Without providing too much detail publicly... we are a small company that has been asked to craft an API into our system for clients to make updates from their existing software platforms into ours. We have developers that have created most of the API infrastructure that is needed. However, my question is, from a business standpoint, should we be forcing these interested 3rd parties to sign confidentiality agreements before reviewing the technical documentation that has been created? Should an agreement / contract be created and signed before any work occurs? Are there any best practices when going through this process? This is not our core business function and looking for direction to make sure we have covered ourselves legally as well as an operational and security standpoint. Any feedback or guidance would be appreciated.