NDA including data security clause?

8 replies
I'm looking into hiring consultants to help me with web projects.

I was reading this article, and the author suggests I should have some kind of data security clause in an NDA to make sure the consultant takes reasonable steps to protect his access to my system and any data he obtains from it. He argues that NDAs typically just cover intentional disclosure or gross negligence, but not real security like using a VPN before entering passwords on an unencrypted website connection over unsecured wifi.

https://techcontracts.com/2011/09/01...urity-clauses/

What do you think? Any idea what kind of clause I should add, or how to modify a standard NDA to cover it? I checked out the couple links he gave but I couldn't find anything specific.
  • seasoned
    That's STUPID, and not enforceable AT ALL! You want them to use a vpn? *****YOU***** must supply it! If they are FORCED to use it, how could they EVER violate it? And "secured wifi" is NOT secure! It only secures the connection up to the hub. A VPN secures it up to the server! So VPN over an UNSECURED WIFI is actually MORE secure than a communication over a SECURED WIFI.

    BTW, interesting fun fact! MOST connections today use SSH rather than telnet, and SSH is actually MORE secure over an unsecured wifi than telnet over a secured wifi. WHY? Because it is often the SAME technology, but to the server.

    So WHY is such an NDA STUPID and unenforceable? SIMPLE! Because they can NOT use what YOU don't give them, and YOU should secure it!
    • squeebo
      I'm using a VPN as an example of a security measure. The goal is trying to ensure that consultants know and use appropriate security to avoid unintentional leaks. It would be a shame for me to go to so much trouble to safeguard my data and then have some idiot spill it over a public wifi, not have a password on his laptop, and have a son who downloads malware onto his system.

      Maybe an interview is the best way to determine whether he understands security and what vulnerabilities his systems would have. Still, it would be nice to have some kind of assurance that he actually uses the security methods and isn't just waving his hands.
  • agmccall
    Just like the other similar post about this, both parties should just seek legal advice and let their lawyers work it out.

    But if the purchaser wants all these security measures then the purchaser should pay for it 100%

    al
  • yukon
    What are you protecting, an affiliate site or NASA?
    • shaunybb
      Originally Posted by yukon:

      What are you protecting, an affiliate site or NASA?

      Lol your wisdom makes me laugh
      • yukon
        Originally Posted by shaunybb:

        Lol your wisdom makes me laugh
        Lol,

        Don't get me wrong, everyone should protect what they have but they need to put it in perspective.

        If they're hiring someone on a freelance site out of a 3rd world country, odds are no legal document is going to serve a purpose. Example: tracking down a guy in India and proving he's on wifi is overkill. He's probably already running through a proxy.
  • kilgore
    Originally Posted by seasoned:

    That's STUPID, and not enforceable AT ALL! You want them to use a vpn? *****YOU***** must supply it! If they are FORCED to use it, how could they EVER violate it? And "secured wifi" is NOT secure! It only secures the connection up to the hub. A VPN secures it up to the server! So VPN over an UNSECURED WIFI is actually MORE secure than a communication over a SECURED WIFI.

    BTW, interesting fun fact! MOST connections today use SSH rather than telnet, and SSH is actually MORE secure over an unsecured wifi than telnet over a secured wifi. WHY? Because it is often the SAME technology, but to the server.

    So WHY is such an NDA STUPID and unenforceable? SIMPLE! Because they can NOT use what YOU don't give them, and YOU should secure it!
    I don't see what's stupid about it. It's his contract, so within reason he can put what he wants in it. If the consultants evaluating his proposal think it's unreasonable, they can either ask for changes to be made or not take the job. And no, he doesn't need to provide the VPN to them -- though if he's really concerned about security it's probably a good idea, as using an untrustworthy VPN can be a problem in itself. (What if the VPN provider is itself malicious or insecure?)

    Regardless, saying contractors can't use what you don't give to them is completely false. Is he supposed to supply a computer to his contractor? Of course not. Likewise, if he were hiring a contract designer and wanted to specify that the files be saved in Adobe Illustrator CC format, that would be completely reasonable even if he didn't provide Adobe Illustrator CC for his contractor to use. Again it's his contract and he can put what he wants in it.

    I also don't think you understand the risks that the OP is talking about -- or you're confused about what SSH is. SSH is a protocol primarily used to issue commands to remote servers. It's generally not used to secure other types of traffic as is SSL or TLS. In other words, SSH is the secure version of telnet. But he's not talking about using telnet. He's talking about requests over unsecure HTTP. And really any unsecure connection over any untrusted network is potentially a problem (HTTP, IMAP and SMTP being the most likely). And in any of those cases SSH isn't going to help.

    As to the enforceability of such a contract... I think you do have a good point. But I'll respond to that below.

    Originally Posted by yukon:

    If they're hiring someone on a freelance site out of a 3rd world country odds are no legal document is going to serve a purpose. Example, tracking down a guy in India and proving he's on wifi is overkill. He's probably already running through a proxy.
    When it comes to enforceability, you're almost certainly right. An NDA as described above is almost certainly going to be unenforceable in a situation like this. How are you going to monitor what software they're using when on public Wi-Fi? Then again, just about any contract he's likely to make with these contractors is going to be difficult to enforce, if only because of the legal costs and hurdles that go into contract enforcement.

    That said, just because a contract may be hard or impossible to enforce doesn't mean it's not worth having. For instance, we just sent a contract over to a large company who wanted to run an advertising campaign with us. But the contract is only for a few thousand dollars, so if they somehow broke the contract, we'd likely spend far more in time, effort and money than we would earn recovering whatever losses we might have accrued. Moreover, given the size of the company, I have no doubt that their legal department would crush our legal department in a dispute (especially since we don't have a legal department!) But that doesn't mean the contract is not worth having.

    For us, a contract is an opportunity for two parties to lay out very clearly their shared expectations about a transaction or partnership. Too often, different parties have different memories or interpretations of things that were said, which can lead to disappointment or conflict. A contract puts it all into black and white. So in our case, we know exactly what we're being hired to do and the company knows exactly what they're paying for. And we'll both be more likely to be happy at the end of the day.

    All that said, just because I think contracts are a good idea, and just because I think the security provision in this NDA is reasonable to include if he wants it, doesn't mean I think he should necessarily ask for it. It really depends on him and what he thinks is important. Just how sensitive is the data that his contractors are going to have? How worried is he about their security practices? How concerned is he about the use of public Wi-Fi? Knowing that a provision like this would be difficult to enforce, does he still want it in there in order to highlight the issue?

    Personally, I wouldn't bother with it. But that's a reflection of me, my own comfort levels and my own confidence in my own security practices. (For instance, I'd never send sensitive data to a contractor I didn't trust in the first place.) Still, my experience isn't necessarily going to be his experience. So the OP needs to decide what's important to him and put that in the NDA.
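kilgore's point above is that SSH protects only the shell session it carries, while plain HTTP, IMAP and SMTP stay exposed on any untrusted network, so the practical question for the OP is which of the endpoints a consultant will be handed actually travel encrypted. The script below is an added example, not code from any post in this thread or from the linked article: it audits an inventory of access endpoints (a constructed list with placeholder hosts) and flags each one as encrypted, plaintext, inconsistent (a plaintext scheme on a TLS port) or only opportunistically encrypted (SMTP with STARTTLS). The scheme table, the port set and the advice strings are my own assumptions about what such a pre-engagement check should contain.

```python
"""Audit a list of endpoints handed to a consultant and flag plaintext transports.

Added example for this thread; it is not code from the original posts or from the
linked article. The endpoint list is constructed and the host names are placeholders.
"""
from urllib.parse import urlsplit

# How each URL scheme carries credentials and data on the wire (assumed table).
SCHEME_SECURITY = {
    "https": "tls", "imaps": "tls", "pop3s": "tls", "smtps": "tls",
    "ftps": "tls", "sftp": "tls", "ssh": "tls",
    "http": "plaintext", "imap": "plaintext", "pop3": "plaintext",
    "ftp": "plaintext", "telnet": "plaintext",
    "smtp": "starttls",  # begins in the clear; upgrades only if the client insists
}

# Ports conventionally used for implicit TLS (or SSH). A plaintext scheme pointed
# at one of these is inconsistent and should be clarified before it is handed out.
TLS_PORTS = {443, 993, 995, 465, 990, 22}

SAFER_ALTERNATIVE = {
    "http": "https", "imap": "imaps", "pop3": "pop3s", "ftp": "sftp",
    "telnet": "ssh", "smtp": "smtps, or smtp with STARTTLS made mandatory",
}

# Constructed sample inventory (placeholder hosts, not real systems).
SAMPLE_ENDPOINTS = [
    "https://shop.example.com/admin",        # encrypted web login
    "http://shop.example.com/wp-admin",      # plaintext web login
    "ssh://deploy@shop.example.com:22",      # encrypted, but only this session
    "ftp://ftp.example.com/htdocs",          # plaintext file transfer
    "imap://mail.example.com:993/",          # plaintext scheme on a TLS port
    "smtp://mail.example.com:587",           # STARTTLS; safe only if enforced
    "shop.example.com/phpmyadmin",           # no scheme given at all
]


def classify(url: str) -> dict:
    """Return a finding for one endpoint: transport class, consistency, advice."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        port = parts.port  # None when absent; ValueError when malformed
    except ValueError:
        port = None
    security = SCHEME_SECURITY.get(scheme, "unknown")
    # Plaintext scheme on a port that normally speaks TLS: the list is ambiguous.
    mismatch = security == "plaintext" and port in TLS_PORTS

    if security == "tls":
        ok = True
        advice = ("ssh/sftp protect this session only; web and mail endpoints "
                  "need their own TLS" if scheme in ("ssh", "sftp") else "fine as written")
    elif security == "starttls":
        ok = False
        advice = ("confirm the client fails closed if STARTTLS is refused, or use "
                  + SAFER_ALTERNATIVE[scheme])
    elif security == "plaintext":
        ok = False
        if mismatch:
            advice = ("scheme says plaintext but port %d implies TLS; confirm and "
                      "rewrite with the encrypted scheme (%s)" % (port, SAFER_ALTERNATIVE[scheme]))
        else:
            advice = "use " + SAFER_ALTERNATIVE[scheme]
    else:
        ok = False
        advice = "no recognised scheme; treat as plaintext until the transport is confirmed"
    return {"url": url, "scheme": scheme or None, "host": parts.hostname, "port": port,
            "security": security, "mismatch": mismatch, "ok": ok, "advice": advice}


def audit(urls) -> dict:
    """Classify every endpoint and summarise what needs attention before access is granted."""
    findings = [classify(u) for u in urls]
    return {
        "findings": findings,
        "plaintext": sum(f["security"] == "plaintext" for f in findings),
        "needs_review": sum(not f["ok"] for f in findings),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ENDPOINTS)
    for f in report["findings"]:
        flag = "OK " if f["ok"] else "FIX"
        print(f"{flag} {f['security']:<9} {f['url']:<40} {f['advice']}")
    print(f"{report['plaintext']} plaintext, {report['needs_review']} need review")
```

Run it against the real list of URLs, hostnames and mail settings you intend to give a contractor; anything that comes back as FIX is a transport you would be relying on the contractor's VPN to cover, which is exactly the dependency the thread is arguing about. The scheme/port mismatch branch matters because access lists are often copied from client settings where "imap on 993" silently means implicit TLS; writing the scheme explicitly removes the guesswork.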
  • squeebo
    I wouldn't bother with an NDA at all if it's a foreigner, and for that reason I was planning on hiring someone in the US and paying more for the extra peace of mind. I also want to avoid the broken English factor when there's some real communication required. I'm trying to save time.

    I know sites like Upwork already sort of have one, but nobody pays attention to it before clicking.

    I'm just not experienced at hiring people for tasks requiring access. I've been doing everything myself and feel weird about doing things like hiring someone to help migrate and redesign my ecommerce store with thousands of customers' info.