lawvable/nda-review-jamie-tso

NDA Review Playbook (Commercial, Jurisdiction-Agnostic)

Overview

| What this skill does | What it does not do | |---|---| | Reviews an NDA and outputs issues, risks, and suggested redlines | Provide jurisdiction-specific legal conclusions | | Supports Recipient or Discloser perspectives (user-chosen) | Guarantee enforceability | | Produces an executive summary + clause-by-clause markup guidance | Replace counsel for complex deals |

Scope limitation (important): this playbook supports one-way (unilateral) commercial NDAs only.

If the NDA is mutual, stop: this playbook is out of scope and you should escalate to counsel or use a separate mutual-NDA review approach.

Variation callouts appear throughout:

• M&A / Due diligence
• Employment / contractor
• Investor / VC

LEGAL DISCLAIMER

THIS IS NOT LEGAL ADVICE. This skill is provided for informational and educational purposes only. Laws vary by jurisdiction and individual circumstances, and only a licensed attorney can provide advice tailored to your specific situation. When the NDA is high-risk, high-value, cross-border, or otherwise sensitive, escalate to qualified counsel.

Remember: All outputs from this skill must be reviewed by a qualified legal professional before being used for any legal purposes.

---

Inputs to collect (ask before reviewing)

A. Role and deal context (required)

• [ ] Are we reviewing as Recipient (we receive confidential info) or Discloser (we disclose confidential info)?
• [ ] Confirm the NDA is one-way (unilateral). If it is mutual, stop: this playbook cannot be used.
• [ ] What is the purpose / permitted use (e.g., evaluation of partnership, vendor RFP, diligence)?
• [ ] What are the parties (legal names) and any affiliates that should be covered?
• [ ] What information types are expected (tech, pricing, customer data, product roadmap, source code)?
• [ ] Desired timeline: when do we need to sign?

B. Practical constraints (recommended)

• [ ] Do we need to share with affiliates, advisors, contractors, auditors, or potential acquirers?
• [ ] Will we need to export data across borders or store in cloud tools?
• [ ] Will any personal data be shared? If yes, are there separate data-processing terms?

Jurisdiction-agnostic note: avoid asserting “this clause is invalid” without the governing law details; focus on commercial risk, operational feasibility, and market norms.

Deliverables (output format)

Quick start (default output template)

ALWAYS output:

1. Executive summary
2. Clause-by-clause issue log (single table)

A. Executive summary (1 page)

• [ ] Party role (Recipient or Discloser) and confirmation it is one-way (unilateral)
• [ ] Top 5 negotiation points (ranked)
• [ ] “Sign as-is” / “Sign with changes” / “Escalate” recommendation

B. Clause-by-clause issue log (lawyer-style, thorough)

Use a single table so counsel and business owners can track issues, owners, and deadlines.

| Clause | Issue (1 line) | Risk (H/M/L) | Preferred redline | Fallback | Rationale (1–2 sentences) | Owner | Deadline | |---|---|---:|---|---|---|---|---| | Definition | Overbroad; includes unmarked info with no reasonableness | | | | | | | | Term & survival | Perpetual confidentiality for all information | | | | | | | | Use restriction | Purpose too broad; blocks internal evaluation | | | | | | | | Disclosures | Representatives undefined; strict liability | | | | | | | | Return/destruction | No backup carve-out | | | | | | | | Remedies | One-way fees + automatic injunction | | | | | | | | Liability | Indemnity + unlimited consequential damages | | | | | | | | Boilerplate | Assignment prohibits change of control | | | | | | |

Example (compact)

Executive summary (example skeleton):

• Role: Recipient (one-way NDA)
• Recommendation: Sign with changes
• Top 5 points: definition scope; term/survival; representatives; backup carve-out; remedies/fees

Issue log (example rows):

| Clause | Issue (1 line) | Risk (H/M/L) | Preferred redline | Fallback | Rationale (1–2 sentences) | Owner | Deadline | |---|---|---:|---|---|---|---|---| | Term & survival | Perpetual confidentiality for all information | H | Add 2–5 year survival; trade secret carve-out only | 5-year survival for all | Reduces indefinite operational burden while protecting truly sensitive info | Legal | Before signature | | Return/destruction | No backup carve-out | M | Add backup/legal hold exception + continued confidentiality | Allow retention in immutable backups only | Required for standard IT operations; avoids impossible compliance | Security + Legal | Before signature |

5-step workflow

Step 1 — Identify stance (Recipient vs Discloser)

• [ ] Confirm which side we are on for this specific NDA (titles are often misleading).
• [ ] Confirm the NDA is one-way (unilateral). If it is mutual, stop (out of scope).

Quick heuristic:

• If we are being asked to keep their info secret → we are Recipient.
• If we are sharing our sensitive info → we are Discloser (if the NDA is mutual, stop: out of scope).

Step 2 — Triage the NDA (fast risk scan)

Flag these immediately:

• [ ] Perpetual confidentiality for all information (no trade secret distinction)
• [ ] Residuals clause allowing use of “memory” or generalized knowledge
• [ ] Injunctive relief + attorneys’ fees one-way against Recipient
• [ ] Indemnity for breach or broad third-party claims
• [ ] No carve-outs for compelled disclosure or prior knowledge
• [ ] Overbroad definition: “all information, whether marked or not” with no reasonableness
• [ ] Affiliate coverage missing when we must share internally

If any are present and the NDA matters, proceed with full review and consider escalation.

Step 3 — Clause-by-clause review (use the reference modules)

Use these references while reviewing:

• Key clauses
• Party obligations
• Duration & scope
• Remedies & liability
• Standard exceptions

Step 4 — Draft redlines and negotiation positions

For each issue, produce:

• Preferred redline (best risk outcome)
• Fallback position (acceptable compromise)
• Rationale (1–2 sentences: business + operational feasibility)
• Owner (who needs to approve / negotiate: Legal, Sales, Security, Product)
• Deadline (by when the counterparty needs the change)

Negotiation discipline: do not propose 20 changes. Focus on the 5–10 that materially change risk.

Step 5 — Finalize the package

• [ ] Ensure consistency (definitions used the same way everywhere)
• [ ] Confirm operational feasibility (can we actually comply?)
• [ ] Re-scan the Step 2 triage list and ensure each flagged item is represented in the issue log
• [ ] Provide a short “what we changed and why” summary

Perspective-specific checklists

A. Recipient checklist (incoming NDA — typical case)

| Topic | Red flags | Typical ask | |---|---|---| | Definition of Confidential Information | Overbroad; includes independently developed info; no marking/identification standard | Add reasonableness + identification standard; add exclusions | | Purpose / Permitted Use | Any use restriction beyond evaluation; bans on internal sharing | Tie to stated purpose; allow internal need-to-know | | Representatives | We are liable for any representative breach without control | Limit to those under written confidentiality; commercially reasonable care | | Term & survival | Perpetual for everything; unclear start date | Fixed term; longer only for trade secrets | | Return / destruction | Requires deletion of backups immediately | Add practical backup carve-out | | Remedies | One-way fees + broad injunction language | Mutuality or reasonableness; clarify equitable relief scope | | Liability / indemnity | Indemnity; unlimited damages; consequential damages | Cap or exclude categories; remove indemnity | | Residuals | Allows use of “retained in memory” | Delete or narrow heavily |

M&A / Due diligence: ensure diligence sharing (advisors, financing, affiliates) is permitted and that data room exports/notes are covered.

B. Discloser checklist (when we are sharing sensitive info)

| Topic | Red flags | Typical ask | |---|---|---| | Definition | Too narrow; requires marking only; excludes oral disclosures | Add oral confirmation mechanism; broaden categories reasonably | | Security standard | Only “reasonable” with no baseline | Add minimum safeguards, or align with internal policy | | Exclusions | Too broad (e.g., “independently developed” with no proof) | Require written evidence of prior knowledge/independent development | | Term & survival | Too short | Extend for sensitive categories; trade secret survival | | Remedies | No equitable relief, no fees | Add equitable relief and/or fees (carefully) |

Investor / VC: watch for standstill, solicitation, and “no contact” provisions—these are not standard in plain NDAs and may need separate agreement.

Risk rating guide

| Rating | Meaning | Example | |---:|---|---| | High | Creates material, uncapped, or operationally impossible risk | Broad indemnity + unlimited damages for any breach | | Medium | Risk is real but manageable with process controls | Strict notice deadlines for compelled disclosure | | Low | Mostly cosmetic or market-standard | Minor notice method issues |

Common pitfalls (issue → risk → fix)

| Issue | Risk | Suggested fix | |---|---|---| | “All information is confidential forever” | Operational burden; unfair risk allocation | Add fixed term + trade secret carve-out | | No compelled disclosure carve-out | Breach if subpoenaed | Add “required by law” disclosure path | | Return/destruction requires purge of backups | Impossible to comply | Add backup and system integrity exception | | Recipient indemnifies discloser | Open-ended exposure | Remove indemnity; use direct damages only | | Residuals clause | Allows de facto use of confidential info | Delete or restrict to non-trade-secret, non-source-code |

Review prompts (copy/paste)

A. Minimal prompt (fast)

• Role: Recipient/Discloser
• NDA type: one-way (unilateral)
• Purpose: …
• Please produce (1) exec summary, (2) clause-by-clause issue log table with: Clause, Issue, Risk, Preferred redline, Fallback, Rationale, Owner, Deadline, (3) top 5 negotiation points.

B. Deep prompt (recommended)

• Add constraints: affiliates, advisors, contractors, cross-border sharing, personal data, cloud tools.
• Ask for: preferred redline + fallback + rationale per issue.

Ownership & timing defaults (if the user does not specify)

Use these defaults to populate Owner and Deadline in the issue log:

| Topic | Default owner | Default deadline | |---|---|---| | Confidentiality scope/definition, exceptions, term/survival | Legal | Before signature | | Security standards / audit rights | Security + Legal | Before signature | | Return/destruction and backups | Security + IT + Legal | Before signature | | Liability cap / damages / indemnity / fees | Legal + Finance | Before signature | | Operational constraints (representatives, affiliates, tooling) | Legal + Business owner | Before signature |