Why security due diligence has become standard at Series A
Three forces converged in 2023-2024 to make security a standard DD item at Series A in India. First, the DPDP Act 2023 placed significant monetary penalties on data fiduciaries that fail to protect personal data, so investors now price DPDP exposure into valuation. Second, high-profile data breaches at Indian startups led LPs to ask general partners about the security posture of their portfolios. Third, enterprise customers of B2B startups began sending security questionnaires as a condition of purchase, and investors noticed that startups without a documented security posture were losing those deals. A VAPT certificate is now a pre-close document at many Series A financings.
What 'SOC 2 readiness' actually means at Series A stage
Obtaining a SOC 2 report typically takes 6-12 months and costs ₹20-50 lakh for most Indian startups. At Series A, investors do not expect you to have the report yet; they expect you to be on a credible path to it. A credible path looks like this: VAPT completed with critical findings closed, a SOC 2 gap analysis in progress, and a timeline to a Type I report before Series B. (Strictly, SOC 2 is an auditor's attestation report rather than a certification: a Type I covers control design at a point in time, a Type II covers operating effectiveness over a review period, which is why the Type II cannot be rushed.) Bachao.AI's report is the starting artifact for this roadmap: it identifies the technical controls that need to be in place for SOC 2, giving your engineering team a concrete remediation list.
How to use the VAPT report in investor conversations
Share the executive summary, not the full findings, with investors during DD. The executive summary shows: overall risk rating, number of critical findings found and closed, compliance posture (DPDP, CERT-In), and your remediation timeline. Sharing detailed vulnerability findings with parties who are not yet shareholders is itself a risk: an investor's deal team, advisers and co-investors are outside your control, and the details of an open finding are exploitable until it is fixed. The executive summary gives investors the signal they need without exposing those details before the deal closes. If an investor insists on the full report, share it only after the critical and high findings have been closed and retested, and under the same confidentiality terms as the rest of the data room.
How long before your DD close should you start?
Start the Bachao.AI Fundraising Security Package at least 6 weeks before you expect investor due diligence to begin. The timeline adds up: 10 business days to get the report, 2-4 weeks to remediate critical and high findings (depending on your engineering bandwidth), and 3-5 days for the retest and closure certificate, which is roughly 5-7 weeks end to end with no slack. If you start once DD is already under way, you will spend the process answering 'report in progress', which raises more questions than a completed report would.
The security questionnaire problem
Most Series A investors, and the enterprise customers of their portfolio companies, send a security questionnaire of 40-80 questions. The questions cover encryption at rest and in transit, access controls, the vulnerability management program, incident response history, third-party vendor risk, and compliance certifications. Without a recent VAPT, you are answering these questions from memory and hope. With a current VAPT report, you can answer the vulnerability management and incident response sections with specific, documented evidence (test dates, scope, findings closed, retest results), which is the difference between a questionnaire that accelerates the deal and one that generates further diligence requests.