
Legal work involved in Technology Business

Indian technology businesses in 2026 must build a legal foundation covering company incorporation under the Companies Act, 2013, foundational contracts and SaaS terms, intellectual property protection through trademarks, copyrights and patents, compliance with the Digital Personal Data Protection Act, 2023, and sector-specific rules from RBI, SEBI, MEITY and the Ministry of Health. Employment contracts must address IP assignment and ESOP plans require board and shareholder approval. FDI compliance, FC-GPR filings, related-party documentation and clean cap-table records drive valuation and exit readiness.

Priyanka Wadhera
Published: 31 Dec 1998
Updated: 23 May 2026

Legal checklist for Indian technology businesses in FY 2026-27: entity setup, DPDP Act, IP, sector regulation, ESOPs, contracts, and funding readiness.



Running a technology business in India in FY 2026-27 means managing at least eight distinct legal disciplines simultaneously — entity governance, data protection, intellectual property, sector regulation, employment, funding compliance, contracts, and dispute readiness. The Digital Personal Data Protection Act, 2023 is now fully operational. RBI, SEBI, and CCI are enforcing sector-specific rules more aggressively than at any earlier point. Founders who treat legal work as back-office plumbing pay for that view in valuation discounts, regulatory shutdowns, and customer-trust collapse. This guide gives you the practical checklist.


1. Entity Setup: Getting the Foundation Right

Most Indian technology ventures incorporate as a private limited company under the Companies Act, 2013 — and for good reason. The structure supports Employee Stock Option Plans (ESOPs), allows multiple classes of shares (equity and preference), is compatible with foreign direct investment under the automatic route, and creates limited liability for founders.

Your founding documents must be drafted to survive a Series A due-diligence review, not just the incorporation filing:

  • Memorandum of Association (MOA): Keep the objects clause broad enough for adjacent business lines. Narrowly drafted MOAs require expensive special-resolution amendments later.
  • Articles of Association (AOA): Include drag-along, tag-along, anti-dilution, and pre-emption rights from inception — not as afterthoughts when an investor demands them.
  • Founders' Agreement: Lock in vesting schedules (standard is a 1-year cliff, monthly vesting over 4 years), IP assignment from each founder to the company, and a non-compete during tenure. Oral understandings between co-founders are litigation-in-waiting.
  • Shareholders' Agreement (SHA): Govern investor rights, information rights (monthly MIS, quarterly financials), board composition, and reserved matters requiring investor consent.

Register the company on MCA V3 (the current MCA portal). Post-incorporation, complete:

  1. PAN and TAN application (linked to entity PAN)
  2. GST registration within 30 days of crossing the threshold — or immediately if you provide inter-state supply of services (18% GST applies to most SaaS and IT services)
  3. Shops and Establishments Act registration in the state of your principal office
  4. Professional Tax registration where applicable (Maharashtra, Karnataka, West Bengal, etc.)
  5. Importer-Exporter Code (IEC) if you intend to export software services or receive foreign remittances under FEMA

One common trap: founders incorporate in a hurry using generic MOA objects copied from the internet, then find that a particular fintech or health-tech activity is not covered. A MOA amendment requires a special resolution and ROC filing — a 4-6 week delay at a critical business moment.


2. Data Protection Under the DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is the most consequential new compliance obligation for every Indian technology business. It applies from the date the Central Government notified operational provisions — most of the substantive rules are in force by 2026.

Key obligations for a Data Fiduciary (your company):

  • Obtain free, specific, informed, and unambiguous consent before collecting personal data. Blanket opt-in checkboxes or bundled consents do not satisfy this standard.
  • State the purpose at the time of collection. You cannot repurpose data collected for one reason (say, delivery logistics) for another purpose (behavioural targeting) without fresh consent.
  • Honour data principal rights: right to access, right to correction, right to erasure, and the right to nominate a successor for their data.
  • Notify the Data Protection Board and the affected data principal of any personal data breach in the prescribed form and within the prescribed timeline (rules to be notified; build a 72-hour notification readiness as a conservative benchmark).
  • Children's data: If your product may be accessed by users under 18, you need verifiable parental consent. Age-gating mechanisms must be technically robust, not just checkbox declarations.

Significant Data Fiduciaries (SDFs): If the Central Government designates your business as an SDF — based on the volume and sensitivity of personal data processed — you have additional obligations: appointment of a Data Protection Officer (DPO) (who must be based in India and accessible to data principals), appointment of an independent Data Auditor, and periodic impact assessments.

Penalties under the DPDP Act, 2023 (Schedule to the Act):

  • Failure to implement adequate security safeguards resulting in a breach: up to Rs. 250 crore
  • Failure to notify the Board of a breach: up to Rs. 200 crore
  • Breach of obligations regarding children's data: up to Rs. 200 crore
  • Other non-compliance: up to Rs. 50 crore

These are per-event penalties, not annual caps. For a 100-person SaaS company, a single breach without a proper notification mechanism could exceed the company's net worth.

Practical action today: Conduct a data inventory (what personal data you collect, where it is stored, how long it is retained, who has access). Draft a consent framework aligned with the Act. Update your privacy policy to reflect DPDP language — not just GDPR boilerplate.


3. Intellectual Property: Your Most Valuable, Most Neglected Asset

Source code, brand identity, proprietary algorithms, and user-experience design are the core assets of every technology business. They are also the assets most frequently left unprotected.

Trademark registration under the Trade Marks Act, 1999 is your first priority. File in the relevant classes — Class 42 (computer services, SaaS, software development) is almost always required; Class 35 (advertising, business management) applies if you run a marketplace; Class 9 (downloadable software, apps) applies to consumer-facing products. The Indian trademark registry now operates a fast-track examination process. A registered trademark gives you statutory presumption of ownership and the right to seek an injunction without proving actual damage.

Copyright in original source code vests automatically in the employer (if the code is written by employees in the course of employment) under Section 17 of the Copyright Act, 1957 — but only if your employment contracts are properly drafted. A freelance developer who writes your core module without an IP assignment clause owns that code. Fix this with a written Work-for-Hire and IP Assignment Agreement before any code is committed.

Design registration under the Designs Act, 2000 covers distinctive UI screens and product aesthetics — an underused protection in the Indian tech industry. A registered design gives you a 10-year monopoly (extendable by 5 years) against copying of the visual form.

Practical checklist for IP hygiene:

  1. Every employment offer letter must include an IP assignment clause vesting all work product in the company.
  2. Every contractor/vendor agreement must include a specific assignment of IP (not just a licence).
  3. Conduct a trademark clearance search before you launch a product name — not after you have 50,000 users and a conflicting mark surfaces.
  4. Maintain a source-code repository with access controls and an audit trail.

4. Sector-Specific Regulation You Cannot Ignore

A "technology company" is rarely just technology. The sector your product touches determines your regulatory universe.

Fintech: If you aggregate payments, you need a Payment Aggregator (PA) licence from RBI. The 2020 RBI Payment Aggregator Guidelines require: a minimum net worth as notified by RBI (periodically revised), a CISO, grievance redressal mechanisms, and system-audit reports. Operating as an unregistered PA is a FEMA and Payment and Settlement Systems Act offence. If you issue prepaid instruments (wallets), a PPI licence is required. Digital lending platforms must comply with the 2022 RBI Digital Lending Guidelines — including the prohibition on First Loss Default Guarantee structures not meeting prescribed conditions, mandatory loan servicing through the lending institution's own account, and KYC norms.

Health-tech: Telemedicine platforms must comply with the Telemedicine Practice Guidelines, 2020 (Appendix 5 of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations). Diagnostic apps and AI-based diagnostic tools may require CDSCO registration as a Software as a Medical Device (SaMD). Health data is sensitive personal data under the DPDP Act — requiring heightened security and explicit consent.

E-commerce: If you operate a marketplace with third-party sellers, the Consumer Protection (E-Commerce) Rules, 2020 impose obligations on you as the "marketplace entity" — mandatory seller disclosure, country-of-origin labelling, no flash-sale manipulation, and a mandatory grievance officer. FDI in e-commerce is permitted under the automatic route at 100% for marketplace models, but prohibited for inventory-based models. The distinction matters enormously for structuring.

Crypto / Virtual Digital Assets (VDAs): Deduct TDS at 1% under Section 194S of the Income Tax Act, 1961 on VDA transfers exceeding Rs. 50,000 in a financial year (Rs. 10,000 for individuals not in business). GST on VDA exchanges is under litigation (many positions taken; no settled guidance as of 2026). Register with FIU-IND as a Virtual Asset Service Provider (VASP) — mandatory under the Prevention of Money Laundering Act, 2002.


5. Employment, ESOPs, and Contractor Compliance

Employment contracts must cover: IP assignment, confidentiality during and after tenure, non-solicitation of employees and customers (typically 12-24 months post-exit), garden leave where warranted, and a clear termination procedure consistent with the Industrial Disputes Act, 1947 for employees who may be classified as "workmen."

ESOPs are the primary retention tool for Indian tech companies. An ESOP plan requires:

  1. Board resolution approving the scheme
  2. Special resolution of shareholders (with explanatory statement)
  3. The scheme must specify vesting period, exercise price, exercise period, and treatment on exit
  4. Valuation: under Section 17(2)(vi) of the Income Tax Act, 1961 read with Rule 3(8) of the IT Rules, the perquisite is calculated as FMV at date of exercise minus the exercise price actually paid by the employee
  5. For DPIIT-recognised startups, Section 192(1C) of the Income Tax Act allows the employer to defer TDS deduction on ESOP perquisites — payable within 14 days of (a) the 48th month from the end of the AY in which ESOPs were exercised, (b) the date of sale of shares, or (c) the date the employee ceases to be employed, whichever is earliest. This is a significant cash-flow benefit — use it.

Contractors vs employees: TDS on fees paid to contractors working predominantly on your project and supervised by you should be deducted under Section 194J (professional services, 10%) if the engagement is truly professional, or Section 194C (contractual work, 1%/2%) for specific work contracts. Misclassification — calling an employee a contractor to avoid PF and ESI — attracts EPFO/ESIC liability, interest, and penalties retrospectively.


6. Worked Example: ESOP Perquisite Tax and Startup Deferral

Consider a DPIIT-recognised startup that grants 20,000 ESOPs to a senior engineer in FY 2023-24 at an exercise price of Rs. 10 per share (nominal). The employee exercises all 20,000 options in FY 2025-26 when the FMV (as determined by a registered valuer under Rule 3(8)) is Rs. 600 per share.

| Item | Calculation | Amount |
|---|---|---|
| FMV at exercise | 20,000 × Rs. 600 | Rs. 1,20,00,000 |
| Exercise price paid | 20,000 × Rs. 10 | Rs. 2,00,000 |
| Perquisite (taxable salary) | Rs. 1,20,00,000 − Rs. 2,00,000 | Rs. 1,18,00,000 |
| TDS @ 30% + surcharge (say 35.88% effective) | | ~Rs. 42,34,000 |

Without deferral: The company must deduct and deposit this TDS at the time of exercise — even though the employee has received illiquid, unlisted shares and has no cash to fund the tax. This triggers a practical crisis: the employee must either sell shares (often prohibited in a pre-IPO company) or fund the tax from personal savings.

With deferral under Section 192(1C): The startup can defer this TDS. In the above example, the exercise was in FY 2025-26 (AY 2026-27). The deferral end date is the earliest of: April 2030 (48 months from end of AY 2026-27), the date the employee sells the shares, or the date the employee leaves. If the company lists in FY 2028-29 and the employee sells shortly after, the TDS falls due then — at a time when the employee has actual cash from the sale. This deferral mechanism is available only to DPIIT-recognised startups. Ensure your DPIIT recognition is current and your Form 3CE filings are in order.


7. Funding Readiness and FDI Compliance

Foreign investment in Indian private companies flows primarily through the automatic route under the Consolidated FDI Policy. Most technology sectors are at 100% automatic route. Exceptions: e-commerce (inventory model is prohibited for FDI); defence tech; satellite services.

Post-investment compliance is where founders frequently slip:

  • FC-GPR (Foreign Currency – Gross Provisional Return): Must be filed on the RBI FIRMS portal within 30 days of allotting shares to a foreign investor. Missing this deadline attracts FEMA compounding, which is time-consuming and expensive even when the penalty itself is moderate.
  • FLA Return (Foreign Liabilities and Assets): Every Indian company with FDI must file the FLA Return with RBI by 15 July of each year (reporting position as at 31 March). Missing two consecutive years can result in show-cause from RBI.
  • FC-TRS (Foreign Currency – Transfer of Shares): Filed within 60 days when a resident transfers shares to a non-resident or vice versa.
  • SBO (Significant Beneficial Ownership) disclosures under Section 90 of the Companies Act: Maintain an updated register of persons holding ultimate beneficial ownership above 10% — investors conduct reverse-SBO checks as standard due diligence.

Cap table discipline: Use a cap table management tool (or a CA-certified Excel model at a minimum) from day one. Mis-stated share counts, unregistered share transfers, and missing Form PAS-3 filings have derailed funding rounds at the term-sheet-to-SHA stage.


8. Contracts That Actually Protect Your Revenue

SaaS Subscription Agreement: Your core commercial document must address: the scope of the licence (per-seat, usage-based, or site licence), acceptable-use policy, data-processing terms (critical under DPDP Act — you are a Data Processor for your customers' data), uptime SLAs and credit-back mechanism, limitation of liability (cap at 12 months' fees is standard), and termination for cause vs convenience with notice periods.

Master Service Agreement (MSA) + Statement of Work (SOW) structure: For enterprise clients, use an MSA that sets the framework (IP ownership, indemnity, confidentiality, governing law) with individual SOWs for each engagement. This avoids renegotiating boilerplate every time. Critically, the IP ownership clause must state whether deliverables are "work for hire" belonging to the client or whether you retain background IP and licence it.

Vendor and API Agreements: If your product depends on a third-party API (payment gateway, mapping service, AI model), your vendor agreement must cover: SLA commitments, data-handling obligations (can the vendor use your users' data?), liability on API failure, and exit rights if the vendor changes pricing or terms. Over-reliance on a single vendor API without contractual protections is an operational and legal risk.


9. Common Mistakes and Pitfalls to Avoid

These are the recurring errors seen in tech business legal reviews:

  • Delayed IP assignment: A founding-stage developer writes 60% of the codebase before any employment contract is signed. The company does not legally own that code until an assignment is executed — and the developer knows it by the time there is a dispute.
  • Copy-paste privacy policies: GDPR-compliant policies do not automatically satisfy the DPDP Act. The consent framework, grievance officer details, and data principal rights mechanism must be India-specific.
  • ESOP plan without shareholder approval: Grants made before the required special resolution are void under the Companies Act, 2013. The company has made promises it cannot legally keep.
  • FC-GPR filed late: A common oversight when a round closes in December and founders assume "we will file in the new year." Every week of delay increases compounding risk under FEMA.
  • No arbitration clause in enterprise contracts: A B2B SaaS dispute without a dispute resolution clause defaults to civil courts — typically a 5-7 year journey. Arbitration with seat in Mumbai, Delhi, or Bengaluru and the Arbitration and Conciliation Act, 1996 governing produces a faster, enforceable outcome.
  • Treating all contractors as Section 194C: Technical consultants engaged for their professional expertise (architect, data scientist, legal advisor) attract TDS under Section 194J at 10%, not 194C at 1-2%. The difference is material on large engagements and attracts demand notices.
  • No DPO appointment after SDF designation: If the Central Government designates your company as a Significant Data Fiduciary and you have not appointed a DPO, every day of non-compliance is a separate infraction.

10. The Compliance Calendar for FY 2026-27

Build this into your board's monitoring dashboard — not just your CA's task list:

| Frequency | Task | Form / Portal | Deadline |
|---|---|---|---|
| Monthly | GST returns (GSTR-1, GSTR-3B) | GST portal | 11th / 20th of following month |
| Quarterly | TDS returns | TRACES | 31st of following month |
| Annual | DIR-3 KYC for all directors | MCA V3 | 30 September |
| Annual | DPT-3 (deposit / exempted deposit return) | MCA V3 | 30 June |
| Biannual | MSME-1 (outstanding dues to MSMEs) | MCA V3 | 30 April / 31 October |
| Post-AGM | AOC-4 (financial statements) | MCA V3 | Within 30 days of AGM |
| Post-AGM | MGT-7 (annual return) | MCA V3 | Within 60 days of AGM |
| Annual | FLA Return (foreign liabilities) | RBI FIRMS | 15 July |
| Within 30 days | FC-GPR (on each foreign allotment) | RBI FIRMS | 30 days from allotment |
| Quarterly | Board meeting with signed minutes | Internal | Once per quarter minimum |

Key Takeaways

  • Incorporate correctly from day one: A private limited company with properly drafted MOA, AOA, SHA, and founders' agreement is fundable and scalable. Patch-ups after the fact are expensive.
  • DPDP Act compliance is not optional: Penalties reach Rs. 250 crore per event. Conduct a data inventory and build a consent framework before you scale user acquisition.
  • All IP must be formally assigned to the company — from founders, employees, and contractors — in writing, before the code is written if possible.
  • ESOPs need statutory approvals: Board and shareholder resolutions first, then grants. DPIIT-recognised startups should use Section 192(1C) deferral to protect employees from cash-flow crises at exercise.
  • FC-GPR within 30 days of every foreign share allotment, every time, without exception. FLA Return by 15 July annually. These are the two most commonly missed FEMA filings.
  • Your SaaS contract is a legal document, not a marketing asset: Ensure it covers data-processing obligations, limitation of liability, IP ownership, and arbitration — in India-law terms.
  • Build the compliance calendar into board governance: Legal compliance is a board-level responsibility, not only a finance function task. Regular review prevents the compounding of small oversights into material liabilities.

Frequently Asked Questions

What is the DPDP Act and how does it affect tech businesses?
The Digital Personal Data Protection Act, 2023 regulates the processing of digital personal data in India. Tech businesses acting as data fiduciaries must obtain valid consent, limit data use to specified purposes, implement security safeguards, support data principal rights, and notify breaches. Significant Data Fiduciaries must appoint a Data Protection Officer.

Do all tech startups need to register intellectual property?
Yes, in some form. Trademarks for brand and product names are essential. Copyrights in code, designs, and creative content are useful for enforcement. Patents are relevant for genuinely inventive hardware or software methods. Every employee, consultant, and vendor contract should include IP-assignment and confidentiality clauses.

What licences does a fintech startup need in India?
Fintechs may need RBI authorisation as a Payment Aggregator, Prepaid Payment Instrument issuer, NBFC, or under the digital lending framework, depending on the activity. Cross-border payments may need FEMA approvals. RBI's 2026 digital lending and outsourcing guidelines drive operational compliance with grievance redressal and data localisation expectations.

How should ESOPs be structured for Indian tech employees?
Adopt an ESOP scheme approved by the board and shareholders, define vesting and cliff, document grant letters, value the perquisite under Section 17(2) on exercise for tax, and disclose the plan in financial statements. Track Form PAS-3 filings for any allotment and ensure cap-table updates reflect each issuance accurately.

Priyanka Wadhera
Content Reviewed By

CA | POSH Consultant | Financial Advisor

"I help startups and mid-sized businesses scale by streamlining their tax advisory, POSH compliances, and virtual CFO systems with 100% precision."
