Startup Legal Compliance Checklist India: From Incorporation to Series A

LexiReview Editorial Team | 29 March 2026 | 33 min read

Startup Legal Compliance Checklist India 2026: Incorporation to Series A

Every year, thousands of Indian startups lose weeks — sometimes months — of fundraising momentum because their legal house is not in order. A missing IP assignment deed, a poorly drafted co-founder agreement, or a non-existent privacy policy under the DPDP Act 2023 can stall an otherwise promising Series A round.

The truth is, most of these problems are entirely preventable. They stem not from complex legal questions but from founders simply not knowing what needs to be done and when.

This checklist changes that. We have mapped every critical legal and compliance step an Indian startup must complete — from the first co-founder conversation through to the data room that will sit in front of a VC partner. Each phase includes the specific contracts you need, the regulatory registrations you must file, and the deadlines you cannot afford to miss.

Key Takeaway

Legal compliance for Indian startups is not a one-time activity at incorporation — it is a phased, ongoing process. The contracts, registrations, and policies you put in place (or fail to put in place) in your first 24 months directly determine whether your Series A due diligence takes two weeks or two months.

Whether you are a first-time founder incorporating your company tomorrow or a startup counsel preparing for an upcoming funding round, use this as your definitive reference for 2026.


Before you file a single form with the Registrar of Companies, there are agreements that must be executed between co-founders and early contributors. Skipping this phase is the single most common source of founder disputes and fundraising delays.

1.1 Co-Founder Agreement

This is arguably the most important document your startup will ever sign, yet the majority of early-stage Indian startups operate without one.

A co-founder agreement must cover:

  • Equity split and vesting schedule — Define who holds what percentage, subject to what vesting terms. A standard four-year vesting period with a one-year cliff is the norm for Indian startups.
  • Roles and responsibilities — Who is CEO, CTO, COO? Who handles what? Ambiguity here breeds conflict.
  • IP ownership — All intellectual property created by founders must be assigned to the company (once incorporated). This clause is non-negotiable for investors.
  • Exit provisions — What happens if a co-founder leaves? Define good leaver and bad leaver scenarios, buyback terms, and non-compete obligations.
  • Decision-making and deadlock resolution — How are major decisions made? What happens when founders disagree?
  • Confidentiality and non-compete — Protect the startup's interests from day one.

Do Not Use a Generic Template

A co-founder agreement must be tailored to your specific situation. Generic templates downloaded from the internet frequently omit India-specific provisions — particularly around vesting (which has tax implications under the Income Tax Act), non-compete enforceability (Section 27 of the Indian Contract Act renders overly broad non-competes void), and IP assignment formalities.

1.2 IP Assignment Deed

If any founder or early contributor has built technology, written code, designed a product, or created any intellectual property before incorporation, that IP must be formally assigned to the company once it is incorporated.

This requires a standalone IP Assignment Deed — a simple clause in the co-founder agreement is not sufficient for most VCs.

Key elements:

  • Identification of all pre-existing IP being assigned
  • Irrevocable assignment of all rights, title, and interest
  • Consideration (even nominal consideration of ₹1 is acceptable)
  • Warranties that the IP is original and does not infringe third-party rights
  • Governing law clause (Indian law)

1.3 NDA Templates

You will need NDAs before you start talking to potential employees, contractors, vendors, and even some investors. Prepare two versions:

  • One-way NDA — For conversations where only you are disclosing confidential information (e.g., pitching to a contractor or early hire).
  • Mutual NDA — For conversations where both parties share sensitive information (e.g., partnership discussions, some investor conversations).

1.4 Advisor Agreement (If Applicable)

If you are engaging advisors in exchange for equity or other compensation, formalise the arrangement before incorporation. The agreement should cover:

  • Scope of advisory services
  • Equity or compensation terms (typically 0.25%–1% equity with vesting)
  • IP assignment (any work product belongs to the company)
  • Confidentiality obligations

Phase 2: Incorporation — Getting Officially Registered

Once your pre-incorporation agreements are in place, it is time to incorporate. For the vast majority of startups in India, incorporating as a Private Limited Company under the Companies Act, 2013 is the correct choice. LLPs and OPCs have structural limitations that make them less attractive for venture funding.

2.1 Company Incorporation (ROC Filing)

File the following with the Registrar of Companies via the MCA portal:

  • SPICe+ Form (INC-32) — The integrated incorporation form that also allows you to apply for PAN, TAN, GSTIN, EPFO, and ESIC registration simultaneously.
  • eMoA (INC-33) — Electronic Memorandum of Association.
  • eAoA (INC-34) — Electronic Articles of Association.
  • AGILE-PRO-S — For GSTIN, EPFO, ESIC, and Profession Tax registration.

Documents required:

  • Digital Signature Certificate (DSC) for all directors
  • Director Identification Number (DIN) for all directors
  • Proof of registered office address
  • Identity and address proof of all directors and subscribers
  • No Objection Certificate from the property owner (for registered office)

Timeline: 7–15 business days for incorporation certificate, assuming no objections from ROC.

2.2 PAN and TAN

These are automatically applied for through the SPICe+ form. Your company PAN and TAN will be issued alongside the Certificate of Incorporation.

2.3 GST Registration

If your startup's turnover exceeds ₹20 lakh (₹10 lakh for special category states) or if you are engaged in inter-state supply of goods or services, GST registration is mandatory. For most SaaS startups and those planning to invoice clients in other states, register from day one.

Timeline: Applied via AGILE-PRO-S during incorporation. GSTIN typically issued within 7 working days.

2.4 Bank Account Opening

Open a current account in the company's name immediately after receiving the Certificate of Incorporation. You will need:

  • Certificate of Incorporation
  • MOA and AOA
  • PAN card of the company
  • Board resolution authorising account opening and signatories
  • KYC documents of all directors

Choose Your Bank Strategically

Many startup-friendly banks (such as RazorpayX, Jupiter, and traditional banks with startup banking programmes) offer integrated payment, payroll, and compliance features. Your banking choice affects operational efficiency — do not default to whichever branch is closest to your registered office.

2.5 DPIIT Recognition (Startup India)

Register your startup with the Department for Promotion of Industry and Internal Trade to avail benefits under the Startup India initiative:

  • Tax exemption under Section 80-IAC (three consecutive years of tax holiday out of the first ten years)
  • Self-certification for compliance under six labour laws and three environmental laws
  • Fast-tracked patent examination at reduced fees
  • Easier public procurement norms

Eligibility criteria (2026):

  • Entity incorporated as a Private Limited Company, Partnership Firm, or LLP
  • Incorporation date not older than 10 years
  • Annual turnover not exceeding ₹100 crore in any financial year
  • Working towards innovation, development, or improvement of products/processes/services

Timeline: Apply via the Startup India portal. Recognition typically granted within 2–5 working days.

2.6 Professional Tax Registration

Required in states that levy professional tax (Maharashtra, Karnataka, West Bengal, and others). Apply through the respective state government portal.

2.7 Shops and Establishment Act Registration

Register your place of business under the applicable state's Shops and Establishment Act. This is mandatory in most states and must be done within 30 days of commencing business.


Phase 3: Post-Incorporation (0–6 Months) — Building Your Contract Stack

This is the phase where most startups accumulate legal debt. You are hiring your first employees, engaging contractors, launching your product, and moving fast. The temptation to defer "legal stuff" is enormous — and enormously costly later.

3.1 Employment Agreements

Every employee must have a written employment agreement. This is not optional — it is a legal requirement under various labour laws and an absolute necessity for investor due diligence.

Your employment agreement must include:

  • Job title, role, and reporting structure
  • Compensation — Salary breakdown (basic, HRA, special allowance, etc.), payment frequency, and bank details
  • Probation period — Typically 3–6 months, with clear terms for confirmation or termination
  • IP assignment clause — All work product created during employment belongs to the company. This is the single most scrutinised clause during VC due diligence.
  • Confidentiality obligations — Extending beyond the term of employment
  • Non-compete and non-solicitation — Keep these reasonable; Indian courts routinely strike down overly broad non-competes post-termination
  • Termination provisions — Notice period (typically 1–3 months), grounds for termination with and without cause, severance terms
  • Governing law and dispute resolution — Specify Indian law and your preferred arbitration/jurisdiction

The IP Assignment Clause Is Non-Negotiable

If your employment agreements do not contain a clear, enforceable IP assignment clause, your company does not legally own the code your engineers write, the designs your designers create, or the content your writers produce. This is the number one red flag VCs look for — and the number one reason fundraising rounds get delayed.

3.2 Contractor/Consultant Agreements

For freelancers, consultants, and agencies, use a separate contractor agreement (not an employment agreement). Key differences:

  • No employer-employee relationship (to avoid misclassification risks)
  • Clear deliverables and timelines
  • IP assignment clause (work-for-hire does not automatically vest IP in the hiring party under Indian law — you need an explicit assignment)
  • Payment terms and invoicing requirements
  • GST implications (reverse charge mechanism, if applicable)
  • Termination with defined notice period

3.3 Terms of Service (ToS) and Privacy Policy

If you are launching a product — especially a SaaS product, mobile app, or any digital service — you need both of these before your first user signs up.

Terms of Service must cover:

  • Acceptable use policy
  • Intellectual property rights
  • Payment terms and refund policy
  • Limitation of liability
  • Indemnification
  • Governing law and dispute resolution
  • Termination and suspension rights

Privacy Policy must comply with the Digital Personal Data Protection Act, 2023 (DPDP Act):

  • Purpose of data collection (purpose limitation)
  • Types of personal data collected
  • Legal basis for processing (consent mechanism)
  • Data retention periods
  • Rights of data principals (access, correction, erasure, grievance redressal)
  • Details of the Data Protection Officer or designated contact
  • Cross-border data transfer disclosures
  • Consent mechanism for minors (if applicable)
  • Security safeguards description

3.4 DPDP Act 2023 Compliance

The DPDP Act received Presidential assent in August 2023, and the rules under the Act are now being progressively enforced. As of 2026, startups must take the following steps:

  1. Appoint a Data Protection Officer (DPO) or a designated person responsible for data protection compliance — mandatory for Significant Data Fiduciaries, but practically advisable for all startups handling user data.
  2. Implement a consent mechanism — Obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data. Your consent forms must be clear and in plain language.
  3. Establish a grievance redressal mechanism — Data principals must have a clear channel to raise grievances, and you must respond within the timelines prescribed under the rules.
  4. Maintain records of processing activities — Document what data you collect, why, how long you retain it, and who you share it with.
  5. Implement reasonable security safeguards — Technical and organisational measures to protect personal data. The Act requires you to notify the Data Protection Board of India in case of a personal data breach.
  6. Review cross-border data transfers — The Act permits transfers to countries not on the government's restricted list. Verify that your cloud infrastructure and third-party services comply.

DPDP Act Timeline for Startups

While the full enforcement timeline depends on the rules notified by the Central Government, startups should assume that all core provisions — consent, notice, grievance redressal, and breach notification — are either already in effect or will be by mid-2026. Do not wait for formal notification to begin compliance. VCs are already asking about DPDP readiness during due diligence.

3.5 ESOP Plan (Employee Stock Option Plan)

If you plan to attract top talent with equity, set up your ESOP plan early. Under the Companies Act, 2013:

  • Pass a special resolution at a general meeting approving the ESOP scheme
  • File Form MGT-14 with the ROC within 30 days of passing the resolution
  • Define the ESOP pool (typically 10%–15% of fully diluted share capital)
  • Establish vesting schedule (minimum one-year cliff as per Companies Act)
  • Define exercise price, exercise window, and exercise period
  • Include provisions for good leaver and bad leaver scenarios
  • Address tax implications — ESOPs are taxed at two stages in India: (1) at exercise (as perquisite under "Income from Salary") and (2) at sale (as capital gains)

ESOP Tax Changes — Stay Updated

The Indian government has periodically introduced tax relief for ESOP exercises in eligible startups (Section 80-IAC eligible companies). As of 2026, verify the latest position on deferred TDS on ESOP perquisites for DPIIT-recognised startups. The rules around timing of tax payment have changed multiple times — ensure your ESOP scheme document reflects the current position.

3.6 Board Resolutions and Statutory Registers

From the date of incorporation, maintain the following:

  • Minutes of board meetings (first board meeting within 30 days of incorporation)
  • Minutes of general meetings
  • Register of members (Form MGT-1)
  • Register of directors and KMP (Form MBP-1)
  • Register of charges
  • Register of contracts (where directors are interested)

Statutory filing deadlines:

| Filing | Deadline |
|--------|----------|
| First board meeting | Within 30 days of incorporation |
| Subsequent board meetings | At least 4 per year, with not more than 120 days between two meetings |
| Annual General Meeting | Within 6 months of end of financial year (for first AGM, within 9 months) |
| Annual Return (Form MGT-7A) | Within 60 days of AGM |
| Financial Statements (Form AOC-4) | Within 30 days of AGM |
| DIR-3 KYC | Annually, by 30 September |
| Commencement of Business (Form INC-20A) | Within 180 days of incorporation |


As your startup grows — hiring more people, signing more customers, engaging more vendors — your contract volume increases dramatically. This is where template discipline and contract management systems become essential.

4.1 Vendor and Service Provider Agreements

As you engage vendors for cloud infrastructure, payment processing, marketing, logistics, and other services, each engagement must be governed by a written agreement covering:

  • Scope of services and SLAs
  • Pricing, payment terms, and escalation mechanisms
  • Data processing obligations (if vendor handles personal data — reference DPDP Act)
  • IP ownership of any work product
  • Confidentiality and non-disclosure
  • Indemnification and limitation of liability
  • Termination provisions and transition assistance
  • Governing law and dispute resolution

4.2 Customer Contracts and SaaS Agreements

If you sell to businesses (B2B), you need a robust Master Service Agreement (MSA) or SaaS Subscription Agreement covering:

  • Service description and scope
  • Subscription terms, pricing, and payment
  • SLA commitments (uptime, support response times)
  • Data protection and security obligations
  • IP ownership (your platform IP vs. customer data)
  • Limitation of liability (cap it — uncapped liability is a fundraising red flag)
  • Indemnification (mutual, with carve-outs)
  • Termination, data portability, and data deletion
  • Auto-renewal and price escalation mechanisms
  • Governing law (Indian law) and dispute resolution (arbitration preferred)

For B2C products, ensure your Terms of Service and Privacy Policy are updated to reflect your current product functionality and data practices.

4.3 Licensing Agreements

If your business model involves licensing technology, content, or IP to third parties, create a licensing agreement template covering:

  • Scope of licence (exclusive vs. non-exclusive, territory, duration)
  • Permitted use and restrictions
  • Royalty or licence fee structure
  • IP warranties and indemnification
  • Audit rights
  • Termination and post-termination obligations

4.4 Trademark Registration

File trademark applications for your:

  • Brand name (word mark)
  • Logo (device mark)
  • Tagline (if distinctive)
  • Product names (if you have multiple products)

Filing process:

  1. Conduct a trademark search on the IP India portal
  2. File application (Form TM-A) with the Trademarks Registry
  3. Examination and potential objections (4–8 months)
  4. Publication in the Trademark Journal (4 months opposition period)
  5. Registration (if no opposition)

Total timeline: 12–24 months for registration, but you get protection from the date of filing.

Cost: Government fee of ₹4,500 per class for startups recognised by DPIIT (₹9,000 otherwise).

File Your Trademarks Before You Are Well-Known

Trademark squatting is rampant in India. File your trademark applications as early as possible — ideally within the first six months of incorporation. The cost of filing early is minimal; the cost of fighting a squatter or rebranding is enormous.

4.5 PF and ESI Registration

Once you have 20 or more employees, registration under the Employees' Provident Fund and Miscellaneous Provisions Act, 1952 becomes mandatory. For ESI (Employees' State Insurance), the threshold is 10 or more employees in most states.

PF registration:

  • Register on the EPFO Unified Portal
  • Employer contributes 12% of basic salary; employee contributes 12%
  • File monthly returns by the 15th of the following month

ESI registration:

  • Register on the ESIC portal
  • Applicable to employees with gross salary up to ₹21,000 per month
  • Employer contributes 3.25%; employee contributes 0.75%
  • File half-yearly returns

Do Not Delay PF/ESI Registration

Many startups delay PF and ESI registration, thinking they can handle it later. When a VC conducts due diligence and discovers that you crossed the employee threshold months ago without registering, it raises serious compliance red flags. Register proactively — and ensure back-compliance if you have missed the window.

4.6 Other Regulatory Registrations (Industry-Specific)

Depending on your industry, you may need additional registrations:

| Industry | Registration/Licence |
|----------|---------------------|
| Food & beverage | FSSAI licence |
| Fintech/lending | RBI NBFC licence / payment aggregator licence |
| Healthtech | CDSCO approvals (if medical devices), state drug licences |
| Edtech | No specific licence, but consumer protection and DPDP Act compliance critical |
| E-commerce | Consumer Protection (E-Commerce) Rules, 2020 compliance |
| Drone/mobility | DGCA approvals |
| Insurance | IRDAI registration (broker/corporate agent/web aggregator) |


Phase 5: Pre-Series A (12–24 Months) — Investor Readiness

This is where all your earlier legal work pays off, or where the absence of it costs you dearly. When a VC begins due diligence, they will request a comprehensive set of documents. The speed and completeness of your response directly correlate with the speed of your fundraise.

5.1 Shareholders' Agreement (SHA) Cleanup

If you raised a seed round or angel funding, you likely signed a SHA or a SAFE/convertible note. Before approaching Series A investors:

  • Review existing SHA terms for anti-dilution provisions, liquidation preferences, board composition rights, and information rights
  • Identify any provisions that conflict with standard Series A terms (e.g., unusual veto rights, disproportionate liquidation preferences)
  • Negotiate amendments with existing investors if necessary — it is far easier to clean up a SHA before a new investor is at the table than during negotiations
  • Ensure all SHA obligations have been complied with (board meeting frequency, information rights, consent requirements for key decisions)

5.2 ESOP Grant Letters

If you have promised ESOPs to employees, ensure:

  • Individual grant letters have been issued to each grantee
  • Grant letters reference the ESOP scheme document
  • Board resolutions approving each grant are on file
  • A cap table reflecting all grants (vested and unvested) is maintained and current
  • Exercise notices and share transfer documentation for any exercised options are complete

5.3 Data Room Preparation

Prepare a virtual data room with the following documents organised by category:

Corporate documents:

  • Certificate of Incorporation and all amendments
  • MOA and AOA (current versions)
  • All board resolutions and minutes
  • All general meeting resolutions and minutes
  • Register of members (updated)
  • Share certificates issued
  • Annual returns and financial statements filed with ROC

Equity and capitalisation:

  • Cap table (fully diluted, showing all shares, ESOPs, convertible instruments)
  • ESOP scheme document, board resolutions, and individual grant letters
  • All previous investment documents (SHA, SSA, SAFE notes, convertible notes)
  • Valuation reports (for past rounds and ESOP exercises)

Contracts:

  • All co-founder agreements
  • All employment agreements (current employees)
  • All contractor/consultant agreements (current engagements)
  • Customer contracts (top 10–20 by revenue)
  • Vendor agreements (material ones)
  • IP assignment deeds (from founders, employees, contractors)
  • NDAs (template and any material bespoke NDAs)

Regulatory and compliance:

  • GST registration certificate and recent returns
  • PF and ESI registration certificates
  • DPIIT recognition certificate
  • Trademark registration certificates or application receipts
  • Professional tax registration
  • Shops and Establishment Act registration
  • Any industry-specific licences

IP and technology:

  • List of all IP owned (patents, trademarks, copyrights, domain names)
  • IP assignment deeds from all founders, employees, and contractors
  • Open-source software usage audit (list of OSS libraries and their licences)
  • Technology architecture overview

Data protection and privacy:

  • Privacy Policy (current version)
  • DPDP Act compliance documentation
  • Data processing agreements with vendors
  • Records of processing activities
  • Consent mechanism documentation
  • Data breach response plan

Litigation and disputes:

  • List of all pending, threatened, or settled litigation
  • Details of any regulatory investigations or notices
  • Material disputes with employees, customers, or vendors

5.4 Contract Audit

Before the data room goes live, conduct a comprehensive contract audit:

  1. Inventory all contracts — Create a master list of every agreement your company has signed
  2. Check for missing contracts — Are there employees without signed agreements? Contractors without IP assignment clauses? Vendors without data processing terms?
  3. Review key terms — Examine termination provisions, auto-renewal clauses, change of control provisions, and assignment restrictions across all material contracts
  4. Identify red flags — Uncapped liability, unusual exclusivity provisions, onerous termination penalties, missing governing law clauses
  5. Remediate — Execute missing agreements, amend problematic clauses, and document any contracts that cannot be amended (with a risk assessment)

5.5 Compliance Certificates

Prepare or obtain the following compliance confirmations:

  • Secretarial compliance certificate — From a practising Company Secretary confirming all ROC filings are up to date
  • Tax compliance certificate — From your CA confirming all income tax, GST, TDS, and other tax filings and payments are current
  • Labour law compliance confirmation — PF, ESI, professional tax, gratuity, bonus, and other applicable labour law obligations
  • DPDP Act compliance self-assessment — Document your current state of compliance, steps taken, and any gaps being addressed

What VCs Actually Check: The Investor Due Diligence Contract Checklist

Having worked with numerous startups through the fundraising process, we have seen that experienced Indian VC legal teams scrutinise the following most closely:

Tier 1: Deal-Breakers (Will Delay or Kill the Round)

  1. Missing IP assignment — If founders, employees, or key contractors have not assigned their IP to the company, the VC's lawyers will flag this immediately. No IP ownership = no deal.
  2. No co-founder agreement or SHA — If there is no written agreement governing the founder relationship, VCs see this as a ticking time bomb.
  3. Cap table discrepancies — If your cap table does not match your ROC filings, share certificates, and SHA provisions, the round will stall until this is reconciled.
  4. Non-compliant employment agreements — Missing IP assignment clauses, non-existent confidentiality obligations, or no signed agreements at all for key employees.
  5. Undisclosed litigation or regulatory issues — Anything material that surfaces during due diligence but was not disclosed upfront.

Tier 2: Significant Concerns (Will Require Remediation)

  1. DPDP Act non-compliance — No privacy policy, no consent mechanism, no data processing agreements with vendors.
  2. Missing statutory registrations — PF, ESI, professional tax, or industry-specific licences that should have been obtained.
  3. ESOP documentation gaps — Scheme approved but no individual grant letters, or grants exceeding the approved pool.
  4. Trademark not filed — Investors expect at least a trademark application for the brand name and logo.
  5. Poor contract management — Inability to locate signed copies of material contracts, unsigned agreements, or contracts executed without proper board authorisation.

Tier 3: Yellow Flags (Will Be Noted but Usually Not Deal-Breaking)

  1. Minor ROC filing delays — Late filing of annual returns or financial statements (correctable with late fees).
  2. Informal vendor arrangements — Verbal agreements with minor vendors (should be formalised but unlikely to block a round).
  3. Outdated Terms of Service — ToS that does not reflect current product functionality (should be updated but not a deal-breaker).

Common Pitfalls That Delay Fundraising

Based on patterns observed across hundreds of Indian startup fundraises, here are the most frequent legal pitfalls that delay Series A rounds:

1. The Missing IP Assignment Problem

The scenario: Three founders build a product over six months before incorporating. After incorporation, they transfer the domain name and deploy the code on the company's cloud account but never execute a formal IP assignment deed.

The consequence: Eighteen months later, during Series A due diligence, the VC's lawyers discover that the company does not legally own its core technology. The round pauses while IP assignment deeds are retroactively executed — often complicated if a co-founder has since departed.

The fix: Execute IP assignment deeds immediately upon incorporation. Make it part of your incorporation checklist, not something you do "when you get around to it."

2. The Handshake Co-Founder Agreement

The scenario: Two friends start a company together. They agree on a 50/50 split over coffee. No written agreement. No vesting schedule.

The consequence: One founder stops contributing after eight months but retains 50% equity. The remaining founder cannot raise capital because no VC will invest in a company where a non-contributing co-founder holds half the equity — and there is no legal mechanism to address it.

The fix: Written co-founder agreement with vesting. Always. No exceptions.

3. Non-Compliant Employment Agreements

The scenario: A startup hires its first 10 employees with offer letters but no formal employment agreements. Or the agreements are downloaded templates that do not contain IP assignment or confidentiality clauses.

The consequence: The VC's lawyers flag that the company does not own the code its engineers have written. Each employee must be asked to retroactively sign IP assignment deeds — some may refuse or demand compensation.

The fix: Use comprehensive employment agreements from day one. Ensure every agreement contains clear IP assignment, confidentiality, and non-solicitation clauses.

4. No SHA from Seed Round

The scenario: A startup raises angel funding through informal convertible notes or even direct equity issuance without a proper SHA or investment agreement.

The consequence: Series A investors cannot determine the rights of existing shareholders, making it impossible to structure the new round's terms without first negotiating a retroactive agreement with existing investors.

The fix: Even for small angel rounds, execute a proper SHA or SAFE note with clearly defined terms.

5. DPDP Act Non-Compliance

The scenario: A SaaS startup processes personal data of thousands of users but has no privacy policy, no consent mechanism, and no data processing agreements with its cloud providers.

The consequence: The VC's legal team identifies regulatory risk. At minimum, the startup must implement compliance measures before closing — at worst, it raises questions about management's approach to regulatory obligations.

The fix: Implement DPDP Act compliance from the day you start collecting user data. It is far easier (and cheaper) to build compliance into your product from the start than to retrofit it later.


Regulatory Registrations Timeline — Quick Reference

Here is a consolidated timeline of all regulatory registrations an Indian startup should complete:

| Registration | When to File | Where | Approximate Timeline |
|-------------|-------------|-------|---------------------|
| Company incorporation (ROC) | Day 0 | MCA portal (SPICe+) | 7–15 days |
| PAN and TAN | With incorporation | Automatic via SPICe+ | With incorporation |
| GST registration | With incorporation (if applicable) | AGILE-PRO-S / GST portal | 7 working days |
| Bank account | Within 1 week of incorporation | Chosen bank | 3–7 days |
| DPIIT recognition | Within 1 month | Startup India portal | 2–5 working days |
| Shops & Establishment | Within 30 days of commencing business | State portal | 7–15 days |
| Professional tax | Within 30 days | State portal | 7–15 days |
| INC-20A (Commencement of Business) | Within 180 days of incorporation | MCA portal | 3–5 days |
| Trademark application | Within 6 months (recommended) | IP India portal | 12–24 months for registration |
| PF registration | When employee count reaches 20 | EPFO portal | 7–15 days |
| ESI registration | When employee count reaches 10 | ESIC portal | 7–15 days |
| FSSAI licence | Before commencing food business | FSSAI portal | 30–60 days |
| Import-Export Code (IEC) | Before first import/export | DGFT portal | 3–5 days |


DPDP Act 2023 Compliance Timeline for Startups

Given the importance of data protection compliance in 2026, here is a focused timeline:

Immediate (if not already done):

  • Draft and publish a DPDP Act-compliant Privacy Policy
  • Implement a valid consent mechanism (opt-in, not pre-checked boxes)
  • Establish a grievance redressal mechanism with a designated contact person

Within 3 months:

  • Conduct a data mapping exercise (what data you collect, where it is stored, who has access, how long you retain it)
  • Execute Data Processing Agreements with all vendors who process personal data on your behalf
  • Implement technical security safeguards (encryption, access controls, audit logs)

Within 6 months:

  • Establish a personal data breach response plan and notification procedure
  • Implement data retention and deletion policies
  • Review and update consent mechanisms for any new data processing activities
  • Train your team on DPDP Act obligations

Ongoing:

  • Regular review and update of privacy documentation
  • Respond to data principal requests within prescribed timelines
  • Document all processing activities and maintain records
  • Monitor regulatory updates from the Data Protection Board of India

Your Complete Checklist — Summary

Use this as a printable reference:

Pre-Incorporation

  • [ ] Co-founder agreement (with vesting, IP, exit provisions)
  • [ ] IP assignment deed (for pre-existing IP)
  • [ ] NDA templates (one-way and mutual)
  • [ ] Advisor agreement (if engaging advisors)

Incorporation

  • [ ] Company incorporation via SPICe+ (ROC)
  • [ ] PAN and TAN obtained
  • [ ] GST registration completed
  • [ ] Bank account opened
  • [ ] DPIIT recognition obtained
  • [ ] Professional tax registration
  • [ ] Shops and Establishment Act registration

Post-Incorporation (0–6 Months)

  • [ ] Employment agreements (all employees)
  • [ ] Contractor/consultant agreements
  • [ ] Terms of Service
  • [ ] Privacy Policy (DPDP Act compliant)
  • [ ] DPDP Act compliance measures implemented
  • [ ] ESOP plan approved and filed
  • [ ] Board meeting minutes maintained
  • [ ] Statutory registers set up
  • [ ] INC-20A filed (commencement of business)

Growth (6–18 Months)

  • [ ] Vendor agreements (all material vendors)
  • [ ] Customer contracts / SaaS agreements
  • [ ] Licensing agreements (if applicable)
  • [ ] Trademark applications filed
  • [ ] PF registration (if threshold crossed)
  • [ ] ESI registration (if threshold crossed)
  • [ ] Industry-specific licences obtained
  • [ ] Data processing agreements with vendors

Pre-Series A (12–24 Months)

  • [ ] SHA reviewed and cleaned up
  • [ ] ESOP grant letters issued to all grantees
  • [ ] Cap table reconciled and updated
  • [ ] Data room prepared and organised
  • [ ] Contract audit completed
  • [ ] All IP assignment deeds on file
  • [ ] Compliance certificates obtained
  • [ ] Open-source audit completed
  • [ ] DPDP Act compliance documented

Frequently Asked Questions

What is the minimum set of legal documents a startup needs before approaching investors?

At the absolute minimum, you need: (1) a co-founder agreement with vesting provisions, (2) IP assignment deeds from all founders and key contributors, (3) employment agreements with IP assignment clauses for all employees, (4) your certificate of incorporation, MOA, and AOA, (5) a current and reconciled cap table, (6) a DPDP Act-compliant privacy policy, and (7) any previous investment agreements (SHA, SAFE notes). Missing any of these will delay your fundraise.

How long does it take to incorporate a company in India in 2026?

Using the SPICe+ form on the MCA portal, incorporation typically takes 7–15 business days from the date of form submission, assuming all documents are in order and there are no objections from the ROC. Obtaining the DSC (Digital Signature Certificate) for directors takes an additional 1–3 days if not already obtained. The entire process from preparing documents to receiving the Certificate of Incorporation usually takes 2–4 weeks.

Is DPDP Act compliance mandatory for early-stage startups?

Yes. The Digital Personal Data Protection Act, 2023 applies to any entity that processes digital personal data within India or processes personal data of individuals in India. There is no exemption based on company size or stage. If your startup collects user names, email addresses, phone numbers, or any other personal data, you must comply. The penalties for non-compliance can be significant — up to ₹250 crore per instance of violation. More practically, VCs in 2026 actively assess DPDP compliance during due diligence.

When should a startup set up an ESOP plan?

Ideally within the first six months of incorporation, and definitely before making any equity promises to employees. Setting up the ESOP plan early gives you a formal framework for grants, avoids informal "we will give you equity later" commitments that create legal complications, and demonstrates to investors that you have a structured approach to talent retention. The process requires a special resolution, so plan for a general meeting.

What happens if a co-founder leaves and there is no vesting schedule?

Without a vesting schedule, the departing co-founder retains their full equity stake regardless of how long they contributed. This creates a "dead equity" problem — a significant portion of the cap table is held by someone no longer contributing to the company. Most VCs will not invest in such a scenario, or will require a restructuring of the cap table as a condition to investment. This restructuring often involves difficult negotiations and, in worst cases, litigation. A well-drafted co-founder agreement with a standard four-year vesting schedule and one-year cliff prevents this entirely.

Do I need separate agreements for employees and contractors?

Absolutely. Using an employment agreement for a contractor (or vice versa) creates serious legal risks. If a contractor is treated as an employee under Indian labour laws (based on the nature of the relationship, control exercised, and exclusivity), you may face claims for PF, ESI, gratuity, and other employment benefits — plus penalties for non-compliance. Use employment agreements for employees and independent contractor agreements for freelancers and consultants. The key differentiators are control, exclusivity, and integration into the organisation.

What is the cost of trademark registration for DPIIT-recognised startups?

For DPIIT-recognised startups, the government fee for trademark filing is ₹4,500 per class per application (compared to ₹9,000 for non-startup entities). Most startups file in 1–3 classes (e.g., Class 9 for software, Class 42 for SaaS services, Class 35 for business services). Additional costs include trademark attorney fees, which typically range from ₹5,000 to ₹15,000 per application depending on the firm. In total, expect to spend ₹10,000–₹50,000 for comprehensive trademark protection, which is a fraction of the cost of rebranding or fighting infringement later.

How should I prepare for Series A due diligence?

Start preparing at least three to six months before you expect to begin fundraising conversations. Create a virtual data room organised by category (corporate, equity, contracts, regulatory, IP, data protection, litigation). Conduct a contract audit to identify and remediate gaps. Reconcile your cap table against ROC filings and SHA provisions. Ensure all IP assignments are on file. Update your DPDP Act compliance documentation. Obtain compliance certificates from your CS and CA. The goal is to have every document a VC might request available within 24 hours of the request. Delays in document production signal disorganisation and erode investor confidence.

Can I use the same privacy policy template for web and mobile applications?

You can use a single privacy policy that covers both your web and mobile applications, but it must address the specific data collection and processing activities of each platform. Mobile apps often collect additional data (device information, location data, push notification tokens, camera/microphone access) that your web application may not. Your privacy policy must accurately describe all data collected across all platforms, the purposes of collection, and the consent mechanisms used. Under the DPDP Act, your notice to data principals must be specific and accurate — a generic template that does not reflect your actual practices is non-compliant.

What are the penalties for late ROC filings?

Late filing of annual returns (Form MGT-7A) attracts a penalty of ₹100 per day of delay, with no cap on the maximum penalty. Late filing of financial statements (Form AOC-4) also attracts ₹100 per day. For persistent default (filing not done for three consecutive years), the company can be struck off by the ROC, and directors face disqualification under Section 164(2) of the Companies Act. Director disqualification means the individual cannot be appointed as a director in any company for five years — a severe consequence that can derail fundraising if a founder-director is disqualified. Keep your filings current. Always.


Final Thoughts

Building a startup in India in 2026 is more accessible than ever — but the legal and regulatory landscape has grown proportionally more complex. The DPDP Act, evolving labour codes, GST compliance, and increasingly rigorous VC due diligence standards mean that "we will sort out the legal stuff later" is no longer a viable strategy.

The good news is that none of this is insurmountable. With a systematic, phase-by-phase approach — starting from pre-incorporation and building through to Series A readiness — you can stay compliant, avoid the pitfalls that delay fundraising, and present a clean legal profile to investors.

The checklist in this post covers every major legal and compliance requirement you will encounter in your first 24 months. Use it as your roadmap. Revisit it quarterly. And when your VC's lawyers send over their due diligence request list, you will be ready.


LexiReview Editorial Team

Our editorial team comprises legal tech experts, compliance specialists, and AI researchers focused on transforming contract management for Indian businesses.
