
NDA Review at Scale: From Hours to Minutes

How AI agents review batches of NDAs locally, identify deviations from your standard template, and flag only the agreements that need attorney attention.


The NDA bottleneck

Non-disclosure agreements are the most common contract type in business. They precede almost every commercial relationship: vendor evaluations, partnership discussions, M&A conversations, customer pilots, consultant engagements. A mid-size tech company's legal team might review 30 NDAs per month. A large enterprise sees multiples of that.

Most NDAs are routine. Two parties, mutual obligations, standard exclusions, two-year term. The legal team reads through them, confirms they match the company's standard terms, and signs off. Total value of the attorney's time spent: close to zero, because the agreement was standard.

But some NDAs are not routine. A counterparty's form might include a non-compete buried in the obligations section. The definition of confidential information might be broader than your standard, covering publicly available information or independently developed work. The term might be perpetual rather than time-limited. The jurisdiction might be unfavorable.

These are the NDAs that actually need attorney attention. The problem is that finding them requires reading all of them. And at 30 per month, that reading time adds up to hours of attorney time spent on documents that, 80% of the time, are perfectly standard.

This is the NDA bottleneck: the legal team spends substantial time on low-value review to catch the occasional high-value deviation. It's the worst kind of work -- repetitive enough to breed complacency, but consequential enough that you can't skip it.

Building a baseline from your standard NDA

The first step in scaling NDA review is defining what "standard" means for your organization. Every company has an NDA template, and that template reflects the company's risk tolerance, business model, and legal department's preferences.

docrew works by comparing incoming NDAs against your standard template. You start by pointing the agent at your template and asking it to extract the baseline terms. The agent reads your standard NDA and identifies the key provisions:

Definition of confidential information. What's included, what's excluded. Your standard template likely has specific exclusions for information that's publicly available, independently developed, rightfully received from a third party, or already known to the receiving party.

Obligation scope. What the receiving party must do (protect with reasonable care, limit access to need-to-know personnel) and what they must not do (disclose to third parties, use for purposes beyond the defined scope, reverse engineer).

Term and survival. How long the agreement lasts and how long confidentiality obligations survive after termination.

Permitted disclosures. Carve-outs for disclosures required by law, regulation, or legal process, typically with notice requirements and an opportunity to seek protective orders.

Return/destruction obligations. What happens to confidential information when the agreement ends.

Remedies. Whether the agreement acknowledges that breach may cause irreparable harm and that injunctive relief is appropriate.

Governing law and jurisdiction. Which state's law governs and where disputes are resolved.

Residuals clause. Whether the agreement permits the receiving party to use general knowledge, skills, and experience gained during the relationship, even if derived from exposure to confidential information.

This baseline becomes the reference point. Every incoming NDA is compared against these provisions, and deviations are identified and categorized.

Processing a batch of incoming NDAs

When the legal team receives a batch of NDAs for review, the workflow with docrew is straightforward. Place the incoming NDA files in a folder, and ask the agent to review them against your standard template.

The agent reads each NDA in full; it does not scan for keywords or match text against templates. It understands the substantive provisions of each agreement and compares them against your baseline. For each NDA, it produces a deviation report.

Here's what the agent identifies for a typical batch of 30 NDAs at a mid-size tech company:

22 NDAs: standard. These agreements match your template on all material terms. The agent confirms the match and moves on. An attorney can sign off on these in bulk, spending seconds per agreement rather than minutes.

3 NDAs: minor deviations. These agreements differ from your template in ways that are cosmetic or immaterial -- different section numbering, slightly different phrasing that achieves the same legal effect, or additional provisions that are favorable to your side. The agent notes the deviations but classifies them as non-substantive.

5 NDAs: material deviations. These agreements differ from your template in ways that change the risk profile. These are the ones that need attorney review, and the agent provides specific details about each deviation.

The legal team's review time drops from reading 30 NDAs end to end to reviewing 5 deviation reports. The attorney's expertise is applied where it matters -- assessing whether the deviations are acceptable, negotiable, or dealbreaking -- rather than on confirming that standard agreements are standard.

Detecting scope expansions

The most common material deviation in NDAs is scope expansion -- provisions that broaden the receiving party's obligations beyond what your standard template requires.

docrew identifies several categories of scope expansion:

Broadened confidential information definition. Your template defines confidential information as information disclosed in connection with a specific purpose. The counterparty's form defines it as "any and all information" disclosed by the party, with no purpose limitation. This turns the NDA from a scoped agreement into a blanket obligation.

Expanded non-use provisions. Your template restricts use of confidential information to a defined evaluation purpose. The counterparty's form prohibits use "for any purpose other than the benefit of the disclosing party." This is subtly different -- it shifts the standard from "only for the defined purpose" to "only if it benefits them," which is broader and more subjective.

Extended obligations to affiliates. Your template binds only the signing parties. The counterparty's form extends obligations to "the receiving party and its affiliates, subsidiaries, parent companies, and related entities." If your company is part of a corporate group, this extends the NDA's reach far beyond the specific business relationship.

Removal of standard exclusions. Your template excludes information that the receiving party independently develops without reference to the confidential information. The counterparty's form omits this exclusion entirely, meaning that anything your team develops that resembles the disclosed information could be claimed as derived from confidential information.

For each expansion, the agent quotes the specific language from both your template and the incoming NDA, making it easy for the reviewing attorney to see exactly what changed and assess the impact.

Identifying non-compete additions

NDAs should be confidentiality agreements. But counterparties sometimes embed non-compete, non-solicitation, or exclusivity provisions that go well beyond confidentiality.

These additions are particularly dangerous because they appear in a document that most people consider low-risk. Business teams often sign NDAs with minimal legal review precisely because they're "just NDAs." A non-compete buried in the obligations section can restrict the company's ability to pursue business opportunities, hire talent, or work with competitors -- restrictions that would receive serious scrutiny if they appeared in a standalone agreement.

docrew flags several types of non-compete additions:

Direct non-competition. "During the term of this Agreement and for a period of twelve (12) months thereafter, the Receiving Party shall not engage in any business that competes with the Disclosing Party's business." This turns an NDA into a non-compete agreement.

Non-solicitation of employees. "Neither party shall, during the term and for twenty-four (24) months after termination, directly or indirectly solicit for employment any employee of the other party." This is common but often has an overly broad scope or duration.

Non-solicitation of customers. "The Receiving Party shall not, during the term of this Agreement, solicit or transact business with any customer of the Disclosing Party whose identity was disclosed as Confidential Information." This restricts business development based on information learned through the NDA relationship.

Exclusivity provisions. "During the term of this Agreement, the Receiving Party shall not engage in discussions or negotiations with any third party regarding the subject matter of the discussions between the parties." This creates an exclusivity obligation that may not be appropriate for an early-stage evaluation.

The agent flags each of these provisions as material deviations that require attorney review, regardless of how they're labeled or where they appear in the document.

Catching carve-out removals

Your standard NDA template includes carefully drafted carve-outs -- exceptions to the confidentiality obligations that protect your company's operational freedom. When a counterparty removes or narrows these carve-outs, it shifts risk in ways that aren't immediately obvious.

docrew compares the carve-outs in each incoming NDA against your template and flags missing or modified exceptions:

Missing independent development exclusion. Your template excludes information that the receiving party independently develops. The incoming NDA omits this exclusion. Without it, your own R&D could be challenged if it produces results similar to what was disclosed under the NDA.

Narrowed public domain exclusion. Your template excludes information that "becomes publicly available through no fault of the Receiving Party." The incoming NDA narrows this to information that "is published in a generally available publication." This is materially narrower -- information that becomes publicly known through channels other than publication (industry conferences, regulatory filings, competitor announcements) might not be covered.

Removed residuals clause. Your template includes a residuals clause allowing your team to use general knowledge and experience gained during the relationship. The incoming NDA has no such clause, meaning that the mental impressions and general know-how your employees develop could theoretically be constrained.

Modified legal process carve-out. Your template allows disclosure required by legal process with prompt notice to the disclosing party. The incoming NDA requires prior written consent before any disclosure, even if compelled by a court order. This is problematic because it could put your company in the position of choosing between complying with a court order and breaching the NDA.

Each missing carve-out is a risk that compounds over time. If your team signs 30 NDAs per month and 10% have missing carve-outs that go unnoticed, the accumulation of restricted rights across hundreds of NDA relationships becomes significant.

Flagging unusual duration terms

NDA duration is straightforward in concept but varied in execution. Your standard template might specify a two-year term with confidentiality obligations surviving for three years after disclosure. Incoming NDAs may propose very different timelines.

docrew flags duration deviations including:

Perpetual confidentiality obligations. "The obligations of confidentiality set forth herein shall survive in perpetuity." This means the company is bound to protect the information forever, even after the business relationship ends and the information loses its commercial value. Perpetual obligations are common in trade secret contexts but inappropriate for general business NDAs.

Extended post-termination survival. Your template provides for three years of survival after termination. The incoming NDA provides for seven years. Depending on the nature of the information, this may or may not be reasonable, but it should be a conscious decision, not an oversight.

No expiration with automatic renewal. Some NDAs have no fixed term and renew automatically until terminated by either party. This isn't necessarily problematic, but it means the obligations continue indefinitely unless someone remembers to send a termination notice.

Mismatched term and survival. The NDA has a one-year term but a ten-year survival period. This means the window for disclosing information is short, but the obligations last a decade. Depending on the business context, this asymmetry might be intentional or it might reflect poor drafting.

The economics of scaled NDA review

Consider the math for an in-house legal team at a tech company reviewing 30 NDAs per month.

Manual review. An experienced attorney spends 15-20 minutes per NDA reading, comparing against the standard, and making a decision. At 30 per month, that's 7.5-10 hours of attorney time. At a fully loaded cost of $200 per hour for in-house counsel, that's $1,500-2,000 per month on NDA review.

With docrew. The agent processes the batch and produces deviation reports. The attorney reviews the 5-8 NDAs with material deviations, spending 10-15 minutes on each. The standard NDAs get a 30-second confirmation. Total attorney time: 2-3 hours per month.

The time savings are meaningful, but the real value is in the quality of review. When an attorney is reading their 25th NDA of the month, the likelihood of catching a subtle scope expansion in the definition section drops significantly. Fatigue and familiarity breed complacency. The agent doesn't get tired and doesn't assume that because the last 20 NDAs were standard, the 21st will be too.

Keeping everything local

NDAs are confidentiality agreements, and the irony of uploading them to a cloud AI service for review should not be lost on anyone. The NDA you're reviewing exists because someone decided that certain information needs to be protected. Processing that agreement through a cloud service creates exactly the kind of disclosure risk that the NDA is designed to prevent.

docrew processes every NDA on the reviewer's local machine. The agent reads the files from the local file system, compares them against the locally stored template, and produces deviation reports as local files. No document content is transmitted to any external service.

This is particularly important for NDAs that precede M&A discussions, joint ventures, or other strategic transactions. The mere existence of an NDA between two companies can be market-moving information. A cloud service that logs which companies are exchanging NDAs would have a valuable dataset that neither party intended to create.

Local processing eliminates this risk entirely. The NDA review happens on the attorney's machine, the results stay on the attorney's machine, and when the review is complete, there's no third-party copy of anything.

For legal teams that review NDAs at scale, the combination of speed, accuracy, and confidentiality makes AI-assisted review with local processing not just efficient, but the responsible choice.
