Preparing for Investor Due Diligence ==================================== Slide 1: Preparing for Investor Due Diligence Narration Anna: This section sets up Preparing for Investor Due Diligence. Treat it as the frame for the decisions, handoffs, and evidence that appear in the next slides. Greg: The practical question is simple: by the end, what should a junior IT professional be able to explain, check, or document in a real workplace? On-screen text Preparing for Investor Due Diligence Give investors confidence that controls match the story Slide 2: Why diligence heats up post-Seed Narration Anna: [confident] Sarah's seed deck promised investors she could scale without burning the place down—or turning the office into a literal or metaphorical dumpster fire; now Series A questions are landing in her inbox daily. Greg: The slides we’re about to walk through are the playbook for proving that promise isn’t just marketing glitter. Anna: Think of due diligence prep like running production change management—clear owners, change logs and rollback plans. Greg: And just like change management, the calm comes from having evidence ready before anything breaks in front of the board. On-screen text Why diligence heats up post-Seed - Series A/B investors expect proof that security, finance and compliance scale with revenue. - Unanswered questions slow down term sheets and spook co-investors. - Sarah's seed deck promised "enterprise-ready"—now she must show evidence. - Preparing early buys founders time when the data room inevitably expands. Slide 3: Core workstreams to coordinate Narration Anna: Core workstreams to coordinate focuses attention on a concrete part of the work. Financial & operational – cash runway, burn, vendor commitments, SOC 2 roadmap, Security & infrastructure – access controls, incident history, backup testing evidence, and Product & customers – roadmap dependencies, SLAs, churn and expansion metrics. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Security & infrastructure – access controls, incident history, backup testing evidence; Product & customers – roadmap dependencies, SLAs, churn and expansion metrics; Assign an owner per stream (CFO, CTO, RevOps) with a single program manager stitching updates together. On-screen text Core workstreams to coordinate - Financial & operational – cash runway, burn, vendor commitments, SOC 2 roadmap. - Security & infrastructure – access controls, incident history, backup testing evidence. - Product & customers – roadmap dependencies, SLAs, churn and expansion metrics. - Assign an owner per stream (CFO, CTO, RevOps) with a single program manager stitching updates together. Slide 4: Building a living data room Narration Anna: Building a living data room focuses attention on a concrete part of the work. Centralise policies, architecture diagrams, vendor contracts and board minutes with version control, Include short context notes so outsiders understand why a document matters, and Track open actions with due dates—investors value visibility more than perfection. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Include short context notes so outsiders understand why a document matters; Track open actions with due dates—investors value visibility more than perfection; Keep sensitive exports (e.g. customer lists) in controlled folders with watermarking and access logs. On-screen text Building a living data room - Centralise policies, architecture diagrams, vendor contracts and board minutes with version control. - Include short context notes so outsiders understand why a document matters. - Track open actions with due dates—investors value visibility more than perfection. - Keep sensitive exports (e.g. customer lists) in controlled folders with watermarking and access logs. Slide 5: Security questionnaire watch-outs Narration Anna: Security questionnaire watch-outs focuses attention on a concrete part of the work. Identify common asks: MFA coverage, penetration test cadence, disaster recovery drills, privacy compliance, Expect specifics like "What percentage of privileged accounts enforce MFA?"—"82% today, moving to 100% by Q2 via YubiKeys" beats evasive answers, and Flag red signals early—shared admin accounts, missing asset inventory, stale incident response plans. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Expect specifics like "What percentage of privileged accounts enforce MFA?"—"82% today, moving to 100% by Q2 via YubiKeys" beats evasive answers; Flag red signals early—shared admin accounts, missing asset inventory, stale incident response plans; Draft honest mitigation plans instead of hand-waving; investors reward realism. On-screen text Security questionnaire watch-outs - Identify common asks: MFA coverage, penetration test cadence, disaster recovery drills, privacy compliance. - Expect specifics like "What percentage of privileged accounts enforce MFA?"—"82% today, moving to 100% by Q2 via YubiKeys" beats evasive answers. - Flag red signals early—shared admin accounts, missing asset inventory, stale incident response plans. - Draft honest mitigation plans instead of hand-waving; investors reward realism. - Maintain a FAQ that translates technical control names into plain language for partners and board members. Slide 6: Map policies to governance expectations Narration Anna: Map policies to governance expectations focuses attention on a concrete part of the work. Tie each policy to the board committee or advisor who sponsors it (e.g. audit, risk, security), Summarise decision rights: who approves exceptions, how often reviews occur, what evidence is logged, and Highlight how legal, finance and engineering collaborate on compliance checkpoints. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Summarise decision rights: who approves exceptions, how often reviews occur, what evidence is logged; Highlight how legal, finance and engineering collaborate on compliance checkpoints; Share a governance calendar: Q1 risk committee + SOC 2 readiness review, Q2 audit committee + PCI scan, Q3 full board + cyber tabletop, Q4 certification renewals. On-screen text Map policies to governance expectations - Tie each policy to the board committee or advisor who sponsors it (e.g. audit, risk, security). - Summarise decision rights: who approves exceptions, how often reviews occur, what evidence is logged. - Highlight how legal, finance and engineering collaborate on compliance checkpoints. - Share a governance calendar: Q1 risk committee + SOC 2 readiness review, Q2 audit committee + PCI scan, Q3 full board + cyber tabletop, Q4 certification renewals. Slide 7: Evidence and metrics investors trust Narration Anna: Evidence and metrics investors trust focuses attention on a concrete part of the work. Share quarterly security posture reports, uptime SLAs achieved (99.5%+ is Series A table stakes, 99.9% a stretch goal), mean-time-to-recover trends, Bundle SOC 2 gap assessments, vulnerability remediation stats (e.g. 95% of critical vulns closed <14 days) and third-party attestations, and Pair qualitative narratives with dashboards so numbers land with context. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Bundle SOC 2 gap assessments, vulnerability remediation stats (e.g. 95% of critical vulns closed <14 days) and third-party attestations; Pair qualitative narratives with dashboards so numbers land with context; Show how risk registers flow into product and operations backlogs for execution. On-screen text Evidence and metrics investors trust - Share quarterly security posture reports, uptime SLAs achieved (99.5%+ is Series A table stakes, 99.9% a stretch goal), mean-time-to-recover trends. - Bundle SOC 2 gap assessments, vulnerability remediation stats (e.g. 95% of critical vulns closed <14 days) and third-party attestations. - Pair qualitative narratives with dashboards so numbers land with context. - Show how risk registers flow into product and operations backlogs for execution. Slide 8: Rehearse the diligence conversation Narration Anna: Rehearse the diligence conversation focuses attention on a concrete part of the work. Run a mock Q&A with advisors posing as investors; record it for coaching, Equip every exec with a "two-sentence answer + escalation" script for their domain—"Our incident response playbook assigns roles within 15 minutes, then hands to the CISO-led war room; want to see the drill notes?", and Prepare backup slides for deeper dives—architecture, vendor matrix, privacy controls. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Equip every exec with a "two-sentence answer + escalation" script for their domain—"Our incident response playbook assigns roles within 15 minutes, then hands to the CISO-led war room; want to see the drill notes?"; Prepare backup slides for deeper dives—architecture, vendor matrix, privacy controls; Log follow-ups immediately so nothing slips between meetings. On-screen text Rehearse the diligence conversation - Run a mock Q&A with advisors posing as investors; record it for coaching. - Equip every exec with a "two-sentence answer + escalation" script for their domain—"Our incident response playbook assigns roles within 15 minutes, then hands to the CISO-led war room; want to see the drill notes?". - Prepare backup slides for deeper dives—architecture, vendor matrix, privacy controls. - Log follow-ups immediately so nothing slips between meetings. Slide 9: Roles, traits and progression Narration Anna: Roles, traits and progression focuses attention on a concrete part of the work. Program manager / Chief of staff – orchestrates data room updates, keeps stakeholders aligned. Typical comp: $140k–$190k + equity at Series A/B, Security or compliance lead – translates questionnaires into actionable backlog items. Expect $160k–$210k, often paired with bonus tied to audit milestones, and Finance & RevOps partners – validate metrics and customer contract obligations; senior managers sit $130k–$170k with upside at close. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Security or compliance lead – translates questionnaires into actionable backlog items. Expect $160k–$210k, often paired with bonus tied to audit milestones; Finance & RevOps partners – validate metrics and customer contract obligations; senior managers sit $130k–$170k with upside at close; Thrives on diplomacy, attention to detail and appetite for structured storytelling. On-screen text Roles, traits and progression - Program manager / Chief of staff – orchestrates data room updates, keeps stakeholders aligned. Typical comp: $140k–$190k + equity at Series A/B. - Security or compliance lead – translates questionnaires into actionable backlog items. Expect $160k–$210k, often paired with bonus tied to audit milestones. - Finance & RevOps partners – validate metrics and customer contract obligations; senior managers sit $130k–$170k with upside at close. - Thrives on diplomacy, attention to detail and appetite for structured storytelling. - Career paths lead to VP Operations, Head of Trust & Safety or venture portfolio advisor roles. - Map progression milestones (owning first diligence cycle, leading certification renewals, joining board meetings) so the team sees a runway. Slide 10: Legal and regulatory readiness Narration Anna: Legal and regulatory readiness focuses attention on a concrete part of the work. Catalogue applicable regulations early: GDPR/UK GDPR, CCPA/CPRA, HIPAA or SOC 2 depending on vertical, Document lawful bases for processing, data retention standards and DPA coverage for every critical vendor, and Show international scaling awareness—data residency in the EU, onshore support SLAs for APAC, breach notification variations. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Document lawful bases for processing, data retention standards and DPA coverage for every critical vendor; Show international scaling awareness—data residency in the EU, onshore support SLAs for APAC, breach notification variations; Partner legal and security leads on a quarterly compliance checkpoint so surprises surface before term sheet negotiations. On-screen text Legal and regulatory readiness - Catalogue applicable regulations early: GDPR/UK GDPR, CCPA/CPRA, HIPAA or SOC 2 depending on vertical. - Document lawful bases for processing, data retention standards and DPA coverage for every critical vendor. - Show international scaling awareness—data residency in the EU, onshore support SLAs for APAC, breach notification variations. - Partner legal and security leads on a quarterly compliance checkpoint so surprises surface before term sheet negotiations. Slide 11: Timeline and critical path Narration Anna: Timeline and critical path focuses attention on a concrete part of the work. Typical diligence cycles span 6–10 weeks from data room access to close; plan backward from your cash runway, Week 1–2: data room review and follow-up questions; Week 3–5: deep dives with functional leaders; Week 6–8: confirmatory audits and customer calls, and Highlight dependencies—SOC 2 Type II report delivery, customer reference availability, legal opinion drafting. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Week 1–2: data room review and follow-up questions; Week 3–5: deep dives with functional leaders; Week 6–8: confirmatory audits and customer calls; Highlight dependencies—SOC 2 Type II report delivery, customer reference availability, legal opinion drafting; Maintain a RAID log so risks, assumptions, issues and decisions stay visible to executives and investors. On-screen text Timeline and critical path - Typical diligence cycles span 6–10 weeks from data room access to close; plan backward from your cash runway. - Week 1–2: data room review and follow-up questions; Week 3–5: deep dives with functional leaders; Week 6–8: confirmatory audits and customer calls. - Highlight dependencies—SOC 2 Type II report delivery, customer reference availability, legal opinion drafting. - Maintain a RAID log so risks, assumptions, issues and decisions stay visible to executives and investors. Slide 12: Case study: NimbusPay Series A Narration Anna: Case study: NimbusPay Series A focuses attention on a concrete part of the work. Day 0: pre-seeded data room with 120 curated artifacts, ownership tracker in Notion, Day 14: investors flagged MFA gaps; remediation plan committed to 100% hardware keys in 45 days with $15k budget, and Day 35: cross-border payroll expansion triggered GDPR transfer impact assessment and Canadian PIPEDA review. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Day 14: investors flagged MFA gaps; remediation plan committed to 100% hardware keys in 45 days with $15k budget; Day 35: cross-border payroll expansion triggered GDPR transfer impact assessment and Canadian PIPEDA review; Day 52: diligence closed after mock board review confirmed policy-to-governance alignment and incident drill readiness. On-screen text Case study: NimbusPay Series A - Day 0: pre-seeded data room with 120 curated artifacts, ownership tracker in Notion. - Day 14: investors flagged MFA gaps; remediation plan committed to 100% hardware keys in 45 days with $15k budget. - Day 35: cross-border payroll expansion triggered GDPR transfer impact assessment and Canadian PIPEDA review. - Day 52: diligence closed after mock board review confirmed policy-to-governance alignment and incident drill readiness. Slide 13: Red flags hall of fame (and fixes) Narration Anna: Red flags hall of fame (and fixes) focuses attention on a concrete part of the work. "Security lead" is a contractor 5 hours/week → solution: interim virtual CISO backed by engineering manager accountable for controls, No incident response drill since founding → schedule tabletop within 30 days, document after-action and add to board pack, and Customer data stored in shared S3 bucket with ex-employee access → run access audit, enable object lock, revoke stale keys same week. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: No incident response drill since founding → schedule tabletop within 30 days, document after-action and add to board pack; Customer data stored in shared S3 bucket with ex-employee access → run access audit, enable object lock, revoke stale keys same week; Legal can't articulate data residency commitments → map contractual obligations, document sub-processors, update privacy notice. On-screen text Red flags hall of fame (and fixes) - "Security lead" is a contractor 5 hours/week → solution: interim virtual CISO backed by engineering manager accountable for controls. - No incident response drill since founding → schedule tabletop within 30 days, document after-action and add to board pack. - Customer data stored in shared S3 bucket with ex-employee access → run access audit, enable object lock, revoke stale keys same week. - Legal can't articulate data residency commitments → map contractual obligations, document sub-processors, update privacy notice. Slide 14: Resources and templates Narration Anna: Resources and templates focuses attention on a concrete part of the work. Diligence tracker template: executive owner matrix + follow-up SLA checklist, Recommended tools: Tugboat Logic or Drata for control evidence, Notion/Confluence for playbooks, Vanta-style dashboards for KPIs, and Reading list: NIST CSF profiles for startups, AICPA SOC 2 implementation guide, "Secure SaaS" podcast episodes 12–15. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Recommended tools: Tugboat Logic or Drata for control evidence, Notion/Confluence for playbooks, Vanta-style dashboards for KPIs; Reading list: NIST CSF profiles for startups, AICPA SOC 2 implementation guide, "Secure SaaS" podcast episodes 12–15; Share a partner directory (fractional CFOs, privacy counsel, IR advisors) to scale support as demands grow. On-screen text Resources and templates - Diligence tracker template: executive owner matrix + follow-up SLA checklist. - Recommended tools: Tugboat Logic or Drata for control evidence, Notion/Confluence for playbooks, Vanta-style dashboards for KPIs. - Reading list: NIST CSF profiles for startups, AICPA SOC 2 implementation guide, "Secure SaaS" podcast episodes 12–15. - Share a partner directory (fractional CFOs, privacy counsel, IR advisors) to scale support as demands grow. Slide 15: Key takeaways Narration Anna: [analytical] Series A partners now assume you've got discipline around finance, security and customer retention. Greg: When they ask, "Show me your churn cohorts and your incident history," they're testing whether growth has guardrails. Anna: That pivot from pipeline to pen tests is their way of confirming discipline, so the fastest way to erode confidence is to stall or improvise—every "let me get back to you" adds friction to the deal. Greg: That’s why we start aligning evidence months before the outreach email ever hits an investor’s inbox. On-screen text Key takeaways - Start gathering evidence six months before you fundraise; aim for annual-physical calm, not emergency-room chaos. - Treat the data room as a living product with owners, release notes and guardrails. - Red flags are inevitable—own them, show remediation progress and connect it to board oversight. - Investor confidence grows when policies, metrics and narratives reinforce one another.