
Startup Legal Tech: Terms of Service, Privacy Policy, IP Assignment, and Equity

Navigate startup legal requirements — terms of service, privacy policy (GDPR/CCPA), IP assignment agreements, equity structures, and the tech tools that handle

Viprasol Tech Team
April 22, 2026
11 min read


Legal issues kill startups in two ways: either they're ignored until they become expensive crises, or they're over-engineered early, burning money on legal fees that should go to product.

The right approach for most early-stage startups: handle the basics early (correctly, not cheaply), use legal tech tools to reduce ongoing cost, and save lawyer time for the genuinely complex decisions.


Priority Order for Startup Legal

Not everything needs to be done immediately. Here's the order that makes sense for most early-stage startups:

| Priority | Legal Item | When | Why |
|---|---|---|---|
| 1 | IP Assignment / PIIA | Day 1 | Investors won't fund without it; courts have voided equity without it |
| 2 | Privacy Policy | Before collecting user data | GDPR/CCPA fines start here |
| 3 | Terms of Service | Before public launch | Liability protection, dispute resolution |
| 4 | Employment agreements | First hire | IP ownership, non-solicitation |
| 5 | Equity/option pool | First 2 employees | Stock option agreements |
| 6 | Customer contracts | First enterprise sale | Liability caps, IP ownership |
| 7 | GDPR Data Processing Agreements | First EU customer | Required by GDPR |

IP Assignment / PIIA

The Proprietary Information and Invention Assignment (PIIA) agreement is the most critical early legal document. It establishes that any IP created by founders, employees, and contractors belongs to the company — not the individual.

Why this matters: Without signed PIIAs from all founders before incorporation, a departing founder can claim they own the code they wrote. Courts have voided Series A rounds because of missing or incomplete IP assignment.

What it covers:

  • All work done while employed/contracted belongs to the company
  • Past IP (created before hire) must be explicitly carved out by the employee
  • Obligation to disclose and assign future inventions related to company business
  • Non-disclosure obligations

Getting it signed: Use Stripe Atlas, Clerky, or Carta Launch when incorporating. All include a PIIA in their standard incorporation package. For existing companies, have a lawyer prepare the agreement and have all founders and early employees sign it before any equity vests.

Contractor IP: Contractors own their work by default under US copyright law — unless a written work-for-hire agreement says otherwise. Every contractor agreement must explicitly assign IP to the company.


Privacy Policy

A privacy policy is legally required if you collect any personal data from users — not optional for "later." GDPR (EU), CCPA (California), PIPEDA (Canada), and similar laws apply.

What must be in a compliant privacy policy:

| Element | Requirement |
|---|---|
| What data you collect | Specific categories (email, name, payment info, usage data) |
| Why you collect it | Legal basis for each category (GDPR requires explicit legal basis) |
| How long you keep it | Retention periods by data category |
| Who you share it with | Third parties, processors, analytics tools |
| User rights | Access, deletion, portability, opt-out (varies by jurisdiction) |
| How to contact you | Data controller contact information |
| Cookie policy | If using cookies or tracking pixels |

GDPR legal bases for data collection:

  • Consent: User explicitly agreed
  • Contract: Necessary to perform the contract (account creation)
  • Legitimate interest: Company has a legitimate business reason that doesn't override user rights
  • Legal obligation: Required by law

For most SaaS products: account data is processed under "contract"; analytics is "legitimate interest" or "consent"; marketing emails require explicit consent.

Tools:

  • Termly — $10/mo, generates compliant policies, handles cookie consent banner
  • iubenda — $9/mo, auto-generates based on your tech stack
  • Osano — $199/mo, enterprise cookie consent management

GDPR compliance for EU users:

1. Cookie consent banner (accept/reject) before any tracking cookies load
2. Privacy policy accessible from every page
3. Data subject access request mechanism (email to DPO works for startups)
4. Data Processing Agreements (DPAs) signed with all processors:
   - AWS, GCP, or Azure (they have standard DPAs)
   - Stripe, SendGrid, Intercom, etc.
5. Don't transfer EU data to non-adequate countries without SCCs

Terms of Service

A Terms of Service (ToS) agreement defines the rules users agree to when using your product. It protects the company by limiting liability, defining dispute resolution, and establishing acceptable use.

Critical clauses every SaaS ToS needs:

1. Limitation of Liability

Your maximum liability to the customer is limited to the fees 
paid in the 12 months preceding the claim. You are not liable 
for indirect, consequential, or lost profits damages.

Without this clause, a customer could theoretically sue you for the full business loss they claim your product caused.

2. Acceptable Use Policy

Define what users can't do: spam, illegal activity, data scraping without permission, sharing accounts, impersonating others. This is the legal basis for suspending abusive accounts.

3. Dispute Resolution

Binding arbitration or jurisdiction clause. US companies typically use: "Disputes shall be resolved in binding arbitration under JAMS rules, in [State], [Country]." Avoids class action lawsuits.

4. Intellectual Property

"Customer owns their data. Company owns the product, including any improvements or features developed in response to customer feedback." Critical for SaaS — prevents a customer from claiming they "invented" a feature they requested.

5. Service Level / No Warranty

"Service provided as-is. No guarantee of uptime or accuracy." Paired with your SLA (if you have one), this sets clear expectations.

Tools for generating ToS:


Equity Structure Basics

For software companies raising venture capital or offering employee equity:

Delaware C-Corp is the standard. S-Corps can't take VC investors (foreign and corporate shareholders are not allowed). LLCs create tax complications for equity holders. Delaware law is predictable and investor-preferred.

Typical pre-seed equity structure:

Founders: 70–80%
Option pool: 15–20% (reserved for employees, advisors)
Angels/pre-seed: 5–15%

Post-Series A:
Founders: 50–65%
Option pool: 10–15%
Seed investors: 10–15%
Series A investors: 15–25%

Stock option agreements (ISOs vs NSOs):

  • ISO (Incentive Stock Option): For employees only. Favorable tax treatment if held long enough. Requires exercise within 90 days of leaving.
  • NSO (Non-Qualified Stock Option): For contractors, advisors, non-US employees. Taxed as ordinary income on exercise.

Standard vesting: 4-year vest, 1-year cliff

  • Nothing vests until 12 months (the cliff)
  • After cliff: 1/48th vests each month for 36 more months
  • Founder acceleration clauses on acquisition (typically double-trigger)

Legal tools for cap table and equity management:

  • Carta — $2,400–10,000/year. Industry standard. 409A valuations, option grants, cap table management
  • Pulley — $4,000/year. Similar to Carta, often cheaper for early-stage
  • Capbase — flat fee incorporation + equity management
  • AngelList Stack — free for early-stage startups

Standard Contracts for Customers

Master Service Agreement (MSA) + Order Form structure:

  • MSA covers standard terms (liability limits, IP, dispute resolution) — negotiated once
  • Order Form covers specifics (price, scope, term, SLAs) — signed per deal

This is more efficient than redlining a full contract for every enterprise deal.

Key enterprise-requested clauses (and how to handle them):

  • Indemnification: Customer asks you to indemnify them against third-party IP claims. Limit to: "Company will defend Customer against third-party claims that the Service infringes their IP."
  • Data Processing Agreement: Required by GDPR. Sign the standard DPA, don't negotiate the substance.
  • Liability cap: Customer wants unlimited liability. Counter with: "5× annual contract value."
  • Source code escrow: Customer wants source code if you go bankrupt. Offer escrow instead of direct access.

Legal Tech Stack by Stage

| Stage | Tools | Annual Cost |
|---|---|---|
| Idea → Pre-revenue | Stripe Atlas/Clerky (incorporation), Termly (privacy), WSGR templates (contracts) | $500–1,500 |
| Revenue → Seed | Carta (equity), Termly/iubenda, Orrick templates + 1 lawyer review | $3,000–8,000 |
| Seed → Series A | Carta, full lawyer (securities, employment), data room (Notion/DocSend), DPAs | $15,000–40,000 |
| Series A+ | Carta, in-house counsel or dedicated firm, Ironclad (contract management) | $80,000–200,000+ |

The biggest mistake: spending $20,000 on lawyers at pre-revenue when $2,000 of legal tech and templates would have covered 90% of the need.


Working With Viprasol

We're not lawyers (and this isn't legal advice), but we help engineering teams understand the technical requirements of legal compliance — GDPR cookie consent implementation, privacy policy integration, data deletion pipelines, and the technical side of SOC 2 and enterprise security reviews.
