I see nothing on the webpage about public or private PKI signing of a certificate. This certificate is what, an image or a scanned raster pdf file of ink signatures or something, promising they haven't modified the document?

I don't see how that is any sort of improvement over the standard 2-3 page sized NDAs I use already on a regular basis.

PKI signatures aren't (legally) necessary, just a binding statement that what they are presenting to you is a certain version of the contract and hasn't been modified. Lying and modifying it would then be a serious misrepresentation that I don't think they could get away with.

I think the idea is similar to OSI certified licenses. You only have to read (for example) the LGPLv3 license a single time regardless of how many of your dependencies use it.

It doesn’t matter. If they affirm that “this is not modified” and it is modified, the court will tell them to get fucked and will likely cancel out terms to be maximally disadvantageous to the bad actor.

The certificate is an actual certificate. Not a cryptographic metaphorical certificate.

Have a look at the form itself, at least the first page.

It doesn’t have to be a physical certificate it can just be a sentence that states “waypoint NDA version X” in any medium.

It works in the same way as licenses work you don’t actually have to attach a full copy of a GPL license for example or even your own license terms you need to just specify what license are you using and where it can be obtained.