Kaion Advisory

Tech Due Diligence Checklist

A thorough tech due diligence covers a lot of ground. Whether you’re a VC evaluating a startup, a search fund acquiring your first business, or a PE firm running bolt-on assessments, this checklist ensures you don’t miss the critical items.

Code Quality & Architecture

  • Code repository access - Do you have access to all source code repositories?
  • Language and framework currency - Are they using maintained, up-to-date technologies?
  • Code consistency - Is there a consistent coding style? Are linters/formatters configured?
  • Test coverage - What percentage of code is covered by automated tests? Are they meaningful tests?
  • Architecture documentation - Is the system architecture documented and current?
  • Dependency management - Are third-party dependencies up to date? Any known vulnerabilities?
  • Technical debt inventory - Does the team track and prioritize technical debt?
  • Code review practices - Are pull requests reviewed before merging?

Infrastructure & DevOps

  • Hosting and cloud setup - Where is the application hosted? Is the setup documented and reproducible?
  • CI/CD pipeline - Is there automated build, test, and deployment? How often do they deploy?
  • Monitoring and alerting - Are there dashboards and alerts for key metrics? Who responds to incidents?
  • Backup and disaster recovery - Are there regular backups? Has the recovery process been tested?
  • Environment parity - Do staging/dev environments mirror production?
  • Infrastructure as code - Is infrastructure defined in code (Terraform, CloudFormation, etc.)?
  • Cost visibility - Are hosting costs tracked and optimized?

Security & Compliance

  • Authentication and authorization - How are users authenticated? Are access controls properly implemented?
  • Data encryption - Is data encrypted at rest and in transit?
  • Secrets management - Are API keys, passwords, and tokens stored securely (not in code)?
  • Vulnerability scanning - Are there regular security scans? When was the last penetration test?
  • GDPR / data privacy - Is personal data handled according to applicable regulations?
  • Audit logging - Are security-relevant events logged and retained?
  • Incident response plan - Is there a documented process for security incidents?

Team & Processes

  • Team composition - What roles exist? Are there gaps?
  • Key-person dependencies - Is critical knowledge concentrated in one or two people?
  • Documentation culture - Are systems, processes, and decisions documented?
  • Onboarding process - How long does it take a new developer to become productive?
  • Development methodology - Agile, Scrum, Kanban? How mature is the practice?
  • Communication tools - What tools does the team use? Is communication effective?

Product & Scalability

  • Performance benchmarks - Are there load tests? What are the current performance characteristics?
  • Scalability plan - Can the architecture handle 10x growth? What needs to change?
  • API design - Are APIs well-designed, versioned, and documented?
  • Mobile/cross-platform - If applicable, how is cross-platform handled?
  • Third-party integrations - What external services does the product depend on? What’s the fallback plan?
  • Data architecture - Is the data model clean? Are migrations managed?

Licensing & IP

  • Open source compliance - Are open source licenses compatible with the business model?
  • IP ownership - Is all code owned by the company? Are contractor agreements in place?
  • Third-party licenses - Are all commercial software licenses current and transferable?

Using This Checklist

Not every item carries equal weight. The relative importance depends on the deal context:

  • VCs should focus heavily on architecture, scalability, and team
  • Search funds should prioritize key-person risk, documentation, and infrastructure
  • Micro PE should emphasize integration compatibility and technical debt quantification
  • Family offices should focus on security, compliance, and overall risk exposure

For a professional assessment, see our process and cost guide. We cover every item on this checklist and more, delivering actionable results in 1-3 weeks.
