Updated June 2026 · 193+ checklist items

The Complete Due Diligence Checklist for 2026

193+ items across 6 workstreams — legal, financial, commercial, technology, HR, and operations. Built for M&A advisors, deal teams, and founders preparing for an acquisition or fundraising process.

193+

Checklist items

6

Workstreams

6

Deal types

Always free

What is due diligence?

Due diligence is the structured process of investigating a business, asset, or investment before completing a transaction. In an M&A context, due diligence is the period between signing a letter of intent (LOI) and signing a definitive purchase agreement — during which the buyer's advisors independently verify the seller's representations about the business.

A due diligence checklist organizes this investigation into workstreams, ensuring no material area is overlooked. Due diligence is not a bureaucratic exercise — it is the mechanism by which acquirers and investors validate their investment thesis, discover deal-breakers, and establish the factual basis for purchase price adjustments and indemnity provisions.

The scope of any due diligence checklist will vary by deal type, industry, and transaction size. The checklist below covers the standard workstreams for a mid-market M&A transaction. Deal teams should expand or contract scope based on materiality and deal-specific risks.

Types of due diligence by transaction

The due diligence process and checklist scope varies by deal type. Select your transaction type below.

M&A Sell-Side

Vendor Due Diligence

Commissioned by the seller before launching a sale process. Identifies issues proactively, prepares a clean data room, and reduces buyer uncertainty — compressing timelines and supporting valuation.

Key documents

  • ·Audited financials + normalized EBITDA bridge
  • ·Cap table and org chart
  • ·Top 20 customer contracts
  • ·IP ownership certificates
  • ·Clean SOC 2 / ISO 27001 certification

M&A Buy-Side

Confirmatory Due Diligence

The buyer's independent review of the target before signing. Validates the investment thesis, confirms financial performance, uncovers risks, and informs purchase price adjustments or indemnity provisions.

Key documents

  • ·Quality of Earnings (QoE) report
  • ·Working capital analysis
  • ·Litigation and regulatory review
  • ·IT and cybersecurity assessment
  • ·Key employee and compensation review

Series A Fundraising

Investor Due Diligence

VC and growth equity investors conduct due diligence on startups before term sheet or close. Shorter than M&A but covers the same core workstreams — founders should prepare a clean, organized data room before starting investor meetings.

Key documents

  • ·Pitch deck + financial model
  • ·Cap table and SAFEs/notes
  • ·IP assignment agreements
  • ·MRR/ARR waterfall
  • ·Reference customers

Real Estate

Property Due Diligence

Title, environmental, zoning, and lease review for commercial property acquisitions. Involves a specialist Phase I/II environmental assessment and title search alongside financial analysis of rental income.

Key documents

  • ·Title report and survey
  • ·Phase I environmental assessment
  • ·Lease agreements
  • ·Property financials (rent roll, NOI)
  • ·Zoning and building permits

Legal / Law Firm

Legal Due Diligence

Counsel-led review of contracts, litigation exposure, regulatory compliance, and IP ownership. Legal due diligence often surfaces the most deal-critical risks — change-of-control triggers, IP gaps, and undisclosed liabilities.

Key documents

  • ·Material contracts with COC provisions
  • ·Litigation register
  • ·Regulatory licenses and compliance filings
  • ·IP chain-of-title documents
  • ·Data privacy compliance documentation

Life Sciences / Healthcare

Clinical & Regulatory DD

For pharma, biotech, and healthcare M&A. Adds clinical data (trial results, regulatory submissions, FDA status), HIPAA compliance, manufacturing and supply chain quality, and reimbursement analysis.

Key documents

  • ·Regulatory filings (FDA, EMA, PMDA)
  • ·Clinical trial data and protocols
  • ·HIPAA compliance documentation
  • ·Manufacturing Quality Agreements
  • ·Reimbursement and payer contracts

The complete due diligence checklist — 193+ items

Organized by workstream. Each section covers documents typically requested by buy-side advisors, organized as they would appear in a virtual data room index.

Financial Due Diligence

43 items

Audited financials, working capital, debt schedule, tax, and quality-of-earnings analysis.

Financial Statements & Audit

  • Audited financial statements — last 3 fiscal years (P&L, balance sheet, cash flow)
  • Auditor reports, management letters, and responses
  • Audit committee meeting minutes (last 3 years)
  • Management accounts — current year to date (monthly P&L, balance sheet)
  • Prior-year management accounts for comparison
  • Interim financial statements for the current stub period
  • Accounting policies and any changes in accounting treatment
  • Off-balance-sheet arrangements and contingent liabilities
  • Related-party transactions
  • Restatements or corrections in any period

Revenue & Customer Analysis

  • Revenue breakdown by customer (top 20 by revenue, % of total)
  • Revenue breakdown by product/service line
  • Revenue breakdown by geography
  • Recurring vs. non-recurring revenue split
  • ARR / MRR waterfall (for SaaS/subscription businesses)
  • Gross margin by product line
  • Revenue recognition policy and deferred revenue schedule
  • Backlog and contracted-not-yet-recognized revenue
  • Customer churn rate and net revenue retention
  • Pipeline and forecasted revenue (next 12 months)
  • Historical win rate and sales cycle data

Working Capital & Cash

  • Working capital bridge — last 12 months monthly
  • Normalized working capital target for purchase price adjustment
  • Accounts receivable aging schedule
  • Allowance for doubtful accounts methodology
  • Accounts payable aging schedule
  • Inventory valuation and obsolescence reserve
  • Cash and cash equivalents reconciliation
  • Capex schedule (last 3 years) and planned capex
  • Lease obligations (operating and finance leases under ASC 842/IFRS 16)
  • Intercompany balances and settlement terms

Debt, Equity & Tax

  • All credit facilities, term loans, and revolving credit agreements
  • Convertible notes and outstanding SAFEs
  • Letters of credit and surety bonds
  • Liens, pledges, and security interests on assets
  • Debt covenants and compliance certificates
  • Federal, state, and local tax returns (last 3 years)
  • Open tax audits and assessments
  • R&D tax credits and other deferred tax assets
  • Transfer pricing documentation
  • Tax sharing agreements with affiliates
  • NOL carryforwards and their limitations under Section 382
  • Sales and use tax obligations and compliance

Commercial Due Diligence

27 items

Market position, customers, competitive landscape, pipeline, and commercial sustainability.

Market & Competitive Position

  • Total addressable market (TAM) and serviceable market (SAM) analysis
  • Company's market share and relative position
  • Competitive landscape map (direct and indirect competitors)
  • Competitive differentiation and barriers to entry
  • Customer switching costs and stickiness analysis
  • Pricing power and pricing history
  • Industry growth rate and key market drivers
  • Regulatory or market trends that affect the business
  • Market research reports and third-party analyst coverage

Customers & Commercial Relationships

  • Customer list with revenue, tenure, and contract status for top 25
  • Customer concentration risk analysis
  • Customer satisfaction scores (NPS, CSAT, or equivalent)
  • Reference customer interviews (ideally 5–10)
  • Customer attrition and retention rates (3-year trend)
  • Churn reasons and patterns
  • Key account management and relationship ownership
  • Key customer contacts and dependency on individual relationships
  • Customer credit quality and payment history

Sales, Marketing & Pipeline

  • Sales organization structure and headcount
  • Go-to-market strategy documentation
  • Sales cycle length and conversion rates by stage
  • Sales pipeline — current (by stage, value, probability)
  • Historical win/loss analysis
  • Marketing spend and customer acquisition cost (CAC)
  • Brand and marketing assets
  • Channel partner and distributor relationships
  • Lead generation metrics and sources

Technology & IP Due Diligence

33 items

Source code, IP ownership, cybersecurity, open source compliance, and data privacy.

Intellectual Property

  • IP ownership schedule — patents, trademarks, copyrights, domain names
  • IP assignment agreements — founders, employees, and contractors
  • Work-for-hire documentation for any external development
  • Open source license audit and software composition analysis
  • FOSS (free and open source) compliance review
  • Third-party IP licenses (inbound) — scope, exclusivity, transferability
  • IP licenses granted to third parties (outbound)
  • IP ownership disputes or challenges
  • Patent prosecution history and pending applications
  • Trade secret protections and confidentiality controls

Technology Architecture & Product

  • Technology architecture diagram and system overview
  • Source code repository access or escrow agreement
  • Technical debt assessment
  • Scalability analysis — capacity and headroom
  • Third-party software dependencies and SaaS subscriptions
  • Infrastructure and hosting agreements (AWS, GCP, Azure)
  • Disaster recovery and business continuity plan
  • Uptime and SLA compliance history
  • Product roadmap (current and 12-month)
  • Engineering team structure and key person dependencies

Cybersecurity & Data Privacy

  • SOC 2 Type II certification and audit report
  • ISO 27001 certification (if applicable)
  • Penetration test results (last 12 months)
  • Vulnerability disclosure policy and bug bounty program
  • Security incident history and breach notifications
  • Incident response plan
  • Access control and identity management policies
  • Data encryption standards (at rest and in transit)
  • GDPR compliance documentation and DPA
  • CCPA privacy policy and consumer rights procedures
  • HIPAA compliance (if applicable — healthcare data)
  • Data retention and deletion policies
  • Third-party security assessments of key vendors

Human Resources Due Diligence

30 items

Key employees, compensation structure, equity plans, retention risk, and labor compliance.

Organization & Key People

  • Organizational chart — current, by department
  • Headcount by function, location, and employment type
  • Resumes or bios for all C-suite and VP-level executives
  • Key person identification — who are the critical 5–10 employees?
  • Succession planning or absence of coverage for key roles
  • Recent departures at the management level (last 12 months)
  • Employee tenure distribution
  • Cultural assessment (Glassdoor, internal surveys, etc.)

Compensation & Equity

  • Total compensation summary — salary, bonus, benefits, equity by employee
  • Employment agreements for all C-suite and key employees
  • Offer letters for recent senior hires
  • Non-compete, non-solicitation, and IP assignment agreements
  • Equity incentive plan (ESOP / equity plan document)
  • Stock option grant schedule — all outstanding grants with strike price, vesting, and expiry
  • Fully diluted cap table with option pool
  • 409A valuation reports
  • Change-of-control acceleration provisions in equity agreements
  • Bonus plan structures and historical payout history
  • Commission plans for sales team

Benefits, Compliance & Labor

  • Benefits plan documentation — health, dental, vision, retirement
  • 401(k) or pension plan compliance and funding status
  • Workers' compensation claims history
  • COBRA and WARN Act compliance
  • Employee handbook and HR policies
  • EEOC reports and diversity data (if applicable)
  • Independent contractor agreements and classification analysis
  • PEO or EOR arrangements (if applicable)
  • Labor union agreements (if applicable)
  • Immigration status and work authorization for key hires
  • OSHA compliance and workplace safety record

Operations Due Diligence

22 items

Facilities, supply chain, insurance, environmental compliance, and operational dependencies.

Facilities & Real Estate

  • All office, warehouse, and facility lease agreements
  • Lease terms — expiry dates, renewal options, termination rights
  • Owned real property — title reports, surveys, mortgages
  • Sublease agreements and assignment provisions
  • Change-of-control provisions in property leases
  • Capex commitments for facility improvements
  • Equipment leases and maintenance agreements

Supply Chain & Vendors

  • Key vendor and supplier contracts
  • Single-source or sole-source dependency analysis
  • Vendor concentration risk (which vendors represent >10% of COGS?)
  • Supplier financial health (are key vendors at risk?)
  • Inventory management policy and safety stock levels
  • Lead time analysis and supply chain disruption history
  • Quality control procedures and defect rates

Insurance & Environmental

  • Insurance policies — general liability, property, D&O, E&O
  • Cyber liability insurance policy and coverage limits
  • Key man insurance
  • Claims history (last 5 years)
  • Environmental permits and compliance certifications
  • Environmental liabilities — soil contamination, waste disposal
  • Phase I/II environmental site assessments
  • Health, safety, and environmental (HSE) incident log

Execute this checklist inside SpaceNexus

Upload your documents, track Q&A by workstream, and share securely with buyers — all in one auditable platform.

Start a free data room

Due diligence timeline — week by week

Standard timeline for a mid-market M&A transaction. Adjust based on transaction complexity and data room readiness.

Data Room Preparation

Sell-sideWeek 1
  • Organize and upload all documents to VDR
  • Apply access permissions by workstream
  • Assign Q&A categories and responsible parties
  • Open NDA click-through for buyer parties

Initial Document Review

Buy-sideWeek 1–2
  • Review corporate structure and cap table
  • Download audited financials and management accounts
  • Identify top 20 customers and contracts
  • Submit initial Q&A requests

Deep-Dive Workstreams

Both partiesWeek 2–4
  • Legal: contract review, litigation search, IP chain-of-title
  • Financial: QoE, working capital, debt schedule
  • Commercial: customer interviews and market analysis
  • Technology: architecture review, security audit

Management Presentations

Both partiesWeek 4–6
  • Management team presentations by workstream
  • Facility and site visits (if applicable)
  • Follow-up Q&A and document requests
  • Key employee retention conversations

Findings & SPA Negotiation

Buy-sideWeek 6–8
  • Consolidate all workstream findings
  • Identify material issues requiring price adjustment or indemnity
  • Prepare due diligence findings report
  • Negotiate representations, warranties, and indemnities in SPA

Sign & Close

Both partiesWeek 8+
  • Signature closing conditions checklist
  • Escrow and funds flow mechanics
  • Closing deliverables (bring-down certificates, officer certs)
  • Data room access withdrawal or transition

6 due diligence mistakes that kill deals

Avoidable errors that surface during due diligence and their impact on deal outcomes.

Starting with a disorganized data room

Impact: Delays the process by 2–4 weeks, signals poor management hygiene, and gives buyers grounds to lower their offer or add indemnity provisions.

Fix: Build and populate your virtual data room before launching the process. Use AI auto-categorization to index documents instantly.

Missing IP assignment agreements

Impact: If early contractors or co-founders didn't sign IP assignments, the company doesn't legally own its own product. This is a deal-breaker in technology M&A.

Fix: Audit IP assignments before launching the process. If missing, execute retroactive assignments before the data room opens.

Ignoring change-of-control provisions

Impact: Major customer or lender contracts may give counterparties the right to terminate on a change of control. One undisclosed provision can kill or significantly reprice a deal.

Fix: Review all material contracts for COC provisions in the first week of sell-side preparation. Get consent where required.

Using Dropbox or Google Drive as a data room

Impact: No audit trail, no granular access controls, no Q&A workflow, no NDA enforcement. Legal and regulatory exposure for securities-related document sharing.

Fix: Use a purpose-built virtual data room (VDR) with SOC 2 Type II certification, document-level permissions, and a tamper-evident audit trail.

Not tracking buyer engagement

Impact: Sellers lose negotiating leverage when they can't tell which buyers are serious and which are gathering competitive intelligence.

Fix: Use a VDR with real-time buyer analytics — track which parties are reading which documents and for how long.

Presenting unaudited or inconsistent financials

Impact: Revenue adjustments discovered by QoE advisors re-open price negotiations and erode trust. Restatements mid-process are deal-killers.

Fix: Have your CFO and auditor reconcile all management accounts to audited statements before the data room opens. Commission an independent QoE proactively.

Frequently asked questions about due diligence

What is a due diligence checklist?

A due diligence checklist is a structured list of documents, information, and analyses that a buyer or investor requires to evaluate a target company before completing an acquisition, investment, or other transaction. Due diligence checklists organize the review process into workstreams — typically legal, financial, commercial, human resources, technology/IP, and operations — so that all material risks are identified and documented before closing.

What are the main categories in a due diligence checklist?

A comprehensive due diligence checklist covers six main categories: (1) Legal — corporate structure, contracts, litigation, and regulatory compliance; (2) Financial — audited statements, tax records, working capital, and debt; (3) Commercial — customers, market position, competitive landscape, and pipeline; (4) Human Resources — key employees, compensation, equity plans, and retention risk; (5) Technology & IP — source code, patents, cybersecurity, and data privacy; (6) Operations — facilities, suppliers, insurance, and environmental compliance.

How long does due diligence take?

Due diligence for a mid-market M&A transaction typically takes 4–8 weeks from the time a data room is opened. Large-cap or complex transactions can run 8–16 weeks. Startup fundraising due diligence (Series A–C) is typically 2–4 weeks. The timeline depends on: how organized the seller's data room is, the complexity and size of the business, the number of workstreams running in parallel, and whether unexpected issues require deeper investigation.

What's the difference between buy-side and sell-side due diligence?

Buy-side due diligence is conducted by the acquirer (or investor) to evaluate the target before deciding to proceed and on what terms. Sell-side due diligence (also called vendor due diligence) is commissioned by the seller ahead of a process to proactively prepare documentation, identify and resolve issues before they appear during buyer review, and accelerate the timeline by having an organized data room ready at launch.

What documents should go in a due diligence data room?

A due diligence data room should contain: audited financial statements (3 years), management accounts, the cap table, corporate formation documents and board minutes, material contracts, employment agreements, IP ownership documentation, technology architecture overview, cybersecurity certifications, tax returns, insurance policies, regulatory filings, and an org chart. Organizing these documents in a purpose-built virtual data room (VDR) — rather than a shared drive — provides the granular access controls, NDA enforcement, audit trail, and Q&A workflow that a proper due diligence process requires.

What are the biggest risks found during due diligence?

The most common deal-breaking issues discovered during due diligence are: (1) Revenue quality problems — revenue is more concentrated, less recurring, or lower-margin than presented; (2) IP ownership gaps — founders or early contractors didn't sign IP assignment agreements; (3) Undisclosed liabilities — contingent legal claims, tax positions, or off-balance-sheet obligations; (4) Key person risk — a single executive holds disproportionate customer relationships or technical knowledge; (5) Contract change-of-control provisions that give major customers or lenders termination rights on the acquisition; (6) Data privacy non-compliance (GDPR, CCPA) creating regulatory exposure.

Do I need a virtual data room for due diligence?

Yes, for any transaction involving confidential financial, legal, or personnel documents, a virtual data room (VDR) is the appropriate tool. VDRs provide: mandatory NDA click-through at room entry, document-level and page-level access permissions (so advisors see documents their counterparts cannot), a tamper-evident audit trail required for legal defensibility, structured Q&A workflow to manage due diligence questions, dynamic watermarking to deter unauthorized sharing, and compliance certifications (SOC 2 Type II, ISO 27001) required by financial regulators. Using Dropbox, Google Drive, or SharePoint for M&A due diligence creates legal, compliance, and security exposure.

Ready to run a cleaner due diligence process?

SpaceNexus gives your deal team a purpose-built virtual data room — AI auto-categorization, structured Q&A, buyer engagement analytics, and SOC 2 Type II security with transparent published pricing.

No credit card required · SOC 2 Type II certified · Cancel anytime