What it does
NDA triage and automated review is AI processing of incoming non-disclosure agreements against a predefined playbook. Grow2.ai deploys an LLM-based agent that reads a PDF or DOCX NDA file, extracts legally significant clauses, and makes one of three decisions: approve for signature, return to the counterparty with suggested edits, or escalate to a lawyer.
What the agent does
- Extracts structured data from unstructured text: NDA term, definition of confidential information, jurisdiction and governing law, agreement type (unilateral or mutual), confidentiality exceptions, injunctive relief provisions, non-solicitation restrictions.
- Checks against the internal playbook of the company — a set of rules that define acceptable and unacceptable provisions. The playbook is maintained by a lawyer and updated as new cases arise.
- Classifies the document into three categories: green lane (matches playbook — auto-approval), yellow lane (minor deviations — proposes redlines), red lane (significant risks — escalation to a lawyer).
- Generates a summary highlighting deviations: what in the NDA conflicts with the playbook, what revised wording is proposed instead, and what the lawyer should focus on during the final review.
- Routes the document based on the triage result: sends it to a Slack channel for final review, returns an email to the counterparty with suggested edits, or places it in the 'Ready to sign' folder on Google Drive or Dropbox.
What the agent does NOT do
The agent does not sign the NDA on behalf of the lawyer — the final signature always belongs to a human. The agent does not negotiate with the counterparty directly — it only prepares a draft response. The agent does not process complex NDAs with custom provisions (NDAs in the context of an M&A deal, joint venture, strategic partnership) — such documents are automatically escalated. The agent does not replace a CLM system — it operates at the triage stage before the document enters contract management.
Typical configuration options
Solo / Boutique (1-5 people)
For a legal boutique or solo practice with a limited NDA volume. The agent works with a single universal playbook, and key deviations go to the lawyer by email. Integration is minimal: incoming email or Google Drive as the source, email as the response channel. The final decision is made by the lawyer — the agent only prepares a summary and draft response. Launch takes 2-3 days; the main cost is the lawyer's time to compile the playbook. Suitable for consulting companies where NDAs go through a single partner or a small team.
SMB (6-30 people)
For a growing company where different departments receive different types of NDAs: sales — with clients, procurement — with vendors, partnerships — with partners. The agent works with 3-4 playbook variants, recognizes the context, and applies the correct playbook. Green lane is auto-approved and goes directly to signature, yellow lane — to the Slack channel #legal-review, red lane — directly to the lawyer. Integrations: DocuSign or Dropbox Sign, Slack, file storage. This is the base preset for most SaaS and professional services companies.
Enterprise (30+ people)
For an organization with a high volume of NDAs and a dedicated legal team. The agent integrates with an existing CLM system (Ironclad, Icertis, LinkSquares), applies SLA-based routing (critical deals — to the priority queue), and maintains an analytics dashboard: average triage time, percentage of auto-approved, top violated playbook provisions. An audit trail is connected — all agent decisions are logged for compliance reviews. Can process NDAs in 2-3 languages in parallel. Requires more serious configuration and integration with internal systems — this is not a weekend project.
How it works
The triage process is divided into five sequential steps. Each step uses a specialized component — from OCR to an LLM with a legal prompt — which allows quality control at every stage.
Step 1: Document Intake
An incoming NDA enters the system in one of three ways: it arrives at a dedicated email alias (nda@company.com), is uploaded to a dedicated folder in Google Drive, Dropbox, or SharePoint, or is attached to a ticket in the help desk. The system supports PDF (including scanned), DOCX, Google Docs. The file is copied to working storage and metadata (sender, time, size) is logged.
Step 2: Text and Structure Extraction
For scanned PDFs, OCR is run via the built-in tools of the vertical-saas platform. For DOCX — structure parsing with preservation of tables, clause numbering, and subheadings. The output is clean text with section markup. At this same stage the agent determines the document language and length — if the NDA exceeds the expected range (20+ pages instead of the standard 3-5), the document is flagged as non-standard and routed to the red lane.
Step 3: Extraction of Legally Significant Fields
An LLM agent reads the text and fills in a structured schema: definition of Confidential Information, duration of obligations, survival period, jurisdiction clause, mutual or unilateral, permitted disclosures (regulators, advisors, affiliates), carve-outs (publicly known, independently developed), residual clause, injunctive relief, non-solicitation, return or destruction of materials.
Each field is extracted with a citation — a reference to the paragraph of the source document. This is critical for debugging and audit: the lawyer sees where the agent took a given value from, and in case of a decision discrepancy can verify the source in seconds.
Step 4: Comparison with the Playbook
A playbook is a structured document (YAML or JSON-like format) where for each field the following are defined: acceptable values (automatically OK), edge cases (requires attention), red flags (automatically escalate). For example: duration acceptable — up to 5 years, edge — 5-7 years, red — 7+ years or perpetual.
The agent goes through each field, compares the extracted value against the playbook, and generates a deviation list. For each deviation, a suggested redline is generated — the specific wording the company prefers. These redlines are stored in the playbook as approved language patterns, ensuring consistency across different NDAs.
Step 5: Routing and Response
Based on the final classification, the document is routed along one of three paths:
- Green lane (auto-approve). The document is moved to the 'Ready to sign' folder, and a notification is sent to the deal initiator (sales, partnerships) with a summary of 3-5 bullet points.
- Yellow lane (counter-proposal). A draft email is generated for the counterparty with the proposed edits. The draft is sent to the lawyer for review in Slack — one-click approval and the email is sent.
- Red lane (escalation). The lawyer receives a personal notification with a full summary, a list of deviations, and a link to the document. The agent does not suggest edits — the situation requires legal analysis.
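As an added illustration of Steps 2 to 5 (example code, not Grow2.ai's own implementation), here is a minimal playbook comparison and lane classifier in Python. The playbook format, field names, thresholds, jurisdictions and redline wording are assumptions modelled on the page's duration example; the extracted fields carry their Step 3 citations through to the deviation list, and the red lane drops the redlines as Step 5 describes.

```python
from dataclasses import dataclass

PERPETUAL = float("inf")  # sentinel for a perpetual confidentiality term
MAX_STANDARD_PAGES = 20   # Step 2: 20+ pages is non-standard, straight to the red lane
RANK = {"green": 0, "yellow": 1, "red": 2}

# Constructed playbook (assumed format): per field, what is acceptable, what is an
# edge case, and the approved redline. Anything neither OK nor edge is a red flag.
PLAYBOOK = {
    "duration_years": {"ok": lambda v: v <= 5, "edge": lambda v: 5 < v <= 7,
                       "redline": "Obligations expire 5 years after the Effective Date."},
    "governing_law": {"ok": lambda v: v in {"England and Wales", "Delaware"},
                      "edge": lambda v: v in {"New York", "Ireland"},
                      "redline": "Governed by the laws of England and Wales."},
    "non_solicitation": {"ok": lambda v: v is False, "edge": lambda v: False,
                         "redline": "Delete the non-solicitation clause."},
}

@dataclass
class Deviation:
    field: str
    value: object
    citation: str          # paragraph reference from Step 3, kept for the audit trail
    severity: str          # "yellow" or "red"
    redline: "str | None"  # None on the red lane: the agent proposes no edits there

def triage(fields: dict, pages: int) -> tuple:
    """fields maps a playbook field to (extracted value, citation); returns (lane, deviations)."""
    if pages >= MAX_STANDARD_PAGES:
        return "red", [Deviation("length", pages, "whole document", "red", None)]
    lane, deviations = "green", []
    for name, rule in PLAYBOOK.items():
        if name not in fields:  # field not found: never auto-approve, a lawyer must look
            dev = Deviation(name, None, "not found", "yellow", rule["redline"])
        else:
            value, citation = fields[name]
            if rule["ok"](value):
                continue
            severity = "yellow" if rule["edge"](value) else "red"
            dev = Deviation(name, value, citation, severity, rule["redline"])
        deviations.append(dev)
        if RANK[dev.severity] > RANK[lane]:
            lane = dev.severity
    if lane == "red":  # Step 5: the red lane escalates without suggested redlines
        deviations = [Deviation(d.field, d.value, d.citation, d.severity, None) for d in deviations]
    return lane, deviations
```

A missing field is deliberately treated as a yellow-lane deviation so that an extraction failure can never widen the green lane.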
Alternative Approaches
Let us compare three approaches to solving the NDA triage task in SMB:
| Approach | Triage speed | Consistency | When to choose |
|---|---|---|---|
| Manual review | Slow — every NDA requires the lawyer's full attention | Varies between lawyers and over time | Low volume, high document complexity |
| No-code workflow (Zapier + checklist) | Faster than manual for routing, not for analysis | Medium — a checklist misses nuances in wording | Simple standard NDAs, routing without analysis |
| AI agent with playbook | Minutes instead of tens of minutes | High with a quality playbook | 20+ NDAs per month, recurring types |
Manual review remains necessary for non-standard documents — the agent does not replace the lawyer, but removes routine initial triage. A no-code workflow via Zapier or a low-code platform can be assembled in a day, but such solutions do not extract meaning from text — they only route files by metadata. An AI agent costs more at the outset (a playbook is needed, tests on real NDAs, integration setup), but pays off over the long run: NDA workload decreases by 50%, as shown by the Safehold case.
Security and Compliance
NDAs contain sensitive commercial data. The basic setup includes: processing documents in an isolated environment without storing content outside the audit log, at-rest encryption in the file storage, access control at the playbook level (who can change the rules). For companies under GDPR or SOC 2, the following is added: data residency in the EU or US region, logging of all agent operations with a timestamp, retention policy for source documents and intermediate representations. If the counterparty is a government entity or a regulated industry (finance, healthcare), the red lane includes mandatory escalation regardless of content. NDA content is not used for model training.
Prerequisites
To launch NDA triage, a weekend of work is sufficient if four conditions are met.
- NDA playbook exists as a document. A playbook is a set of rules the company applies when reviewing NDAs: acceptable timelines, preferred confidentiality scope wording, jurisdiction clauses you will and will not sign. If the playbook is not formalized, the agent has nothing to follow. A minimal playbook is 1-2 pages for a typical NDA.
- Historical NDA set — minimum 20-30 documents from real deals. Needed to test the agent: each document is run through the system, the agent's decision is compared with the lawyer's, discrepancies are found, and the playbook is corrected. Synthetic templates are not enough — only real documents from counterparties provide an adequate sample.
- File storage with API access: Google Drive, Dropbox, OneDrive or SharePoint. The agent reads incoming files and saves intermediate results to a separate folder with controlled access.
- Communication channel with the lawyer: Slack workspace or Microsoft Teams. Used for yellow lane (review requests) and red lane (escalations).
Optional integrations: DocuSign or Dropbox Sign for green lane (auto-send for signature), CLM platform (Ironclad, LinkSquares) for the enterprise option, email gateway for automatic response to the counterparty.
Potential pitfalls
- Playbook is in the lawyer's head, not in a document. The most common mistake is attempting to launch the agent without a formalized playbook. Without explicit rules, the agent generates plausible decisions that diverge from the company's actual practice. Before implementation, allocate 2-3 days to write the rules into a structured format.
- Testing only on synthetic NDAs. Real NDAs from counterparties contain non-standard wording, typos, custom clauses. If you validate the agent only on clean templates, in production it will make errors on real cases. A minimum of 20 real NDAs in the test set before launch.
- Green lane is too wide. The temptation to auto-approve the maximum number of documents for speed leads to missing rare but critical risks (perpetual confidentiality, non-standard jurisdiction). Start with a narrow green lane — only NDAs from existing known-good counterparties — and expand as decision statistics accumulate.
- Absence of audit trail. For compliance checks, you need to see which decisions the agent made over the past 6-12 months and why. Without agent logging, you cannot pass SOC 2 or an internal legal audit.
- Playbook is not updated. The legal landscape changes — new case law, new regulatory requirements. The playbook requires quarterly review by a lawyer, otherwise the agent's decisions become outdated and the agent begins approving provisions the company no longer wants to accept.
Pain points
- Review is a bottleneck
- Compliance risks and legal errors
- Repetitive routine tasks
FAQ
How long does implementation take?
The base preset (SMB, 6-30 people) deploys over a weekend — 2-3 days: one day for playbook formalization, one day for integration setup and testing on real NDAs, one day for production launch with a narrow green lane. The enterprise variant with CLM integration requires 2-4 weeks due to alignment with the IT and security team. The key speed factor is having the NDA playbook ready as a structured document before the project starts.
What if we don't have a formalized playbook?
You can start with a draft playbook put together in 1-2 days of interviews with a lawyer: what durations you sign, which jurisdictions are acceptable, which clauses are a red flag. The first playbook is always incomplete — it gets filled out over 4-6 weeks as edge cases appear in production. Without a playbook we don't launch implementation — the agent has nothing to follow, and decisions will diverge from company practice.
What can break in production?
Three typical failures: the agent misses a non-standard clause not in the playbook (resolved by expanding the rules); OCR misreads poor-quality scans (the document is automatically escalated to a lawyer); a major counterparty changes the NDA format (the agent marks it as non-standard and sends it for review). Human-in-the-loop on the yellow and red lane catches errors before signing; the final decision always rests with a human.
Is it suitable for our industry?
AI triage works where NDAs are standardized and high-volume: SaaS and Tech, consulting, professional services, commercial real estate, financial services. For industries with custom NDAs on every deal (pharma R&D, M&A advisory, defense contracting) the approach is limited — the green lane will be narrow and most work still falls to the lawyer. Universally applicable for horizontal SMB with 20 or more NDAs per month.
Does the agent replace a lawyer?
No. The agent performs initial triage — extracting structured data, comparing against the playbook, suggesting edits. The final signature always rests with a human. Non-standard NDAs, complex negotiations, and strategic deals remain the lawyer's domain. The agent frees senior legal from routine work, freeing up time for high-value tasks: complex contracts, litigation, management consultations, contract portfolio management.
What languages does the agent work in?
The base configuration covers English, Russian, Ukrainian, and Spanish. For jurisdictions with mandatory localization (Germany, France, Japan) a specialized legal-LLM or translation layer is connected before analysis. The playbook is maintained in a single language (typically English); the agent translates the clauses of incoming NDAs into a standardized format before comparing against the rules.
How is confidentiality of the NDAs themselves ensured?
Documents are processed in an isolated environment with no content retention beyond the audit log. Encryption at-rest in file storage, access control on the playbook, optional data residency in the EU or US region for GDPR compliance. For SOC 2, full logging of agent operations is enabled with a retention policy. NDA content is not used for model training — this is a baseline architectural requirement.
Want this in your business?
Book a free audit — we'll show how this automation will work for you.