How Handpickd met investor security requirements and closed a $15M Series A without losing momentum

VAPT + CSPM: deployed for due diligence

Series A closed: $15M led by Bertelsmann

Security checklist cleared: investor due diligence satisfied

About Handpickd

Handpickd is India’s first zero-stock fresh commerce platform, founded in 2024 by Anant Goel, co-founder of Milkbasket, alongside Nitin Gupta and Sahil Madan. The company operates on a fundamentally different model from every other fresh produce startup in the country: no inventory, no warehouses, no dark stores, and no demand forecasting.

Instead, Handpickd collects orders from customers first, then procures the exact quantity directly from farmers, and delivers to homes in the early morning hours. The entire cycle from order to delivery runs in under six to seven hours using advanced just-in-time processes. The model eliminates wastage across the supply chain while enabling a level of personalisation no traditional model can match: customers can specify ripeness, sweetness, crunch, size, and pesticide-free preferences down to the individual piece of fruit.

Handpickd operates in Gurugram, Noida, and Bengaluru. In September 2025, the company raised $15 million in a Series A round led by Bertelsmann India Investments, with participation from Titan Capital Winners Fund and existing investors.

A technology-first business at scale

Handpickd’s model runs on technology: demand collection, supply chain coordination, farmer procurement, logistics, and customer personalisation are all software-driven. That makes the platform’s security posture a legitimate investor concern, not a box-ticking exercise. A breach or infrastructure failure doesn’t just create a data risk; it threatens the operational backbone of the entire business.

The challenge: security was a condition of closing the term sheet

When Handpickd received a term sheet from their Series A investors, it came with a mandatory security checklist as part of shareholder due diligence. This is not unusual at Series A and above. Institutional investors writing cheques of this size have their own obligations to LPs, and they take vendor and portfolio company risk seriously. The checklist covered multiple security parameters, with two standing out as the most substantive requirements.

1. Penetration testing (VAPT). The investors required evidence that Handpickd’s platform had been independently tested for vulnerabilities. A VAPT report from a qualified assessor was a non-negotiable item on the checklist.
2. Cloud infrastructure security findings. The checklist required visibility into Handpickd’s cloud environment: whether misconfigurations existed, what the findings were, and how they were being tracked and remediated.

Without satisfying both requirements, the term sheet would not convert to a signed agreement. The deal was conditional on security. Handpickd came to Osto.

About Osto

Osto is a unified security and compliance platform built for startups and growth-stage companies. Rather than selling individual point solutions, Osto bundles the security and compliance modules that companies need across their growth journey, including WAF, CSPM, endpoint protection, VAPT, source code assessment, SOC 2, ISO 27001, and security questionnaire response, into a single platform that deploys in days.

For companies like Handpickd, growing fast with institutional capital on the line, this means the security requirements that arrive with a term sheet can be addressed without the months-long procurement cycles that enterprise security vendors typically require.

The solution: VAPT and CSPM deployed for the due diligence checklist

Osto addressed both investor requirements directly.

1. VAPT: Vulnerability Assessment and Penetration Testing
Osto conducted a structured penetration test of Handpickd’s application and infrastructure. The VAPT process systematically attempts to identify and exploit security vulnerabilities in the same way an attacker would, producing a detailed report of findings, their severity, and the remediation steps taken. For institutional investors, a VAPT report from a qualified assessor is the standard evidence they require to satisfy the penetration testing line on a due diligence checklist. Handpickd’s VAPT was near completion at the time of engagement.

2. CSPM: Cloud Security Posture Management
Osto deployed CSPM to give Handpickd continuous visibility into their cloud environment. CSPM automatically scans for misconfigurations — publicly accessible storage, overly permissive access policies, missing logging, unencrypted resources — and flags them for remediation. For the investor due diligence requirement around cloud infrastructure findings, CSPM provided both the active control and the documented evidence of what was found and how it was being addressed.

Security checklist satisfied. Term sheet converted.
With both requirements addressed, Handpickd submitted the required evidence to their investors. The due diligence checklist was cleared. The Series A closed.

“When the term sheet came through with the security checklist, we needed someone who could move at startup speed, not enterprise procurement speed. Osto got us what we needed to close the round.”

[Founder name], Handpickd

Results


Investor security checklist cleared. Both the VAPT and cloud infrastructure requirements on the due diligence checklist were satisfied with documented evidence.

$15M Series A closed. The security requirement that was a condition of closing the term sheet was resolved. The round proceeded with Bertelsmann India Investments and Titan Capital Winners Fund.

Security program continues to expand. The engagement goes beyond what was needed for the round, with code review and additional security modules planned as Handpickd scales.

What comes next

Closing the Series A was the starting point for Handpickd’s security program, not the end of it. As the company scales into more cities and handles more customer and supplier data, the security and compliance expectations from future investors, enterprise partners, and the platform’s own growing team will only increase.

Phase | What was done
Phase 1 · Complete | VAPT and CSPM deployed to clear the investor due diligence security checklist.
Phase 2 · Planned | Source code review and additional security assessments.
Phase 3 · Planned | Further security modules as the business scales across cities and customers.

Security isn’t always demanded by your customers

The Handpickd story illustrates something that surprises many early-stage founders: the demand for security does not always come from enterprise customers. It comes from investors too.

At Series A and beyond, institutional investors routinely include security requirements in their shareholder due diligence. They are writing large cheques into platforms that hold customer data, process transactions, and operate at scale. A security failure in a portfolio company creates reputational and financial risk for the fund. The security checklist is how they manage that risk.

This means the founders who arrive at their Series A with a security program already in place are in a fundamentally different position from those who encounter the checklist for the first time in the term sheet. One closes faster. One scrambles.

Osto helps companies that need to move fast without getting security wrong.

Whether the requirement is coming from an enterprise customer, a government regulator, or your investors, the security question will come. We work with startups and growth-stage teams to build the security program that means you are ready when it does.

Talk to us at Osto

At a glance
Company: Handpickd
Location: Gurugram, India
Industry: Fresh Commerce
Stage: Series A ($15M, led by Bertelsmann India Investments)
Challenge: Mandatory security checklist from Series A investors as a condition of closing the term sheet
Osto solutions: VAPT, CSPM, Source code review (planned)
Outcome: Investor security checklist cleared. Series A closed.
