The checklist, hygiene rules, and federal-specific additions that make a diligence room readable in under 4 hours. Populated when the engagement begins and Tim and Stephanie provide current investor materials.
Format: stub. What this is: this file defines the diligence room structure, the standard VC checklist, the federal-specific additions, and the data room hygiene rules. The engagement populates actuals once Tim and Stephanie share current corporate, financial, legal, and technical materials. No item in this file represents a confirmed status; all statuses are placeholders until the engagement-start inventory is completed.
Why Ch 2 Anchors This Artifact
Ch 2's No-Delusion Gate applies directly to a diligence room: the most common startup failure in investor diligence is not fraud. It is founders who cannot pass the five filters honestly. "Productization fails when firms import commercial assumptions into federal markets, underestimate compliance realities, or overestimate addressable demand." A diligence room that papers over these gaps with optimistic projections loses investor trust faster than one that names the gaps directly and shows the plan to close them.
The engagement builds a diligence room that passes the No-Delusion Gate. That means naming what is ready, naming what is not ready, and having a credible path to close each open item before the raise closes.
Standard VC Diligence Checklist
Each item is tagged [Required], [Conditional] (applies only under the stated condition), or [Federal] (a federal-specific item that a standard commercial checklist does not cover).
A. Corporate
[Required] Certificate of incorporation / articles of organization (CHN Analytics LLC, Ohio)
[Required] Operating agreement (current, signed by all members)
[Required] Cap table (current, fully diluted, including any options, warrants, SAFEs)
[Required] List of all equity holders and percentage ownership
[Required] Board resolutions authorizing the raise
[Required] Any outstanding convertible notes, SAFEs, or other instruments
[Conditional] Foreign entity registrations (if operating in states beyond Ohio)
[Conditional] Foreign Ownership, Control, or Influence (FOCI) disclosure (if any non-US investors or board members)
B. Financial
[Required] Last 2-3 years of financial statements (P&L, balance sheet, cash flow)
[Required] Current MRR / ARR breakdown by customer and revenue type
[Required] 12-month cash burn rate and current cash position
[Required] Revenue projections (18-36 months) with assumptions documented
[Required] Unit economics: CAC, LTV, gross margin by revenue type
[Required] Use of proceeds from current raise (specific allocation)
[Conditional] Tax returns (last 2 years) if investor requires
[Federal] Contract revenue vs. commercial revenue split (recurring vs. project fees)
[Federal] ConMon cost allocation and projection (if FedRAMP path active)
C. Legal
[Required] IP ownership documentation (all IP assigned to the company, not individuals)
[Required] Employee and contractor agreements (IP assignment clauses confirmed)
[Required] NDAs with all material third parties (partners, channel partners)
[Conditional] POA&M log (if any open items from prior assessment)
E. Customer
[Required] Customer list with ARR per customer (redacted for diligence purposes if needed)
[Required] Pipeline (named opportunities with stage, estimated value, close date)
[Required] Customer reference contacts (minimum 2-3 references willing to speak)
[Required] Churn or option-year non-exercise history
[Federal] Contract vehicle access: active vehicles (GSA Schedule, SBIR, IDIQ) with expiration dates
[Federal] Agency-specific past-performance citations (redacted to agency, program office, CLIN, and dollar value)
[Conditional] Letters of intent or intent-to-award notifications (if any pending)
Federal-Specific Additions
What standard VC diligence misses in federal-AI companies
Standard VC diligence checklists are built for commercial SaaS. Federal-AI companies have four additional diligence dimensions that matter as much as the standard set. An investor who has done federal deals asks these. An investor who has not asks them after the call through counsel.
Federal dimension: ATO Status
What investors want to see: FedRAMP authorization level (or explicit "pre-authorization" with 3PAO engaged and SSP drafted). Not "we plan to get FedRAMP." A 3PAO engagement letter is evidence.
Why it matters for NorthAI: Zero ATO = Scenario A valuation multiple. ATO in process = Scenario B entry. ATO achieved = Scenario B confirmed. This is the single largest value-creation lever visible in diligence.

Federal dimension: FOCI Structure
What investors want to see: Disclosure of any foreign ownership, control, or influence. SCA or Proxy Agreement in place if applicable. Clean FOCI structure (US-only ownership) is a positive signal for DoD contracts.
Why it matters for NorthAI: NorthAI's active raise conversation with non-US investors (per call context) requires FOCI analysis before any equity transaction closes. Any allied investor at 5%+ equity triggers SCA filing (6-12 months). Investors need to know this before the term sheet.

Federal dimension: Contract Vehicle Access
What investors want to see: Which vehicles are active (GSA MAS, SBIR, OASIS+, SEWP, OTA), when they expire, and what CLIN structure is live on each. CHN's AFWERX STTR Phase I is the one verified vehicle. Phase II application status is the next gating question.
Why it matters for NorthAI: Without a direct vehicle, NorthAI can only transact through a prime contractor. Vehicle access determines whether the recurring-revenue thesis is achievable independently or requires a prime intermediary indefinitely.

Federal dimension: Customer Reference Protocol
What investors want to see: Federal customer references require CO permission to disclose in many cases. The diligence room must include a documented reference-call protocol: which customers have authorized disclosure, what scope of discussion is permitted, and whether program-office staff or the CO is the reference contact.
Why it matters for NorthAI: OSI&A references from the 5.5-year engagement may be the most credible references NorthAI has. Whether those references can be used in diligence depends on whether the prime (or OUSD R&E directly) has authorized disclosure.
FedRAMP Package Inheritance Documentation
If NorthAI deploys on AWS GovCloud, Azure Government, or Google Cloud for Government, a significant portion of FedRAMP controls (26-40% depending on the service model) are inherited from the CSP's existing authorization. Investors increasingly ask about this because:
- Inherited controls reduce NorthAI's authorization cost and ConMon burden.
- Control inheritance documentation is a proxy for technical sophistication (teams that have done this before know what to document; teams that have not often do not know it exists).
- The inheritance plan determines how realistic the 6-12 month FedRAMP 20x timeline is.
The diligence room should include: (a) the CSP's FedRAMP package identifier, (b) the inheritance mapping showing which controls are inherited vs. shared vs. customer-responsible, and (c) the GRC tool (if any) tracking the customer-responsible controls.
Data Room Hygiene Rules
Seven rules that prevent diligence rooms from becoming liabilities
1. No federal agency names in customer-list documents without disclosure authorization. Use coded references (Agency A, Agency B) until disclosure is authorized. Investors know the game and respect the protocol.
2. No classified or controlled unclassified information (CUI) in the data room. If any deliverable from the OSI&A engagement is marked CUI or SBU, it does not go into the data room. Reference the deliverable by type and date only.
3. No personal information of federal employees. Contract references should name program offices and contract numbers, not individual federal employees, unless those employees have explicitly consented.
4. Redact dollar amounts on subcontracts unless the prime has authorized disclosure. The public FFATA record is the only authorized source for sub-award dollar amounts. Internal subcontract terms are confidential to the prime.
5. Date-stamp everything. Investors need to know when each document was created. A financial statement labeled only "FY2024" without a date is a yellow flag. Include version dates on all documents.
6. Do not include investor pitch decks from prior rounds. Prior pitch decks often contain projections that did not come true. Include them only if explicitly requested and with a current-state reconciliation document alongside.
7. Private URLs and internal file paths must not appear in any shared document. Before sharing any document, run a text search for internal path strings (file:// URLs, internal server names, laptop usernames). These are unprofessional and can expose infrastructure details.
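Rule 7 calls for a pre-share text search for internal path strings. The following is an added example of that check, written for this page rather than taken from the original document or any NorthAI tooling; the leak patterns (file:// URLs, UNC paths, user profile directories, internal DNS suffixes), the hostname suffix list, and the sample document text are all assumptions about common leak shapes.

```python
import re
from typing import List, Tuple

# Patterns for internal-infrastructure artifacts that should never appear in a
# shared data-room document. The shapes (file:// URLs, UNC paths, user profile
# directories, internal DNS suffixes) are assumptions, not taken from the page.
LEAK_PATTERNS = [
    ("file URL", re.compile(r"file://\S+", re.IGNORECASE)),
    ("UNC path", re.compile(r"\\\\[A-Za-z0-9_.-]+\\[^\s\\]+")),
    ("Windows profile path", re.compile(r"[A-Za-z]:\\Users\\[^\\\s]+", re.IGNORECASE)),
    ("home directory path", re.compile(r"/(?:Users|home)/[A-Za-z0-9_.-]+")),
    ("internal hostname",
     re.compile(r"\b[a-z0-9-]+\.(?:local|internal|corp|lan|intranet)\b", re.IGNORECASE)),
]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, matched_text) for every artifact found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in LEAK_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, category, match.group(0)))
    return findings


def is_clean(text: str) -> bool:
    """True when the document can be shared without exposing internal paths."""
    return not scan_text(text)


def redact(text: str) -> str:
    """Replace each artifact with a labelled marker so the document stays readable."""
    for category, pattern in LEAK_PATTERNS:
        text = pattern.sub(f"[REDACTED: {category}]", text)
    return text


# Constructed sample document text; every path and host below is made up.
SAMPLE_DOC = """\
FY2024 financial statement, version 2024-11-15
Source workbook: file:///C:/Users/jdoe/Documents/financials.xlsx
Backup copy: \\\\fileserver01\\finance\\fy2024.xlsx
Exported from https://grc.northai.internal/reports/ssp
Public record: https://www.fpds.gov/
Reference: Agency A, program office, CLIN 0001
"""

if __name__ == "__main__":
    for lineno, category, match in scan_text(SAMPLE_DOC):
        print(f"line {lineno}: {category}: {match}")
    print("clean after redaction:", is_clean(redact(SAMPLE_DOC)))
```

Run it over the plain-text export of each document before upload; a non-empty finding list blocks the share, and the redacted copy shows which lines need a human decision rather than a blind substitution.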