Outsourcing software development to India in 2026 is a mature choice — the question is no longer "should we?" but "which partner, under which contract, with which controls?". This post is the checklist we walk prospective clients through before any SoW is signed. Use it whether you go with Krapton or not; the criteria are the same.
TL;DR: Control four things and the rest falls into place: IP and NDA language, data-protection alignment (GDPR + India DPDPA), timezone discipline, and a staged engagement that starts with a 2-week paid pilot before any long-term commitment.
Part 1 — Contract and IP (non-negotiable)
- Written IP assignment in the SoW. The default under English or New York law is that work-for-hire does not automatically transfer IP without an explicit assignment clause. Make it explicit and have it cover all derivatives.
- Mutual NDA signed before discovery calls. Our standard NDA is freely available and takes 24 hours to execute; any partner that drags NDA signing is a warning sign.
- Clear jurisdiction and dispute-resolution clause. London Court of International Arbitration or Delhi under the Indian Arbitration and Conciliation Act 1996 are both acceptable; pick and name one.
- Liability caps matched to project value. Unlimited liability is unreasonable; 1–2x the annual contract value is standard.
- Exit and handover clause. 30-day notice + knowledge-transfer clause + source-code handover at project termination, documented in writing.
Part 2 — Data protection and compliance
- GDPR Article 28 processor agreement in place. Required for any UK or EU client processing personal data, irrespective of the partner's location.
- India Digital Personal Data Protection Act 2023 (DPDPA) readiness. The DPDPA is now in force; your partner should be able to show you their data-processing record.
- Named Data Protection Officer. If the partner has more than 50 engineers touching your data, a DPO should exist and be contactable.
- Standard Contractual Clauses on cross-border transfer. UK–India is a third-country transfer under GDPR; SCCs cover it.
- Infrastructure posture. Ask explicitly: where is the code stored, who has access, is MFA enforced, and is there an access log you can review on request?
Part 3 — Operational controls
- Timezone overlap. Minimum 4 hours daily overlap with your primary office. Delhi gives you 4–5 hours with London, 3 with New York, 1 with California.
- Named delivery manager. Not just a "project manager" — a senior engineer accountable for delivery who joins your standups.
- Your ticketing, your repo. The partner logs into your Jira and pushes to your GitHub, not theirs. This avoids IP leakage at project end.
- Weekly written status reports. Shipped, in-flight, blocked. If a partner cannot produce these, they will not produce code reliably either.
- Code review by someone senior on your side. Even if you are a solo CTO — at least spot-check one PR a week.
Part 4 — The staged engagement
The biggest mistake CTOs make is signing a 12-month master service agreement before seeing a single commit. Our recommended rollout, with any partner:
- Week 0: NDA signed; discovery call.
- Weeks 1–2: Paid 2-week pilot on a self-contained piece of work. Scoped for exactly 80 engineering hours.
- Week 3: You review the pilot output against pre-agreed acceptance criteria.
- Week 4: Go / no-go. If go, sign a 3-month dedicated-team engagement with a 30-day exit clause.
- Month 4 onward: Roll into annual with renegotiated rate bands.
This staged model costs you two weeks of risk, caps total exposure at the pilot fee if the partner turns out to be the wrong fit, and gives the partner a fair shot to prove themselves.
Red flags to walk away from
- Rate card you cannot see without signing a multi-page NDA first.
- Promises of "any number of developers, any stack, any timezone" without a bench you can meet.
- No named references. At least two previous clients should take your call.
- Portfolio that cannot be verified — links go to dead domains or the partner cannot confirm which engineers built what.
- Refusal to sign your DPA or your IP clause — partner insists on their own terms only.
FAQ
Is outsourcing software development to India still risky in 2026?
Only to the same extent as any third-party vendor relationship. The risks are controllable with contract hygiene and staged engagement — and the economics remain compelling for most SaaS and product roadmaps.
How long does IP transfer take after project completion?
Immediate — IP vests in the client throughout under the assignment clause. The source-code handover itself takes one business day if repos are already in your GitHub org (as they should be from day one).
What is the biggest hidden cost of offshore development?
Management overhead. Budget 10–15% of engineering capacity on your side for code review, unblocking, and async communication. Partners that minimise this overhead (named DM, daily async reports, shared repos) are worth a 10–15% rate premium.
Next step
If you'd like the full 20-point version of this checklist, or to see how Krapton scores against it, book a free consultation. You can also read our delivered case studies or check client reviews from prior CTOs.