Educational content only — not legal, tax, accounting, or HR advice. Laws vary by jurisdiction and change over time. Talk to qualified counsel for your specific facts.
Why this exists: Most startup “legal disasters” aren’t dramatic… they’re quiet missteps that surface later during fundraising, a major customer deal, or acquisition diligence. This checklist is designed to help founders prevent the most common early-stage legal mistakes before they become expensive.
How to use this checklist
- Print it or drop it into Notion/Asana. Treat it like a “minimum viable legal” operating system.
- Don’t aim for perfection on Day 1. Aim for “no unforced errors.”
- Work in order. Entity → founders → IP → fundraising → hiring → customer contracts → privacy/security → insurance.
Legend: ☐ Not started ☐ In progress ☐ Done ☐ Review quarterly
Table of contents
- 1) Entity selection & formation
- 2) Corporate housekeeping & cap table hygiene
- 3) Brand names, logos, and domain names
- 4) Founders: roles, equity, vesting, exits
- 5) Intellectual property (IP): ownership, protection, open source
- 6) Raising capital without breaking securities laws
- 7) Hiring + labor & employment compliance
- 8) Equity incentives: options, restricted stock, 83(b), 409A
- 9) Social media, marketing, privacy, and data security
- 10) Customers, suppliers, contractors: contracts & risk allocation
- 11) Insurance & risk management
- 12) 15-minute quick audit: “Are we fundable?”
1) Entity selection & formation
Common mistake: Choosing an entity type because it’s “easy” (or because a friend did it), then paying time + money later to unwind it when investors, equity comp, or taxes require a different structure.
Checklist
- ☐ We chose an entity type that matches our likely future: hiring, equity compensation, and fundraising (not just “today’s simplicity”).
- ☐ We understand the practical tradeoffs of LLC vs. C-Corp for equity incentives and venture funding.
- ☐ We formed the entity before conducting real business (selling, hiring, signing contracts, raising money).
- ☐ We conduct business through the company (not individual founders) — contracts, invoices, payments, accounts.
- ☐ Founders avoid personal liability traps (e.g., informal “partnership” behavior, signing personally, commingling funds).
- ☐ We opened a dedicated business bank account and use it consistently.
Example: A startup starts as a casual “partnership,” signs a few customer contracts under a founder’s name, then forms a company. Later, investors insist those contracts be formally assigned and worry about hidden liabilities tied to the founder personally.
2) Corporate housekeeping & cap table hygiene
Common mistake: “We’ll clean it up later.” Later is usually during fundraising — when speed matters and diligence pressure is high.
Checklist
- ☐ We have core formation documents completed and signed (governing docs + initial consents).
- ☐ Board and stockholder approvals are documented for key actions (equity issuances, option grants, major contracts where required, etc.).
- ☐ We have a clean cap table that reconciles to actual issuances (founders, early investors, advisor grants, option pool, SAFEs/notes).
- ☐ Every equity issuance is documented (purchase agreement / award agreement) and stored in a single system.
- ☐ We track who owns what, what’s vested, what’s subject to repurchase, and what happens on termination.
- ☐ We track outstanding SAFEs/notes (amounts, caps, discounts, MFN terms, pro rata rights, side letters).
- ☐ We can quickly produce a diligence folder (entity docs, cap table, IP assignments, key contracts, employment docs).
3) Brand names, logos, and domain names
Common mistake: Spending time and money building a name, logo, and domain… and then learning you can’t legally use it (or can’t protect it) where you want to operate.
Checklist
- ☐ We cleared the name/logo before investing heavily (basic trademark clearance + common-sense checks).
- ☐ We secured key domains and consistent social handles for our brand.
- ☐ We have a plan for trademark protection in the U.S. and (if relevant) internationally.
- ☐ We understand that many jurisdictions are effectively “first to file,” and we’ve prioritized where we’ll file first.
- ☐ We have internal rules for how the brand is used (to avoid weakening rights and consistency).
Example: A company launches, gains traction, then receives a cease-and-desist. Rebranding is expensive: new domain, new collateral, lost SEO, customer confusion, and investor concern.
4) Founders: roles, equity, vesting, exits
Common mistake: Co-founders avoid hard conversations early. Then someone leaves, and the company is stuck with a “ghost founder” owning meaningful equity with unclear obligations.
Checklist
- ☐ Founder roles and day-to-day responsibilities are clearly defined (who owns product, sales, hiring, finance, etc.).
- ☐ Founder equity split is documented, with the “why” understood by everyone.
- ☐ We have a clear decision-making process (including tie-breakers).
- ☐ We have a dispute resolution plan (what happens if founders deadlock).
- ☐ Founder equity is subject to vesting or repurchase rights that protect the company if a founder leaves early.
- ☐ We have written rules for founder exits: what happens to unvested shares, voting rights, and ongoing obligations.
- ☐ We considered restrictive covenants where enforceable (confidentiality, non-solicit; non-competes only where legally permissible and appropriate).
Example: Two founders split 50/50 with no vesting. One leaves after 3 months. The remaining founder can’t raise money because investors won’t accept a large inactive owner with full voting rights and no ongoing obligations.
5) Intellectual property (IP): ownership, protection, open source
Common mistake: Assuming the company “owns the code” because it paid for it. Without proper agreements, IP may belong to individuals or contractors — a major red flag for investors and acquirers.
Checklist: ownership first
- ☐ Every founder has signed an IP assignment to the company (covering pre-formation and post-formation work where applicable).
- ☐ Every employee signs confidentiality + invention assignment agreements before accessing sensitive information.
- ☐ Every contractor/consultant agreement includes clear IP ownership/assignment terms (and work-for-hire language where applicable).
- ☐ We track open source use and have a policy to avoid license surprises.
- ☐ We have a process to ensure third-party content (images, music, text, code) is properly licensed, and we keep the license/attribution record with the asset.
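The open-source item above is easier to keep honest when the policy is written down as rules that run against the dependency inventory, rather than as a sentence in a handbook. The block below is an added example (not from this checklist or any specific project): it classifies each dependency as block / review / ok from its SPDX license identifier, how it is linked, and whether it ships to customers. The license buckets, the package names and the inventory are all constructed for illustration; which identifiers land in which bucket is a decision to make with counsel, and a real run would read the inventory from a lockfile or SBOM instead of a hard-coded list.

```python
"""Added example: a minimal open-source license policy check over a
constructed dependency inventory. Not legal advice; the buckets below are
an illustrative policy, not a statement of what each license requires."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Illustrative policy buckets keyed by SPDX identifier (assumption, not a legal rule).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}  # obligations can trigger on network use alone


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: Optional[str]  # SPDX identifier from package metadata; None if missing
    linkage: str            # "static" (bundled in), "dynamic", or "service" (separate process over a network)
    distributed: bool       # True if it ships inside something customers install or download


def check_dependency(dep: Dependency) -> tuple[str, str]:
    """Return (severity, reason); severity is 'block', 'review' or 'ok'."""
    if dep.license is None:
        return "review", "no license metadata; confirm the license before use"
    if dep.license in NETWORK_COPYLEFT and dep.linkage != "service":
        # 'We never ship it' is not a defense here: the network clause can apply
        # to code that only ever runs on your own servers.
        return "block", f"{dep.license}: copyleft obligations can trigger on network use, not just distribution"
    if dep.license in STRONG_COPYLEFT and dep.distributed:
        return "block", f"{dep.license}: shipping it may require releasing your own source"
    if dep.license in WEAK_COPYLEFT and dep.linkage == "static" and dep.distributed:
        return "review", f"{dep.license}: static linking can extend copyleft to the combined work"
    if dep.license in PERMISSIVE:
        return "ok", f"{dep.license}: permissive; keep the notice/attribution text in the distribution"
    if dep.license in STRONG_COPYLEFT | WEAK_COPYLEFT:
        return "ok", f"{dep.license}: internal use only; re-check if this is ever shipped"
    return "review", f"{dep.license}: not in policy; classify with counsel"


def audit(deps: list[Dependency]) -> dict[str, list[str]]:
    """Group findings by severity so blockers are visible at a glance."""
    report: dict[str, list[str]] = {"block": [], "review": [], "ok": []}
    for dep in deps:
        severity, reason = check_dependency(dep)
        report[severity].append(f"{dep.name}=={dep.version}: {reason}")
    return report


# Constructed inventory for the example; every package name here is invented.
SAMPLE_INVENTORY = [
    Dependency("httpclient-lite", "2.3.1", "Apache-2.0", "dynamic", True),
    Dependency("pdfgen", "0.9.0", "GPL-3.0-only", "static", True),
    Dependency("graph-store", "4.1.0", "AGPL-3.0-only", "dynamic", False),
    Dependency("imgcodec", "1.2.0", "LGPL-2.1-only", "static", True),
    Dependency("mystery-util", "0.1.0", None, "static", False),
    Dependency("internal-tooling-fmt", "3.0.0", "GPL-2.0-only", "static", False),
]

if __name__ == "__main__":
    for severity, items in audit(SAMPLE_INVENTORY).items():
        for line in items:
            print(f"[{severity.upper():6}] {line}")
```

Run it in CI against the real dependency list and fail the build on any "block" finding; the "review" bucket is the queue for counsel, and the "ok" bucket is still a reminder that permissive licenses carry notice obligations that belong in your shipped artifacts.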
Checklist: protection strategy
- ☐ We decided what we protect as trade secrets vs. what we consider for patent filings.
- ☐ Confidential information is labeled and handled consistently (access control, least privilege).
- ☐ We use NDAs appropriately (and understand where NDAs help vs. where they create friction).
- ☐ We use copyright notices and register key works where strategic.
- ☐ We protect and document ownership of valuable data and databases (including rights and licenses).
Example: A contractor builds your MVP, then later claims ownership and demands a buyout. Even if you “win,” the uncertainty can kill a financing or acquisition timeline.
6) Raising capital without breaking securities laws
Common mistake: Treating fundraising like “just taking checks.” In the U.S., offers and sales of securities are regulated — including money from friends and family.
Checklist
- ☐ Before raising any money, we confirmed what we are selling (equity, SAFE, note) and what exemption we’re relying on.
- ☐ We understand what “accredited investor” means in practice and we’re careful with non-accredited investors.
- ☐ We understand that state “blue sky” filings may still apply even if we use a federal exemption.
- ☐ We avoid public statements that could create securities-law problems (especially if relying on exemptions that restrict general solicitation).
- ☐ We track investor information and maintain clean subscription paperwork and disclosures.
- ☐ We have a process for handling “bad actor” and other diligence items where relevant.
Example: A founder posts “We’re raising!” on social media while planning to rely on a private placement pathway that limits general solicitation. The company later has to restructure the round or delay closing under investor counsel pressure.
7) Hiring + labor & employment compliance
Common mistake: Startups move fast and accidentally misclassify people, underpay overtime, skip required notices, or assume “we’re too small to matter.” These issues show up in diligence — or when someone leaves unhappy.
Checklist: hiring fundamentals
- ☐ Every hire (employee or contractor) has a written agreement before work begins.
- ☐ Offer letters clearly state at-will employment (where applicable), role, pay, and key policies.
- ☐ We classify employees correctly as exempt or non-exempt based on duties and salary rules (and applicable state law).
- ☐ We handle work authorization verification (Form I-9 process) properly for U.S. hires.
- ☐ Contractors are classified carefully (and not simply because “it’s easier” or “they asked for a 1099”).
- ☐ Interns are handled cautiously — unpaid internships have strict requirements.
Checklist: payroll, benefits, and policies
- ☐ Payroll is set up correctly (with withholding, required filings, and timely payments).
- ☐ We comply with state/local rules (paid sick leave, wage notices, pay frequency, reimbursements, etc.).
- ☐ If using a PEO, we understand the company may still be responsible for compliance failures.
- ☐ We have baseline policies (confidentiality, acceptable use, security, harassment prevention where required).
- ☐ Founders understand personal liability risks in some jurisdictions for unpaid wages.
Example: A startup calls engineers “contractors” but controls schedule, tools, and work like employees. Later, the company faces back wages, tax issues, and benefit claims—often triggered by a single separation.
8) Equity incentives: options, restricted stock, 83(b), 409A
Common mistake: Promising equity in an offer letter, then improvising the legal/tax structure later—creating 409A issues, securities compliance issues, or unhappy employees when the numbers change.
Checklist: plan design
- ☐ We decided which equity tools we’ll use at our stage (restricted stock vs. options vs. RSUs later).
- ☐ We adopted an equity incentive plan (and reserved an option pool if appropriate).
- ☐ The board approves equity awards and the company maintains clean grant documentation.
- ☐ We have a standard vesting schedule and clear rules for termination and change-in-control treatment.
Checklist: tax & valuation hygiene
- ☐ We understand that option strike prices must generally be set at or above fair market value on the grant date to avoid 409A problems.
- ☐ We obtain independent valuations when needed (and refresh appropriately after material events).
- ☐ For restricted stock or early exercise, we educate recipients about 83(b) elections and timing.
- ☐ We keep proof of any 83(b) filings that employees/founders make (important in diligence).
Example: A company issues options with a too-low strike price without a defensible valuation. Later, a buyer/investor discovers it during diligence and requires a painful cleanup (and potentially taxes/penalties for holders).
9) Social media, marketing, privacy, and data security
Common mistake: Treating privacy/security/marketing compliance as “later.” But once you collect user data, run ads, or use influencers, you have real legal obligations.
Checklist: social + marketing
- ☐ We have rules for who can speak publicly for the company.
- ☐ Employees are trained not to post about fundraising, material metrics, or confidential product roadmaps.
- ☐ Influencer/affiliate endorsements include clear disclosures when required.
- ☐ Promotions/contests/sweepstakes have rules and terms (don’t “wing it” on Instagram).
Checklist: privacy + data security basics
- ☐ We have a privacy notice that matches what we actually do (no copy/paste fiction).
- ☐ We minimize data collection (collect what we need, not what’s “nice to have”).
- ☐ We maintain a data map (what we collect, where it’s stored, who we share with, retention/deletion).
- ☐ We have baseline security controls (access control, MFA on email/admin/cloud accounts, least privilege, backups that we have actually tested restoring).
- ☐ We have an incident response plan (who does what if there's a breach, including who decides on customer and regulator notification and by when).
- ☐ Vendor security is considered (what your SaaS providers can access and how they protect it).
Checklist: website/app basics
- ☐ Website/app Terms of Use are in place (especially if you have users, subscriptions, or payments).
- ☐ E-commerce flows cover refunds, chargebacks, shipping/fulfillment, and customer support expectations.
- ☐ We have a process for handling user requests and complaints related to privacy/security.
Example: A startup runs an influencer campaign without clear disclosure. The marketing works—then a regulator complaint arrives. Fixing it after-the-fact is harder than building the rule into the process.
10) Customers, suppliers, contractors: contracts & risk allocation
Common mistake: Relying on friendly emails or verbal promises—then discovering you have unlimited liability, unclear deliverables, missing IP rights, or obligations hidden in a counterparty’s online terms.
Checklist: “no more handshake deals”
- ☐ Key relationships are documented in writing (customers, suppliers, contractors, advisors, partners).
- ☐ Every contractor agreement addresses confidentiality and IP ownership clearly.
- ☐ We don’t automatically accept large-company contract terms without reviewing risk allocation.
- ☐ We understand and negotiate: indemnification, warranty scope, limitations of liability, exclusive remedies.
- ☐ We check whether website terms/policies are incorporated by reference (and what we’re agreeing to).
- ☐ We use standardized templates for repeatable deals (NDAs, MSAs, SOWs, contractor agreements).
Checklist: protect goodwill and relationships
- ☐ Employment/contractor docs include appropriate protections for confidential info and customer relationships.
- ☐ We consider non-solicit provisions where enforceable and appropriate.
- ☐ We avoid “no-poach” or overly broad restrictions that could create antitrust risk.
Example: A startup signs a big customer’s paper with unlimited liability and a broad indemnity. One bug, one claim, or one data incident can become an existential event.
11) Insurance & risk management
Common mistake: Assuming “we’re an LLC, so we’re protected.” Entity structure helps, but insurance often determines whether a claim becomes a nuisance or a company-ending event.
Checklist
- ☐ We identified which insurance is legally required (varies by state and workforce).
- ☐ We reviewed common coverages relevant to our risk profile:
- ☐ General liability
- ☐ Professional / errors & omissions (E&O)
- ☐ Product liability (if applicable)
- ☐ Cyber / data breach coverage (if we handle personal or sensitive data)
- ☐ Employment practices liability (EPLI) as we hire and manage employees
- ☐ D&O (often expected when institutional investors join)
- ☐ Workers’ comp (often required if you have employees)
- ☐ We can comply with customer/vendor insurance requirements (COIs, additional insured, notice terms).
- ☐ We review coverage annually as the company grows and risk changes.
12) 15-minute quick audit: “Are we fundable?”
If you’re preparing for fundraising, a major enterprise customer, or an acquisition conversation, answer these quickly. Any “no” is a priority fix.
- ☐ Entity formed correctly, and business conducted through the entity
- ☐ Clean cap table with documented issuances and board approvals
- ☐ Founders and workforce have signed IP assignment + confidentiality agreements
- ☐ Contractor IP is assigned to the company (not the contractor)
- ☐ Fundraising paperwork and securities compliance story is clean and consistent
- ☐ Hiring classifications are defensible (employee vs contractor; exempt vs non-exempt)
- ☐ Equity plan and grants are board-approved and valued appropriately
- ☐ Privacy notice exists and matches actual data practices
- ☐ Security basics are in place (MFA, access control, backups)
- ☐ Customer/supplier agreements are written and risk allocation is understood
- ☐ Insurance coverage matches the real risk profile
Official resources (links)
- SEC – Exempt Offerings (Reg D, accredited investors, etc.): https://www.sec.gov/resources-small-businesses/exempt-offerings
- SEC – Rule 701 (equity compensation exemption): https://www.sec.gov/resources-small-businesses/exempt-offerings/employee-benefit-plans-rule-701-0
- IRS – Forms & Publications (Form 15620 for 83(b) election): https://www.irs.gov/forms-instructions-and-publications
- DOL – Overtime and FLSA resources: https://www.dol.gov/agencies/whd/overtime
- DOL – Independent contractor classification (FLSA): https://www.dol.gov/agencies/whd/fact-sheets/13-flsa-employment-relationship
- USPTO – Trademarks: https://www.uspto.gov/trademarks
- USPTO – Patents: https://www.uspto.gov/patents
- FTC – Endorsements and testimonials (influencers/reviews): https://www.ftc.gov/legal-library/browse/federal-register-notices/16-cfr-part-255-guides-concerning-use-endorsements-testimonials-advertising
- FTC – Data security guidance: https://www.ftc.gov/business-guidance/privacy-security/data-security
- NIST – Cybersecurity Framework: https://www.nist.gov/cyberframework
- SBA – Business insurance overview: https://www.sba.gov/business-guide/launch-your-business/get-business-insurance