In my opinion NDAs are worthless (in most cases) and give a false sense of ownership protection. As far as code reviews go, you absolutely should include at least one. I know of a case directly in which the outsourced developer "accidentally" left their API endpoint. Had it gone into production they would have seen all sorts of things.