Build a data room that closes Series A in 60 days. Six-stream checklist covering legal, financial, tax, HR, contracts and IP for Indian startups in 2026.
Due Diligence Ready: Legal, Financial & Tax Docs You'll Need
When a term sheet lands, most founders celebrate for 24 hours β then panic for the next 90 days hunting documents. In 2026, Indian VC and PE funds typically send 80β200 document requests across six streams: corporate, financial, tax, contracts, HR and IP. The deal rarely stalls on valuation. It stalls because a startup cannot produce a clean three-year GST audit trail or has never reconciled its cap table with MCA V3. Build your data room before you pitch, and a 60-day close from term sheet to wire transfer is genuinely achievable.
Why Indian Due Diligence Is Harder Than It Looks
Indian regulatory compliance layers are unusually complex for early-stage companies. A startup that incorporated in 2022, took a small bridge round, onboarded 15 employees, and signed three SaaS customers has already touched the Companies Act 2013, the Income-tax Act 1961, CGST Act 2017, EPF Act 1952, the DPIIT Startup India framework, and β since 11 August 2023 β the Digital Personal Data Protection Act (DPDP Act). Each of these generates its own document trail.
Investors do not just want the documents. They want evidence that the documents are consistent with each other. A cap table that does not match Form PAS-3 filings on MCA V3 is an instant yellow flag. A revenue figure in the management accounts that differs from the GSTR-1 output is a red flag that can delay closing for weeks.
The six-stream checklist below is structured in the same order a typical diligence firm will work through it.
Stream 1 β Corporate & Secretarial
This stream is reviewed first because it establishes the basic legal existence and ownership of the company. Any gaps here block every other stream.
Foundational Documents
- Certificate of Incorporation and, if the company has changed its name, every successive certificate.
- Current Memorandum and Articles of Association (MOA & AOA) β investors check that your objects clause covers your current business and that your AOA contains the anti-dilution, drag-along, tag-along and pre-emption rights your earlier investors were promised.
- DPIIT Certificate (if recognised) and the Form 2 acknowledgement from the Startup India portal. DPIIT recognition unlocks Section 80-IAC tax holiday and protects against Section 56(2)(viib) angel tax β see Stream 3.
ROC Filing History
Pull every filing since incorporation from MCA V3 and build a chronological log:
- Form PAS-3 (Return of Allotment) for every round, including ESOP exercises
- Form SH-7 (Notice of Alteration of Share Capital) for any authorised capital increases
- Form MGT-14 (Filing of Board/Special Resolutions) for every significant resolution
- Form DIR-12 for each director appointment or cessation
- Annual compliance: Form AOC-4 (financial statements) and MGT-7A (annual return) for every financial year
Common gap: Many startups miss filing MGT-14 for resolutions passed at the time of a convertible note or SAFE conversion. Investors cross-check resolutions in the minutes book against MCA V3; any missing filing triggers a compounding application, which adds two to four weeks to the timeline.
Cap Table Reconciliation
Your cap table must reconcile to the day: shares outstanding per the statutory register, shares per PAS-3 filings, and share certificates in the hands of each shareholder must all agree. Include:
- Equity shares (fully paid, partly paid)
- CCPS / CCD / Warrants outstanding
- ESOP pool: granted, vested, lapsed, exercised
- Any convertible instruments not yet converted
If you raised on SAFEs (Simple Agreements for Future Equity), note that MCA does not have a prescribed form for SAFEs β your legal counsel's opinion letter explaining their treatment is a required document.
Stream 2 β Financial Records
Investors will reconstruct your P&L, balance sheet and cash flow from raw data. Give them the data before they have to ask for it.
Audited and Management Accounts
- Audited financial statements for the three completed financial years preceding the round (FY 2024-25, FY 2023-24, FY 2022-23 for a mid-2026 raise)
- Board-approved management accounts month-by-month for the current financial year (FY 2026-27)
- 18-month revenue and cash flow projections with assumptions annotated β not a single "hockey stick" slide, but a model where an analyst can change the churn assumption and see the impact
Supporting Schedules
Do not make investors extract these themselves. Attach:
- Debtors ageing schedule: show every invoice over 90 days overdue and your provisioning rationale
- Creditors schedule: outstanding vendor payables, disputed amounts
- Prepaid and accrual schedule: SaaS subscriptions paid in advance, deferred revenue
- Capex register: asset-by-asset with purchase date, cost, depreciation method and WDV
- Bank statements (all accounts, last 24 months) β reconciled to the closing balance in each month's trial balance
A Worked Numbers Example
Suppose your startup raised Rs. 4 crore at a Rs. 20 crore post-money valuation in FY 2023-24. The investor's diligence team will take your GSTR-1 turnover for that year, your audited revenue figure, and your ITR-6 return and compare all three. If your GSTR-1 shows taxable supply of Rs. 1.80 crore but your P&L shows revenue of Rs. 2.40 crore, you need a one-page reconciliation note explaining the difference (export of services, exempt supply, timing differences). Without that note, the diligence query goes to your auditor, your GST consultant and your CFO simultaneously β and the round stalls.
Stream 3 β Tax Compliance
Tax is the stream where most Indian startups are caught unprepared. Three sub-streams matter most.
Direct Tax: ITR-6, Audit Reports and Notices
For each of the last three completed assessment years (AY 2025-26, AY 2024-25, AY 2023-24):
- ITR-6 (the income tax return form for companies) with acknowledgement (ITR-V)
- Form 3CA-3CD (tax audit report) if turnover exceeded the threshold under Section 44AB
- Form 26AS, AIS and TIS downloaded from the income tax e-filing portal β investors check these against your P&L for unreported income signals
- All outstanding CPC intimations and notices under Sections 143(1), 143(2), 148 and their disposals. An open scrutiny notice is not automatically a deal-breaker, but an undisclosed one is.
TDS: The Hidden Compliance Hole
Every quarter, a company is required to file TDS returns β Form 24Q (salary TDS) and Form 26Q (non-salary TDS, e.g. professional fees, rent, interest). Due dates for FY 2026-27 are 31 July 2026, 31 October 2026, 31 January 2027 and 31 May 2027.
Late filing attracts a fee under Section 234E of Rs. 200 per day per return, up to the TDS amount. A startup that was 150 days late on a single quarterly 26Q return with Rs. 60,000 in TDS would owe Rs. 200 Γ 150 = Rs. 30,000 in late fees, plus interest under Section 201(1A) at 1.5% per month from the deduction date to the payment date. Investors will ask you to show a clean TRACES dashboard with zero defaults. Resolve any defaults before you open the data room.
Ensure you have Form 16A (TDS certificates) issued for every deductee for every quarter. Missing or late-issued Form 16A certificates break your vendors' ability to claim credit β a vendor complaint during diligence is embarrassing.
GST: GSTR-1, 3B, 9 and 9C
For each GST-registered entity, compile:
- GSTR-1 (outward supply return): monthly for turnovers above Rs. 5 crore, quarterly (QRMP) otherwise
- GSTR-3B (summary return with payment): monthly or quarterly per QRMP scheme
- GSTR-9 (annual return): compulsory for registered persons with turnover above Rs. 2 crore
- GSTR-9C (reconciliation statement, auditor-certified): compulsory above Rs. 5 crore
A common error is unreconciled differences between GSTR-1 and GSTR-3B for the same period. If your GSTR-3B declared Rs. 10 lakh of tax but GSTR-1 shows supplies implying Rs. 11.5 lakh, the Department may issue a scrutiny notice under Section 61 of the CGST Act β and an investor will find it in your GST portal login during diligence.
Section 56(2)(viib) β Angel Tax Workings
Every share allotment at a premium above fair market value must be supported by a Rule 11UA valuation report (Discounted Cash Flow or NAV method). For rounds where you took money from non-DPIIT-recognised investors (including foreign angels before FEMA approval), these workings are critical. DPIIT-recognised startups are exempt from Section 56(2)(viib) under CBDT Notification No. 13/2023, but you must have the recognition certificate and ensure it covers the allotment date.
If transfer pricing applies β i.e. you have a subsidiary, parent or overseas related party with which you have cross-border transactions β a Form 3CEB (Transfer Pricing Audit Report) is mandatory for each relevant year.
Stream 4 β Contracts & Commercial Agreements
Customer Contracts
Provide the top 20 customer agreements by revenue. For each, flag:
- Change-of-control clause: Does the customer have the right to terminate if your shareholding changes by more than 50%? This is common in government and BFSI contracts and can wipe out valuation if left undisclosed.
- Assignability: Can the contract be assigned to a NewCo in a restructuring? Critical for holding-subsidiary structures common in late-stage rounds.
- Revenue recognition terms: milestone payments, acceptance criteria, support SLAs that affect deferred revenue
Vendor, Lease and Finance Agreements
- All SaaS and cloud infrastructure contracts (AWS, Azure, GCP) β investors want to see your committed spend, termination rights, and whether any credits are offsetting your burn
- Lease deeds for office premises: registered or unregistered, escalation clauses, security deposit amount
- Loan agreements, OD facilities, debenture trust deeds and any hypothecation or charge created on assets. Cross-check charges registered with the Registrar of Companies β any charge not satisfied (Form CHG-4 not filed) is a problem
- Non-disclosure and confidentiality agreements with key partners
Stream 5 β HR, Payroll & ESOP
Employee Records
- Employee master list with date of joining, designation, CTC and current employment status
- Appointment letters for all current employees
- PF and ESIC compliance: ECR challans for the last 24 months, EPF and ESIC registration certificates, employee UAN records
Statutory Deductions β A Quick Penalty Check
For a 50-person startup in Bengaluru with a monthly payroll of Rs. 50 lakh, a single month's delay in EPF remittance attracts interest at 12% per annum under Section 7Q of the EPF Act, plus damages under Section 14B ranging from 5% to 25% of the arrear depending on the delay period. On Rs. 5 lakh of employer EPF contribution that is 60 days late, the interest alone is approximately Rs. 10,000 and damages could reach Rs. 25,000β1,25,000. Investors ask for the last two years of PF payment acknowledgements because a pattern of late remittance signals payroll management risk.
ESOP Documentation
- ESOP scheme document approved by the Board and shareholders (SH resolution + MGT-14 filing)
- Grant letters with vesting schedules for each grantee
- Exercise tracker: granted, vested, exercised, lapsed, forfeited
- Valuation report at each grant date (Rule 3(6) of Companies (Share Capital and Debentures) Rules 2014)
- Form 3 (PAS-3) filed for every ESOP exercise batch
An undocumented ESOP scheme where employees have been informally promised options but no scheme has been registered with MCA is one of the most common deal-breakers in early-stage Indian diligence. Fix this before the term sheet.
Stream 6 β Intellectual Property & DPDP Privacy Compliance
IP Documentation
- Trademark: Filing receipts from IP India, examination reports, registration certificates. If your brand name is not registered in Class 42 (software/IT services), note it as a gap β investors will.
- Patents: Provisional and complete specifications, examination and hearing records
- Copyright: For core proprietary code and original content, maintain an internal copyright register with creation dates. Copyright deposits with the Copyright Office (Register of Copyrights) are optional but admissible as prima facie evidence.
- IP assignment agreements: Every founder, co-founder, contractor and freelancer who wrote code or created content must have signed a written IP assignment agreement vesting ownership in the company. A co-founder who left without signing this is an existential issue β resolve it with a deed of assignment before diligence opens.
DPDP Act 2023 Compliance
The Digital Personal Data Protection Act 2023 (DPDP Act) is now in force. Even without all subordinate rules being notified, your data room must show investors that you are operationally prepared:
- Privacy Notice: A clear, plain-language notice provided to data principals (customers, employees) at the point of collection. Must describe the purpose of processing and the rights of the data principal.
- Consent mechanism: For each category of personal data you process, document how consent is obtained, stored and can be withdrawn. A consent management spreadsheet or a screenshot trail of your cookie/consent banner is acceptable at this stage.
- Grievance Officer appointment: You must appoint a Data Protection Officer or Grievance Officer and publish their name and contact details. This can be an internal employee. Document the appointment resolution.
- Cross-border data transfer: If your servers are outside India (most AWS India regions are Indian, but a Cloudflare or Supabase US region is not), map your data flows and show that the destination is on the permissible list once notified.
- Cybersecurity posture: ISO 27001 or SOC 2 Type II certificates are a positive signal. At minimum, have a written Information Security Policy, an incident response procedure, and a last-12-months vulnerability scan report.
How to Structure Your Virtual Data Room
A virtual data room (VDR) is not a shared Google Drive with 200 files dumped at the root level. Use a logical hierarchy that mirrors the six streams above:
``` 01 Corporate & Secretarial/ 01.1 Incorporation & Constitution/ 01.2 ROC Filings (chronological)/ 01.3 Board & Shareholder Minutes/ 01.4 Cap Table & Share Certificates/
02 Financials/ 02.1 Audited Accounts FY2022-23 to FY2024-25/ 02.2 Management Accounts FY2026-27 (monthly)/ 02.3 Projections & Model/ 02.4 Supporting Schedules/
03 Tax/ 03.1 Direct Tax (ITR, 3CA-3CD, Notices)/ 03.2 TDS Returns (24Q, 26Q) & TRACES/ 03.3 GST Returns (GSTR-1, 3B, 9, 9C)/ 03.4 Transfer Pricing & 11UA Reports/
04 Contracts/ 04.1 Customer Agreements/ 04.2 Vendor & SaaS Contracts/ 04.3 Lease & Property/ 04.4 Loan & Charge Documents/
05 HR & ESOP/ 05.1 Employee Master & Letters/ 05.2 PF, ESIC & PT Records/ 05.3 ESOP Scheme & Grant Letters/
06 IP & Compliance/ 06.1 Trademark & Patent/ 06.2 IP Assignment Agreements/ 06.3 DPDP β Privacy Notices & Consents/ 06.4 Cybersecurity Certifications/ ```
Use a dedicated VDR tool β Diligent, Firmex, or even a well-organised SharePoint with granular access controls β rather than a generic cloud storage product. Grant view-only, no-download access to the investor's counsel until NDAs are countersigned by all parties.
Common Pitfalls to Avoid
These are the most frequent issues that add 30β60 days to a close in practice:
- Cap tableβMCA mismatch: Failing to file PAS-3 promptly after each allotment means the cap table in your spreadsheet does not match the statutory register. Fix this by running a PAS-3 reconciliation before opening the data room.
- Open GST notices ignored: Many startups receive system-generated GST scrutiny notices under Section 61 and do not respond within 30 days. An unanswered notice shows as "pending" in the GST portal during diligence.
- Missing 26AS/AIS reconciliation: If an investor's payment to your startup appears in your 26AS under a TDS deduction but your P&L does not show the corresponding revenue, expect a 10-working-day query cycle.
- Undocumented ESOP grants: Verbal ESOP promises to early employees without a board-approved scheme create personal liability for directors and potentially Section 67 violations under the Companies Act.
- No IP assignment from co-founders: If a co-founder's equity has fully vested but they never signed an IP assignment agreement, the company technically does not own the code they wrote. This requires a post-facto deed and legal opinion, adding two to three weeks.
- FEMA non-compliance on foreign investment: Startups that received money from NRIs or foreign entities on a non-FEMA-compliant basis (e.g. no FC-GPR filed within 30 days of allotment) need a compounding application with RBI. Expect 8β12 weeks for compounding. Disclose this early; concealment after signing is a ground for warranty breach.
- DPDP consent logs missing: In 2026, most Series A term sheets now include a rep-and-warranty on data protection compliance. If you cannot show documented consent flows for your user data, expect a specific indemnity carve-out in the SHA.
Worked Example β A SaaS Startup's Data Room Gap Analysis
Consider Finstack Technologies Private Limited (fictional), a B2B SaaS company raising Series A in August 2026. Revenue: Rs. 6 crore (FY 2025-26), 40 employees, one overseas subsidiary in Singapore.
Gap found on Day 1 of diligence: GSTR-9C for FY 2024-25 was not filed (turnover crossed Rs. 5 crore in that year). The late fee is Rs. 200 per day (Rs. 100 CGST + Rs. 100 SGST) per the CGST Act, starting from 31 December 2025. By the time diligence opens on 1 August 2026, that is 214 days Γ Rs. 200 = Rs. 42,800 in late fees, plus a maximum cap of Rs. 50 per lakh of turnover (for reconciliation statement, the cap as per CBDT/CGST notification applies β verify the prevailing notification for exact cap). The gap had to be filed, fees paid, and a no-objection letter from the GST practitioner obtained before the investor's counsel would sign off. That took 12 working days.
Gap found on Day 4: The Singapore subsidiary had been incorporated in FY 2023-24 and had signed a cost-sharing arrangement with the Indian parent. No transfer pricing study (Form 3CEB) had been filed for AY 2024-25 because the CFO was not aware it was required for a cost-sharing arrangement. The TP filing was compulsorily required under Section 92E. Penalty for non-filing is Rs. 1,00,000 (flat) per year under Section 271BA. The startup had to engage a transfer pricing specialist, conduct a benchmarking study, and file a revised return β a three-week exercise.
Both issues were fixable. But they added 25 working days to the timeline, cost approximately Rs. 4β5 lakh in consultant fees and late fees, and required two rounds of investor investor queries. Neither would have arisen if the startup had run a half-day internal compliance audit before filing its Series A deck.
Key Takeaways
- Build your data room at incorporation, not when the term sheet arrives. Maintain it as a living folder β update it within two weeks of every board meeting, every ROC filing, and every employee joining or leaving.
- The three documents most often missing in Indian startup diligence are: (1) PAS-3 for ESOP exercises, (2) GSTR-9C for years where turnover crossed Rs. 5 crore, and (3) IP assignment agreements from departed co-founders or contractors.
- Tax consistency across three reports β GSTR-1, ITR-6, and audited P&L β is the first thing a diligence accountant checks. Reconcile these before opening the data room; prepare a one-page narrative explaining every material difference.
- Section 56(2)(viib) workings must exist for every allotment since incorporation, regardless of whether you later received DPIIT recognition. Retroactive workings require a CA certificate with contemporaneous evidence.
- DPDP Act compliance is now a standard rep-and-warranty item in Indian term sheets. Documenting your consent flows, grievance officer appointment, and cross-border data transfer map costs less than one day of a junior lawyer's time β do it now.
- Foreign investment compliance (FEMA/FC-GPR) issues are best resolved through compounding before diligence opens. Disclosure after signing a term sheet is far less damaging than discovery mid-diligence.
- Run an internal mock diligence every six months using this six-stream checklist. Assign a named owner (typically your CFO or Company Secretary) for each stream. A 60-day close is achievable only if the data room was effectively 80% ready before the term sheet was even signed.
![Read article: Founder Shareholding: 5 Critical Mistakes That Kill Fundraises [2026 Guide]](/_next/image?url=%2Fapi%2Fmedia%2Ffile%2Funnamed-file-2.png&w=3840&q=75)
![Read article: Property Due Diligence Before Buying: 12 Legal Checks Every Buyer Must Do [2025 Guide]](/_next/image?url=%2Fapi%2Fmedia%2Ffile%2FProperty-Due-Diligence.png&w=3840&q=75)