Due Diligence

Founder Vetting before Series A: The Due Diligence Guide for VCs

April 24, 2026

You can sign a term sheet in 48 hours. A bad hire at the top of a portfolio company costs the fund not only the money invested, but also its reputation with limited partners. Yet a significant share of European venture capital funds still assess founding teams largely on the basis of LinkedIn profiles, reference calls within their network, and the assumption that reputable co-investors have already done the diligence properly. That is not an operational due diligence regime — it is mutual trust among institutional investors, with all the risks that premise brings.

This guide is intended for general partners, investment managers, and associates who want to move founder vetting from an informal networking exercise into a robust, documented, GDPR-compliant process — before signing the term sheet, not after.

Why founder vetting belongs on the investment committee agenda

In recent years, the venture industry has seen several cases where established funds allocated capital to companies whose founder or C-level history would have shown identifiable warning signs in a structured people-level DD. Theranos, FTX, Wirecard, and several European unicorns from the late 2010s left a clear lesson: pattern recognition across prior insolvencies, shareholder disputes, regulatory investigations, and adverse media is rarely a single clear signal, but a puzzle that only becomes visible through systematic research.

HireRight documented in a global 2017 study that 77% of all background checks conducted uncover at least one undisclosed discrepancy — from qualifications and employment history to legal incidents. PwC reports in the Global Economic Crime Survey 2024 that 46% of European companies became victims of economic crime within 24 months, with internal actors involved in a significant minority of cases. These figures come from the corporate context, but they transfer directly to the venture world: the founders who raise €5 million in seed capital today are tomorrow’s executive leadership.

Kienbaum estimates the cost of a bad hire in leadership roles at 1.5 to 3 times annual salary. In venture, that metric understates the issue: the misallocation does not hit the salary budget, but the entire investment thesis, co-investors’ appetite for follow-on funding, and the fund’s standing relationship with its LPs.

The difference between classic legal DD and individual DD

Classic legal due diligence in a Series A typically reviews four categories: corporate housekeeping (cap table, articles of association, shareholder resolutions), material contracts (customer, supplier, and license agreements), IP ownership (inventor agreements, domain registrations, open-source compliance), and, where relevant, tax and employment. At the fund level, KYC is added — meaning the identification of the beneficial owners of the fund vehicle itself, driven by anti-money laundering rules and the requirements of the fund’s custodian bank.

What this standard framework misses is the operational review of the people who will later manage the money. Individual DD covers what legal DD cannot structurally cover:

  • Identity verification: Does the person actually exist under the stated name, date of birth, and place of residence? For international founding teams with moves between the DACH region, the UK, and offshore jurisdictions, that is not a trivial question.

  • Qualification verification: Are the claimed university degrees, employers, and roles verified, or are they based solely on self-reporting in the pitch deck?

  • Insolvency and restructuring history: Has the person been a managing director of a company that was insolvent or entered insolvency within the last ten years? Are there personal consumer insolvencies, affidavits, or enforceable judgments?

  • Sanctions lists and politically exposed persons: Is the person or a close relative listed on EU, OFAC, UK HMT, or SECO sanctions lists? Under the relevant anti-money laundering rules, is the person classified as a PEP?

  • Adverse media: Is there coverage in local, trade, or financial press pointing to fraud, misconduct, criminal investigations, or civil proceedings?

  • Litigation history: Has the person been named as a defendant in material civil, commercial, or employment proceedings?

  • Conflict-related holdings: Does the person directly or indirectly hold shares in competitors, customers, suppliers, or supposedly independent advisors of the target company?

Only these seven dimensions together produce a usable person profile. Each one on its own — for example, an isolated sanctions hit — tells you very little unless it is placed in the full context.

The hierarchy of review depth: what, when, why

Venture funds work with tight deal timelines. An unstructured approach that reviews every founder to the same depth is not sustainable in practice and is not economically justified either. A pragmatic hierarchy looks like this:

| Investment stage | Depth of review | Focus |
|---|---|---|
| Pre-seed / angel round | Basic | Identity, qualifications, sanctions, insolvency |
| Seed | Standard | In addition: adverse media, litigation, shareholdings |
| Series A | Enhanced | All seven dimensions, extended to co-founders, CTO, CFO |
| Series B and beyond | Institutional | Full C-level coverage, board candidates, key employees |

From Series A onward, the stakes are high enough that a superficial review no longer passes as diligence toward the LPs. By this point at the latest, individual DD should be a documented, repeatable process — not the investment director’s gut feeling.

The 72-hour workflow for pre-closing DD

In practice, founder vetting does not usually fail because it is not worthwhile; it fails because it cannot be completed in the 72-hour window between term sheet and closing. That is not due to the complexity of the review itself, but to organizational fragmentation: three law firms, two data providers, manual consolidation in Excel.

A workable 72-hour workflow looks structurally different:

  1. Hour 0 to 4 — Consent and data collection: The fund has the founder or founders sign a GDPR-compliant consent statement that clearly sets out the scope of the review, the sources to be consulted, and the retention periods. In parallel, ID, proof of residence, CV, and certificates are uploaded.

  2. Hour 4 to 24 — Automated database checks: Identity, sanctions lists (EU Consolidated List, OFAC SDN, UK HMT, SECO), PEP status, insolvency register checks (DE: insolvency notices under Section 9 InsO; CH: SHAB; AT: Ediktsdatei), commercial register extracts in all relevant jurisdictions, and adverse media screening via Moody's, LexisNexis, or comparable sources.

  3. Hour 24 to 48 — Manual review and escalation: Every match from the automated phase is manually verified. False positives caused by identical names are removed. Genuine hits are condensed into a qualified report that separates facts, context, and risk assessment.

  4. Hour 48 to 72 — Investment committee memo: The finished report goes into the IC pack, including a clear recommended action (green: no findings; yellow: findings that need clarification; red: material red flags requiring an IC decision).

This workflow is realistic if data sources are consolidated in a single platform and consent is collected digitally. It is not realistic if each source is queried separately and the result is copied manually into a Word document.

Legal basis: why individual DD is GDPR-compliant

The key legal question for European VCs is: on what legal basis does a fund process personal data about founders before the investment is closed? The answer is Article 6(1)(f) GDPR — legitimate interests. The fund has a legitimate, qualified interest in protecting the LP capital invested, and in a balancing test this will usually outweigh the data subject’s privacy interests, provided the review is proportionate and limited to its intended purpose.

In practical terms, a comprehensive review of the seven dimensions above before a Series A investment is legally permissible if (1) the founder is informed transparently about the review, (2) the data sources are reputable and proportionate, (3) data is not stored longer than necessary after completion, and (4) the founder can actually exercise their data subject rights (access, rectification, deletion). In addition, consent under Article 6(1)(a) GDPR is recommended as a belt-and-suspenders measure, especially for sensitive data such as health disclosures or criminal-record extracts.

Article 9 GDPR (special categories of personal data) must be considered as soon as data about criminal convictions is processed. Here, Article 10 GDPR applies: processing is permitted only under official supervision or on the basis of specific legal grounds. In practice, that means: no direct access to criminal records by the fund, but evaluation of publicly available judgments and media reports.

Red flags that are often overlooked

The obvious warning signs — an active sanctions hit, an ongoing criminal investigation, a recently opened personal insolvency — are found even in a superficial review. The more dangerous signals are the ones that slip through a cursory check:

  • Historical company dissolutions: A founder who served six years ago as managing director of an LLC that was struck off for insolvency no longer appears in the current commercial register extract. A full person scan across historical register data shows the event — a snapshot-based check does not.

  • Shareholder disputes: Civil cases between co-founders of previous companies, publicly documented in judgment databases, provide valuable clues about conflict behavior, governance capability, and integrity — long before the same patterns appear in the new company.

  • Adverse media from local press: National financial press covers prominent founders. What it does not cover: the local newspaper of a small town, where a founder was sued eight years ago over construction defects on a private property, or the trade journal that reported on internal disputes in a former industry association.

  • Offshore holdings: Direct or indirect holdings via vehicles in Jersey, the BVI, or Delaware are not visible in a purely German commercial register extract. International register aggregators and leak databases close this gap.

  • Spouses and close relatives: In most compliance regimes, PEP status, sanctions, and adverse media also extend to close family members and economically connected persons. Checking only the founder in isolation is not enough.

What applies in Switzerland, Austria, and across the EU?

Venture capital is cross-border, but due diligence follows national legal systems. The baseline is the GDPR, but three jurisdictions are worth a separate look.

Germany

The Federal Data Protection Act (BDSG) specifies the GDPR for the German context. Especially relevant for venture funds are Section 26 BDSG (where employment relationships are affected) and Section 31 BDSG on credit agencies. For insolvency matters, the source is the insolvency notices under Section 9 InsO, which can be searched publicly at insolvenzbekanntmachungen.de. Commercial register data is accessible via the central register portal of the federal states. For anti-money-laundering purposes, the Money Laundering Act (GwG) applies, especially Section 10 GwG (general due diligence obligations) and Section 11 GwG (identification).

Switzerland

Switzerland is not formally an EU member, but the revised Data Protection Act (revDSG) has been broadly GDPR-equivalent since September 2023. For venture reviews, three sources are relevant: the Swiss Official Gazette of Commerce (SHAB), which is the central source for commercial register and insolvency notices; the debt enforcement register at cantonal level (information with legal basis); and the sanctions lists of the State Secretariat for Economic Affairs (SECO). For regulated financial startups, FINMA also plays a role, in particular Article 3 BankG on the guarantee of proper business conduct, which requires fit-and-proper checks for managers in the context of banking and fintech licenses.

Austria

Austria implements the GDPR through the Data Protection Act (DSG). The central insolvency register is the Ediktsdatei (edikte.justiz.gv.at), and company register data is obtained via the Firmenbuch at the relevant regional court or through commercial aggregators. For asset managers and venture funds, the Alternative Investment Fund Managers Act (AIFMG) applies, which also requires reliability and expertise checks for management bodies and qualified owners.

Across the EU

At EU level, the GDPR provides the framework, supplemented by the anti-money-laundering directives (currently the 5th and 6th AMLD, and prospectively the AMLR/AMLD6 reform with a central EU supervisory authority, AMLA). For alternative investment funds, the AIFMD (Alternative Investment Fund Managers Directive) applies, implemented in Germany through the KAGB, in Austria through the AIFMG, and in Switzerland through the KAG. The AIFMD requires fund managers to have appropriate processes for assessing and monitoring the people who have significant influence over portfolio companies — a requirement that European VCs have so far treated rather lightly.

US practice vs. European reality

Top-tier US funds such as Sequoia, Benchmark, or Founders Fund have worked for years with dedicated compliance partners (Kroll, Control Risks, K2 Integrity) that conduct standardized integrity due diligence before significant investments. There, the workflow is part of the playbook, not an ad hoc decision by the individual partner.

In Europe, the picture is much more uneven. Some of the largest German-speaking funds do have such processes, but the majority of Series A tickets below €20 million still go through without standardized founder vetting. The reason is rarely ideological; it is structural: the cost of a full K2 Integrity investigation (typically €15,000 to €40,000 per person) is not proportionate for a €5 million seed round. That gap — institutional-grade quality at a price that scales proportionally with deal size — is exactly what automated, GDPR-native background-check platforms are meant to close.

Conclusion: from gut feeling to a documented process

Founder vetting is not a question of trust in founders, but of diligence toward the limited partners. A European Series A fund that writes tickets above €5 million and vets founding teams solely on network references will increasingly struggle to give defensible answers in the next LP due diligence, especially once AMLA and stricter AIFMD interpretations take hold.

The solution is not more effort per deal, but structurally better tools: GDPR-native platforms that bring Moody's and LexisNexis data sources into a consolidated 72-hour workflow, collect consent digitally, and deliver the review report to the investment committee in an audit-ready format. Indicium Technologies delivers exactly this infrastructure — for venture funds that want to bring their person-level due diligence up to institutional standards without sacrificing deal velocity.

Book a demo and see the workflow in an anonymized real-world example.

Nabil El Berr




Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
