7 Potential Diligence Disasters
There comes a time in every startup’s life when someone important (usually a banker, a buyer, or a very expensive lawyer) asks a question that causes immediate, collective panic: “Can you send us your diligence package?”
At that moment, every GC knows whether they’re in a romantic comedy or a horror movie.
Due diligence is the legal version of a home inspection. It’s not just about what’s shiny…it’s about what’s rotting behind the walls. And if you haven’t done your pre-diligence cleanup, the buyer’s team will find:
The IP is owned by a long-departed co-founder.
Half the team is misclassified as "consultants" who work full-time and use company laptops.
The biggest customer has a contract that gives them refund rights and your firstborn.
The cap table has more versions than Taylor Swift’s last album.
This is your guide to getting ahead of all that. Because when diligence hits, you want to be the GC who hands over a clean binder. Not the one who says, "Let me get back to you on that...maybe in a week."
Disaster #1: The Orphaned IP
What happened: The founders built the MVP before incorporation. Contractors wrote the production code. An intern designed the logo. Nobody signed anything. Everyone just “assumed” the company owned everything because…startup magic?
Why buyers care: Because in the real world, IP doesn’t transfer by osmosis. Under U.S. law, whoever creates it owns it, unless they sign a document saying otherwise. If your core product was coded by someone with no signed IP assignment, you don’t own it. You lease it from a ghost.
Real-life facepalm: A startup couldn’t prove it owned its own recommendation engine. A former engineer had written it in his personal GitHub before joining full-time. Diligence paused. The buyer forced a retroactive IP assignment...along with $2M in escrow. Ouch.
What you do now: Make a list of everyone who touched product or content (e.g. founders, contractors, interns, cousin Jimmy) and verify there’s a signed agreement. Use “hereby assigns” language. If they’re gone, hunt them down now, not after LOI.
Also: check for open-source dependencies. A GPL license buried in your backend code is the fastest way to turn a $100M deal into a LinkedIn "life lesson" post.
Disaster #2: The Contractor Class of 2020
What happened: Early stage companies love flexibility. So instead of employees, they hire “contractors.” Contractors who:
Work full-time.
Have a company email.
Get invited to the holiday party.
Sometimes…manage other employees.
Congratulations. You’ve just built a legal time bomb.
Why buyers care: Because misclassification = liability. Back taxes. Wage claims. Benefit issues. And, here’s the fun twist, potential IP ownership problems, since contractors don’t automatically assign work like employees do.
Real-life facepalm: A company had 30 contractors, all working full-time. One filed for unemployment. The state investigated. The buyer found out. The deal nearly died until the company converted the entire team, re-papered the IP, and added indemnities.
What you do now: Audit classifications. Clean up contracts. Don’t assume someone is part-time just because they’re on a 1099. And if you think calling them “freelancers” fixes it…congrats, you now have a lawsuit and an IRS problem.
Also: make sure HR, Legal, and Finance agree on who’s a contractor. If you ask three people and get three answers, you already know where this is going.
Disaster #3: The Customer Contract from Hell
What happened: You landed a huge customer! They asked for "a few light redlines."
You gave them:
MFN pricing,
perpetual exclusivity,
termination for convenience,
and a clause allowing them to sue you into oblivion for SLA violations.
Because at the time, you just wanted the logo.
Why buyers care: Because they’re inheriting the contract…and the mess. If one customer controls 40% of revenue and can walk away anytime with a full refund? That’s not recurring revenue. That’s a time bomb.
Real-life facepalm: A healthtech startup agreed to a termination clause where the customer could get a refund for any "unsatisfactory" service. Buyer ran the numbers and called the revenue unreliable. Valuation haircut: $8 million.
What you do now: Review your top 25 customer contracts. Flag:
Assignment clauses
Change-of-control triggers
Refund rights
Uncapped indemnity
Data ownership issues
Then fix what you can. And, yes, make future contracts less desperate.
Also: scrub for weird NDAs. You’d be shocked how many companies signed mutual NDAs that say the customer owns anything "related to discussions." Delete that. Fire whoever approved it.
Disaster #4: Export Control Blindness
What happened: You’re a SaaS company. You have users in 60 countries. You use encryption. One developer works in Vietnam. Another in Serbia. Nobody's thought about BIS, OFAC, or EAR. What could go wrong?
Why buyers care: Because export violations = fines. Especially if you’re dealing with encryption software, sanctioned regions, or foreign nationals accessing sensitive backend systems.
Real-life facepalm: A startup had a handful of users from a blocked region. Their signup flow didn’t block embargoed countries. The buyer’s trade counsel caught it. The company had to self-report, purge users, and delay closing.
What you do now:
Know your ECCN. If you don’t know what that is, ask your friendly neighborhood export lawyer.
Block embargoed countries in your product and signup flow.
Screen vendors and contractors for OFAC issues.
Add export control reps to your terms of service.
Keep in mind: If you sell anything with end-to-end encryption, buyers will ask for classification documentation. If your team stares blankly, expect a red flag.
Disaster #5: Privacy Policy Fiction
What happened: Your privacy policy was copied from another startup in 2018. Your product tracks everything. No one has mapped what data is collected, stored, shared, or deleted. Meanwhile, you’ve onboarded 42 vendors and none of them signed DPAs.
Why buyers care: Because privacy isn’t just a checkbox anymore. It’s a reputational risk, a legal liability, and a dealbreaker, especially with global users.
Real-life facepalm: A SaaS company had 50 vendors touching user data. Only 9 had DPAs. The company had never responded to a deletion request. Buyer flagged it as non-compliant with GDPR and CCPA. Result: reduced valuation, delayed close, mandatory remediation plan.
What you do now:
Build a data map. Know what personal data you collect, where it flows, and who has access.
Get DPAs in place. No excuses.
Make sure your privacy policy isn’t promising magical rights you don’t provide.
Keep a breach/incident log. Even for close calls.
Also: check your cookie banner. If it’s a "click to accept" banner with no opt-out, congrats, you now have a CNIL problem.
And don’t forget employee privacy. Diligence isn’t just about user data. Buyers will ask what you track on employees, how you monitor them, and what surveillance software is running. If your answer is, “we installed software that takes screenshots every 30 seconds,” then…good luck.
Disaster #6: The Cap Table That Ate Your Deal
What happened: You thought your cap table was clean. Then:
A phantom grant surfaces.
A terminated employee is still vesting.
The stock ledger doesn’t match Carta.
The board never actually approved the last option pool increase.
Check out my full write-up on the Most Common Cap Table Issues.
Why buyers care: Because equity is math. And if the math doesn’t work, everything else breaks. Phantom equity, double grants, unapproved options. These are not just administrative headaches. They are lawsuits in waiting.
Real-life facepalm: A startup missed a grant approval for a founding engineer who later left. She exercised anyway. During diligence, the buyer questioned ownership. The startup had to refund the exercise and top her up with a new grant. Morale cratered. So did the price.
What you do now:
Reconcile your equity records quarterly.
Verify board approvals. Every. Single. Time.
Lock down your cap table system. No more dueling spreadsheets.
Align HR, Finance, Legal, and Payroll or be ready for chaos.
Bonus point: If you’ve got advisors or consultants on equity plans meant only for employees, or early advisors on handshake deals, now’s the time to fix it before someone insists their vesting never stopped.
Disaster #7: Missing Board Approvals & Corporate Records
What happened: The board never approved your new equity plan. The last two SAFE conversions weren’t documented. Your stock certificate book? LOL.
Why buyers care: Because the absence of governance signals one thing: you’re not in control. If you can’t prove the board approved key corporate actions, buyers assume everything is defective until proven otherwise.
What you do now:
Ensure all board consents and approvals are documented and signed.
Match stock ledgers to cap table and payroll.
Confirm all equity plans were adopted properly.
Upload everything to a central folder. No more digging through inboxes.
And if your Board Secretary is “whoever has free time,” please fix that. Now.
The GC’s Pre-Diligence Toolkit
Want to survive diligence? Here’s your playbook:
IP Assignments or Bust – Everyone who ever touched product or code must have a signed IP agreement with "hereby assigns" language.
Contractor Clean-Up – Audit, classify, and convert as needed. If it walks like an employee...
Contract Landmine Scan – Review and fix customer contracts. Know what you’ve promised.
Export Control Triage – Determine your ECCN. Screen users. Block embargoed regions.
Privacy Sanity Check – Map your data. Get DPAs. Align your policy with reality.
Cap Table Reconciliation – There should be ONE cap table. Make sure it’s clean.
Governance Hygiene – Match stock ledgers to approvals. Keep consents signed and centralized.
Run Internal Diligence Now – Do a dry-run. If it would embarrass you to hand it over, fix it before you’re under a microscope.
My 2 cents:
You don’t want to be the lawyer explaining why the company’s IP might belong to a contractor in New Jersey who left three years ago and now sells artisanal jam. You want to be the lawyer who says, “Here’s the diligence binder—IP clean, contracts assignable, no skeletons, and yes, the cap table matches payroll.”
Because the only thing worse than a diligence disaster…is watching your valuation burn because of it.
Buyers aren’t just buying what you built. They’re buying whether you built it right. Whether your house has a solid foundation or just a fresh coat of paint over a leaking basement.
And when that diligence flashlight turns your way, the GC isn’t just a supporting character. You’re the one who proves this company is real, that its value is defensible, and that the wheels won’t fall off the second the ink dries.
So clean the house. Label the boxes. Fix the wiring.
Because no one wants to be the lawyer holding a mop after midnight, whispering, “I thought someone else took care of that.”