Data + IP protection
Updated 2026-04-18
Your data and IP are probably your most valuable assets and, in most small companies, your most poorly protected ones. A few hours of deliberate work at the right moments prevents years of pain later. The things to get right aren't complicated. They're just easy to defer until after something bad happens.
IP, what you actually own
In a normal company, your IP includes:
- Source code
- Product designs, specs, research
- Customer lists, sales playbooks, pricing data
- Trademarks, brand
- Trade secrets (internal processes, proprietary methods)
- Data you've collected
Whether you actually own all of it depends on whether the paper trail says so.
The foundational IP documents
1. IP assignment agreements
Every employee and contractor must sign an agreement assigning the IP they create to the company. Without one, the default rules can leave ownership with the person who created the work, and they can take it with them when they leave.
2. Contractor agreements (not handshakes)
Contractors are the highest-risk category. Freelancer wrote a feature? Without signed IP assignment, you might not own it. Sign agreements before work starts, not after.
3. Founder IP assignment
The IP assignment founders sign at company formation, covering anything built before incorporation. Investors and acquirers check for it in diligence, so it is critical for fundraising and acquisition.
4. NDAs
Standard mutual NDA for customer/partner conversations; asymmetric NDAs where appropriate. Don't be shy about asking: anyone who refuses to sign a standard NDA is telling you something.
5. Non-compete / non-solicit
Enforceability varies wildly by state and country (California does not enforce employee non-competes; many other states do). Know what's enforceable where your people are and structure accordingly.
Trademark basics
- Search USPTO (or relevant registry) before committing to a name
- Register your name + logo in your primary markets
- Register in product categories you actually operate in + adjacent ones you plan to
- Monitor for infringement; the law protects what you actively defend
Data protection, the separate problem
IP is "what you create." Data is "what you collect." Both need protection but with different frameworks.
Classify your data
Not all data is equally sensitive:
- Public, marketing site, published content
- Internal, company data not public but not sensitive if leaked
- Confidential, business-sensitive (financial, strategy, salaries)
- Restricted, customer PII, security keys, payment data
Each tier gets progressively tighter access controls.
Access controls
- Least privilege, default to no access; grant access per role
- SSO everywhere, single sign-on with MFA enforced
- Offboarding checklist, within 1 business day of termination, all access revoked
- Quarterly access review, each system's admin reviews who has access, confirms each account still maps to a current person and role, and removes the rest
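The four controls above become one mechanical check when the identity provider export, the HR roster and a role baseline are compared against each other. The following added example (not from the original page) does that over constructed records; the field names, roles, groups and the one-business-day offboarding SLA are assumptions chosen to match the list above, not the schema of any particular IdP or HR system.

```python
"""Quarterly access review: IdP export vs HR roster vs role baseline.

Added example with constructed records; field names, roles and groups are assumptions,
not the schema of any particular identity provider or HR system.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2026, 4, 20)  # the Monday the review is run (constructed)

# Constructed HR roster: role and, for leavers, the termination date.
HR_ROSTER = {
    "alice": {"role": "engineer", "terminated": None},
    "bob":   {"role": "sales",    "terminated": date(2026, 4, 10)},  # left on a Friday
    "carol": {"role": "finance",  "terminated": None},
    "dave":  {"role": "engineer", "terminated": date(2026, 4, 15)},
}

# Constructed IdP export: account state, MFA enrolment and group memberships.
IDP_ACCOUNTS = [
    {"user": "alice",      "active": True,  "mfa": True,  "groups": {"github", "aws-dev"}},
    {"user": "bob",        "active": True,  "mfa": True,  "groups": {"crm"}},
    {"user": "carol",      "active": True,  "mfa": False, "groups": {"erp", "aws-admin"}},
    {"user": "dave",       "active": False, "mfa": True,  "groups": set()},
    {"user": "svc-legacy", "active": True,  "mfa": False, "groups": {"aws-admin"}},
]

# Least-privilege baseline: the groups each role is entitled to (assumed mapping).
ROLE_GROUPS = {
    "engineer": {"github", "aws-dev"},
    "sales":    {"crm"},
    "finance":  {"erp"},
}


def add_business_days(start, n):
    """Date n weekdays (Mon-Fri) after start; public holidays are ignored in this example."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def review_access(accounts, roster, role_groups, today, offboarding_sla_days=1):
    """Return sorted (user, finding) pairs: overdue offboarding, orphan accounts,
    missing MFA, and group memberships beyond what the user's role allows."""
    findings = []
    for acct in accounts:
        user, person = acct["user"], roster.get(acct["user"])
        if person is None:
            # Account with no owner in HR: a service account or a leftover from a rename.
            if acct["active"]:
                findings.append((user, "active account with no HR record"))
            continue
        if person["terminated"] is not None:
            deadline = add_business_days(person["terminated"], offboarding_sla_days)
            if acct["active"] and today > deadline:
                overdue = (today - deadline).days
                findings.append((user, f"still active {overdue} day(s) past offboarding deadline {deadline}"))
            continue  # leavers get no further checks; the account should simply be gone
        if acct["active"] and not acct["mfa"]:
            findings.append((user, "MFA not enrolled"))
        excess = acct["groups"] - role_groups.get(person["role"], set())
        if excess:
            findings.append((user, f"groups beyond role '{person['role']}': {sorted(excess)}"))
    return sorted(findings)


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(IDP_ACCOUNTS, HR_ROSTER, ROLE_GROUPS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

On the constructed data the review flags bob (left on Friday the 10th, still active a week past the Monday deadline), carol (no MFA, and an admin group her finance role does not justify) and svc-legacy (an active account nobody in HR owns), while dave, who was offboarded correctly, produces nothing. Running the same comparison each quarter turns "review who has access" into a diff rather than a judgement call.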
Encryption
- At rest, databases, file storage, backups
- In transit, TLS everywhere, never plaintext
- Key management, keys held in a separate system (a KMS or HSM) from the data they protect, so a copied database or backup is useless on its own
Backups
3-2-1 rule: 3 copies, 2 different media types, 1 offsite. Test restores quarterly by actually restoring to a scratch location and verifying the contents; a backup you can't restore from isn't a backup.
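Both halves of that rule can be scripted: the 3-2-1 check is a few assertions over an inventory of copies, and the restore test is "extract into a scratch directory and compare every file against a checksum manifest taken at backup time". The following added example (not from the original page) does both over a constructed inventory and a constructed file tree; the inventory fields and the tar-plus-manifest layout are assumptions for illustration, not any particular backup tool's format.

```python
"""3-2-1 inventory check plus a restore test with checksum verification.

Added example; the inventory records and the sample files are constructed here and
are not taken from any real backup system.
"""
import hashlib
import io
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed inventory: one record per copy of the backup set.
INVENTORY = [
    {"location": "db-primary:/var/backups", "medium": "local disk",     "offsite": False},
    {"location": "office-nas",              "medium": "local disk",     "offsite": False},
    {"location": "object-store-eu",         "medium": "object storage", "offsite": True},
]


def check_321(copies):
    """Return the list of 3-2-1 violations for an inventory; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} copies, need at least 3")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("all copies on one medium, need at least 2")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    return problems


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src):
    """Return (gzipped tar bytes, manifest) where manifest maps relative path -> sha256.

    Keep the manifest apart from the archive: it is the reference the restore test
    compares against, so it must not share the archive's fate.
    """
    files = sorted(p for p in src.rglob("*") if p.is_file())
    manifest = {p.relative_to(src).as_posix(): sha256_of(p) for p in files}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.relative_to(src).as_posix())
    return buf.getvalue(), manifest


def restore_test(archive, manifest):
    """Restore into a scratch directory and list every file that is unreadable, missing or altered."""
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                # Reject path traversal and device entries where this interpreter supports filters.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                failures.append(f"{rel}: missing after restore")
            elif sha256_of(restored) != digest:
                failures.append(f"{rel}: checksum mismatch")
    return failures


def demo():
    """Back up a constructed tree, then restore-test a good copy and a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "uploads").mkdir()
        (src / "db" / "dump.sql").write_text("INSERT INTO customers VALUES (1, 'constructed');\n" * 200)
        (src / "uploads" / "report.bin").write_bytes(bytes(range(256)) * 16)
        archive, manifest = make_backup(src)
    truncated = archive[: len(archive) // 2]  # simulate a copy that was cut short
    return {
        "files": len(manifest),
        "good": restore_test(archive, manifest),
        "truncated": restore_test(truncated, manifest),
    }


if __name__ == "__main__":
    print("3-2-1 check:", check_321(INVENTORY) or "ok")
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The intact archive restores with an empty failure list; the truncated copy either fails to extract or comes back with files missing, and either way the test reports it. The point of the manifest is that "the restore command exited 0" is not the same as "the data is all there": an archive that was truncated on upload can still extract partially, and only a per-file comparison catches that.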
Compliance frameworks
If you sell to enterprises or handle regulated data:
- SOC 2 Type II, standard for B2B SaaS selling mid-market+
- ISO 27001, international alternative
- HIPAA, if you touch healthcare PHI
- PCI DSS, if you handle card data
- GDPR, if you have EU customers/users
- CCPA / CPRA, California consumer data
Start the compliance work 6 months before you need the certification; SOC 2 Type II in particular covers an observation window of several months, so the clock starts well before the audit. The readiness work itself surfaces risks.
Incident response plan
Before you have an incident, write the plan:
- Who declares an incident? (SRE on-call, CISO)
- Who's on the incident team? (exec sponsor, technical lead, communications)
- What's the communication tree? (internal Slack channel, customer email template, regulator notification)
- What's the legal / PR playbook?
- Who notifies customers, and when?
Then run a tabletop exercise: simulate an incident and walk through the plan step by step. The first time you execute it should not be in production.
Regulatory notification windows
GDPR: 72 hours from becoming aware of a breach to notify the supervisory authority (unless the breach is unlikely to result in a risk to individuals). CCPA: "without unreasonable delay." US state breach laws vary in both deadline and trigger. Know the clocks before you need them.
What good looks like
- Every employee and contractor has signed IP assignment
- Data is classified, access is role-based, SSO+MFA everywhere
- Backups tested quarterly with documented restore
- Written incident response plan, practiced at least annually
- Compliance certifications appropriate for stage + customer base
Related: Risk management basics · Business insurance · Vendor management