Objective: Establish that the target holds clean, unbroken legal title—from inventor or first author, through every assignment and merger, to the entity being acquired—across every jurisdiction where IP is registered or material. Title defects are the single most common reason deals fall through or attract major price chips.

A. Registered Rights — Schedules & Verification

• Comprehensive registered IP schedule, broken out by jurisdiction, with: registration / application number; filing date; grant / publication date; current owner of record; beneficial owner (if different); class(es) and goods/services; status (registered / pending / opposed / suspended / abandoned / expired); next renewal or annuity date; and the firm acting as IP agent.
• DPDT register extracts for every Bangladesh registration—not the target's internal records, which are routinely out of date. LegalSeba LLP conducts independent searches on the DPDT online database and at the registry to confirm the registered proprietor of record matches the target.
• Foreign IP office searches (USPTO, EUIPO, IP India, CIPO, IP Australia, JPO, KIPO, CNIPA, WIPO Madrid) for marks and patents claimed in the schedule, with attention to: standing in the name of a predecessor-in-interest; unrecorded assignments; lapsed annuities; security interests.
• Domain-name registrar reports via ICANN WHOIS / RDAP and the BTCL .bd registry — confirming registrant, admin contact, technical contact, expiry date, transfer-lock status, DNSSEC.
• Social-media handle audit: verify the target's name on Facebook, Instagram, LinkedIn, X, YouTube, TikTok is owned by a corporate account (not an individual employee's personal account, a perennial founder-error in Bangladesh startups).

B. Bangladesh-Specific Recordal Verification (Critical)

• DPDT recordal of every historical assignment. Per Trademarks Act 2009, s.40, an unrecorded trade-mark assignment is not effective against third parties; the target may believe it owns the mark, but a competitor could acquire superior rights from the original registered proprietor. This is the most common Bangladesh-specific red flag in M&A.
• Form TM-23 / TM-24 chain for assignments; Form TM-16 / TM-33 for name and address changes; Form TM-20 for licence recordal as a Registered User.
• Patent assignment recordal at DPDT under the Bangladesh Patent Act, 2023; verify recordal certificates exist for every transfer post-grant.
• Industrial design assignment recordal under the Industrial Designs Act, 2023—a frequently overlooked register.
• BCO copyright assignment register—note that copyright assignments in Bangladesh do not require BCO recordal to be valid, but registration provides strong prima facie evidence in disputes.

C. Founder, Employee & Contractor Assignments

• Founder IP Assignment Agreements covering all IP created from inception through to the date of formal company incorporation—often the largest single liability in a startup acquisition. A solid Founders' Agreement with a present-tense, irrevocable assignment closes this gap.
• Standard form Proprietary Information & Inventions Assignment Agreement (PIIA) for employees — examine the present-assignment language ("hereby assigns"), scope (during employment + reasonable post-employment "trailer"), and carve-outs (employee's pre-existing inventions disclosed in a schedule).
• Roster reconciliation: HR list of every current and former employee → cross-check against signed PIIAs. Identify gaps.
• Independent contractor / agency agreements—verify (i) explicit work-for-hire language, (ii) backstop assignment ("to the extent the foregoing is not work-for-hire, contractor irrevocably assigns…"), (iii) waiver of moral rights (where permitted).
• Government-funded R&D: BCSIR collaborations, ICT Division grants, university JV outputs—government funders or universities may retain marching rights, royalty entitlements, or co-ownership.
• Joint development / collaboration agreements—identify foreground IP allocation, licences-back, improvements ownership.

Objective: Even owned IP can be invalid, vulnerable to cancellation, or about to lapse. Validity diligence ensures the rights are not paper tigers.

A. Trade Marks (Trademarks Act 2009)

• Single-class coverage gap analysis: Bangladesh does not permit multi-class applications. Confirm a separate registration exists for each class of goods/services in which the target operates—especially core (e.g. Class 9, 35, 41, 42 for tech) and defensive classes.
• Renewal calendar: initial 7-year term, then 10-year cycles (s.18 Trademarks Act 2009). Identify any registrations expiring within 12 months post-closing and add renewal as a closing covenant.
• 5-year non-use cancellation exposure: per s.42 Trademarks Act 2009, any registered mark not in bona fide commercial use for a continuous 5-year period can be removed on application of an aggrieved person. Assess defensive use, token use, and evidence of use (invoices, advertising, product samples).
• Pending oppositions and rectification proceedings at DPDT—note opposition window is 60 days from publication in the Trade Marks Journal under the current law.
• Genericism / dilution: any sign that the mark is becoming a generic term for the goods.
• Distinctiveness: descriptive marks claiming acquired distinctiveness need supporting evidence.
• Foreign / Madrid registrations—Bangladesh is not a Madrid Protocol member, so each foreign filing is national.

B. Patents (Bangladesh Patent Act, 2023)

• Annuity / maintenance-fee status: lapsed annuities cannot generally be revived after grace periods. Obtain agent's confirmation of fees paid through the next renewal date.
• Claim mapping to commercialised products—a target may claim "30 patents" but only 6 read on actual revenue-generating products.
• Prosecution history estoppel: review the file wrapper for narrowing amendments that limit the doctrine of equivalents.
• Subject-matter eligibility: the 2023 Act excludes scientific discoveries, mathematical methods, medical methods, biological resources in their natural form, and matter contrary to public health/morality. Verify granted claims are not vulnerable to revocation on subject-matter grounds.
• Compulsory licence / Bolar exemption exposure—particularly relevant for pharma targets in light of LDC graduation.
• Co-inventorship and entitlement—incorrect inventorship can render a patent unenforceable; verify all inventors signed assignments.
• Foreign counterparts and family-tree: PCT national-phase entries, EP designations, Paris Convention claims; consistency of claim scope across jurisdictions.

C. Copyright (Copyright Act, 2023 — successor to 2000)

• Originality and authorship—particularly for compilation works, databases, AI-assisted works.
• Term calculations: life + 60 years for most works; corporate/anonymous works have separate terms.
• Moral rights—paternity and integrity rights; not assignable; can be waived.
• BCO registration—not constitutive but valuable for evidence; identify which works are registered.
• Derivative-works rights for translations, adaptations, screen-versions.

D. Industrial Designs (Industrial Designs Act, 2023)

• Novelty and individual-character requirements; prior-art disclosures.
• Renewal cycle and term.
• Registered design vs. unregistered design rights / passing-off overlay for product shape.

Objective: Material IP appears not only in agreements titled "Licence" but also in R&D, JV, supply, manufacturing, distribution, sponsorship, settlement, and inter-company agreements. The Skadden/Practical Law standard is to summarise every material IP-related agreement on a Due Diligence Summary Template.

A. Universe of Agreements to Capture

• In-bound IP licences (software, patents, trade marks, copyrighted content, trade secrets).
• Out-bound IP licences (revenue-generating; affect post-closing freedom).
• Cross-licences and patent-pool memberships.
• Settlement agreements, covenants not to sue, consents to use, co-existence agreements.
• R&D and collaboration / consortium agreements.
• JV and strategic-partnership agreements containing IP contribution / allocation.
• Manufacturing, supply, and distribution agreements with IP grants or restrictions.
• Sponsorship, endorsement, and influencer agreements.
• Inter-company IP-licensing arrangements (especially in groups using IP-holding-company structures).
• Source-code escrow agreements.
• SaaS, hosting, and cloud-services agreements.
• Open-source licences (treated separately—see Module 4).
• Security agreements and IP-pledge documents.

B. Key Terms to Summarise on Each Agreement

• Parties — including which entity in the target group is signatory (matters for anti-assignment analysis).
• IP scope — specific patents/marks/copyrights, or "all IP necessary for…"; defined-term scope creep.
• Field of use and other use restrictions.
• Territory.
• Exclusivity — exclusive, sole, non-exclusive; exclusive against the licensor itself?
• Sublicensing rights.
• Improvements / grant-back.
• Royalty terms — running royalty, minimums, milestones, audit rights, royalty stacking.
• ROFR / ROFO / Option for further rights or future-developed IP.
• Most-Favoured-Nation (MFN) clauses — one of the most operationally damaging provisions post-closing.
• Term and termination — including for convenience, for cause, and on insolvency.
• Assignment / Change of Control — the single most important provision in M&A diligence (see C below).
• Indemnities given or received (IP infringement indemnities flow with the contract).
• Governing law and dispute resolution.
• Recordal status at DPDT (for trade-mark licences—see C below).

C. Bangladesh-Specific: Registered User Agreements (s.44 Trademarks Act 2009)

• Trade-mark licences in Bangladesh are termed "Registered User Agreements". To be enforceable, the licensee must be recorded as a Registered User at DPDT.
• The recordal application must be filed within 1 year of the date of the licence agreement for permitted use to count as use by the proprietor (a key element in defending against non-use cancellation).
• Failure to record means the licensor cannot rely on the licensee's use to defeat non-use cancellation, and the licensee may have difficulty enforcing rights in its own name.
• In M&A, audit every trade-mark licence the target has granted (out-bound) and received (in-bound) for Registered User recordal; unrecorded arrangements are a remediation item.

D. Anti-Assignment & Change-of-Control Analysis

• Asset deal / forward merger: any transfer-of-contract clause is engaged; a deemed assignment occurs.
• Reverse merger: less likely to trigger an anti-assignment clause, but may trigger a change-of-control clause depending on drafting and equities.
• Share / stock purchase: anti-assignment clauses generally do not bite (no transfer of contract); change-of-control clauses do.
• "Successor and assigns" boilerplate: not always sufficient to permit assignment without consent; read together with the express anti-assignment language.
• Consent strategy: identify which licences need consent, prioritise by materiality, draft a consent-and-acknowledgement template, and start the licensor outreach as a closing condition where critical.

E. Encumbrances

• Security interests over IP (registered at DPDT for trade marks; registered at RJSC for charges over the company's intangible assets generally).
• Bank loan covenants restricting IP transfers.
• Exclusive out-licences that limit the buyer's post-closing freedom.
• Government-grant clawback rights.

Objective: Even non-tech targets run on software. For tech targets, software diligence is the single largest workstream. The goal is to verify (i) the target lawfully uses third-party software; (ii) the target's proprietary code is not contaminated by viral OSS; (iii) IT continuity is robust; and (iv) software-related licence terms transfer cleanly.

A. Software Inventory

• Proprietary software developed by or for the target—source code repositories, ownership of repositories, contributors, commit-log analysis.
• Customised software (third-party platforms with material customisations).
• Off-the-shelf commercial software—Microsoft, Adobe, Atlassian, Slack, etc. Confirm licence count, deployment, true-up status (audit risk from BSA / vendor compliance teams).
• SaaS subscriptions (Salesforce, HubSpot, AWS, GCP, Azure, Snowflake, etc.)—per-seat counts, data-processing scope, region.
• Mobile app store distribution agreements (Apple, Google Play)—account ownership, transferability of apps, in-app-purchase economics.
• API consumption (third-party APIs that the target relies on—Stripe, Twilio, Sendgrid, OpenAI, etc.) and rate-limit / ToS exposure.

B. Open-Source Software (OSS) Compliance — The Single Biggest Tech-Deal Risk

• OSS scan reports: require a recent run of an SCA tool—Black Duck, FOSSA, Snyk, Mend (WhiteSource), or Sonatype—covering every binary shipped to customers and every component of the build pipeline.
• Copyleft contamination analysis: identify any GPLv2 / GPLv3 / AGPL / LGPL components and map their linkage to proprietary code (static linking, dynamic linking, network use). AGPL is uniquely viral for SaaS deployments.
• Compliance with permissive licences: MIT, BSD, Apache 2.0 require notice-attribution; failure to ship notice files is technical breach, though commercially low-risk.
• OSS policy and approval workflow: written policy; designated approver; log of approved components; developer training records.
• Contribution to OSS projects: developers may have contributed code containing trade secrets; CLA / DCO compliance.
• Bundled distributions / SDKs: shipping third-party OSS bundled in the target's product (NOTICE.txt, LICENSE files).

C. IT Systems & Continuity

• Source-code escrow agreements—identify beneficiaries, release events, last verified deposit.
• Disaster recovery and business continuity plans; RPO / RTO targets; tested?
• Recent IT incidents: outages, ransomware, data breaches, DDoS.
• Backups, encryption at rest and in transit, identity management (SSO, MFA), secrets management.
• Software-development lifecycle: code review, secure-coding, vulnerability management, penetration-test reports.
• Customer SLA exposure: penalty clauses and service credits for IT outages.

D. Carve-Out IT Specifics

• Enterprise licences (e.g. ServiceNow, SAP) granted to the seller group: which entitlements transfer? Re-licensing fees on day 1?
• Shared infrastructure—how is it severed? Transitional services agreement (TSA) scope and pricing.
• Data migration plan and customer-consent architecture.

Objective: AI is the fastest-evolving DD area. Training-data provenance, model-weights ownership, generative-AI use in development, and contractor-vendor data flows are now standard items in any tech transaction.

A. Training Data Provenance

• Data source map: was data licensed (with documentation), scraped (terms-of-service compliance), purchased (chain-of-title from broker), user-generated (consent under privacy policy), or synthetic?
• Scraped-data exposure: hiQ Labs v. LinkedIn, the NYT v. OpenAI litigation, and parallel European cases have changed the risk profile of bulk web-scraping; assess litigation risk.
• User-generated content used for training: does the target's privacy policy and terms-of-service permit AI training on user inputs?
• Copyright in training corpora: any rights cleared? Indemnities from data vendors?

B. Models & Foundation Models

• Foundation-model dependencies: OpenAI, Anthropic, Google, Mistral, Meta Llama, etc.; enterprise vs. consumer terms.
• "Zero-retention" guarantees from foundation-model providers—important for customer-data-into-LLM flows.
• Open-weights models (Llama, Mistral, Qwen): note licence terms (Llama community licence has commercial-use thresholds; some "open" weights have RAIL-style use restrictions).
• Fine-tuning records: what data was used? Was customer data used? Is the resulting fine-tuned model contaminated with restricted data?
• Model evaluation reports, benchmarking, hallucination rates—relevant for product reps about performance.

C. Generative-AI in Product Development

• Did developers use GitHub Copilot, Cursor, ChatGPT, or Claude to write production code? AI-generated code currently lacks copyright protection in most jurisdictions, which can affect the "originality" claim in the IP rep.
• Marketing copy, design assets, audio content generated by AI—similar implications; check vendor terms on commercial use.
• Internal AI-use policy and developer training; logs of approved tools.

D. Customer Data Through AI Pipelines

• Customer data passed to LLM providers as prompts—data-processing agreements in place?
• Data-residency obligations vs. LLM provider data-flow.
• Whether customer data is used (or excluded) from foundation-model training.

Objective: Bangladesh has no standalone trade-secrets statute; protection rests on contract, breach of confidence (equity), and Penal Code provisions. The "reasonable steps" inquiry is therefore both factual and pivotal.

A. Trade-Secret Catalogue

• Documented register of "crown-jewel" trade secrets: algorithms, customer lists, pricing models, recipes, manufacturing processes, supplier lists, drawings, jigs.
• Trade-secret marking on documents and systems (e.g. "Confidential — Trade Secret").
• Categorisation: business secrets, technical secrets, commercial secrets.

B. Reasonable Steps to Protect Secrecy

• NDAs with every employee, contractor, vendor, prospective investor, M&A counterparty—dated, executed, retrievable.
• Tiered access controls: not every engineer needs access to the source code repository; not every salesperson needs the full price book.
• Physical security: locked premises, badge access, visitor logs, clean-desk policy.
• IT security: encryption, MFA, DLP, USB blocking, activity monitoring, egress controls.
• Onboarding: confidentiality clauses in employment contracts, secrecy training, signed acknowledgements.
• Off-boarding: exit interviews, data-return certifications, garden-leave, non-compete and non-solicit (where enforceable—Bangladesh courts tend to construe restrictive covenants narrowly).
• Vendor contracts: NDA-first; need-to-know data sharing; secure deletion on termination.

C. Trade-Secret Risk Areas

• Outsourced development to overseas agencies (very common in Bangladesh tech ecosystem)—source-code custody, NDA quality, repository access controls.
• Recent hires from competitors—"clean-room" hiring documentation; reps that hires brought no third-party trade secrets.
• Recent departures to competitors—evidence of data exfiltration; lawsuits filed or threatened.
• Joint-venture disclosures—what was given to the JV partner; survival of confidentiality obligations.

Objective: For consumer / retail / FMCG / hospitality targets, trade-mark portfolio quality often is the deal valuation. The Trademarks Act, 2009 framework imposes specific recordal and use requirements that diligence must verify.

A. Portfolio Architecture

• Word marks, device marks, composite marks, logos, slogans, product names, service marks.
• Single-class application audit (Bangladesh does not permit multi-class)—are all goods/services adequately covered? Identify under-protected expansion classes.
• Defensive registrations and house-marks.
• Sub-brands and private labels.
• Trade dress, packaging, get-up, look-and-feel.
• Geographical indications (GIs) where applicable—Jamdani, Hilsha, Fazli Mango, Bangladesh's growing GI register under the GI Act 2013.
• Certification marks and collective marks.

B. Use & Enforcement Posture

• Evidence of bona fide commercial use for each registration—invoices, packaging, advertising, dated photographs (defends against 5-year non-use cancellation under s.42).
• Trade-mark watch services and policing diligence.
• Cease-and-desist letters sent and received.
• Customs IPR recordal with the Directorate of Customs Intelligence and Investigation (DCII)—essential for FMCG / consumer brands exposed to grey imports and counterfeits.
• UDRP / domain-name complaints for cybersquatting.
• Marketplace takedown logs (Daraz, Shopee, Amazon, Alibaba).

C. Common Law Rights & Passing Off

• Bangladesh recognises common-law passing-off for unregistered marks with goodwill—evidence of acquired distinctiveness, length of use, advertising spend.
• Well-known foreign marks: protected via Paris Convention / TRIPS even without local registration; relevant where the target's mark resembles a global brand.

D. Domain Names & Social Handles

• .bd ccTLD registrations via BTCL—registrant accuracy.
• gTLD portfolio (.com, .net, .org, .co, .io, .ai)—registrar account access; transfer locks.
• Social-media handles owned by the corporate entity (not personal email accounts of founders or marketing staff).
• Trademark Clearinghouse (TMCH) registrations for new gTLD launches.

Objective: Quantify known legal liabilities; assess the strength of the target's enforcement posture; identify "skeletons in the closet" that may emerge post-closing.

A. Active & Threatened Proceedings

• Civil suits in District Court / High Court Division — pleadings, orders, judgments, settlement docs.
• Criminal complaints under trade-marks / copyright statutes.
• Registry proceedings: oppositions, rectifications, cancellations at DPDT.
• Customs detentions and DCII proceedings.
• Foreign litigation involving the target or its IP.
• UDRP and domain-name disputes.
• Royalty audits initiated by collecting societies (e.g. CCC, BSA, ASCAP-equivalents).

B. Demand Letters & Pre-Litigation

• Cease-and-desist letters sent and received—especially within the look-back window (typically 3 years).
• Settlement agreements, covenants not to sue, consents to use, co-existence agreements—these survive closing and may bind the buyer.
• Communications with non-practising entities ("patent trolls").

C. Risk Triage Framework

For each proceeding or threat, assess:

• Identity of opponent (competitor, NPE, ex-employee, customer, supplier).
• Nature of claim (infringement, invalidity, revocation, contract).
• Materiality of IP at stake.
• Revenue impact of the affected products/services.
• Stage of proceedings and procedural posture.
• Remedies sought (injunction = existential; damages = monetisable).
• Settlement positions.
• Worst-case and most-likely outcomes.
• Design-around feasibility for patent claims.
• Insurance coverage and indemnity availability.

D. Privilege & Opinions

• Existence of opinions of counsel (FTO, validity, non-infringement)—balance review value against waiver risk.
• Common-interest privilege agreements between buyer and target counsel.
• "Clean team" arrangements for highly sensitive litigation materials.

Objective: A clean ownership picture is meaningless if the target's products infringe third-party rights. FTO is the deepest, costliest layer of IP DD and is reserved for material strategic deals (Level 4/5).

A. Patent FTO

• Identify core technical features of the target's products and processes.
• Patent landscape search in core operating jurisdictions (Bangladesh, India, China, US, EU, Japan, Korea).
• Claim-mapping against shortlisted competitor patents.
• Design-around feasibility analysis for any reading patents.
• FTO opinions of counsel (with privilege protection).
• Patent expiration and family-tree analysis (a near-expiry blocking patent is a different risk profile).

B. Trade-Mark Clearance

• Target's brand names, sub-brands, product names searched at DPDT and across foreign registries (especially in expansion markets).
• Trade-mark watch reports for senior conflicting marks.
• Common-law / passing-off exposure (well-known unregistered marks).
• Domain-name and social-media handle conflicts.

C. Copyright & Content Clearance

• Stock images, fonts, music, video used in marketing—licence trail.
• User-generated content posted on the target's platforms—DMCA-style notice procedures.
• Underlying-rights chain for media targets (option agreements, screenplays, sync licences).

D. Trade-Secret Misappropriation Exposure

• Recent hires from competitors—do they sit in roles that would tempt use of their prior employer's trade secrets?
• Documentary "clean room" evidence; non-use representations.
• Any pending or threatened misappropriation claims.

Objective: Although not strictly IP, the IP team typically owns this workstream. Data is increasingly a value driver, and data-related regulatory exposure can swamp IP findings.

A. Bangladesh Statutory Framework — Now Comprehensive

The 2025 reforms transformed Bangladesh from a sectoral regime to a comprehensive data-protection and cyber-security framework. Diligence now turns on two new instruments:

• Personal Data Protection Ordinance, 2025 (Ordinance 61 of 2025, enacted 6 November 2025) — Bangladesh's first comprehensive data-protection statute. Establishes data-fiduciary / data-subject / processor framework; lawful bases for processing (s.5); rights of access, portability, correction and erasure (Ch. III); 5-year record-keeping (s.19); breach notification to the National Data Management Authority (s.20); independent data audits (s.21); Chief Data Officer mandatory for "Significant Data Fiduciaries" (s.23); data classification regime — Public, Internal, Confidential, Restricted (s.29); cross-border transfer rules (s.29(3)–(7)). Chapter III and ss.31–46 (rights enforcement and offences) phase in over 18 months from enactment.
• Cyber Security Ordinance, 2025 (Ordinance 25 of 2025, 21 July 2025) — repealing the Cyber Security Act, 2023. Establishes the National Cyber Security Agency, NCERT, and National Security Operation Centre (NSOC); Critical Information Infrastructure (CII) designation regime (s.15); offences include unauthorised CII access (s.17), unauthorised system access / hacking (s.18), system damage (s.19), cyber fraud (s.22), cyber-terrorism (s.23), unlawful e-transactions (s.24), online sexual harassment / blackmail / revenge porn / CSAM (s.25), religious or communal hate content (s.26); content takedown procedure with Tribunal oversight (s.8); 24-hour data-preservation orders (s.36).
• National Data Management Authority: the supervisory regulator for personal data, established under the parallel National Data Management Ordinance, 2025. Empowered to impose administrative fines, issue corrective directions, and approve cross-border transfers.
• Sectoral overlay (still operative): Bangladesh Bank cybersecurity and ICT-risk guidelines for financial services; BTRC for telcos and ISPs; DGHS for health data; ICT Act 2006 s.66 for residual offences not picked up by the CSO 2025.
• Foreign regulatory reach (where target serves overseas users): EU GDPR; UK GDPR; CCPA / CPRA; India DPDP Act 2023; Singapore PDPA; APPI (Japan); Thailand PDPA — diligence by reference where the target has cross-border data flows.

B. Significant Data Fiduciary ("SDF") Status — A New Diligence Trigger

• Under PDPO 2025, s.2(5), the National Data Management Authority may designate a target as a "Significant Data Fiduciary" based on: (i) potential impact on state sovereignty; (ii) volume / financial sensitivity of data processed; (iii) risk to data-subject rights; (iv) potential threat to national security, public order, public safety, economic order, or public health.
• SDF status carries enhanced obligations: appointment of a Chief Data Officer at a location designated by the Authority (s.23); higher administrative-fine ceilings (up to 5% of Bangladesh turnover under s.32(2), versus 2% for ordinary fiduciaries under s.32(1)); enhanced audit and reporting obligations.
• Diligence: confirm SDF designation status; review CDO appointment, qualifications, reporting line; review CDO-issued incident reports and policy framework; assess whether the target should reasonably expect SDF designation post-closing under the new entity.

C. Privacy Programme Audit — Mapped to PDPO 2025

• Lawful basis register: under PDPO s.5, processing requires either consent (informed, specific, freely given, withdrawable — s.5(2)) or one of seven non-consent bases (contract, legal claim, vital interests, employment law, voluntarily-public data, etc.). Verify the target's basis-mapping for each processing activity.
• Sensitive-PD inventory: per s.7, the additional consent / qualifying-condition layer applies to genetic, biometric, ethnic, religious / political-belief, trade-union, health, sexual-orientation, criminal-record, and real-time-location data. Identify all such processing.
• Consent infrastructure: granular, withdrawable consent flows; demonstrable consent records (s.5(4) places the burden of proof on the data-fiduciary); cookie banners; mobile-app permission prompts.
• Privacy notice / transparency framework: s.15 mandates disclosure of categories of data, purposes, complaint routes to the Authority, transfer information, and contact details — review current and historical versions.
• Data-subject-rights operations: documented procedures for s.11 (access & portability — including federated interoperable ecosystems), s.12 (rectification), s.13 (consent withdrawal & erasure), s.14 (system-wide propagation of corrections / deletions through mirrors, caches, backups, DR, test environments). Logs of requests received, response times, refusals.
• Children's data: s.9 bars tracking, monitoring, profiling, and targeted advertising at minors and requires verifiable parental consent for under-18 processing. Diligence is sharper for ad-tech, edtech, gaming, and social-platform targets.
• Records of Processing Activities (RoPA) and Data Processing Agreements (DPAs) with vendors, sub-processors, customers — note that s.8 deems the data-fiduciary liable for the processor's acts.
• Cross-border-transfer mechanisms: see Section D below.
• Retention & destruction: s.18 caps retention at the period prescribed by regulation for the original purpose; s.19 requires record-keeping for at least 5 years.

D. Data Localisation & Cross-Border Transfers (Critical New Diligence Item)

• PDPO classifies data into four tiers under s.29(1): Public, Internal, Confidential, and Restricted. Cross-border transfer is permitted on consent / contract / data-subject-interest grounds (s.29(3)) and only to jurisdictions or facilities prescribed as having adequate technical infrastructure (s.29(4)).
• Mandatory in-country mirroring: s.29(7)(b) requires that Restricted personal data and data of Critical Information Infrastructure (as defined in CSO 2025 s.2(1)(j)) held in cloud have at least one synchronised real-time copy maintained inside Bangladesh. This is one of the most operationally significant features of the new regime.
• "Sensitive personal identifiable data" notification: s.29(6) requires mandatory notification to the Authority of bulk cross-border transfers of national-ID, passport, TIN, biometric, genetic, and criminal-record data.
• Authority's relocation power: s.29(7)(c) empowers the Authority to order re-architecture, relocation, or shutdown of cloud usage within 60 days where it identifies a national-security or public-safety risk or evidence of breach.
• Diligence focus: cloud-region maps for AWS / GCP / Azure / Snowflake / Salesforce; presence of in-country mirror for Restricted PD and CII data; data-flow diagrams across jurisdictions; SCC-equivalent contractual mechanisms; intra-group data-sharing agreements; vendor-side data-residency commitments.

E. Cybersecurity Posture — Now Mapped to CSO 2025

• CII designation review: CSO 2025 s.15 empowers the Government to designate computer systems / networks / data infrastructures as Critical Information Infrastructure. Confirm whether the target's systems are or could be designated; if so, the target must maintain its own CIRT and SOC reporting to the National SOC (s.9(2)) and undergo annual external infrastructure audit (s.16(2)).
• NCERT / CIRT incident reporting: per s.9(4) proviso, every public, private, or autonomous body must report cyber incidents to the National CERT without delay. Review the target's incident register against this obligation.
• Information-security programme: ISMS scope and ISO 27001 / SOC 2 Type II certification; penetration-test and vulnerability-scan logs (last 12–24 months); incident-response plan and tabletop-exercise records.
• Breach register & notification: cross-check against PDPO s.20 (notification to the Authority where data-subject harm is likely) and CSO 2025 s.9 (notification to NCERT).
• Content-takedown exposure: CSO 2025 s.8 empowers the DG of the Cyber Security Agency or law enforcement (with Tribunal confirmation within 3 days) to order takedown / blocking of content threatening cyber-safety or public order. Review any takedown orders received.
• Cyber-insurance: coverage scope (PDPO regulatory fines, CSO offences, third-party claims), deductibles, prior claims, exclusions for known issues.

F. Data Asset Diligence (Where Data Is the Value)

• Origin of the dataset — was it lawfully collected for the purpose for which it is now being monetised under the PDPO lawful-basis test?
• Consent architecture for marketing, profiling, AI training, and onward sale — particular attention to PDPO s.9 (children) and s.7 (sensitive PD).
• Database rights / sui generis protection (where available under the Copyright Act, 2023).
• Data-broker agreements — chain-of-title in the data, including provenance back to the original data subject.

Objective: Verify that all IP created by employees is owned by the target, restrictive covenants are enforceable, and key-person flight risk is mitigated.

A. Employment IP Architecture

• Standard-form employment contract — IP assignment clause: present-tense, irrevocable, comprehensive scope.
• Specific carve-out for pre-existing inventions disclosed in a schedule.
• Specific assignment of moral rights / waiver where permissible.
• Confidentiality undertaking surviving termination.
• Garden-leave provisions for senior staff.

B. Restrictive Covenants — Enforceability under Bangladesh Law

• Bangladesh courts construe restraints of trade narrowly; non-compete clauses post-termination are difficult to enforce except where reasonable and ancillary to a sale.
• Non-solicit (customers, employees) more readily enforceable.
• Confidentiality clauses unaffected and broadly enforceable.
• Consider acquihire dynamics: are key employees subject to retention agreements / new-hire packages with the buyer?

C. Key-Person Risk

• Identification of individuals whose departure would materially impair the IP — solo inventors, sole architects, brand-creator.
• Retention bonus structures payable post-closing.
• Knowledge documentation and bus-factor mitigation.
• Founder lock-up / earn-out architecture in the SPA.

Objective: IP often sits in an entity different from the operating company; understanding the group's IP-holding architecture is essential for valuation, transfer-pricing, and integration planning.

A. Holding Architecture

• Identify which entity owns each material IP asset—often an offshore IP holdco (Singapore, Cayman, Mauritius) for groups with international structure; for purely domestic groups, IP may sit in the operating Bangladeshi entity or in a parent.
• Inter-company IP licence agreements between the holdco and operating entities — royalty rates, territories, fields, term.
• Are the licences transfer-pricing-compliant under NBR rules and the relevant treaties?
• Bangladesh Bank approvals for cross-border royalty remittances—both quantum and frequency.

B. IP & Tax Considerations in M&A

• Step-up / step-down basis on acquired IP (relevant for intangibles amortisation in the buyer's books).
• Withholding tax on royalty streams—Bangladesh Bank-approved withholding rates and treaty rates.
• VAT / VDS implications on royalty payments under the VAT and Supplementary Duty Act, 2012.
• Exit-tax exposure on cross-border IP migrations.
• Coordination with tax DD: see LegalSeba LLP Tax Due Diligence playbook.

C. Carve-Out Specific Issues

• Shared "platform" IP retained by seller—buyer needs a perpetual, royalty-free, sublicensable licence-back for seller-retained IP used in the divested business.
• Transitional IP licences—term-limited rights to use seller marks during the rebrand period.
• Reverse transitional IP licences—limited rights for the seller to wind down use of divested IP.
• Allocation of jointly-developed IP.