Indian startups raise their first cheque on momentum. Series A diligence reveals what was deferred. Founders without vesting. IP not assigned. ESOP grants without a board approved plan. Customer contracts that are emails. Vendor templates with unlimited liability. The arithmetic is brutal: founders who built compliance from day zero close in eight weeks. Founders who did not close in six months or do not close at all.
DPDPA 2023 has no startup exemption. From the first user, your startup is a Data Fiduciary with the full obligation set: privacy notice, consent, breach notification within 72 hours, vendor DPAs. Build it in. Do not bolt it on at Series A.
Indian startups raise their first cheque on momentum: a working prototype, three pilot customers, a small team. The legal infrastructure is treated as paperwork to be sorted later.
Later arrives at Series A.
Series A diligence reveals: founders without vesting agreements who have already left with full equity, IP not formally assigned to the company because there was no IP assignment agreement, ESOP grants made without a board approved plan, employees engaged as consultants to avoid statutory contributions, customer contracts that are emails, vendor contracts that are vendor templates accepting unlimited liability for the startup, no privacy policy, GST returns filed late, board meetings that are WhatsApp messages.
Diligence findings translate into deal friction. The transaction either: gets delayed by months while remediation happens, gets repriced because risks are now visible, or fails because the cumulative findings exceed the investor's tolerance. Founders who built compliance from day zero close in eight to twelve weeks. Founders who deferred compliance close in six months or do not close at all.
This page sequences the legal infrastructure from incorporation through Series A. Build it in the right order at the right time, and the legal foundation supports growth instead of fracturing under it.
The first decision is the entity structure. Three options matter for Indian startups.
Private Limited Company (Pvt Ltd). Suitable for startups planning institutional fundraising. Issues equity shares. Permits ESOPs. Standardises with global VC governance. Required for IPO path. Compliance burden is highest: board meetings, AGMs, statutory registers, returns to MCA, audit, secretarial compliance.
Limited Liability Partnership (LLP). Suitable for service businesses, bootstrapped operations, and partnerships. Lower compliance burden. Cannot issue equity shares. Unsuitable for institutional investment because LLP profit shares are not equity. Conversion from LLP to Pvt Ltd later is possible but creates tax complexity.
One Person Company (OPC). Suitable for solo founders without immediate fundraising plans. Single member, single director (with one nominee). Mandatory conversion to Pvt Ltd if turnover exceeds 2 crore or paid up capital exceeds 50 lakh. Useful structure for solo professionals but limited for growth.
For VC funded technology startups: Pvt Ltd is the answer.
The incorporation process is now substantially streamlined. SPICe Plus (Simplified Proforma for Incorporating Company Electronically) is a single integrated form that handles name reservation, incorporation, PAN allotment, TAN allotment, GST registration, EPF registration, ESI registration, professional tax registration (in select states), and bank account opening. The portal is integrated with MCA, CBDT, EPFO, ESIC, and state authorities. Average incorporation timeline is 7 to 14 days.
The founders agreement is the contract between co-founders. It governs equity split, vesting, roles, IP, decision making, and exit.
Critical clauses:
Equity split. Specific percentages allocated to each founder, agreed before incorporation.
Vesting. Standard four years with one year cliff. No equity vests in the first year. After the cliff, equity vests monthly or quarterly. Founder leaving in month 11 leaves with zero. Founder leaving in month 18 leaves with 18.75%.
IP assignment. All IP created by founders related to the business is assigned to the company. Includes pre incorporation IP and IP created during the founder relationship.
Roles and responsibilities. Functional ownership clearly defined. CEO, CTO, COO. Avoids overlap and gaps.
Decision making framework. Ordinary decisions by the responsible founder. Material decisions by majority. Reserved matters (fundraising, M&A, strategic shifts) by unanimous consent.
Exit mechanics. Good leaver vs bad leaver definitions. Buyback rights. Right of first refusal on equity sales. Drag along and tag along after first institutional round.
Dispute resolution. Mediation followed by arbitration. Avoid court litigation between founders.
The founders agreement should be executed before or simultaneously with incorporation. After incorporation, vesting cannot be retrospectively imposed on already issued shares without restructuring. Read more in our dedicated founders agreement guide.
The base set of registrations:
PAN (Permanent Account Number). Mandatory. Issued automatically with SPICe Plus incorporation. Required for all financial transactions.
TAN (Tax Deduction Account Number). Mandatory once you start deducting tax at source (TDS) from payments. Issued with SPICe Plus.
GST (Goods and Services Tax). Mandatory once turnover threshold is crossed. 40 lakh for goods (lower in special category states). 20 lakh for services. Voluntary registration is permitted and often advisable for B2B startups.
Shops and Establishments. State specific registration mandatory in most states for any commercial establishment. Karnataka, Maharashtra, Delhi, and other states require it within 30 days of starting operations.
Professional Tax. State specific tax on salaried persons in certain states (Maharashtra, Karnataka, West Bengal, others). Employer registration and monthly deductions.
EPF (Employees Provident Fund). Mandatory once employee count crosses 20. Some states have lower thresholds. Once registered, applies to all employees earning up to a specified wage cap.
ESI (Employees State Insurance). Mandatory once employee count crosses 10. Applies to employees earning up to 21,000 monthly.
MSME registration. Voluntary but valuable. Provides preference in government procurement, easier finance access, and certain subsidies. Free and online via Udyam portal.
IEC (Import Export Code). Mandatory for any cross border trade. Online via DGFT.
Sector specific. FSSAI (food), drug licence (pharma), TRAI (telecom), RBI (financial services), SEBI (capital markets), IRDAI (insurance). Sector dictates additional requirements.
Sequencing matters. Incorporate first. Then GST if applicable. Then state level registrations. Then EPF and ESI when employee thresholds are crossed. Then DPIIT.
DPIIT recognition is the single most underrated startup compliance step. It costs nothing. It unlocks substantial benefits.
Eligibility:
• Incorporated as Private Limited Company, LLP, or registered partnership
• Less than ten years old from date of incorporation
• Annual turnover not exceeding 100 crore in any financial year
• Working towards innovation, development, or improvement of products, processes, or services, OR having a scalable business model with high potential for employment generation or wealth creation
• Not formed by splitting up or reconstruction of an existing business
Benefits:
Income tax exemption (Section 80 IAC). Three consecutive years of tax holiday from any 10 year window post incorporation. Eligibility requires a separate certification from the Inter Ministerial Board.
Angel tax exemption (Section 56(2)(viib)). Exemption from tax on share premium received above fair market value. Critical for startups raising at high valuations.
Patent and trademark fast tracking. Up to 80% rebate on filing fees and expedited examination.
Fund of Funds for Startups. Access to capital deployed through SIDBI to AIFs that invest in startups.
Public procurement. Exemption from prior turnover and experience requirements in central government tenders.
Self certification. Self certification under nine labour laws and three environmental laws for the first three years.
Easy winding up. Fast track winding up in 90 days under the Insolvency and Bankruptcy Code.
Application is online via the Startup India portal. Documentation: incorporation certificate, MOA AOA, brief description of innovation, founder details. Most applications are processed within 4 to 6 weeks. Recognition is valid until the startup ceases to meet eligibility criteria.
For most early stage startups, IP is the most valuable asset. Brand, code, algorithms, designs, content, customer data. Without IP protection, the company is unfundable.
Trademark. Brand name, logo, tagline. Register before public launch. Indian trademark registration takes 18 to 24 months but priority is established at filing date. Registered trademarks can be enforced in court. Unregistered marks rely on common law passing off claims which are harder to prove. Register in the relevant classes (Class 9 for software, Class 35 for marketing services, Class 42 for technology services, others as applicable).
Copyright. Source code, content, designs, training materials. Copyright arises automatically upon creation in India. Registration is not mandatory but provides evidence in disputes. Critical step: ensure the company owns the copyright through proper IP assignment from founders, employees, and contractors.
Patent. Novel technology, processes, methods. Patents require novelty, inventive step, and industrial applicability. File before public disclosure to preserve novelty. Indian patent prosecution takes 4 to 7 years. Provisional applications can establish priority while you finalise the complete specification.
Trade secrets. Algorithms, business processes, customer lists, pricing strategies. Trade secrets require confidentiality. NDAs with employees and contractors. Access controls on confidential information. Marking documents as confidential. Trade secrets remain protected indefinitely as long as confidentiality is maintained.
Domain names. Register the primary domain plus defensive variations and country specific domains where relevant.
Design registration. For products with distinctive industrial design. Registers the visual design (shape, configuration, pattern, ornament). Protection for 10 years renewable to 15.
The cost of day zero IP protection: 2 to 5 lakh for a baseline portfolio. The cost of remediating IP gaps before Series A: 10 to 30 lakh plus deal friction. The arithmetic is obvious.
Even at 5 employees, the employment framework matters. By Series A diligence it must be substantively complete.
Appointment letters and employment contracts. Written documents specifying role, responsibilities, compensation, working hours, leave, confidentiality, IP assignment, non solicit, and termination. Indian Contract Act 1872 governs enforceability.
NDA and IP assignment. Standalone NDA and IP assignment with each employee, executed at joining. Assigns all IP created during employment to the company.
Employee handbook. Documenting workplace policies: leave, working hours, code of conduct, anti harassment, anti bribery, IT and data security, social media, expense reimbursement, exit. Provides clarity and protection.
POSH committee. Mandatory under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act 2013 once 10 or more employees are engaged. Internal Committee constitution, policy, complaint mechanism, annual report.
ESOP plan. Board approved Employee Stock Option Plan (ESOP). Approved by special resolution of shareholders. Grant letters to employees specifying number of options, exercise price, vesting schedule, and treatment on termination or company exit. ESOP design affects retention and exit outcomes.
Statutory deductions. Income tax (TDS), professional tax, EPF, ESI as applicable. Monthly deductions, monthly deposits, periodic returns.
Leave policies. Paid leave, sick leave, maternity leave (26 weeks under Maternity Benefit Act), paternity leave (often optional), bereavement leave, casual leave. Documented and applied consistently.
Termination procedures. Notice periods, payment in lieu, garden leave provisions where applicable, exit interviews, return of company property, post termination obligations (confidentiality, non solicit).
DPDPA 2023 has no startup exemption. Any startup processing personal data of Indian residents is a Data Fiduciary subject to the full set of obligations.
For a B2C startup with users in India, this means:
• Privacy notice in plain language available in English or Eighth Schedule languages
• Valid consent architecture: free, specific, informed, unconditional, with easy withdrawal
• Reasonable security safeguards proportionate to the data being processed
• Data Principal rights facilitation (access, correction, erasure, nomination, grievance)
• Data breach notification to the Data Protection Board within 72 hours
• Data Processing Agreements with all vendors handling personal data
• Cross border transfer arrangements where data leaves India
• Children's data protections if processing data of users under 18 (verifiable parental consent, no behavioural advertising)
For a B2B SaaS startup, additional obligations as Data Processor for customer data: DPA with each customer, sub processor management, breach notification chain.
Practical implication: build DPDPA compliance into the product from day zero. Privacy notice and consent flows during onboarding. Granular consent for marketing. User dashboard for accessing and exercising rights. Backend logs for accountability. Vendor DPAs with each tool used. Breach response runbook.
Retrofitting compliance after product market fit is significantly more expensive than building it in. Investors increasingly diligence DPDPA compliance during Series A. Read the DPDP Rules 2025 guide for operational details and the DPA drafting guide for vendor contracts.
Fundraising at seed and Series A involves a documented sequence.
Term sheet. Non binding (mostly) summary of commercial terms. Valuation, investment amount, type of security (typically Compulsorily Convertible Preference Shares for India deals or equity), liquidation preference, anti dilution, board composition, reserved matters, drag along, tag along, ROFR, ROFO, information rights, employment of founders, ESOP top up. The term sheet sets the framework. Negotiation here is more flexible than in definitive documents.
Due diligence. Investor diligence on legal, commercial, financial, tax, and operational matters. The legal diligence reviews everything outlined in this page. Findings translate into: deal proceeds with conditions, deal repriced, deal restructured, or deal aborted.
Definitive documents. Shareholders Agreement (SHA), Share Subscription Agreement (SSA), amended Articles of Association. The SHA governs ongoing investor rights. The SSA documents the investment transaction. The Articles incorporate the share rights and restrictions.
Conditions precedent. Tasks the company must complete before closing: regulatory approvals, statutory amendments, third party consents, tax clearances, repair of due diligence findings.
Closing. Investment funded. Shares issued. Board reconstituted. Director appointments and resignations. Statutory filings.
Post closing. Updated cap table. Updated statutory registers. ROC filings. Implementation of investor reserved matters and information rights.
Pre Series A clean up is a 4 to 6 month effort. Starting clean up after the term sheet is signed delays closing and creates leverage for the investor. Smart founders begin clean up before fundraising starts.
Short, direct, on the record.
For startups planning institutional fundraising, Private Limited Company is the answer. Investors fund Pvt Ltd companies because the share structure is investible. Equity can be issued, ESOPs can be structured, term sheets standardise around Pvt Ltd governance, and exit mechanisms (acquisition, IPO) require Pvt Ltd structure. LLPs are unsuitable for institutional investment because LLPs do not issue equity shares. LLP partnerships have profit shares which are not the same as equity. LLP suits service partnerships, bootstrapped operations, and family businesses where institutional investment is not contemplated.
DPIIT (Department for Promotion of Industry and Internal Trade) recognition is granted to startups meeting eligibility criteria: incorporated as a Private Limited Company, LLP, or registered partnership, less than ten years old, annual turnover under one hundred crore in any of the financial years since incorporation, working towards innovation, development, or improvement of products, processes or services or having a scalable business model with high potential of employment generation or wealth creation, and not formed by splitting up or reconstruction of an existing business. Recognition unlocks income tax exemption under Section 80 IAC, angel tax exemption under Section 56 (2)(viib), patent and trademark fast tracking with rebate, access to the Fund of Funds for Startups, self certification under nine labour and environmental laws, and easier public procurement.
Section 56(2)(viib) of the Income Tax Act taxes the share premium received by closely held companies (essentially Pvt Ltd companies) if the issue price exceeds the fair market value of the shares as determined under prescribed rules. The excess is taxed as income from other sources. For startups raising at high valuations from angels and seed investors, this can result in significant tax on capital received. DPIIT recognised startups receive exemption from angel tax provided they meet specified conditions. Effective April 2024, the angel tax exemption was substantially expanded to include investments from non residents (foreign investors), removing one of the most contentious tax issues for Indian startups raising international capital.
The base set: PAN (Permanent Account Number), TAN (Tax Deduction Account Number), GST registration if turnover exceeds threshold (typically 40 lakh for goods, 20 lakh for services, varies by state), Shops and Establishments registration in the state of operation, Professional Tax registration if applicable in the state, EPF and ESI registration once employee count crosses thresholds (20 for EPF, 10 for ESI in most states), MSME registration for benefits, IEC (Import Export Code) for international trade, FSSAI for food businesses, trademark registration, and ISO certifications where customer requirements demand. Each registration has its own timeline, documentation, and fees.
Before incorporation. The founders agreement is the contract between co-founders that governs equity split, vesting, IP assignment, decision making, founder exit, and dispute resolution. Drafting it after incorporation creates problems: existing shareholding may not align with intended split, IP created before incorporation needs retroactive assignment, vesting cannot be applied to already issued shares without restructuring. Founders who postpone the agreement until after raising capital discover they cannot impose vesting on themselves at that stage because their shares have already been issued without restrictions.
IP is often the most valuable asset of an early stage startup. Without protection, the IP is at risk and the startup is unfundable. Specifically: brand identity should be trademarked before public launch (if a competitor registers your brand first, you may have to rebrand). Software code should have clear assignment to the company (if developed by founders before incorporation, a written assignment is needed). Patents on novel technology should be filed before public disclosure. Trade secrets (algorithms, customer lists, business processes) require NDAs and access controls. Copyright registers automatically but registration provides evidence in disputes. Domain names should be registered defensively in adjacent variations. The cost of day one IP protection is small. The cost of remediating IP gaps before Series A diligence is large.
Even with two employees, statutory obligations begin: appointment letter or employment contract, deductions under the Income Tax Act, professional tax in applicable states, EPF registration once 20 employees are hired (some states have lower thresholds), ESI registration once 10 employees are hired, gratuity provisioning once five years of service is reached for any employee. Beyond statute: NDAs and IP assignment agreements with all employees, ESOP plan and grant letters for early team members, employee handbook documenting policies, POSH (Prevention of Sexual Harassment) committee and policy, anti bribery policy. Documentation matters because Series A diligence reviews all of this.
Yes. DPDPA 2023 has no startup exemption. Any startup processing personal data of Indian residents is a Data Fiduciary subject to DPDPA. The full set of obligations applies: privacy notice in plain language, valid consent architecture, security safeguards, data breach notification within 72 hours to the Data Protection Board, Data Principal rights facilitation. Practical implication: build DPDPA compliance into the product from day zero. Retrofitting compliance after product market fit is more expensive than building it in. Investors increasingly diligence DPDPA compliance during Series A.
Investors at Series A perform legal due diligence covering: corporate (incorporation documents, share register, board resolutions, statutory registers, secretarial compliance), founders (founders agreement, vesting status, IP assignment), capitalisation (cap table, ESOP plan, employee grants, prior round documentation), commercial (key customer contracts, key vendor contracts, leases), employment (contracts, policies, statutory compliance), IP (trademarks, copyrights, patents, software licences), data protection (DPDPA compliance status), litigation (any disputes, claims, or threatened proceedings), tax (returns, payments, assessments, GST compliance), and regulatory (sector specific licences and approvals). Pre Series A clean up is a 4 to 6 month effort. Starting clean up after the term sheet is signed delays closing.
An ESOP (Employee Stock Option Plan) is a board approved scheme under the Companies Act 2013 (Section 62(1)(b) and Rule 12 of the Companies (Share Capital and Debentures) Rules 2014). The plan must be approved by special resolution of shareholders. ESOP grants are made under grant letters specifying number of options, exercise price, vesting schedule (typically four years with one year cliff), exercise window after vesting, and treatment on termination or company exit. ESOPs are taxable at exercise (as perquisite under salary income) and again at sale (as capital gains). DPIIT recognised startups receive deferred taxation under Section 192(1C) of the Income Tax Act, allowing tax payment within 14 days of the earliest of five years from exercise, share sale, or employment termination. ESOP design impacts attraction, retention, and tax outcomes for the team.
AMLEGALS advises Indian startups from incorporation through Series C: founders agreement, DPIIT, IP, employment, ESOP, DPDPA, fundraising. Speak with us at [email protected].