IT Due Diligence
IT due diligence goes beyond source code. It’s the assessment of a company’s entire technology operations - infrastructure, security, compliance, vendor relationships, and the processes that keep everything running.
While software due diligence focuses on code and architecture, IT due diligence takes a broader view of the technology landscape.
What IT Due Diligence Covers
Infrastructure Assessment
- Cloud vs. on-premise - Where are systems hosted? Is the setup modern, cost-effective, and scalable?
- Server and network architecture - Is the infrastructure well-architected with appropriate redundancy?
- Hosting costs - Are cloud costs optimized? Are there committed contracts or spot pricing?
- Edge cases - Legacy servers, colocated hardware, or shadow IT that’s not accounted for
Security Posture
- Access controls - Who has access to what? Are permissions following least-privilege principles?
- Vulnerability management - When was the last security assessment? Are there known unpatched vulnerabilities?
- Encryption - Is data encrypted at rest and in transit? Are encryption standards current?
- Incident response - Is there a documented plan? Has it been tested?
Compliance & Regulatory
- Data privacy - GDPR, CCPA, or industry-specific regulations. Is the company compliant?
- Audit readiness - Can the company demonstrate compliance with relevant standards (SOC 2, ISO 27001)?
- Data residency - Where is data stored? Does it comply with jurisdictional requirements?
Business Continuity
- Backup strategy - Are backups regular, tested, and stored offsite?
- Disaster recovery - What’s the RTO (recovery time objective) and RPO (recovery point objective)?
- Failover capabilities - Is there redundancy for critical systems?
- Monitoring and alerting - Are outages detected quickly? What’s the typical response time?
Vendor & License Management
- Critical vendor dependencies - Which third-party services are essential? What are the alternatives?
- Contract terms - Are licenses transferable in an acquisition? Are there auto-renewal traps?
- SLA coverage - Do critical vendor contracts have adequate service level agreements?
IT DD vs Software DD
IT due diligence and software due diligence are complementary:
| Aspect | IT DD | Software DD |
|---|---|---|
| Focus | Operations, infrastructure, security | Code, architecture, engineering practices |
| Scope | Broader: all technology systems | Narrower: the product itself |
| Audience | CTO, CISO, operations | CTO, engineering leads |
| Typical for | All tech acquisitions | Software product companies |
Most engagements benefit from both. Our standard tech DD process covers both dimensions.
Who Needs IT Due Diligence?
- Family offices - Essential when you don’t have in-house technical expertise
- Micro PE firms - Critical for understanding integration complexity
- Any acquirer of a tech-enabled business - Even “non-tech” companies have critical IT systems
See our checklist for a complete list of items we assess, or learn about our pricing.
Ready to De-Risk Your Next Investment?
Get an independent tech assessment from experienced engineers. Know exactly what you're buying.