You have a term sheet. Your lead investor has sent the due diligence request list. Item 12: "Open source software compliance documentation, including a complete inventory of all third-party software used in the product and applicable licenses."
If you are reading this before fundraising, you have time to do this right. If you are reading this after the request arrived, you have 48 hours to produce the documentation. Either way, this is the complete guide to what an open source audit for Series A due diligence requires — and how to get investor-ready output before the deadline.
Open source audits are now standard practice at Series A. According to legal teams at growth-stage VC funds, IP due diligence — including open source license review — is conducted for 100% of deals at or above $5M check size. An unclean IP audit delays term sheets, creates representations and warranties exposure, and in some cases triggers purchase price adjustments or deal breaks.
Why Open Source IP Due Diligence Matters at Series A
Before fundraising, your IP is typically your most valuable asset. For a tech startup, your IP is primarily your code, your data, and your IP registrations. The open source components in your codebase are third-party IP — and the licenses governing those components determine what you can do with your product commercially.
Investors acquiring equity in your company are, in effect, acquiring a share of that IP. Before they close a deal, they need to confirm:
- That your company actually owns (or has the right to use) the code in its product
- That open source components do not trigger obligations that impair your commercial model
- That the IP is clean enough to support the representations and warranties in the investment agreement
When a startup cannot produce open source compliance documentation, two things happen: the due diligence process extends (costing time and money), and the representations and warranties in the deal become more heavily negotiated (increasing post-close liability exposure).
What VC Legal Teams Actually Check in an Open Source Audit
Based on the IP due diligence requests we have reviewed from US and European venture funds investing in LATAM companies, the standard open source review covers the following areas. This is not a theoretical checklist — it is what the emails from fund counsel actually request:
1. License Inventory
A complete list of all open source components used in the product, including their version numbers and associated licenses. This should cover direct dependencies and, increasingly at larger check sizes, transitive dependencies.
2. Copyleft License Analysis
Identification of any components licensed under GPL v2, GPL v3, AGPL v3, or other copyleft licenses, and an analysis of whether and how the copyleft conditions are triggered by the startup's use of those components. This is where the majority of material findings occur.
3. License Compatibility Review
A review of whether the licenses in the codebase are compatible with each other and with the startup's proprietary licensing model. Specific flags: Apache 2.0 + GPL v2 mixing; AGPL in SaaS products; multiple conflicting copyleft licenses.
4. Attribution Compliance
Confirmation that required attribution notices are included in distributions or product interfaces as the applicable licenses require. MIT and Apache 2.0 both require attribution; failure to comply is a breach of the copyright license.
5. IP Assignment Verification
Review of IP assignment agreements with all founders, employees, and contractors to confirm that all code contributed to the product has been properly assigned to the company. Open source license compliance is irrelevant if the company does not own the proprietary code around it.
6. Proprietary Code Confidentiality
Confirmation that proprietary source code has not been inadvertently exposed in public repositories or committed to open source projects without appropriate license controls.
| Audit Area | What Investors Want | Common Finding |
|---|---|---|
| License Inventory | Complete list with SPDX identifiers | No inventory exists; only direct deps listed |
| GPL/AGPL Analysis | Clear analysis of copyleft exposure | Transitive GPL dependency not identified |
| License Compatibility | No incompatible combinations | Apache 2.0 + GPL v2 in same compiled output |
| Attribution | NOTICES file or equivalent | No attribution file exists for 200+ packages |
| IP Assignment | Signed agreements for all contributors | Contractor agreements lack IP assignment clause |
| Secret Code Exposure | No proprietary code in public repos | .env or API keys committed to public GitHub repo |
The Complete Open Source Audit Checklist for Series A
Block 1: Dependency Inventory
- All manifest files identified (package.json, requirements.txt, pom.xml, Gemfile, go.mod, etc.)
- Full transitive dependency tree constructed and exported
- Each package matched against SPDX license database
- License versions recorded (GPL v2 vs v3 is material)
- Multi-license packages identified (some packages carry multiple licenses)
Block 2: Copyleft Analysis
- All GPL v2, GPL v3, AGPL v3, LGPL, MPL, EUPL, CC-BY-SA components identified
- Linkage analysis performed for each copyleft component (static vs dynamic, network use)
- AGPL components reviewed for SaaS trigger applicability
- GPL v2 components checked for Apache 2.0 mixing conflicts
- Dual-licensed components flagged (commercial license may be available)
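As an added example (not LexMap's scanner or any project's code), the following Python applies the Block 1 and Block 2 checks to a constructed component inventory: it tiers SPDX identifiers, applies the AGPL network-use trigger, rates GPL differently for distributed versus SaaS-only products, flags dual-licensed and transitive packages, and detects GPL-2.0-only mixed with Apache-2.0. The Red/Amber/Green mapping, the tier tables and the package names are assumptions made for the illustration.

```python
from dataclasses import dataclass
# SPDX identifier tiers used by the checks below (assumed subset; extend as needed)
STRONG = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EUPL-1.2", "CC-BY-SA-4.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

@dataclass
class Component:
    name: str
    version: str
    license: str         # SPDX expression; "A OR B" marks a dual-licensed package
    direct: bool = True  # False = transitive (pulled in by another dependency)

def rate(comp, distributed):  # distributed=False means SaaS only, nothing shipped
    choices = [c.strip() for c in comp.license.split(" OR ")]
    if len(choices) > 1 and any(c in PERMISSIVE for c in choices):
        return "Amber", "dual-licensed: elect and record the permissive option"
    lic = choices[0]
    if lic in NETWORK:
        return "Red", "AGPL: network use triggers copyleft; isolate or license commercially"
    if lic in STRONG:
        return ("Red", "GPL in distributed software: combined work must be released") \
            if distributed else ("Amber", "GPL: no distribution, but confirm linkage")
    if lic in WEAK:
        return "Amber", "weak copyleft: static vs dynamic linkage analysis required"
    if lic in PERMISSIVE:
        return "Green", "permissive: attribution notice required"
    return "Red", "unrecognized license identifier: manual review"

def audit(components, distributed):  # per-component ratings plus codebase-wide conflicts
    findings = []
    for c in components:
        rating, why = rate(c, distributed)
        if not c.direct:
            why += " (transitive: engineering may not know it is present)"
        findings.append((c.name, c.version, c.license, rating, why))
    present = {c.license for c in components}
    conflicts = []
    # Apache-2.0 is compatible with GPLv3 but not with GPL-2.0-only (Block 2, item 4)
    if "GPL-2.0-only" in present and "Apache-2.0" in present:
        conflicts.append("GPL-2.0-only and Apache-2.0 in the same codebase")
    return {"findings": findings, "conflicts": conflicts}

# Constructed sample inventory (made-up package names, not real projects)
SAMPLE = [
    Component("acme-web", "4.2.0", "MIT"),
    Component("acme-http", "1.9.3", "Apache-2.0"),
    Component("acme-termio", "2.1.0", "GPL-2.0-only", direct=False),
    Component("acme-graphdb", "5.0.1", "AGPL-3.0-only"),
    Component("acme-codec", "3.2.0", "MIT OR GPL-2.0-only"),
]
```

Running `audit(SAMPLE, distributed=False)` on the SaaS case rates the transitive GPL-2.0-only package Amber and the AGPL package Red, and reports the GPL-2.0-only plus Apache-2.0 conflict; the same inventory with `distributed=True` turns the GPL package Red.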
Block 3: Proprietary Code Review
- GitHub/GitLab repository history reviewed for accidentally exposed secrets or credentials
- No proprietary business logic committed to public repositories without license
- All contractor-written code reviewed for third-party copyright claims
- No GPL code copied into proprietary modules
Block 4: IP Assignment Documentation
- IP assignment agreements signed by all founders
- Employment agreements include IP assignment clause for all current employees
- Contractor agreements include explicit IP assignment clause (work-for-hire is insufficient in many LATAM jurisdictions)
- No outstanding claims from former employees or contractors on contributed code
Block 5: Attribution Compliance
- NOTICES file or license credits page exists and covers all MIT/Apache 2.0 components
- Apache 2.0 NOTICE files from upstream projects included where required
- Attribution accessible to users (in app, documentation, or distribution)
Open Source Findings That Kill or Delay Series A Deals
Finding #1 — AGPL in core SaaS product: An AGPL-licensed component in the startup's backend with no commercial license and no architectural isolation. This triggers an obligation to publish the combined work's source code to users. Investors treat this as material IP encumbrance. Deal impact: conditional close or purchase price adjustment.
Finding #2 — GPL v3 in proprietary mobile app: A GPL v3-licensed library statically linked into a distributed mobile application. GPL v3's copyleft applies to distributed software. The startup would be required to release the app's source code under GPL v3. Deal impact: delayed close pending remediation, legal representation required.
Finding #3 — Missing IP assignments from contractors: Two of the startup's core modules were written by contractors in Argentina under service agreements that did not include IP assignment clauses. Under Argentine law (Ley 11.723), copyright in works created by independent contractors may remain with the contractor absent a specific written assignment. Deal impact: title defect requiring remediation before close.
LATAM-Specific Due Diligence Issues
For startups with engineering teams in Argentina, Brazil, or Mexico, standard open source due diligence includes LATAM-specific issues that US or European companies may not have encountered:
IP Assignment Under Argentine Law
Under Ley 11.723, independent contractors in Argentina retain copyright in their work unless there is an explicit written assignment. A service agreement that says "work product belongs to the client" may not be sufficient — the assignment of moral rights (derechos morales) is heavily restricted under Argentine law. Best practice: a separate, explicit IP assignment agreement for each contractor engagement, governed by Argentine law, signed at the start of the engagement.
IP Assignment Under Brazilian Law
Brazilian copyright law (Lei 9.610) similarly protects authors' moral rights. Assignments of economic rights are permitted but must be explicit and written. Contractors in Brazil do not automatically assign IP to the contracting company. An IP audit for a company with Brazilian contractors should review all contractor agreements for explicit economic rights assignments.
Free and Open Source Software in Mexico
Mexico's Ley Federal del Derecho de Autor (LFDA) and Ley de la Propiedad Industrial govern software IP. US/EU investors conducting due diligence on startups with Mexican engineering teams will check that contractor agreements include IP assignment provisions compliant with Mexican law.
Timeline and Process: Getting Series A–Ready in 48 Hours
The LexMap GitHub IP Audit Pro ($499) is designed to produce investor-grade open source compliance documentation within 48 hours. The process:
- Repository access: You provide read access to your GitHub/GitLab repositories (public or private).
- Automated scan + legal analysis: We run a full transitive dependency scan, license classification, and copyleft analysis.
- Findings review: Any material findings are reviewed by a lawyer. Minor findings (attribution gaps, etc.) are documented directly.
- Report delivery: A PDF report with: complete license inventory, risk classification (Red/Amber/Green), remediation plan for each Red/Amber finding, and investor-ready summary page.
- Follow-up: One round of questions from your legal team or the investor's counsel included.
Fixed price at $499. 48-hour delivery. Covers unlimited repositories. The output is designed to be shared directly with your investor's legal team as part of the due diligence data room. Get your report before fundraising, not during it.
Frequently Asked Questions
When in the Series A process should we do an open source audit?
Ideally, before you begin substantive conversations with investors — specifically before you share a data room. Having investor-ready open source compliance documentation in the data room from day one signals IP maturity and prevents the due diligence process from stalling at the IP review stage. If you are already in term sheet negotiations, the audit should be completed immediately — before the investor's legal team commences their own scan. Getting your audit before fundraising means you control the narrative; getting it after means you are reacting to their findings.
What is the most common serious finding in open source audits for LATAM startups?
Based on our experience, the most common material finding is a combination of two issues: (1) missing IP assignment agreements for contractor-written code, particularly for contractors in Argentina or Brazil where copyright defaults favor the author rather than the client; and (2) a GPL or AGPL component in the dependency tree that was introduced as a transitive dependency and was never known to the engineering team. Both are fixable — but both require time. Doing the audit before fundraising gives you that time.
Does the GitHub IP Audit cover private repositories?
Yes. The GitHub IP Audit Standard ($299) covers public and private repositories. The Pro tier ($499) covers the full codebase including contractor-contributed code, performs a deeper analysis of all findings, and includes the investor-ready summary page and one round of Q&A support for your legal team or the investor's counsel. For Series A due diligence, the Pro tier is the appropriate product.
What laws apply to open source compliance in Brazil, Argentina, and Mexico?
Open source licenses are copyright licenses. In Brazil, copyright is governed by Lei 9.610 and software IP by Lei 9.279. In Argentina, by Ley 11.723. In Mexico, by the Ley Federal del Derecho de Autor. All three jurisdictions also apply the TRIPS Agreement (WTO), which establishes baseline international IP protections. The GPL, MIT, and Apache 2.0 licenses are all enforceable as copyright licenses in each of these jurisdictions.
Get Series A–Ready Before Fundraising
The GitHub IP Audit Pro ($499) delivers a complete open source compliance report — license inventory, copyleft analysis, IP assignment review, and investor-ready summary — in 48 hours. Fixed price. Designed for Series A data rooms.