17 min read · Ryan Howell

What Founders Need to Know About CFIUS and Foreign Investment

CFIUS can block or unwind foreign investments in U.S. startups working in AI, biotech, and critical technology. Here's what founders need to know before accepting foreign capital — and how to stay off the radar.


You've been fundraising for months. A foreign venture fund offers a term sheet with a strong valuation, no unusual governance terms, and a partner who genuinely understands your space. It looks like the best deal on the table.

Then your lawyer asks: "Have you thought about CFIUS?"

The Committee on Foreign Investment in the United States (CFIUS) is an interagency body that reviews — and can block or unwind — transactions that give foreign persons control over, or certain access to, U.S. businesses. For startups working in artificial intelligence, biotechnology, quantum computing, semiconductors, or any sector touching sensitive personal data, CFIUS is no longer an edge case. It is a core diligence item for any round involving foreign capital.

This post covers what CFIUS is, when it applies, which sectors and deal structures trigger review, and the practical steps founders should take to protect their companies.


What Is CFIUS?

CFIUS is a committee chaired by the Secretary of the Treasury and composed of representatives from nine federal departments and agencies, including the Departments of Defense, State, Commerce, Energy, and Homeland Security. Its mandate is to review transactions that could result in foreign control of, or foreign access to, U.S. businesses — particularly those involving critical technology, critical infrastructure, or sensitive personal data.

CFIUS derives its authority from Section 721 of the Defense Production Act, as significantly expanded by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). FIRRMA broadened CFIUS jurisdiction beyond traditional acquisitions to cover certain non-controlling investments in sensitive U.S. businesses — a change that brought venture capital squarely into scope.

What CFIUS Can Do

CFIUS has substantial power:

  • Block transactions before they close
  • Impose conditions on closing (mitigation agreements)
  • Unwind completed transactions — even years after closing
  • Refer transactions to the President for a final decision, which is not subject to judicial review

The last point is critical. If CFIUS determines a completed investment threatens national security, it can force divestiture. This has happened. In 2019, CFIUS ordered Beijing Kunlun Tech to divest its acquisition of Grindr. In 2024, it forced a Chinese-backed investor to divest from a U.S. AI company. The risk is not theoretical.

Mandatory vs. Voluntary Filings

CFIUS review can be triggered two ways: through a mandatory filing requirement or through a voluntary notice. Understanding the difference is essential.

Mandatory Declarations

FIRRMA created a mandatory filing requirement for two categories of transactions:

1. Critical Technology Transactions

If a foreign person acquires a direct or indirect interest in a U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies" — and the foreign person would receive certain rights (board seats, access to material nonpublic technical information, involvement in substantive decisionmaking, or access to critical technology) — a mandatory declaration is required.

"Critical technologies" is a defined term that includes:

  • Items controlled under the Export Administration Regulations (EAR) — including many AI/ML models, semiconductor designs, and encryption technologies
  • Items controlled under the International Traffic in Arms Regulations (ITAR)
  • Certain emerging and foundational technologies identified by the Commerce Department
  • Items requiring government authorization for export under specific ECCNs

The practical implication: if your startup's technology would require an export license to ship to the investor's home country, there's a good chance a mandatory CFIUS declaration is required.

2. Foreign Government Investors

Any transaction that results in foreign government control of a U.S. business requires a mandatory declaration, regardless of the sector.

Timing

Mandatory declarations must be filed at least 30 days before the transaction closes. CFIUS then has 30 days to clear the declaration, request a full notice, or initiate a unilateral review.

Voluntary Notices

For transactions that don't trigger mandatory filing, parties may still file a voluntary notice. There is no obligation to do so — but there's a strong incentive. CFIUS can (and does) review non-notified transactions on its own initiative. Filing voluntarily provides a "safe harbor": once CFIUS clears a transaction, it generally cannot reopen the review absent material misrepresentation or omission.

Without a voluntary filing, the transaction remains subject to potential CFIUS review indefinitely. This creates lingering risk that can surface during later funding rounds, M&A due diligence, or IPO preparation.

When to File Voluntarily

Consider a voluntary filing when:

  • The investor is from or has significant ties to a country of concern (China, Russia, Iran, North Korea — though CFIUS looks broadly)
  • Your company handles sensitive personal data on U.S. citizens
  • You operate in or adjacent to critical infrastructure sectors
  • You expect a future exit to a strategic acquirer that will conduct thorough CFIUS diligence
  • Investors in later rounds will ask about CFIUS clearance as a condition to investing

Which Sectors Trigger CFIUS Review?

FIRRMA expanded CFIUS jurisdiction to cover non-controlling investments in three categories of U.S. businesses. If your startup falls into any of these, even a minority investment by a foreign person can trigger review.

1. Critical Technology

This is the broadest and most relevant category for startups. It captures companies that produce, design, test, manufacture, fabricate, or develop critical technologies, including:

  • Artificial intelligence and machine learning — particularly dual-use AI systems, autonomous systems, and models trained on sensitive datasets
  • Semiconductors — chip design, fabrication, EDA tools, advanced packaging
  • Quantum computing — hardware, algorithms, and quantum networking
  • Biotechnology — synthetic biology, gene editing (CRISPR), genomics, and biomanufacturing
  • Advanced materials — metamaterials, advanced composites
  • Cybersecurity — offensive cyber tools, vulnerability research, zero-day exploits
  • Hypersonics and advanced weapons systems
  • Space technology — satellite systems, launch technology, space-based sensors

The Commerce Department continues to identify "emerging and foundational technologies" through ongoing rulemakings. The list has expanded steadily since FIRRMA's enactment and now covers several AI-related ECCNs.

2. Critical Infrastructure

Companies that own, operate, manufacture, supply, or service critical infrastructure in 28 identified sectors. For startups, the most relevant include:

  • Telecommunications and internet services
  • Energy (including clean energy and grid technology)
  • Financial services infrastructure
  • Water systems
  • Transportation technology

3. Sensitive Personal Data

Companies that maintain or collect sensitive personal data on U.S. citizens. CFIUS regulations define this to include:

  • Identifiable data on more than one million individuals
  • Genetic or biometric data — increasingly relevant for healthtech and biotech startups
  • Financial data — fintech companies handling transaction or credit data
  • Geolocation data — any app or service that tracks precise location
  • Health data — digital health platforms, telemedicine companies
  • Government personnel data — particularly if you have government contracts

The sensitive personal data category catches many consumer-facing startups that wouldn't consider themselves "national security" companies. A healthtech startup with a million users' health records, a fintech company processing consumer financial data, or a consumer app collecting precise geolocation — all potentially within CFIUS jurisdiction.

How Foreign VC Participation Creates Issues

Many founders assume CFIUS only applies to acquisitions. It doesn't. Under FIRRMA, CFIUS has jurisdiction over non-controlling investments that afford a foreign person any of the following:

  • Access to material nonpublic technical information
  • Board membership or observer rights
  • Any involvement in substantive decisionmaking regarding sensitive personal data, critical technology, or critical infrastructure

This maps directly onto standard venture capital deal terms. A foreign VC that takes a board seat, receives information rights, or negotiates protective provisions over technology decisions may trigger CFIUS jurisdiction — even with a 5% ownership stake.

Common Scenarios That Create CFIUS Risk

Foreign-headquartered VC funds. The most obvious case. A fund organized in China, Singapore, the UAE, or even a close ally like the UK or Germany can trigger CFIUS review if the underlying investors include foreign government-linked entities.

U.S. funds with foreign LPs. A Delaware-incorporated VC fund may still be a "foreign person" for CFIUS purposes if foreign nationals or governments hold significant interests or have governance rights over the fund. This is increasingly scrutinized — particularly for funds with sovereign wealth fund LPs from countries of concern.

Strategic investors. A corporate venture arm of a foreign company (e.g., a Chinese tech company's CVC fund) almost always triggers CFIUS analysis. These investors often seek information rights and board access that fall squarely within CFIUS coverage.

Accelerators and incubators with foreign government backing. Some international accelerator programs are funded by foreign governments. Accepting investment from these programs can create CFIUS exposure.

SPVs and syndicates. Rolling funds, AngelList syndicates, and SPVs may include foreign investors whose participation isn't immediately visible to the founder. If foreign persons participate and the startup is in a covered sector, CFIUS risk exists.

The LP Look-Through Problem

CFIUS can "look through" a U.S.-domiciled fund to examine the fund's own investors. If a U.S. fund has a sovereign wealth fund LP from a country of concern, and that LP has certain governance rights over the fund's investment decisions, the fund itself may be treated as a foreign person.

This means founders need to ask not just "where is this fund based?" but "who are the fund's LPs, and do any of them have governance rights?"

Most established U.S. venture funds have already structured their LP agreements to avoid CFIUS issues. But newer funds, crossover investors, and non-traditional capital sources may not have done this work.

The 2025 Outbound Investment Rule

In addition to inbound CFIUS review, the Treasury Department's Outbound Investment Security Program (effective January 2, 2025) restricts U.S. persons from investing in Chinese, Hong Kong, and Macau entities engaged in semiconductors, quantum computing, and AI. While this primarily affects U.S. investors making outbound investments, it creates an additional layer of complexity for startups with China-linked investors or operations.

If your startup has a subsidiary or joint venture in China, or if your U.S. investors also invest in Chinese companies in covered sectors, the outbound rules may be relevant. The interaction between inbound CFIUS review and outbound investment restrictions is an evolving area — consult counsel if your cap table or operations have a China nexus.

Practical Steps Before Accepting Foreign Capital

1. Know Your Investor

Before signing a term sheet, conduct basic diligence on the investor:

  • Country of organization and principal place of business. Where is the fund actually managed?
  • LP composition. Ask directly whether any LPs are foreign government entities, sovereign wealth funds, or nationals of countries of concern. Reputable funds will answer this question.
  • GP nationality and residency. Who controls the fund's investment decisions?
  • Other portfolio companies. Has the fund invested in other U.S. companies in sensitive sectors? How did those investments handle CFIUS?

You're not conducting a full national security review. You're identifying red flags that warrant further analysis with counsel.

2. Map Your CFIUS Exposure

Work with counsel to determine whether your company falls within CFIUS jurisdiction:

  • Export control classification. Has your technology been classified under the EAR? Would it require an export license to the investor's home country? This is the single most important technical question.
  • Sensitive personal data. Do you collect identifiable data on more than one million U.S. persons? Do you handle genetic, biometric, health, financial, or precise geolocation data?
  • Critical infrastructure. Do you operate, supply, or service any of the 28 identified critical infrastructure sectors?
  • Government contracts. Do you have or anticipate contracts with U.S. government agencies, particularly DoD, intelligence community, or DHS?

3. Structure the Deal to Minimize CFIUS Risk

If CFIUS risk exists but the deal makes strategic sense, structuring can help:

  • Limit information rights. Exclude the foreign investor from receiving material nonpublic technical information. This may mean creating a separate "clean" information package that omits sensitive technical details.
  • No board seat. Replace a board seat with a board observer role — and further limit observer rights to exclude attendance during discussions of sensitive technology or government contracts. Better yet, offer no board-level role at all.
  • Carve out protective provisions. Ensure the foreign investor does not have protective provisions over decisions related to critical technology, sensitive data handling, or government contract matters.
  • Passive investment structure. Structure the investment so the foreign investor has no governance rights beyond standard economic rights (dividends, liquidation preference, pro rata). A purely passive investment in a non-TID U.S. business generally falls outside CFIUS jurisdiction.

4. Consider Filing Proactively

If you determine a mandatory declaration is required, you must file. If filing is voluntary but the risk profile is elevated, consider filing anyway. The benefits:

  • Legal certainty. CFIUS clearance provides a safe harbor against future review.
  • Clean cap table for future rounds. Later-stage investors and acquirers will ask about CFIUS. Having clearance in hand eliminates a diligence issue.
  • Faster M&A exit. Acquirers conducting their own CFIUS analysis will view prior clearance favorably.

The cost of a CFIUS filing is meaningful — legal fees typically range from $50K-$150K for a full notice — but it's small relative to the cost of an unwinding order years later.

5. Build CFIUS Awareness Into Your Fundraising Process

For companies in covered sectors, CFIUS should be part of your standard fundraising process:

  • Include CFIUS representations in your term sheet. Require the investor to represent that the investment does not trigger a mandatory CFIUS filing, or that the parties will cooperate on any required filing.
  • Add CFIUS closing conditions to your investment documents. Make closing contingent on CFIUS clearance (or the expiration of the review period without action).
  • Budget for CFIUS legal costs. If you're in a covered sector, budget $25K-$75K per round for CFIUS analysis and potential filing.

Mitigation Strategies: What CFIUS Asks For

If CFIUS identifies national security concerns but doesn't want to block the transaction outright, it typically negotiates a mitigation agreement — a set of conditions the parties must accept as a condition of clearance.

Common mitigation measures include:

Security Control Agreements

The company must implement specific security protocols:

  • Appointment of a U.S. government-approved security officer
  • Restrictions on foreign national access to sensitive technology or data
  • Annual security audits by a third-party monitor (at the company's expense)
  • Physical and cybersecurity requirements for facilities handling sensitive information

Board and Governance Restrictions

  • The foreign investor may be excluded from the board entirely
  • A "security board" or "government security committee" may be required — composed of U.S. citizens with security clearances who oversee sensitive matters
  • Certain corporate decisions (technology licensing, government contracting, data handling) may require approval of the security committee

Technology and Data Restrictions

  • Specific technology or data may be "walled off" from the foreign investor
  • The company may be prohibited from sharing certain technical information with the investor, even under NDA
  • Export control compliance programs must be implemented and monitored

Divestiture and Unwinding Rights

  • CFIUS may retain the right to require divestiture if mitigation conditions are violated
  • The government may appoint a "monitoring trustee" with ongoing access to company records

What Mitigation Means in Practice

Mitigation agreements are not trivial. They impose real operational costs and constraints:

  • Annual compliance costs of $100K-$500K+ for monitoring, audits, and security infrastructure
  • Management time spent on compliance rather than building the business
  • Restrictions on information sharing that can impair the investor relationship
  • Potential conflicts with other investors' information rights

For early-stage startups, the operational burden of a mitigation agreement can be disproportionate. This is why prevention — structuring deals to avoid CFIUS issues — is almost always preferable to mitigation.

The Enforcement Landscape

CFIUS enforcement has intensified significantly since 2020:

  • Non-notified transactions. CFIUS has a dedicated team that identifies covered transactions that were not filed. The team monitors news reports, SEC filings, patent databases, and other public sources to identify potential violations.
  • Penalties. Failure to file a mandatory declaration can result in civil penalties up to the value of the transaction. CFIUS imposed its first-ever penalty in 2023.
  • Retroactive review. There is no statute of limitations on CFIUS review. A transaction completed in 2021 can be reviewed in 2026.
  • Interagency coordination. CFIUS works with the Commerce Department (export controls), DOJ (Foreign Agents Registration Act), and intelligence agencies. A CFIUS review may trigger parallel investigations.

The practical takeaway: ignoring CFIUS doesn't make it go away. It creates a latent risk that compounds over time and becomes most problematic exactly when you least want it — during an acquisition, IPO, or government contract opportunity.

Special Considerations for AI Companies

AI startups deserve specific attention because they sit at the intersection of multiple CFIUS risk factors:

  • Dual-use technology. Many AI/ML systems have both commercial and military applications. Foundation models, computer vision, natural language processing, and autonomous systems are all areas of intense government interest.
  • Training data. AI companies that train models on sensitive personal data (health records, financial data, biometric data) may trigger both the critical technology and sensitive personal data prongs.
  • Compute infrastructure. Access to advanced computing resources is itself a national security concern. If your AI company operates GPU clusters or has relationships with cloud providers that handle sensitive workloads, this adds to the CFIUS profile.
  • Export controls on AI models. The Commerce Department has expanded export controls on AI-related technologies, including certain model weights, training techniques, and inference engines. If your model would require an export license, CFIUS mandatory filing is likely triggered.
  • Executive Order on AI. While the Biden-era AI Executive Order was partially rolled back, the national security provisions relating to AI and CFIUS remain active. AI companies should assume heightened scrutiny.

When CFIUS Isn't the Issue (But Related Risks Are)

Even if your transaction falls outside CFIUS jurisdiction, related regulatory regimes may apply:

  • Export controls (EAR/ITAR). Sharing technical information with foreign nationals — including foreign investor personnel — may require an export license, independent of CFIUS.
  • ITAR registration. Companies that manufacture, export, or broker defense articles must register with the State Department. Foreign investment can complicate ITAR compliance.
  • Government contract requirements. DFARS and NIST SP 800-171 requirements for defense contractors may restrict foreign national access to controlled unclassified information.
  • State data privacy laws. Some state laws restrict the transfer of resident data to foreign entities, adding another layer of complexity.
  • Outbound investment restrictions. As noted above, the Treasury Department's new outbound investment program restricts certain investments in Chinese entities in AI, semiconductors, and quantum computing.

The Bottom Line

CFIUS is not a reason to refuse all foreign capital. Many of the world's best venture investors are based outside the United States, and foreign capital has funded some of the most successful American startups. But CFIUS is a reason to be deliberate about how you accept foreign investment — particularly if your company operates in AI, biotech, semiconductors, data-intensive consumer applications, or any sector touching national security.

The key actions:

  1. Know your CFIUS profile. Before you start fundraising, work with counsel to determine whether your company is in a covered sector. This analysis should happen once, early, and be updated as your technology and data practices evolve.
  2. Diligence your investors. Ask about fund structure, LP composition, and foreign government ties. This is standard practice for sophisticated founders.
  3. Structure deals to minimize risk. Limit governance rights, information access, and board participation for foreign investors in sensitive sectors.
  4. File when required — and consider filing when smart. Mandatory declarations are non-negotiable. Voluntary filings provide legal certainty that pays dividends at exit.
  5. Don't ignore the problem. CFIUS risk doesn't expire. Addressing it proactively is always cheaper than dealing with an enforcement action or a blown acquisition.

Raising a round with foreign investors? Book a free call — we help startups navigate CFIUS, structure foreign investment, and close rounds without regulatory surprises.
