---
name: nda-review
description: Reviews incoming one-way (unilateral) commercial NDAs in a jurisdiction-agnostic way, from either a Recipient or Discloser perspective (user-selected), producing a clause-by-clause issue log with preferred redlines, fallbacks, rationales, owners, and deadlines.
---
# NDA Review Playbook (Commercial, Jurisdiction-Agnostic)
Version 1.0 — December 2025
This skill is a structured review playbook. It is not legal advice. When the NDA is high-risk, high-value, cross-border, or otherwise sensitive, escalate to qualified counsel.
## 1) Overview
| What this skill does | What it does not do |
|---|---|
| Reviews an NDA and outputs issues, risks, and suggested redlines | Provide jurisdiction-specific legal conclusions |
| Supports Recipient or Discloser perspectives (user-chosen) | Guarantee enforceability |
| Produces an executive summary + clause-by-clause markup guidance | Replace counsel for complex deals |
Scope limitation (important): this playbook supports one-way (unilateral) commercial NDAs only.
If the NDA is mutual, stop: this playbook is out of scope and you should escalate to counsel or use a separate mutual-NDA review approach.
Variation callouts appear throughout:
- M&A / Due diligence
- Employment / contractor
- Investor / VC
## 2) Inputs to collect (ask before reviewing)

### A. Role and deal context (required)
- Are we reviewing as Recipient (we receive confidential info) or Discloser (we disclose confidential info)?
- Confirm the NDA is one-way (unilateral).
- If it is mutual, stop: this playbook cannot be used.
- What is the purpose / permitted use (e.g., evaluation of partnership, vendor RFP, diligence)?
- What are the parties (legal names) and any affiliates that should be covered?
- What information types are expected (tech, pricing, customer data, product roadmap, source code)?
- Desired timeline: when do we need to sign?
### B. Practical constraints (recommended)
- Do we need to share with affiliates, advisors, contractors, auditors, or potential acquirers?
- Will we need to export data across borders or store in cloud tools?
- Will any personal data be shared? If yes, are there separate data-processing terms?
Jurisdiction-agnostic note: avoid asserting “this clause is invalid” without the governing law details; focus on commercial risk, operational feasibility, and market norms.
## 3) Deliverables (output format)

### Quick start (default output template)
ALWAYS output:
- Executive summary
- Clause-by-clause issue log (single table)
### A. Executive summary (1 page)
- Party role (Recipient or Discloser) and confirmation it is one-way (unilateral)
- Top 5 negotiation points (ranked)
- “Sign as-is” / “Sign with changes” / “Escalate” recommendation
### B. Clause-by-clause issue log (lawyer-style, thorough)
Use a single table so counsel and business owners can track issues, owners, and deadlines.
| Clause | Issue (1 line) | Risk (H/M/L) | Preferred redline | Fallback | Rationale (1–2 sentences) | Owner | Deadline |
|---|---|---|---|---|---|---|---|
| Definition | Overbroad; includes unmarked info with no reasonableness | ||||||
| Term & survival | Perpetual confidentiality for all information | ||||||
| Use restriction | Purpose too broad; blocks internal evaluation | ||||||
| Disclosures | Representatives undefined; strict liability | ||||||
| Return/destruction | No backup carve-out | ||||||
| Remedies | One-way fees + automatic injunction | ||||||
| Liability | Indemnity + unlimited consequential damages | ||||||
| Boilerplate | Assignment prohibits change of control | ||||||
### Example (compact)
Executive summary (example skeleton):
- Role: Recipient (one-way NDA)
- Recommendation: Sign with changes
- Top 5 points: definition scope; term/survival; representatives; backup carve-out; remedies/fees
Issue log (example rows):
| Clause | Issue (1 line) | Risk (H/M/L) | Preferred redline | Fallback | Rationale (1–2 sentences) | Owner | Deadline |
|---|---|---|---|---|---|---|---|
| Term & survival | Perpetual confidentiality for all information | H | Add 2–5 year survival; trade secret carve-out only | 5-year survival for all | Reduces indefinite operational burden while protecting truly sensitive info | Legal | Before signature |
| Return/destruction | No backup carve-out | M | Add backup/legal hold exception + continued confidentiality | Allow retention in immutable backups only | Required for standard IT operations; avoids impossible compliance | Security + Legal | Before signature |
## 4) 5-step workflow

### Step 1 — Identify stance (Recipient vs Discloser)
- Confirm which side we are on for this specific NDA (titles are often misleading).
- Confirm the NDA is one-way (unilateral). If it is mutual, stop (out of scope).
Quick heuristic:
- If we are being asked to keep their info secret → we are Recipient.
- If we are sharing our sensitive info → we are Discloser (if the NDA is mutual, stop: out of scope).
### Step 2 — Triage the NDA (fast risk scan)
Flag these immediately:
- Perpetual confidentiality for all information (no trade secret distinction)
- Residuals clause allowing use of “memory” or generalized knowledge
- Injunctive relief + attorneys’ fees one-way against Recipient
- Indemnity for breach or broad third-party claims
- No carve-outs for compelled disclosure or prior knowledge
- Overbroad definition: “all information, whether marked or not” with no reasonableness
- Affiliate coverage missing when we must share internally
If any are present and the NDA matters, proceed with full review and consider escalation.
### Step 3 — Clause-by-clause review (use the reference modules)
Use these references while reviewing:
### Step 4 — Draft redlines and negotiation positions
For each issue, produce:
- Preferred redline (best risk outcome)
- Fallback position (acceptable compromise)
- Rationale (1–2 sentences: business + operational feasibility)
- Owner (who needs to approve / negotiate: Legal, Sales, Security, Product)
- Deadline (by when the counterparty needs the change)
Negotiation discipline: do not propose 20 changes. Focus on the 5–10 that materially change risk.
### Step 5 — Finalize the package
- Ensure consistency (definitions used the same way everywhere)
- Confirm operational feasibility (can we actually comply?)
- Re-scan the Step 2 triage list and ensure each flagged item is represented in the issue log
- Provide a short “what we changed and why” summary
## 5) Perspective-specific checklists

### A. Recipient checklist (incoming NDA — typical case)
| Topic | Red flags | Typical ask |
|---|---|---|
| Definition of Confidential Information | Overbroad; includes independently developed info; no marking/identification standard | Add reasonableness + identification standard; add exclusions |
| Purpose / Permitted Use | Any use restriction beyond evaluation; bans on internal sharing | Tie to stated purpose; allow internal need-to-know |
| Representatives | We are liable for any representative breach without control | Limit to those under written confidentiality; commercially reasonable care |
| Term & survival | Perpetual for everything; unclear start date | Fixed term; longer only for trade secrets |
| Return / destruction | Requires deletion of backups immediately | Add practical backup carve-out |
| Remedies | One-way fees + broad injunction language | Mutuality or reasonableness; clarify equitable relief scope |
| Liability / indemnity | Indemnity; unlimited damages; consequential damages | Cap or exclude categories; remove indemnity |
| Residuals | Allows use of “retained in memory” | Delete or narrow heavily |
M&A / Due diligence: ensure diligence sharing (advisors, financing, affiliates) is permitted and that data room exports/notes are covered.
### B. Discloser checklist (when we are sharing sensitive info)
| Topic | Red flags | Typical ask |
|---|---|---|
| Definition | Too narrow; requires marking only; excludes oral disclosures | Add oral confirmation mechanism; broaden categories reasonably |
| Security standard | Only “reasonable” with no baseline | Add minimum safeguards, or align with internal policy |
| Exclusions | Too broad (e.g., “independently developed” with no proof) | Require written evidence of prior knowledge/independent development |
| Term & survival | Too short | Extend for sensitive categories; trade secret survival |
| Remedies | No equitable relief, no fees | Add equitable relief and/or fees (carefully) |
Investor / VC: watch for standstill, solicitation, and “no contact” provisions—these are not standard in plain NDAs and may need separate agreement.
## 6) Risk rating guide
| Rating | Meaning | Example |
|---|---|---|
| High | Creates material, uncapped, or operationally impossible risk | Broad indemnity + unlimited damages for any breach |
| Medium | Risk is real but manageable with process controls | Strict notice deadlines for compelled disclosure |
| Low | Mostly cosmetic or market-standard | Minor notice method issues |
## 7) Common pitfalls (issue → risk → fix)
| Issue | Risk | Suggested fix |
|---|---|---|
| “All information is confidential forever” | Operational burden; unfair risk allocation | Add fixed term + trade secret carve-out |
| No compelled disclosure carve-out | Breach if subpoenaed | Add “required by law” disclosure path |
| Return/destruction requires purge of backups | Impossible to comply | Add backup and system integrity exception |
| Recipient indemnifies discloser | Open-ended exposure | Remove indemnity; use direct damages only |
| Residuals clause | Allows de facto use of confidential info | Delete or restrict to non-trade-secret, non-source-code |
## 8) Review prompts (copy/paste)

### A. Minimal prompt (fast)
- Role: Recipient/Discloser
- NDA type: one-way (unilateral)
- Purpose: …
- Please produce (1) exec summary, (2) clause-by-clause issue log table with: Clause, Issue, Risk, Preferred redline, Fallback, Rationale, Owner, Deadline, (3) top 5 negotiation points.
### B. Deep prompt (recommended)
- Add constraints: affiliates, advisors, contractors, cross-border sharing, personal data, cloud tools.
- Ask for: preferred redline + fallback + rationale per issue.
## 9) Ownership & timing defaults (if the user does not specify)
Use these defaults to populate Owner and Deadline in the issue log:
| Topic | Default owner | Default deadline |
|---|---|---|
| Confidentiality scope/definition, exceptions, term/survival | Legal | Before signature |
| Security standards / audit rights | Security + Legal | Before signature |
| Return/destruction and backups | Security + IT + Legal | Before signature |
| Liability cap / damages / indemnity / fees | Legal + Finance | Before signature |
| Operational constraints (representatives, affiliates, tooling) | Legal + Business owner | Before signature |