The Complete Due Diligence Checklist for 2026
193+ items across 6 workstreams — legal, financial, commercial, technology, HR, and operations. Built for M&A advisors, deal teams, and founders preparing for an acquisition or fundraising process.
193+
Checklist items
6
Workstreams
6
Deal types
✓
Always free
What is due diligence?
Due diligence is the structured process of investigating a business, asset, or investment before completing a transaction. In an M&A context, due diligence is the period between signing a letter of intent (LOI) and signing a definitive purchase agreement — during which the buyer's advisors independently verify the seller's representations about the business.
A due diligence checklist organizes this investigation into workstreams, ensuring no material area is overlooked. Due diligence is not a bureaucratic exercise — it is the mechanism by which acquirers and investors validate their investment thesis, discover deal-breakers, and establish the factual basis for purchase price adjustments and indemnity provisions.
The scope of any due diligence checklist will vary by deal type, industry, and transaction size. The checklist below covers the standard workstreams for a mid-market M&A transaction. Deal teams should expand or contract scope based on materiality and deal-specific risks.
Types of due diligence by transaction
The due diligence process and checklist scope varies by deal type. Select your transaction type below.
M&A Sell-Side
Vendor Due Diligence
Commissioned by the seller before launching a sale process. Identifies issues proactively, prepares a clean data room, and reduces buyer uncertainty — compressing timelines and supporting valuation.
Key documents
- ·Audited financials + normalized EBITDA bridge
- ·Cap table and org chart
- ·Top 20 customer contracts
- ·IP ownership certificates
- ·Clean SOC 2 / ISO 27001 certification
M&A Buy-Side
Confirmatory Due Diligence
The buyer's independent review of the target before signing. Validates the investment thesis, confirms financial performance, uncovers risks, and informs purchase price adjustments or indemnity provisions.
Key documents
- ·Quality of Earnings (QoE) report
- ·Working capital analysis
- ·Litigation and regulatory review
- ·IT and cybersecurity assessment
- ·Key employee and compensation review
Series A Fundraising
Investor Due Diligence
VC and growth equity investors conduct due diligence on startups before term sheet or close. Shorter than M&A but covers the same core workstreams — founders should prepare a clean, organized data room before starting investor meetings.
Key documents
- ·Pitch deck + financial model
- ·Cap table and SAFEs/notes
- ·IP assignment agreements
- ·MRR/ARR waterfall
- ·Reference customers
Real Estate
Property Due Diligence
Title, environmental, zoning, and lease review for commercial property acquisitions. Involves a specialist Phase I/II environmental assessment and title search alongside financial analysis of rental income.
Key documents
- ·Title report and survey
- ·Phase I environmental assessment
- ·Lease agreements
- ·Property financials (rent roll, NOI)
- ·Zoning and building permits
Legal / Law Firm
Legal Due Diligence
Counsel-led review of contracts, litigation exposure, regulatory compliance, and IP ownership. Legal due diligence often surfaces the most deal-critical risks — change-of-control triggers, IP gaps, and undisclosed liabilities.
Key documents
- ·Material contracts with COC provisions
- ·Litigation register
- ·Regulatory licenses and compliance filings
- ·IP chain-of-title documents
- ·Data privacy compliance documentation
Life Sciences / Healthcare
Clinical & Regulatory DD
For pharma, biotech, and healthcare M&A. Adds clinical data (trial results, regulatory submissions, FDA status), HIPAA compliance, manufacturing and supply chain quality, and reimbursement analysis.
Key documents
- ·Regulatory filings (FDA, EMA, PMDA)
- ·Clinical trial data and protocols
- ·HIPAA compliance documentation
- ·Manufacturing Quality Agreements
- ·Reimbursement and payer contracts
The complete due diligence checklist — 193+ items
Organized by workstream. Each section covers documents typically requested by buy-side advisors, organized as they would appear in a virtual data room index.
Jump to workstream
Legal Due Diligence
38 itemsCorporate structure, material contracts, litigation, regulatory compliance, and change-of-control analysis.
Corporate Structure & Governance
- Certificate of incorporation and all amendments (including restated articles)
- Bylaws and all amendments
- List of all subsidiaries, joint ventures, and affiliated entities
- Corporate organization chart
- Good standing certificates for all jurisdictions
- Shareholder register / cap table (current, fully diluted)
- All share issuances, transfers, and repurchases
- Board of directors and officer list (current and last 3 years)
- Board meeting minutes and written consents (last 3–5 years)
- Annual shareholder meeting minutes (last 3–5 years)
- Shareholder agreements, voting agreements, rights agreements
- Investor rights agreements (registration rights, information rights)
- Rights of first refusal and co-sale agreements
- Anti-dilution provisions and their applicability
- Drag-along and tag-along rights documentation
Material Contracts
- All contracts with annual value exceeding $250K (or material threshold)
- Customer contracts — top 20 by revenue, including term, renewal, termination clauses
- Supplier and vendor contracts — critical dependencies
- Change-of-control provisions in all material contracts
- Assignment restrictions in key agreements
- Non-disclosure and confidentiality agreements
- Distribution, reseller, and channel partner agreements
- Licensing agreements (inbound and outbound)
- Joint venture and strategic alliance agreements
- Government and public sector contracts
- Exclusivity provisions and non-compete obligations
Litigation & Regulatory
- List of all pending and threatened litigation
- Settlement agreements from the last 5 years
- Regulatory investigations or enforcement actions
- Government inquiries and subpoenas
- EEOC claims, labor disputes, and employment lawsuits
- Product liability claims
- IP disputes and infringement claims
- Anti-trust or competition law matters
- Environmental compliance history and pending matters
- FCPA / anti-bribery compliance review
- Industry-specific regulatory licenses and permits
- Export control and sanctions compliance (OFAC, BIS)
Financial Due Diligence
43 itemsAudited financials, working capital, debt schedule, tax, and quality-of-earnings analysis.
Financial Statements & Audit
- Audited financial statements — last 3 fiscal years (P&L, balance sheet, cash flow)
- Auditor reports, management letters, and responses
- Audit committee meeting minutes (last 3 years)
- Management accounts — current year to date (monthly P&L, balance sheet)
- Prior-year management accounts for comparison
- Interim financial statements for the current stub period
- Accounting policies and any changes in accounting treatment
- Off-balance-sheet arrangements and contingent liabilities
- Related-party transactions
- Restatements or corrections in any period
Revenue & Customer Analysis
- Revenue breakdown by customer (top 20 by revenue, % of total)
- Revenue breakdown by product/service line
- Revenue breakdown by geography
- Recurring vs. non-recurring revenue split
- ARR / MRR waterfall (for SaaS/subscription businesses)
- Gross margin by product line
- Revenue recognition policy and deferred revenue schedule
- Backlog and contracted-not-yet-recognized revenue
- Customer churn rate and net revenue retention
- Pipeline and forecasted revenue (next 12 months)
- Historical win rate and sales cycle data
Working Capital & Cash
- Working capital bridge — last 12 months monthly
- Normalized working capital target for purchase price adjustment
- Accounts receivable aging schedule
- Allowance for doubtful accounts methodology
- Accounts payable aging schedule
- Inventory valuation and obsolescence reserve
- Cash and cash equivalents reconciliation
- Capex schedule (last 3 years) and planned capex
- Lease obligations (operating and finance leases under ASC 842/IFRS 16)
- Intercompany balances and settlement terms
Debt, Equity & Tax
- All credit facilities, term loans, and revolving credit agreements
- Convertible notes and outstanding SAFEs
- Letters of credit and surety bonds
- Liens, pledges, and security interests on assets
- Debt covenants and compliance certificates
- Federal, state, and local tax returns (last 3 years)
- Open tax audits and assessments
- R&D tax credits and other deferred tax assets
- Transfer pricing documentation
- Tax sharing agreements with affiliates
- NOL carryforwards and their limitations under Section 382
- Sales and use tax obligations and compliance
Commercial Due Diligence
27 itemsMarket position, customers, competitive landscape, pipeline, and commercial sustainability.
Market & Competitive Position
- Total addressable market (TAM) and serviceable market (SAM) analysis
- Company's market share and relative position
- Competitive landscape map (direct and indirect competitors)
- Competitive differentiation and barriers to entry
- Customer switching costs and stickiness analysis
- Pricing power and pricing history
- Industry growth rate and key market drivers
- Regulatory or market trends that affect the business
- Market research reports and third-party analyst coverage
Customers & Commercial Relationships
- Customer list with revenue, tenure, and contract status for top 25
- Customer concentration risk analysis
- Customer satisfaction scores (NPS, CSAT, or equivalent)
- Reference customer interviews (ideally 5–10)
- Customer attrition and retention rates (3-year trend)
- Churn reasons and patterns
- Key account management and relationship ownership
- Key customer contacts and dependency on individual relationships
- Customer credit quality and payment history
Sales, Marketing & Pipeline
- Sales organization structure and headcount
- Go-to-market strategy documentation
- Sales cycle length and conversion rates by stage
- Sales pipeline — current (by stage, value, probability)
- Historical win/loss analysis
- Marketing spend and customer acquisition cost (CAC)
- Brand and marketing assets
- Channel partner and distributor relationships
- Lead generation metrics and sources
Technology & IP Due Diligence
33 itemsSource code, IP ownership, cybersecurity, open source compliance, and data privacy.
Intellectual Property
- IP ownership schedule — patents, trademarks, copyrights, domain names
- IP assignment agreements — founders, employees, and contractors
- Work-for-hire documentation for any external development
- Open source license audit and software composition analysis
- FOSS (free and open source) compliance review
- Third-party IP licenses (inbound) — scope, exclusivity, transferability
- IP licenses granted to third parties (outbound)
- IP ownership disputes or challenges
- Patent prosecution history and pending applications
- Trade secret protections and confidentiality controls
Technology Architecture & Product
- Technology architecture diagram and system overview
- Source code repository access or escrow agreement
- Technical debt assessment
- Scalability analysis — capacity and headroom
- Third-party software dependencies and SaaS subscriptions
- Infrastructure and hosting agreements (AWS, GCP, Azure)
- Disaster recovery and business continuity plan
- Uptime and SLA compliance history
- Product roadmap (current and 12-month)
- Engineering team structure and key person dependencies
Cybersecurity & Data Privacy
- SOC 2 Type II certification and audit report
- ISO 27001 certification (if applicable)
- Penetration test results (last 12 months)
- Vulnerability disclosure policy and bug bounty program
- Security incident history and breach notifications
- Incident response plan
- Access control and identity management policies
- Data encryption standards (at rest and in transit)
- GDPR compliance documentation and DPA
- CCPA privacy policy and consumer rights procedures
- HIPAA compliance (if applicable — healthcare data)
- Data retention and deletion policies
- Third-party security assessments of key vendors
Human Resources Due Diligence
30 itemsKey employees, compensation structure, equity plans, retention risk, and labor compliance.
Organization & Key People
- Organizational chart — current, by department
- Headcount by function, location, and employment type
- Resumes or bios for all C-suite and VP-level executives
- Key person identification — who are the critical 5–10 employees?
- Succession planning or absence of coverage for key roles
- Recent departures at the management level (last 12 months)
- Employee tenure distribution
- Cultural assessment (Glassdoor, internal surveys, etc.)
Compensation & Equity
- Total compensation summary — salary, bonus, benefits, equity by employee
- Employment agreements for all C-suite and key employees
- Offer letters for recent senior hires
- Non-compete, non-solicitation, and IP assignment agreements
- Equity incentive plan (ESOP / equity plan document)
- Stock option grant schedule — all outstanding grants with strike price, vesting, and expiry
- Fully diluted cap table with option pool
- 409A valuation reports
- Change-of-control acceleration provisions in equity agreements
- Bonus plan structures and historical payout history
- Commission plans for sales team
Benefits, Compliance & Labor
- Benefits plan documentation — health, dental, vision, retirement
- 401(k) or pension plan compliance and funding status
- Workers' compensation claims history
- COBRA and WARN Act compliance
- Employee handbook and HR policies
- EEOC reports and diversity data (if applicable)
- Independent contractor agreements and classification analysis
- PEO or EOR arrangements (if applicable)
- Labor union agreements (if applicable)
- Immigration status and work authorization for key hires
- OSHA compliance and workplace safety record
Operations Due Diligence
22 itemsFacilities, supply chain, insurance, environmental compliance, and operational dependencies.
Facilities & Real Estate
- All office, warehouse, and facility lease agreements
- Lease terms — expiry dates, renewal options, termination rights
- Owned real property — title reports, surveys, mortgages
- Sublease agreements and assignment provisions
- Change-of-control provisions in property leases
- Capex commitments for facility improvements
- Equipment leases and maintenance agreements
Supply Chain & Vendors
- Key vendor and supplier contracts
- Single-source or sole-source dependency analysis
- Vendor concentration risk (which vendors represent >10% of COGS?)
- Supplier financial health (are key vendors at risk?)
- Inventory management policy and safety stock levels
- Lead time analysis and supply chain disruption history
- Quality control procedures and defect rates
Insurance & Environmental
- Insurance policies — general liability, property, D&O, E&O
- Cyber liability insurance policy and coverage limits
- Key man insurance
- Claims history (last 5 years)
- Environmental permits and compliance certifications
- Environmental liabilities — soil contamination, waste disposal
- Phase I/II environmental site assessments
- Health, safety, and environmental (HSE) incident log
Execute this checklist inside SpaceNexus
Upload your documents, track Q&A by workstream, and share securely with buyers — all in one auditable platform.
Start a free data roomDue diligence timeline — week by week
Standard timeline for a mid-market M&A transaction. Adjust based on transaction complexity and data room readiness.
Data Room Preparation
Sell-sideWeek 1- Organize and upload all documents to VDR
- Apply access permissions by workstream
- Assign Q&A categories and responsible parties
- Open NDA click-through for buyer parties
Initial Document Review
Buy-sideWeek 1–2- Review corporate structure and cap table
- Download audited financials and management accounts
- Identify top 20 customers and contracts
- Submit initial Q&A requests
Deep-Dive Workstreams
Both partiesWeek 2–4- Legal: contract review, litigation search, IP chain-of-title
- Financial: QoE, working capital, debt schedule
- Commercial: customer interviews and market analysis
- Technology: architecture review, security audit
Management Presentations
Both partiesWeek 4–6- Management team presentations by workstream
- Facility and site visits (if applicable)
- Follow-up Q&A and document requests
- Key employee retention conversations
Findings & SPA Negotiation
Buy-sideWeek 6–8- Consolidate all workstream findings
- Identify material issues requiring price adjustment or indemnity
- Prepare due diligence findings report
- Negotiate representations, warranties, and indemnities in SPA
Sign & Close
Both partiesWeek 8+- Signature closing conditions checklist
- Escrow and funds flow mechanics
- Closing deliverables (bring-down certificates, officer certs)
- Data room access withdrawal or transition
6 due diligence mistakes that kill deals
Avoidable errors that surface during due diligence and their impact on deal outcomes.
Starting with a disorganized data room
Impact: Delays the process by 2–4 weeks, signals poor management hygiene, and gives buyers grounds to lower their offer or add indemnity provisions.
Fix: Build and populate your virtual data room before launching the process. Use AI auto-categorization to index documents instantly.
Missing IP assignment agreements
Impact: If early contractors or co-founders didn't sign IP assignments, the company doesn't legally own its own product. This is a deal-breaker in technology M&A.
Fix: Audit IP assignments before launching the process. If missing, execute retroactive assignments before the data room opens.
Ignoring change-of-control provisions
Impact: Major customer or lender contracts may give counterparties the right to terminate on a change of control. One undisclosed provision can kill or significantly reprice a deal.
Fix: Review all material contracts for COC provisions in the first week of sell-side preparation. Get consent where required.
Using Dropbox or Google Drive as a data room
Impact: No audit trail, no granular access controls, no Q&A workflow, no NDA enforcement. Legal and regulatory exposure for securities-related document sharing.
Fix: Use a purpose-built virtual data room (VDR) with SOC 2 Type II certification, document-level permissions, and a tamper-evident audit trail.
Not tracking buyer engagement
Impact: Sellers lose negotiating leverage when they can't tell which buyers are serious and which are gathering competitive intelligence.
Fix: Use a VDR with real-time buyer analytics — track which parties are reading which documents and for how long.
Presenting unaudited or inconsistent financials
Impact: Revenue adjustments discovered by QoE advisors re-open price negotiations and erode trust. Restatements mid-process are deal-killers.
Fix: Have your CFO and auditor reconcile all management accounts to audited statements before the data room opens. Commission an independent QoE proactively.
Frequently asked questions about due diligence
What is a due diligence checklist?
A due diligence checklist is a structured list of documents, information, and analyses that a buyer or investor requires to evaluate a target company before completing an acquisition, investment, or other transaction. Due diligence checklists organize the review process into workstreams — typically legal, financial, commercial, human resources, technology/IP, and operations — so that all material risks are identified and documented before closing.
What are the main categories in a due diligence checklist?
A comprehensive due diligence checklist covers six main categories: (1) Legal — corporate structure, contracts, litigation, and regulatory compliance; (2) Financial — audited statements, tax records, working capital, and debt; (3) Commercial — customers, market position, competitive landscape, and pipeline; (4) Human Resources — key employees, compensation, equity plans, and retention risk; (5) Technology & IP — source code, patents, cybersecurity, and data privacy; (6) Operations — facilities, suppliers, insurance, and environmental compliance.
How long does due diligence take?
Due diligence for a mid-market M&A transaction typically takes 4–8 weeks from the time a data room is opened. Large-cap or complex transactions can run 8–16 weeks. Startup fundraising due diligence (Series A–C) is typically 2–4 weeks. The timeline depends on: how organized the seller's data room is, the complexity and size of the business, the number of workstreams running in parallel, and whether unexpected issues require deeper investigation.
What's the difference between buy-side and sell-side due diligence?
Buy-side due diligence is conducted by the acquirer (or investor) to evaluate the target before deciding to proceed and on what terms. Sell-side due diligence (also called vendor due diligence) is commissioned by the seller ahead of a process to proactively prepare documentation, identify and resolve issues before they appear during buyer review, and accelerate the timeline by having an organized data room ready at launch.
What documents should go in a due diligence data room?
A due diligence data room should contain: audited financial statements (3 years), management accounts, the cap table, corporate formation documents and board minutes, material contracts, employment agreements, IP ownership documentation, technology architecture overview, cybersecurity certifications, tax returns, insurance policies, regulatory filings, and an org chart. Organizing these documents in a purpose-built virtual data room (VDR) — rather than a shared drive — provides the granular access controls, NDA enforcement, audit trail, and Q&A workflow that a proper due diligence process requires.
What are the biggest risks found during due diligence?
The most common deal-breaking issues discovered during due diligence are: (1) Revenue quality problems — revenue is more concentrated, less recurring, or lower-margin than presented; (2) IP ownership gaps — founders or early contractors didn't sign IP assignment agreements; (3) Undisclosed liabilities — contingent legal claims, tax positions, or off-balance-sheet obligations; (4) Key person risk — a single executive holds disproportionate customer relationships or technical knowledge; (5) Contract change-of-control provisions that give major customers or lenders termination rights on the acquisition; (6) Data privacy non-compliance (GDPR, CCPA) creating regulatory exposure.
Do I need a virtual data room for due diligence?
Yes, for any transaction involving confidential financial, legal, or personnel documents, a virtual data room (VDR) is the appropriate tool. VDRs provide: mandatory NDA click-through at room entry, document-level and page-level access permissions (so advisors see documents their counterparts cannot), a tamper-evident audit trail required for legal defensibility, structured Q&A workflow to manage due diligence questions, dynamic watermarking to deter unauthorized sharing, and compliance certifications (SOC 2 Type II, ISO 27001) required by financial regulators. Using Dropbox, Google Drive, or SharePoint for M&A due diligence creates legal, compliance, and security exposure.
Ready to run a cleaner due diligence process?
SpaceNexus gives your deal team a purpose-built virtual data room — AI auto-categorization, structured Q&A, buyer engagement analytics, and SOC 2 Type II security with transparent published pricing.
No credit card required · SOC 2 Type II certified · Cancel anytime