N. Global, an unstamped or insufficiently stamped agreement cannot be admitted in evidence until the duty and any penalty are paid; the document may be impounded under Section 33 of the Stamp Act and made admissible only once the correct duty, with penalty, is paid and endorsed.

The mitigation is to remove the doubt in advance. Several states have amended their stamp laws to bring "electronic records" within the definition of "instrument" and permit e-stamping through an online portal, so that duty can be paid once on the standard NDA template before it is placed behind the clickwrap gate — converting an unsigned electronic form into a stamped electronic record. Retaining the e-stamp certificate as proof, and stating in the NDA that the agreement has been duly stamped and that clickwrap acceptance constitutes acceptance of that stamped agreement, closes off the enforceability and admissibility arguments most cheaply.

Practical Takeaways

A clickwrap NDA for data-room access is enforceable in India if it is built with its evidentiary and fiscal weak points in mind:

  • Present the full text clearly. Show the entire agreement in a readable, scrollable form; make the "I Agree" button prominent and distinct from a decline option; avoid pre-ticked boxes and misleading labels that could vitiate consent.
  • Capture and verify identity. Require the user's email address and verify control of it by a code; do not rely on a bare click from an unidentified user.
  • Log everything. Record the timestamp, IP address, email and the exact version of the agreement accepted, and retain the logs for the limitation period.
  • Take an express authority representation. Include a certification that the user is authorised to bind the named entity and has read and understood the terms.
  • Keep the terms fair and reciprocal. Frame obligations as confidentiality and non-use, not as business restrictions, and avoid one-sided terms a court might strike down as unconscionable.
  • E-stamp the template. Pay stamp duty once on the standard form via the applicable state e-stamping portal, retain the certificate, and recite in the NDA that the agreement is stamped and that clickwrap acceptance constitutes acceptance of the stamped agreement.
  • A DSC is not required. Email-verified checkbox acceptance is sufficient to form and prove the contract.

There is no SEBI or other regulator-specific guidance on clickwrap NDAs for M&A or data-room contexts; the general framework governing electronic contracts applies uniformly. The residual risk is concentrated in stamping and proof of identity, which is precisely where the design of the flow, rather than the drafting of the clauses, does the decisive work.

Key Authorities

  1. Information Technology Act, 2000, Sections 5 and 10A — electronic contract formation is not unenforceable for being electronic; electronic signatures recognised where a signature is required. Source
  2. Indian Contract Act, 1872, Sections 2, 4, 7, 10 — offer, acceptance, mode of acceptance and the essentials of a valid contract. Source
  3. Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1 — an email-formed contract without signature is binding where intent and material terms are clear. Source
  4. RKG Hospitalities v. Oravel Stays Pvt. Ltd., CCI Case No. 03 of 2019 (19 October 2022) — clickwrap recognised as a standard B2B commercial mechanism. Source
  5. DDIT v. Gujarat Pipavav Port Ltd., ITA No. 7823/Mum/2010 (10 February 2017) — the identity problem and the limit of unequal bargaining power in clickwrap. Source
  6. Indian Stamp Act, 1899, Sections 3 and 33 — duty on executed instruments; impounding and cure of unstamped documents. Source
  7. N.N. Global Mercantile Pvt. Ltd. v. Indo Unique Flame Ltd., Supreme Court, 25 April 2023 — an inadequately stamped agreement is unenforceable until the defect is cured (position on arbitration agreements subsequently evolving).
  8. John Cockerill India Limited v. Sanjay Kamalakar Navare, Bombay High Court — an NDA with no assignable monetary value attracts, at most, minimal stamp duty.

This analysis reflects the law as at June 2026. It is published for general information and does not constitute legal advice.

Written by Sushant Shukla
Follow the thread

Questions about this piece

AI-powered, citation-anchored. Pick a question to see the answer.

  1. 01
  2. 02
  3. 03
Powered by LITT AI · Educational explainer, not legal advice. Verify before relying.
1.5×

More in

Legal Wires

Legal Wires

Stay ahead of the legal curve. Get expert analysis and regulatory updates natively delivered to your inbox.

Success! Please check your inbox and click the link to confirm your subscription.