IP Risk Scan for VC Portfolio Companies: Methodology
A structured IP risk scan for VC portfolio companies provides a standardized, repeatable assessment of the five core IP risk dimensions that affect LATAM startup valuations: code ownership, open source compliance, contractor classification, data protection, and trademark protection. Unlike bespoke IP due diligence that varies in scope and methodology between advisors, a standardized portfolio scan enables cross-portfolio comparison, risk concentration analysis, and consistent remediation tracking.
This guide describes LexMap's IP risk scan methodology — the assessment approach, the output format, the risk scoring framework, and the remediation priority system — so that VC funds evaluating the service understand exactly what they are purchasing and how the results should be interpreted.
Scan Scope and Input Requirements
The IP risk scan requires the following inputs from the portfolio company:
- Repository access — Read access to all production GitHub, GitLab, or Bitbucket repositories. The scan uses automated license analysis tools (FOSSA API or equivalent) to generate a complete dependency map without requiring manual code review.
- Contractor roster — A list of all current and former contractors who contributed to production code, with their jurisdiction, engagement start and end dates, and IP assignment status (signed/unsigned).
- Employee roster — A list of all current and former employees, with their jurisdiction and employment start dates, to verify statutory IP assignment coverage.
- Corporate documents — Standard incorporation documents, employment agreements (template), contractor agreement (template), and any existing IP assignment agreements.
- Trademark registration status — List of registered trademarks by jurisdiction, with registration numbers and renewal dates.
Scan Methodology
Step 1: Automated Dependency Analysis
Our automated tools scan all production repositories and generate a complete dependency graph including transitive dependencies. Each dependency is matched against the SPDX license database to identify its license. Dependencies are classified by risk tier: Permissive (MIT, Apache 2.0, BSD) — low risk, limited to notice and attribution obligations; Weak Copyleft (LGPL, MPL) — medium risk; Strong Copyleft (GPL v2, GPL v3) — high risk; Network Copyleft (AGPL v3) — critical risk for SaaS, because the source obligation is triggered by serving the software over a network, not only by distributing it. Dependencies whose license cannot be resolved (no SPDX identifier, or NOASSERTION in the package metadata) are escalated for manual review rather than treated as permissive.
Step 2: Code Ownership Assessment
We cross-reference the contractor and employee rosters against git commit history (using git log with author email matching) to identify which code was authored by whom. Author email is self-declared git metadata: unless commits are signed, it records who claimed authorship, not who proved it, so addresses that do not match the roster (including GitHub noreply addresses) are reported as unidentified rather than guessed. For each identified contributor, we assess IP assignment status based on the documents provided. The output is a code ownership map: percentage of production code clearly owned by the company vs. potentially contested.
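The two automated steps above, as an added worked example in Python. This is not LexMap's tooling; it shows the logic a scan of this kind has to get right: SPDX license expressions are tiered with SPDX precedence (WITH binds tighter than AND, which binds tighter than OR), so a dual-licensed "MIT OR GPL-2.0-only" package lands in the permissive tier while "Apache-2.0 AND GPL-3.0-or-later" lands in strong copyleft; and git author emails are bucketed against a roster without guessing at unmatched addresses. The SBOM entries, git log lines, roster, and the subset of SPDX identifiers in LICENSE_TIERS are all constructed for the example.

```python
"""Added example (not LexMap's code): tier SPDX license expressions from an
SBOM and map git author emails to an IP-assignment roster."""
import re
from collections import Counter

# Constructed subset of the SPDX license list; a real scan loads the full list.
LICENSE_TIERS = {
    "MIT": "permissive", "Apache-2.0": "permissive", "ISC": "permissive",
    "BSD-2-Clause": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1-only": "weak_copyleft", "LGPL-2.1-or-later": "weak_copyleft",
    "LGPL-3.0-only": "weak_copyleft", "MPL-2.0": "weak_copyleft",
    "GPL-2.0-only": "strong_copyleft", "GPL-2.0-or-later": "strong_copyleft",
    "GPL-3.0-only": "strong_copyleft", "GPL-3.0-or-later": "strong_copyleft",
    "AGPL-3.0-only": "network_copyleft", "AGPL-3.0-or-later": "network_copyleft",
}
# "unknown" is ranked above everything: an unresolved license is a review item,
# never a silent pass.
TIER_SEVERITY = {"permissive": 0, "weak_copyleft": 1, "strong_copyleft": 2,
                 "network_copyleft": 3, "unknown": 4}
SEVERITY_TIER = {v: k for k, v in TIER_SEVERITY.items()}


def _tier_of_id(lic: str) -> str:
    # "GPL-2.0-only WITH Classpath-exception-2.0": the exception narrows the
    # obligations, but tiering by the base license is the conservative choice.
    base = re.split(r"\s+WITH\s+", lic.strip("() "))[0]
    return LICENSE_TIERS.get(base, "unknown")


def classify_expression(expr: str) -> str:
    """Tier an SPDX expression without nested parentheses (assumed limitation).
    Split on OR first (lowest precedence): the licensee may take any OR
    alternative, so the least restrictive alternative wins; inside an
    alternative every AND term applies, so the most restrictive term wins."""
    if not expr or expr.strip() in ("NOASSERTION", "NONE"):
        return "unknown"
    alt_severity = []
    for alt in re.split(r"\s+OR\s+", expr.strip()):
        terms = re.split(r"\s+AND\s+", alt)
        alt_severity.append(max(TIER_SEVERITY[_tier_of_id(t)] for t in terms))
    return SEVERITY_TIER[min(alt_severity)]


def classify_sbom(packages: list) -> dict:
    """Map package name -> risk tier for SPDX-style package records."""
    return {p["name"]: classify_expression(p.get("licenseConcluded", ""))
            for p in packages}


def remediation_queue(tiers: dict) -> list:
    """Packages needing a remediation recommendation, worst first: strong and
    network copyleft plus unresolved licenses. Ties keep SBOM order."""
    return sorted((n for n, t in tiers.items() if TIER_SEVERITY[t] >= 2),
                  key=lambda n: -TIER_SEVERITY[tiers[n]])


def ownership_map(git_log: str, roster: dict) -> dict:
    """Bucket commits by ownership status from '<sha>|<author email>' lines,
    as produced by: git log --all --format='%H|%ae'.
    Assumption: employees are covered by statutory assignment, contractors
    only when their assignment is recorded as signed. Commit counts are a
    first cut; git blame --line-porcelain on the current tree measures the
    code that actually ships."""
    counts = Counter()
    for line in git_log.splitlines():
        if not line.strip():
            continue
        _sha, email = line.split("|", 1)
        person = roster.get(email.strip().lower())  # case-insensitive match
        if person is None:
            status = "unidentified"  # includes GitHub noreply addresses
        elif person["kind"] == "employee" or person["assignment"] == "signed":
            status = "owned"
        else:
            status = "contested"
        counts[status] += 1
    total = sum(counts.values()) or 1
    return {"counts": dict(counts),
            "percent": {k: round(100 * v / total, 1) for k, v in counts.items()}}


# Constructed sample inputs (package names, emails and roster are invented).
SAMPLE_SBOM = [
    {"name": "pkg-a", "licenseConcluded": "MIT"},
    {"name": "pkg-b", "licenseConcluded": "MIT OR GPL-2.0-only"},
    {"name": "pkg-c", "licenseConcluded": "LGPL-2.1-or-later"},
    {"name": "pkg-d", "licenseConcluded": "AGPL-3.0-only"},
    {"name": "pkg-e", "licenseConcluded": "NOASSERTION"},
    {"name": "pkg-f", "licenseConcluded": "Apache-2.0 AND GPL-3.0-or-later"},
    {"name": "pkg-g", "licenseConcluded": "GPL-2.0-only WITH Classpath-exception-2.0"},
]
SAMPLE_GIT_LOG = """\
a1|ana@example-startup.com
a2|ana@example-startup.com
a3|dev@freelance-example.com
a4|dev@freelance-example.com
a5|dev@freelance-example.com
a6|12345+ghost@users.noreply.github.com
a7|Bob@Contractor-Example.com
"""
SAMPLE_ROSTER = {
    "ana@example-startup.com": {"kind": "employee", "assignment": "statutory"},
    "dev@freelance-example.com": {"kind": "contractor", "assignment": "unsigned"},
    "bob@contractor-example.com": {"kind": "contractor", "assignment": "signed"},
}

if __name__ == "__main__":
    tiers = classify_sbom(SAMPLE_SBOM)
    print(tiers, remediation_queue(tiers))
    print(ownership_map(SAMPLE_GIT_LOG, SAMPLE_ROSTER))
```

On the sample data the remediation queue comes out as pkg-e (unresolved), pkg-d (AGPL), then pkg-f and pkg-g, and the ownership map reports 3 of 7 commits owned, 3 contested (the unsigned contractor) and 1 unidentified (the noreply address). A real scan replaces the constructed inputs with the FOSSA or SPDX export and the git log of each production repository.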
Step 3: Classification Risk Assessment
For each contractor relationship identified in the roster, we apply a jurisdiction-specific classification scoring tool. The tool assesses: duration of relationship, exclusivity indicators, tool provision, scope definition (deliverable vs. time), and integration into company operations (based on the description provided). Each relationship receives a risk score: Low (0-30), Medium (31-60), High (61-80), Critical (81-100). Critical relationships receive a quantified liability estimate.
Step 4: Data Protection Gap Assessment
We review the corporate documents and publicly available information to assess: LGPD/LPDP compliance documentation existence, DPA coverage for identified contractors, and privacy policy adequacy for the company's data processing activities. This is a document-level assessment, not a technical system audit — deeper LGPD compliance assessment requires access to system documentation and data processing records.
Step 5: Trademark Coverage Assessment
We verify trademark registration status in the company's operating markets using the LATAM IP office databases: INPI Argentina, INPI Brazil, and IMPI Mexico. We identify gaps between the company's operating footprint and its trademark protection coverage.
Output Format
The IP risk scan delivers a structured report with the following components:
- Executive Summary — Overall IP risk rating (Green/Yellow/Red) with a one-paragraph summary of the most significant findings and recommended priorities.
- Open Source Compliance Report — SBOM in SPDX format, risk-classified dependency list, and specific remediation recommendations for Critical and High-risk dependencies.
- Code Ownership Map — Percentage breakdown of production code by ownership status, list of IP assignment gaps with contractor identification, and retroactive assignment recommendation.
- Classification Risk Report — Risk scores for each contractor relationship, quantified liability estimates for High and Critical relationships, and recommended remediation approach.
- Data Protection Gap Report — Summary of LGPD/LPDP compliance documentation status and highest-priority gaps.
- Trademark Coverage Map — Visual map of trademark coverage vs. operating footprint, with priority filing recommendations.
- Remediation Priority List — Ranked list of all identified issues by severity, with estimated remediation cost and timeline for each.
Pricing and Delivery
The LexMap IP Risk Scan for VC portfolio companies is priced at $499 per company with 48-hour delivery for standard engagements. For funds engaging us for portfolio-wide coverage, multi-company pricing is available — contact us via WhatsApp or the meeting link below to discuss a fund-level engagement structure.
The GitHub IP Audit Standard ($299) provides a subset of the full scan — open source compliance and code ownership — for early-stage companies where a lighter-touch assessment is appropriate. The Full IP Due Diligence ($1,200) expands the scan to include a detailed legal opinion on identified risks and is appropriate for investments above $2M or for companies approaching Series A.
Frequently Asked Questions
How long does the IP risk scan take?
Standard delivery is 48 hours from receipt of all required inputs. Complex codebases (1,000+ dependencies) or large contractor rosters (50+ contractors) may require 72 hours. We confirm delivery timeline when inputs are received.
Does the scan require installing software in the portfolio company's systems?
No. The automated dependency analysis uses read-only repository access via GitHub, GitLab, or Bitbucket API tokens. No software installation is required in the portfolio company's systems. The token should be scoped to read-only contents on the repositories in scope only (a fine-grained or project-level token, not an account-wide one), given an expiry date, and revoked after scan completion.
Can the scan be used as a substitute for full legal due diligence?
The IP risk scan is a structured risk assessment, not a comprehensive legal opinion. It identifies and quantifies risk but does not constitute legal advice on every identified issue. For the largest investment decisions, Full IP Due Diligence ($1,200) — which includes attorney review and legal analysis of significant findings — provides a more comprehensive basis for investment decisions.
Scan Your Portfolio Now
VC Portfolio IP Risk Scan — $499/company. Full IP Due Diligence — $1,200. Fixed price. 48-hour delivery.
Related Resources
- VC Portfolio Legal Shield
- Pre-Due Diligence Checklist
- GitHub Dependency IP Risk Scanning
LATAM IP and Regulatory Resources
The following authoritative sources provide the legal and regulatory foundation for the topics covered in this guide. All LATAM jurisdictions are signatories to the WIPO treaties that form the international IP framework, and domestic laws implement TRIPS Agreement minimum standards.
- TRIPS Agreement — WTO — The foundational international IP agreement, administered by the World Trade Organization and binding all WTO member states, including Argentina, Brazil, Mexico, Colombia, Chile, and Peru.
- INPI Brazil — Brazil's National Institute of Industrial Property; administers software registration, patents, and trademarks under Lei 9.279/1996 and Lei 9.609/1998.
- INPI Argentina — Argentina's industrial property office; manages trademark and patent registration. Software is protected as a literary work under Ley 11.723, and its copyright registration is handled by the Dirección Nacional del Derecho de Autor (DNDA) rather than INPI.
- Open Source Initiative License List — Authoritative catalog of OSI-approved open source licenses including GPL v2, GPL v3, AGPL v3, MIT, and Apache License 2.0.
- SPDX License List — Machine-readable license identifiers used in Software Bill of Materials (SBOM) generation and CI/CD compliance tooling.
- IMPI Mexico — Instituto Mexicano de la Propiedad Industrial; administers patents and trademarks under the LFPPI.
For startups operating across LATAM, compliance with LGPD (Brazil), LPDP (Argentina — Ley 25.326), LFPDPPP (Mexico), and the TRIPS Agreement framework is not optional. Each framework creates distinct obligations that require jurisdiction-specific legal review. Our fixed-price audit packages provide this review with 48-hour delivery, so your team can move quickly without sacrificing legal certainty.
International IP Framework Validation in the Scan
A critical differentiator of LexMap's IP risk scan from generic software due diligence tools is the integration of LATAM legal analysis into the automated scanning results. Automated tools identify dependencies, licenses, and code authors — but they cannot assess whether a GPL v3 component creates a compliance obligation under Lei 9.610 (Brazil) vs. Ley 11.723 (Argentina), or whether a contractor's IP assignment is legally effective under the LFDA (Mexico) vs. Ley 23/1982 (Colombia).
The LexMap scan integrates automated tool outputs with LATAM IP law analysis to produce findings that are legally meaningful — not just technically accurate. The open source compliance findings reference the specific LATAM copyright statutes that make each identified license obligation enforceable. The contractor classification findings apply the specific national law test (CLT four-factor test for Brazil, Ley 20.744 subordination test for Argentina) rather than a generic misclassification framework that may not reflect LATAM legal standards.
The TRIPS Agreement compliance validation layer confirms that the identified IP rights are recognized in the international markets relevant to the fund. For US and EU investors, the TRIPS validation confirms that Brazilian Lei 9.609 software registrations and Argentine Ley 11.723 copyright protections are recognized in investor home jurisdictions under the national treatment principle of the Berne Convention as incorporated by TRIPS — enabling the fund to rely on LATAM IP documentation without requiring re-documentation under US or EU law. The WIPO treaty framework and the INPI Brazil, DNDA Argentina, and INDAUTOR Mexico registration systems provide the public record layer that completes the international enforceability chain.
The scan output is specifically designed for VC fund use in investment committee presentations and LP reporting. The executive summary risk rating (Green/Yellow/Red) provides an immediately comparable metric across portfolio companies. The detailed findings provide the legal basis for investment committee discussions about IP risk pricing — whether to proceed at the proposed valuation, request an indemnification escrow, require pre-close remediation, or adjust representations and warranties. The SPDX-format SBOM included in the scan output satisfies the growing investor expectation that software investments can demonstrate systematic open source compliance management. Contact us via WhatsApp at wa.me/5491133548803 to discuss a fund-level engagement structure that provides standardized IP risk scanning across your full LATAM portfolio at pre-negotiated fixed prices.