Corporate Due Diligence · India

Three months after closing, the buyer discovered ₹40 crore of undisclosed FEMA non compliance and a DPDPA exposure waiting to mature on 13 May 2027.

The deal economics never recovered.

  • 8 verticals: legal · IP · employment · litigation · regulatory · FEMA · tax · DPDPA
  • 13 May 2027: DPDPA enforcement begins; diligence shifts now
  • ₹250 cr: maximum penalty under DPDPA for a Data Fiduciary
  • 6 recurring deal breaking findings
Counsel that connects the technical, the commercial, and the legal, across ten offices in India.
01

Why Due Diligence Determines Deal Outcomes

The deal closes. Three months later, the buyer discovers undisclosed FEMA non compliance worth ₹40 crore. Or a tax assessment that was settled at ₹2 crore but pending Tribunal appeal at ₹18 crore. Or that the founder never assigned the platform IP to the company. Or that the target processes personal data of three million subjects without a single consent artefact, three months before the DPDPA enforcement window opens. The remediation eats half the synergy. The dispute reaches arbitration. The deal becomes the case study no one wanted.

Due diligence is not a checkbox. It is the deal economics. The findings determine the price, the indemnification, the conditions precedent, and what survives closing. The verticals, the methodology, the depth of public record cross verification: each is a deliberate choice that buyers and sellers must understand.

This page is the operational map. The eight verticals (legal, contracts, litigation, IP, employment, regulatory, FEMA and DPDPA), the deliverable formats, the timing, the deal breaking findings buyers consistently miss, and the contractual translation of findings.

02

The Eight Diligence Verticals

Indian corporate due diligence is organised across eight verticals. Each vertical has its own checklist, its own public record cross verification, its own typical findings, and its own contractual translation.

Vertical 1: Corporate. Incorporation, board composition, shareholding history, capital structure, share transfers. We verify MCA filings against company books. We track the chain of share transfers from incorporation to current cap table. Common findings: missing board resolutions, incorrect filings, gaps in cap table, share transfers that never went through Form FC TRS for foreign holders.

Vertical 2: Material Contracts. Customer contracts (top 10 by revenue), supplier contracts (top 5 by spend), licensing agreements, partnership agreements, real estate leases, debt instruments. We review for: change of control triggers, exclusivity provisions, termination rights, IP licensing, indemnification, governing law, dispute resolution. Common findings: change of control terminations that nullify customer relationships at closing, exclusivity that blocks the buyer's cross sell strategy, customer concentration above the 30% threshold.

Vertical 3: Litigation. Civil, commercial, criminal, regulatory, tax, arbitration. We search eCourts, NCLT, NCLAT, High Courts, the Supreme Court, and regulatory tribunals (SEBI, IBBI, RBI, CCI). We run director level criminal record searches. We map each matter by amount in dispute, stage, expected resolution timeline, and probability of adverse outcome. Common findings: matters not disclosed because management did not know, threatened actions not yet filed but likely (legal notice received).

Vertical 4: Intellectual Property. Trademark, patent, copyright, design registrations. Chain of title (founder assignments, employee assignments, contractor assignments). Use and infringement (third party claims, watch notices). License agreements (in bound and out bound). Open source compliance (audit of OSS components). Common findings: founder IP not assigned to company, employee IP assignment clauses missing or weak, GPL contamination in proprietary codebase, expired registrations.

Vertical 5: Employment. Workforce composition (FTE, contractor, intern, consultant), classification accuracy, benefits compliance (PF, ESI, gratuity, leave encashment), POSH compliance (IC, training, returns), wage code compliance, ESOP plans, stock option agreements, terminations and disputes. Common findings: contractor misclassification creating retroactive liability, gratuity shortfall, POSH non compliance, ESOP pool sizing not matching cap table.

Vertical 6: Regulatory. Sector specific licenses (RBI for financial services, IRDAI for insurance, MoH for pharma, FSSAI for food, BIS for products, telecom licenses for telecom). Operating permits (factory license, shops and establishments registration, fire license, environmental clearances). Common findings: expired licenses, missing renewals, scope variances between license and actual operations.

Vertical 7: FEMA. Foreign investment (FC GPR filings, FC TRS filings), External Commercial Borrowing (Form ECB filings), Overseas Direct Investment (Form ODI filings), Liaison and Branch Office permissions, downstream investment compliance, pricing compliance for share transfers. Common findings: FC GPR not filed within 30 days, FC TRS missing for foreign holder share transfers, downstream investment without prior approval, pricing below DCF valuation.

Vertical 8: DPDPA (effective 13 May 2027). The Digital Personal Data Protection Act read with the DPDP Rules notified on 13 November 2025 begins enforcement on 13 May 2027. The target is examined as a future Data Fiduciary: notice and consent records, processing inventory, lawful basis mapping, sub processor contracts and chain, retention schedules, security safeguards, breach response posture, Data Principal rights workflow, Consent Manager onboarding (where applicable), Data Protection Officer readiness, and Significant Data Fiduciary thresholds. A target that demonstrates DPDPA seriousness signals governance maturity and reduces the buyer's post closing remediation cost. A target that does not exposes the buyer to a maximum penalty of ₹250 crore once enforcement begins, plus class action style claims and personal liability of directors. In M&A and growth or late stage investment, DPDPA posture is now a board level signal, not a back office hygiene item.

03

Diligence Deliverable Formats

Diligence findings can be delivered in several formats. The format choice depends on the deal stage, the buyer profile, and the issue density.

Long form report. Detailed report organised by vertical. Each finding documented with: legal background, factual finding, severity rating, contractual implication, recommended remediation. Standard for primary M&A diligence. Used by buyer to negotiate the SPA and drive disclosures.

Red flag report. A focused summary of material issues only, organised by severity. Red flags are deal breakers requiring resolution pre closing. Amber flags are issues requiring management or specific indemnities. Green flags are routine items. Preferred by deal teams for fast track decisions.

Vendor due diligence report. Commissioned by the seller before the sale process. The seller controls scope and disclosure. Buyers receive the VDD report and run a confirmatory diligence on top of it. Standard in auction sale processes managed by investment bankers.

Confirmatory diligence. A focused review on top of a VDD or prior diligence. Buyer focuses on areas it identifies as residual risk after reviewing the prior report. Common in private equity bolt on acquisitions where the platform was already diligenced.

Bring down diligence. A pre closing review to verify no material adverse change since the original diligence date. Specifically targets new contracts signed, new litigation, new debt, capital structure changes, regulatory developments and any new personal data incidents.

04

Indicative Workflow

Sizing the engagement.

  • Lean targets in a single jurisdiction conclude on a compressed cycle.
  • Mid market targets across multiple states or business lines run on a standard cycle.
  • Large multi entity or multi geography targets run on an extended cycle.
  • International targets add a further phase for foreign jurisdiction sub diligence.

Indicative timelines are agreed at the request list stage with the deal team and revisited as data room density becomes clear. The phases below are descriptive, not prescriptive.

Workflow phases.

Setup and request list. Define scope with the buyer deal team. Issue request list (typically a triple digit count of line items across the eight verticals). Establish data room access. Hold kick off call with seller management.

Initial review. Systematic review of data room documents per vertical. Track issues. Issue follow up requests. Hold management Q&A calls per vertical (corporate, contracts, employment, IP, regulatory, FEMA, DPDPA).

Public record cross verification. Search MCA, ROC, eCourts, NCLT, regulatory databases, IP registries, EPFO, breach disclosures. Identify discrepancies. Issue queries to seller.

DPDPA readiness assessment. Examine processing inventory, consent posture, sub processor chain, retention rules, breach response, DPO readiness, Significant Data Fiduciary trigger analysis. Map gaps to remediation effort and cost.

Draft report. Issue draft diligence report. Hold finding review meeting with buyer deal team. Allow seller response on contested findings.

Final report and SPA translation. Final report issued. Buyer counsel translates findings to representations, warranties, indemnities, conditions precedent, and price adjustments in the SPA. Disclosure schedule built from diligence findings.

Bring down diligence (pre closing). Verify no material adverse change. Confirm conditions precedent satisfied.

05

The Six Deal Breaking Findings Buyers Miss

Across hundreds of diligence engagements, six categories of findings recur as deal breakers. Each is missed because it sits at the intersection of two verticals or because the seller does not know to disclose.

Finding 1: Undisclosed FEMA non compliance (downstream investment). The target made an investment in a wholly owned subsidiary or step down subsidiary. The target is itself a foreign owned company. Under FEMA, this is downstream investment requiring prior compliance with sectoral conditions and reporting. Often missed by management because they assume domestic investments by Indian incorporated entities are exempt. The penalty is up to 300% of the amount involved plus contingent risk on the underlying investment.

Finding 2: Founder IP not assigned to company. The founder built the platform before incorporating. Or the founder uses a personal repository to store core IP. The IP assignment agreement either was never signed or assigns only future work. The platform IP technically belongs to the founder personally, not the target. At any point post closing, the founder could leave and assert IP rights. The fix is a full retroactive assignment, with the SPA conditioning closing on its execution.

Finding 3: Tax assessment with appeal pending. The assessing officer issued an assessment of ₹18 crore. The company filed a Tribunal appeal and disclosed only the ₹2 crore deposit made for stay. The actual contingent liability is ₹18 crore plus interest plus penalty. Diligence catches the gap between disclosed amount and actual exposure by reviewing the assessment order and the appeal memo.

Finding 4: POSH and wage code non compliance with class action exposure. The company has 200 women employees but no IC. No annual POSH return filed for three years. Some employees report harassment but were managed informally. Under POSH, every employee is potentially a complainant with retroactive claim. Similar pattern in wage code: minimum wage shortfall, no overtime payment, no records. Class action exposure is the multiplier.

Finding 5: Change of control terminations in customer contracts. The top three customers (40% of revenue) have change of control termination clauses. The buyer acquires the target. The customers have the right to terminate within 30 to 60 days post closing. The target loses 40% revenue post closing. The fix is buyer outreach to customers pre closing for waiver letters, treated as a closing condition.

Finding 6: DPDPA readiness gap on the eve of enforcement. The target processes personal data of millions of Data Principals. There is no processing inventory, no consent artefact, no Data Protection Officer, no breach response runbook, no sub processor diligence. Enforcement begins on 13 May 2027. A buyer that closes without this finding inherits a regulatory shock with a maximum penalty of ₹250 crore, class action style claims, and personal liability for directors of a Data Fiduciary. The fix is a remediation plan as a condition precedent: appoint a DPO, build the inventory, push contractual flow downs to processors, draft the notice and consent suite, install the breach playbook and rights workflow.

06

Translating Findings to the Share Purchase Agreement

Diligence findings move to four places in the SPA.

Representations and warranties. The seller represents specific facts. Findings translate to specific representations: that all FEMA filings are made (the FC GPR finding); that all IP is assigned to the company (the founder assignment finding); that all tax assessments are disclosed (the appeal finding); that the target has assessed its DPDPA readiness and either complies or has a remediation plan (the DPDPA finding). A breach of representation triggers indemnification.

Indemnification. Specific indemnity for known issues. The diligence found ₹18 crore tax exposure. The SPA includes a specific tax indemnity covering this matter without any deductible or threshold (because it is a known liability not a general representation breach). Specific indemnities sit alongside general indemnification for unknown breaches. DPDPA exposure is captured through a dedicated indemnity covering regulatory penalty and class action defence cost.

Conditions precedent. Resolution before closing. The diligence found founder IP not assigned. Closing condition: founder executes a retroactive assignment. The diligence found change of control issues with customers. Closing condition: customer waiver letters obtained. The diligence found expired sector license. Closing condition: license renewal obtained. The diligence found DPDPA readiness gaps. Closing condition: appointment of Data Protection Officer, baseline processing inventory completed, and a board approved remediation plan in place ahead of 13 May 2027.

Purchase price adjustment. Quantified contingent liability adjusts the price. The tax exposure is quantified at ₹18 crore with 60% probability. The SPA reduces the purchase price by ₹10 crore (probability adjusted) or holds the amount in escrow pending tribunal outcome. The disclosure schedule lists the reservation explicitly. DPDPA remediation cost (DPO hire, technology, contracting, notice and consent suite) is netted from the deal value or held back in an escrow that releases on milestones.

The diligence report becomes the master reference for the disclosure schedule. Every disclosed exception in the SPA representations links back to a specific diligence finding. This is how the diligence work product translates to deal economics.

Answers

What clients ask before they commit.

Short, direct, on the record.

01 What does legal due diligence in India typically cover?

Legal due diligence covers eight verticals: corporate (incorporation, board, shareholders, capital structure), contracts (material agreements, change of control), litigation (current, threatened, regulatory), IP (registrations, ownership, infringement), employment (workforce, benefits, disputes), regulatory (sector licenses, compliance), FEMA (foreign investment, ECB, ODI), and DPDPA (data fiduciary readiness for the regime effective 13 May 2027). Each vertical has standard checklists and red flags.

02 Why has DPDPA become an eighth diligence vertical?

The Digital Personal Data Protection Act read with the DPDP Rules notified on 13 November 2025 becomes enforceable from 13 May 2027. Buyers in M&A and investors in growth and late stage rounds now examine the target as a future Data Fiduciary: notice and consent records, processing inventory, sub processor contracts, retention schedules, breach response posture, DPO appointment readiness, and Significant Data Fiduciary thresholds. A target that demonstrates DPDPA seriousness signals governance maturity and reduces the buyer's post closing remediation cost. A target that does not exposes the buyer to a maximum penalty of ₹250 crore once enforcement begins.

03 How long does due diligence take?

Diligence timelines scale with target size and complexity. Lean targets in a single jurisdiction conclude on a compressed cycle. Mid market targets across multiple states or business lines run on a standard cycle. Large multi entity or multi geography targets run on an extended cycle. International targets add a further phase for foreign jurisdiction sub diligence. Indicative timelines are agreed at the request list stage with the deal team.

04 What are the most common deal breakers found in due diligence?

Six recurring deal breakers: undisclosed FEMA non compliance (downstream investment, ECB violations); founder IP not assigned to company; pending tax assessments creating contingent liability; class action style employment disputes (POSH, wage code); contracts with change of control termination triggers; and DPDPA readiness gaps that surface latent class action risk and personal liability for directors of a Data Fiduciary.

05 What is a vendor due diligence report?

A vendor due diligence (VDD) report is prepared by the seller's advisors before the sale process. The seller commissions diligence on its own company and shares the report with potential buyers. This accelerates buyer diligence (most issues are pre identified), gives the seller control over disclosure, and is standard in auction sale processes.

06 How does FEMA due diligence differ from regular due diligence?

FEMA due diligence focuses on cross border capital flows: verifying foreign investment is reported (FC GPR), ECBs are reported (Form ECB), overseas direct investments are reported (Form ODI), pricing complies with FEMA regulations (DCF for unlisted, market for listed), and ownership transfers are reported (Form FC TRS). Non compliance creates compounding penalties at 300% of the amount involved plus contingent licensing risk.

07 What is a red flag report?

A red flag report is a high level diligence summary that lists material issues only, organised by severity (red, amber, green). Red flags are deal breakers requiring resolution pre closing. Amber flags are issues requiring management or specific indemnities. Green flags are routine items. The format is preferred by deal teams for fast track decisions.

08 What does an IP due diligence cover?

IP due diligence verifies registration status of trademarks, patents, copyrights, designs; chain of title (founder assignments, employee assignments, contractor assignments); use and infringement (third party claims, watch notices); license agreements (in bound and out bound); open source compliance (audit of all OSS components in the codebase); and IP litigation (active, threatened, opposition proceedings).

09 How is litigation due diligence conducted?

Litigation due diligence covers four buckets: civil and commercial cases, criminal cases against company and directors, regulatory and tax proceedings, and arbitrations. We search court records (eCourts, NCLT, High Courts, Supreme Court) and regulatory tribunals (NCLT, SEBI Securities Appellate Tribunal, GST tribunals, CESTAT), and conduct director level criminal record searches. Findings are quantified by exposure and probability.

10 What employment due diligence issues commonly arise?

Recurring employment findings: incorrect classification (contractor vs employee), shortfall in PF/ESI/gratuity contributions, missing POSH compliance (no IC, no annual returns, untrained workforce), wage code non compliance (minimum wages, overtime), unpaid leave encashment, contingent liabilities from past terminations, and stock option pool sizing issues for ESOP plans.

11 How are diligence findings translated to the share purchase agreement?

Findings move to four places in the SPA: (1) representations and warranties (specific reps for each finding); (2) indemnification (specific indemnity for known issues, with caps and floor adjusted); (3) conditions precedent (resolution before closing, e.g., compounding application filed); (4) purchase price adjustment (escrow holdback or price reduction for quantified contingent liability). The diligence report becomes the master reference for the disclosure schedule.

Engage AMLEGALS

Diligence drives deal terms. Get the operational view.

AMLEGALS conducts corporate due diligence for M&A, private equity, venture capital, and strategic acquisition transactions across India. Write to us with the deal context and target profile, and we will share our request list, scope template, and indicative workflow including the DPDPA readiness assessment.

Engagements are conducted under attorney work product and privilege.