Startup Compliance Timeline: What to do as you grow

What this is: A simple roadmap covering only the compliance actions a startup needs as it grows.

How to use it: Move forward when you hit the business gate (e.g., first paid pilot), not a calendar date.

Quick Jargon Decoder (you’ll see these terms)

  • Privacy Notice: A public page that says what data you collect, why, and people’s choices.

  • DPA (Data Processing Agreement): Contract with a vendor who handles your customer data.

  • DSAR (Data Subject Access Request): A way for people to ask for, correct, or delete their data.

  • Cookie Consent: The pop‑up/controls for tracking on your site, required in some places.

  • SOC 2: A security audit framework many bigger customers expect.

  • SCCs/UK IDTA + TIA: Standard EU/UK forms and a short risk write‑up that allow sending data to other countries (like the US).

Typical Timing Bands

These bands are flexible. The months and years below are an average example only; the milestones are event-bound, not a firm timeline.

Months 0–1: Formation

Months 1–3: Pre‑MVP

Months 3–6: MVP Build

Months 6–9: Private Beta

Months 9–12: Public Launch

Years 1–1.5: Early Traction

Years 1.5–2: Enterprise‑Ready

Years 2–3: Scale & International Expansion

Stages with Plain‑English Compliance Actions

0) Formation (Pre‑seed): Company created, founders aligned

Do now:

  • Put IP and confidentiality in writing between founders/contractors.

  • Pick your main data home (cloud region) and avoid collecting sensitive data unless truly needed.

  • Start a simple Data Map: what you’ll collect, why, where it lives, who you share it with.

  • Open a folder called “Compliance Evidence” to save docs/screenshots as you go.

  • Make a basic vendor list (hosting, analytics, email); confirm they offer DPAs and have basic security.

Advance when: Company is formed, IP assigned, and a one‑page Data Map exists.

1) Pre‑MVP (Design‑partner recruiting): You’re lining up early users

Do now:

  • Decide your no‑go data (e.g., kids’ data, health data) until you’re ready for it.

  • List your key vendors and make sure they’ll sign DPAs; note where they store data.

  • Set retention defaults (e.g., delete trial data after 90 days; logs after 12 months unless needed).

  • Draft the Privacy Notice and Terms (simple, honest language is fine at this stage).

  • Sketch your consent plan for email/SMS (collect opt‑ins; make unsubscribe/STOP easy).

Advance when: “No‑go” data rules are set, vendors identified, retention chosen, and policy drafts exist.

2) MVP Build (Demo‑ready): Product is taking shape

Do now:

  • Turn on basics buyers expect: encrypted traffic, role‑based access, two‑factor login for staff, backups, and activity logs.

  • Build consent & preferences into the product/website; keep timestamped records.

  • Make a quick cookie list (what tools set cookies) and plan a banner if you’ll have EU/UK users.

  • Write a one‑page incident plan: who does what if something goes wrong.

Advance when: Security basics work, policies are ready to publish, and you know how consent/cookies will work.

3) Private Alpha/Beta (Paid pilot / LOI): Real users, small scale

Do now:

  • Sign DPAs with your vendors; keep a list of their sub‑processors.

  • Turn on a DSAR inbox (email or form) and reply within ~30 days; include a simple identity check.

  • Run a 30‑minute tabletop drill for incidents; note who informs users/partners and who fixes.

  • If you target EU/UK users or monitor behavior there, do a quick risk check (DPIA threshold) and note the result.

  • Limit data in tests; confirm you can delete test accounts cleanly.

Advance when: DPAs are signed, DSAR intake works, incident drill is done, and (if relevant) EU/UK risk check is recorded.

4) Public Launch (Marketing go‑live): Anyone can sign up

Do now:

  • Publish your Privacy Notice, Terms, and Cookie Policy; link them in the site footer/app settings.

  • Switch on cookie consent where required (especially for EU/UK visitors) and make choices easy to change.

  • Capture consent and unsubscribe/STOP events and keep the logs.

  • Check marketing claims (fair, clear, not misleading) and include any required disclosures.

  • Put a DSAR page and privacy contact on your site.

  • Security hygiene: centralize logs, test backups, and use MFA/SSO for admin access.

Advance when: Policies are live, consent/cookies work by region, and you can produce DSAR/consent logs on request.

5) Early Traction (First 10–50 customers / $100k–$500k ARR): Proving reliability

Do now:

  • Build a Trust Pack you can share with buyers: data map, sub‑processors, security summary, incident plan, uptime/backup notes, and DSAR metrics.

  • Do basic vendor due diligence (why you chose each, links to their security pages/attestations).

  • Start SOC 2 readiness: pick scope, list controls with owners, and make a 90‑day plan.

  • Finalize a simple retention schedule and turn on periodic deletion where possible.

  • Do short privacy & security training for staff and log completions.

Advance when: Trust Pack is ready to send, SOC 2 plan exists with owners/dates, and retention/training are running.

6) Enterprise‑Ready (First enterprise logo / Seed→Series A): Bigger buyer due‑diligence

Do now:

  • Run a penetration test or vulnerability scan and track fixes.

  • Finalize customer DPAs and any security/privacy addenda.

  • If data crosses borders, put in place SCCs/UK IDTA and a short TIA (risk note).

  • Prepare standard questionnaire responses (RFP, SIG, CAIQ) and name a single POC.

  • Add specialty addenda if needed (e.g., BAA for HIPAA‑covered work).

Advance when: First enterprise security review passes and cross‑border paperwork is in place.

7) Scale & International Expansion (>$1–3M ARR / EU/UK entry): Make it durable

Do now:

  • Keep records of processing up to date; review access rights quarterly.

  • Run a quarterly risk & policy refresh; keep a training log.

  • For EU/UK: appoint a local representative if required; check if you need a DPO; localize notices/consent; align cookie banner.

  • Move from SOC 2 Type 1 → Type 2; consider a light bug bounty.

  • Formalize third‑party risk checks for new vendors.

Advance when: You have a steady governance rhythm and outside audits don’t require a scramble.

Minimal Evidence to Keep (ideally in one place):

  • Policies (versioned)

  • Data map & sub‑processors

  • Consent/cookie logs

  • DSAR tracker

  • Incident/breach playbook + tabletop notes

  • Security controls summary

  • Pen‑test/vuln scan summary

  • Transfer addenda (SCCs/IDTA/TIA)

  • Training logs

  • Marketing claim substantiation

“Advance When” Triggers

  • Paid pilots starting → DPAs; DSAR inbox; incident plan tested.

  • Public marketing → Notices live; consent/cookies on; claims reviewed.

  • Enterprise inquiry → Trust Pack ready; SOC 2 plan started; pen‑test scheduled.

  • EU/UK users or vendors → SCCs/IDTA/TIA, localized cookie banner, rep/DPO assessed.

How Aetos Helps

  • Formation & Pre‑MVP consult: data map, vendor/DPA checklist, “no‑go” data rules.

  • Launch Pack: policies, consent/cookies, DSAR, incident plan, marketing checks.

  • Trust Pack + Enterprise Prep: questionnaires, SOC 2 roadmap, pen‑test coordination.

  • EU/UK: counsel introductions; transfer tooling (SCCs/UK IDTA) and localization.

  • Liquidity readiness evaluations & support.