10. Legal, IP & Compliance
Structural foundations, intellectual property protection, and regulatory adherence strategy.
🏛 Recommended Structure: Delaware C-Corporation
Rationale: Given the funding request of $350K pre-seed and the high-growth SaaS model, a Delaware C-Corp is the industry standard required by virtually all venture capital and angel investors. It allows for the issuance of preferred stock, easy granting of employee options (ESOP), and establishes a predictable legal framework.
- Formation Cost: ~$500 (via Stripe Atlas or Clerky)
- Timeline: 1-2 weeks
- Action: Incorporate immediately prior to accepting first check.
Entity Comparison
| Entity | Verdict |
|---|---|
| LLC | ❌ Hard to raise VC |
| S-Corp | ❌ Investor restrictions |
| C-Corp | ✅ Investor standard |
🛡 Intellectual Property Strategy
Trademark & Copyright
| Asset | Status | Priority |
|---|---|---|
| "PromptVault" | Needs Search | High |
| Source Code | Auto-Protected | Critical |
| UI/UX Design | Auto-Protected | Medium |
Risk Note: "PromptVault" is descriptive. A trademark search is critical to ensure we don't infringe on existing "Vault" tech products.
User Data vs. Company IP
- User Prompts: ToS must explicitly state that users retain 100% ownership of their prompts. PromptVault claims no IP rights, only a license to store/process.
- Company IP: The versioning logic, analytics algorithms, and testing framework are the company's trade secrets.
- AI Training: Critical Differentiator - Explicitly state that PromptVault DOES NOT train models on user data. This is a primary objection for Enterprise adoption.
🔒 Data Privacy & Protection
Because PromptVault stores proprietary business logic (prompts) and customers' third-party API keys, security is a legal necessity, not just a feature.
| Regulation | Applicability | Action Items |
|---|---|---|
| GDPR / UK GDPR | Yes (Global SaaS) | Data Processing Agreement (DPA) for B2B; Cookie Banner; Right to be Forgotten mechanism. |
| CCPA / CPRA | Likely (CA Users) | Privacy policy must state whether personal information is sold or shared; a "Do Not Sell or Share My Personal Information" link is required only if it is. |
| SOC 2 Type I/II | Future (Enterprise) | Prepare policies now (Access Control, Change Management) to simplify audit in Month 12+. |
| API Key Security | Critical | Customer LLM keys must be encrypted at rest with AES-256 in an authenticated mode (GCM), under a key held outside the database (KMS/HSM), decrypted only at the moment of the upstream call and never written to logs. Liability exposure if customer keys leak is severe. |
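The encryption-at-rest requirement above, as an added example (not PromptVault's code; the record layout, function names and the in-memory KEK are assumptions, with the KEK standing in for a key that would live in a KMS). It uses envelope encryption: each stored API key gets its own data-encryption key (DEK), the DEK is wrapped under the key-encryption key (KEK), and the tenant ID is bound as additional authenticated data so a ciphertext copied into another tenant's row fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedKey is the assumed database record for one customer's third-party
// API key. Only wrapped material is persisted; the KEK is never stored here.
type SealedKey struct {
	TenantID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = tenant ID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, apiKey), AAD = tenant ID
}

// newAEAD builds an AES-256-GCM AEAD and rejects any key that is not 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random nonce and returns nonce || ciphertext.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong AAD or any bit flip fails the tag check.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// SealAPIKey generates a per-record DEK, encrypts the API key under it, then wraps
// the DEK under the KEK. Both layers use the tenant ID as AAD.
func SealAPIKey(kek []byte, tenantID, apiKey string) (*SealedKey, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, []byte(apiKey), []byte(tenantID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	return &SealedKey{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenAPIKey unwraps the DEK and decrypts the key for exactly the tenant named by
// the caller; the record's own TenantID field is deliberately not trusted.
func OpenAPIKey(kek []byte, tenantID string, s *SealedKey) (string, error) {
	dek, err := gcmOpen(kek, s.WrappedDEK, []byte(tenantID))
	if err != nil {
		return "", errors.New("refused: DEK unwrap failed (wrong KEK or tenant)")
	}
	pt, err := gcmOpen(dek, s.Ciphertext, []byte(tenantID))
	if err != nil {
		return "", errors.New("refused: key blob failed authentication (tampered or wrong tenant)")
	}
	return string(pt), nil
}

// Redact is what may appear in logs: a fixed mask plus the last four characters.
func Redact(apiKey string) string {
	if len(apiKey) <= 4 {
		return "****"
	}
	return "****" + apiKey[len(apiKey)-4:]
}

func main() {
	kek := make([]byte, 32) // demo only; in production fetched from a KMS, never from config
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, _ := SealAPIKey(kek, "tenant-a", "sk-test-1234") // constructed sample key
	key, err := OpenAPIKey(kek, "tenant-a", rec)
	fmt.Println("own tenant:", Redact(key), err)
	_, err = OpenAPIKey(kek, "tenant-b", rec)
	fmt.Println("swapped tenant:", err)
}
```

The plaintext should exist only inside the request path that calls the upstream LLM and be dropped immediately afterwards; anything that reaches a logger or an error message goes through Redact.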
📝 Critical Agreements
Terms of Service (ToS)
- Liability Cap: Limited to 12 months of fees paid.
- AI Output Disclaimer: "As-is" basis; User assumes risk of AI hallucinations.
- API Costs: User responsible for 3rd party LLM costs if using own keys.
- Acceptable Use: Prohibition on generating illegal/harmful content.
Internal & HR
- CIIAA: (Confidential Information and Invention Assignment Agreement) for all devs.
- Founder Vesting: 4-year vesting, 1-year cliff (standard for investors).
- Contractor Agreements: Explicit "work made for hire" clauses plus an express assignment of IP, since contractor-written software generally does not qualify as work made for hire on its own.
⚠️ Legal Risk Register
| Risk | Mitigation |
|---|---|
| Data Breach (Prompts/Keys) | Cyber Liability Insurance; Encryption at rest; SOC 2 prep; No training on user data. |
| 3rd Party API Violations | ToS requires users to comply with OpenAI/Anthropic policies; Pass-through liability clauses. |
| Regulatory Changes (AI Act) | Maintain agility in disclaimer language; Monitor EU regulations; Focus on "Tool" status vs "Model" provider. |
Legal Budget (Year 1)
| Item | Cost |
|---|---|
| Formation (Atlas) | $500 |
| ToS/Privacy (Custom) | $2,500 |
| Trademark Filing | $1,500 |
| Contingency | $2,000 |
| Total | ~$6,500 |
Required Insurance
- General Liability (Slip & Fall)
- Tech E&O + Cyber (Critical)
- D&O (Post-Funding)
✅ Pre-Launch Compliance Checklist
- Domain Secured
- Entity Formed (DE C-Corp)
- Privacy Policy Published
- Terms of Service Published
- Cookie Banner (EU)
- Founder IP Assignment