NDA Review Playbook (Commercial, Jurisdiction-Agnostic)

Overview

What this skill does	What it does not do
Reviews an NDA and outputs issues, risks, and suggested redlines	Provide jurisdiction-specific legal conclusions
Supports Recipient or Discloser perspectives (user-chosen)	Guarantee enforceability
Produces an executive summary + clause-by-clause markup guidance	Replace counsel for complex deals

Scope limitation (important): this playbook supports one-way (unilateral) commercial NDAs only.

If the NDA is mutual, stop: this playbook is out of scope and you should escalate to counsel or use a separate mutual-NDA review approach.

Variation callouts appear throughout:

• M&A / Due diligence
• Employment / contractor
• Investor / VC

LEGAL DISCLAIMER

THIS IS NOT LEGAL ADVICE. This skill is provided for informational and educational purposes only. Laws vary by jurisdiction and individual circumstances, and only a licensed attorney can provide advice tailored to your specific situation. When the NDA is high-risk, high-value, cross-border, or otherwise sensitive, escalate to qualified counsel.

Remember: All outputs from this skill must be reviewed by a qualified legal professional before being used for any legal purposes.

---

Inputs to collect (ask before reviewing)

A. Role and deal context (required)

• Are we reviewing as Recipient (we receive confidential info) or Discloser (we disclose confidential info)?
• Confirm the NDA is one-way (unilateral). If it is mutual, stop: this playbook cannot be used.
• What is the purpose / permitted use (e.g., evaluation of partnership, vendor RFP, diligence)?
• What are the parties (legal names) and any affiliates that should be covered?
• What information types are expected (tech, pricing, customer data, product roadmap, source code)?
• Desired timeline: when do we need to sign?

B. Practical constraints (recommended)

• Do we need to share with affiliates, advisors, contractors, auditors, or potential acquirers?
• Will we need to export data across borders or store in cloud tools?
• Will any personal data be shared? If yes, are there separate data-processing terms?

Jurisdiction-agnostic note: avoid asserting “this clause is invalid” without the governing law details; focus on commercial risk, operational feasibility, and market norms.

Deliverables (output format)

Quick start (default output template)

ALWAYS output:

1. Executive summary
2. Clause-by-clause issue log (single table)

A. Executive summary (1 page)

• Party role (Recipient or Discloser) and confirmation it is one-way (unilateral)
• Top 5 negotiation points (ranked)
• “Sign as-is” / “Sign with changes” / “Escalate” recommendation

B. Clause-by-clause issue log (lawyer-style, thorough)

Use a single table so counsel and business owners can track issues, owners, and deadlines.

Clause	Issue (1 line)	Risk (H/M/L)	Preferred redline	Fallback	Rationale (1–2 sentences)	Owner	Deadline
Definition	Overbroad; includes unmarked info with no reasonableness
Term & survival	Perpetual confidentiality for all information
Use restriction	Purpose too broad; blocks internal evaluation
Disclosures	Representatives undefined; strict liability
Return/destruction	No backup carve-out
Remedies	One-way fees + automatic injunction
Liability	Indemnity + unlimited consequential damages
Boilerplate	Assignment prohibits change of control

Example (compact)

Executive summary (example skeleton):

• Role: Recipient (one-way NDA)
• Recommendation: Sign with changes
• Top 5 points: definition scope; term/survival; representatives; backup carve-out; remedies/fees

Issue log (example rows):

Clause	Issue (1 line)	Risk (H/M/L)	Preferred redline	Fallback	Rationale (1–2 sentences)	Owner	Deadline
Term & survival	Perpetual confidentiality for all information	H	Add 2–5 year survival; trade secret carve-out only	5-year survival for all	Reduces indefinite operational burden while protecting truly sensitive info	Legal	Before signature
Return/destruction	No backup carve-out	M	Add backup/legal hold exception + continued confidentiality	Allow retention in immutable backups only	Required for standard IT operations; avoids impossible compliance	Security + Legal	Before signature

5-step workflow

Step 1 — Identify stance (Recipient vs Discloser)

• Confirm which side we are on for this specific NDA (titles are often misleading).
• Confirm the NDA is one-way (unilateral). If it is mutual, stop (out of scope).

Quick heuristic:

• If we are being asked to keep their info secret → we are Recipient.
• If we are sharing our sensitive info → we are Discloser (if the NDA is mutual, stop: out of scope).

Step 2 — Triage the NDA (fast risk scan)

Flag these immediately:

• Perpetual confidentiality for all information (no trade secret distinction)
• Residuals clause allowing use of “memory” or generalized knowledge
• Injunctive relief + attorneys’ fees one-way against Recipient
• Indemnity for breach or broad third-party claims
• No carve-outs for compelled disclosure or prior knowledge
• Overbroad definition: “all information, whether marked or not” with no reasonableness
• Affiliate coverage missing when we must share internally

If any are present and the NDA matters, proceed with full review and consider escalation.

Step 3 — Clause-by-clause review (use the reference modules)

Use these references while reviewing:

• Key clauses
• Party obligations
• Duration & scope
• Remedies & liability
• Standard exceptions

Step 4 — Draft redlines and negotiation positions

For each issue, produce:

• Preferred redline (best risk outcome)
• Fallback position (acceptable compromise)
• Rationale (1–2 sentences: business + operational feasibility)
• Owner (who needs to approve / negotiate: Legal, Sales, Security, Product)
• Deadline (by when the counterparty needs the change)

Negotiation discipline: do not propose 20 changes. Focus on the 5–10 that materially change risk.

Step 5 — Finalize the package

• Ensure consistency (definitions used the same way everywhere)
• Confirm operational feasibility (can we actually comply?)
• Re-scan the Step 2 triage list and ensure each flagged item is represented in the issue log
• Provide a short “what we changed and why” summary

Perspective-specific checklists

A. Recipient checklist (incoming NDA — typical case)

Topic	Red flags	Typical ask
Definition of Confidential Information	Overbroad; includes independently developed info; no marking/identification standard	Add reasonableness + identification standard; add exclusions
Purpose / Permitted Use	Any use restriction beyond evaluation; bans on internal sharing	Tie to stated purpose; allow internal need-to-know
Representatives	We are liable for any representative breach without control	Limit to those under written confidentiality; commercially reasonable care
Term & survival	Perpetual for everything; unclear start date	Fixed term; longer only for trade secrets
Return / destruction	Requires deletion of backups immediately	Add practical backup carve-out
Remedies	One-way fees + broad injunction language	Mutuality or reasonableness; clarify equitable relief scope
Liability / indemnity	Indemnity; unlimited damages; consequential damages	Cap or exclude categories; remove indemnity
Residuals	Allows use of “retained in memory”	Delete or narrow heavily

M&A / Due diligence: ensure diligence sharing (advisors, financing, affiliates) is permitted and that data room exports/notes are covered.

B. Discloser checklist (when we are sharing sensitive info)

Topic	Red flags	Typical ask
Definition	Too narrow; requires marking only; excludes oral disclosures	Add oral confirmation mechanism; broaden categories reasonably
Security standard	Only “reasonable” with no baseline	Add minimum safeguards, or align with internal policy
Exclusions	Too broad (e.g., “independently developed” with no proof)	Require written evidence of prior knowledge/independent development
Term & survival	Too short	Extend for sensitive categories; trade secret survival
Remedies	No equitable relief, no fees	Add equitable relief and/or fees (carefully)

Investor / VC: watch for standstill, solicitation, and “no contact” provisions—these are not standard in plain NDAs and may need separate agreement.

Risk rating guide

Rating	Meaning	Example
High	Creates material, uncapped, or operationally impossible risk	Broad indemnity + unlimited damages for any breach
Medium	Risk is real but manageable with process controls	Strict notice deadlines for compelled disclosure
Low	Mostly cosmetic or market-standard	Minor notice method issues

Common pitfalls (issue → risk → fix)

Issue	Risk	Suggested fix
“All information is confidential forever”	Operational burden; unfair risk allocation	Add fixed term + trade secret carve-out
No compelled disclosure carve-out	Breach if subpoenaed	Add “required by law” disclosure path
Return/destruction requires purge of backups	Impossible to comply	Add backup and system integrity exception
Recipient indemnifies discloser	Open-ended exposure	Remove indemnity; use direct damages only
Residuals clause	Allows de facto use of confidential info	Delete or restrict to non-trade-secret, non-source-code

Review prompts (copy/paste)

A. Minimal prompt (fast)

• Role: Recipient/Discloser
• NDA type: one-way (unilateral)
• Purpose: …
• Please produce (1) exec summary, (2) clause-by-clause issue log table with: Clause, Issue, Risk, Preferred redline, Fallback, Rationale, Owner, Deadline, (3) top 5 negotiation points.

B. Deep prompt (recommended)

• Add constraints: affiliates, advisors, contractors, cross-border sharing, personal data, cloud tools.
• Ask for: preferred redline + fallback + rationale per issue.

Ownership & timing defaults (if the user does not specify)

Use these defaults to populate Owner and Deadline in the issue log:

Topic	Default owner	Default deadline
Confidentiality scope/definition, exceptions, term/survival	Legal	Before signature
Security standards / audit rights	Security + Legal	Before signature
Return/destruction and backups	Security + IT + Legal	Before signature
Liability cap / damages / indemnity / fees	Legal + Finance	Before signature
Operational constraints (representatives, affiliates, tooling)	Legal + Business owner	Before signature