Technical Due Diligence Prep Checklist

Oct 29, 2022
min read

Product Roadmap

  1. Explain how you collect user and customer feedback.
  2. Provide a sample subset of the most granular user/customer feedback you collect.
  3. Provide the results of the synthesis of user/ customer feedback.
  4. Provide the last 12 months of product management data for Engineering (e.g. Jira tickets). How much was spent on new features / functionality vs. maintenance? What are the major items on the list?
  5. Explain the next 12 month roadmap.

Code Quality

  1. What investment does Finance make in tech debt prevention and remediation? In Security risk prevention and remediation? In IP Risk prevention and remediation?
  2. What software languages do you use? Is new language use managed?
  3. Is a refactoring being considered or possibly needed?
  4. What testing methods do you use and what is their breadth? Such as unit tests, automated tests, manual QA testing, User Acceptance Testing. Share the most recent results from each type.
  5. Is a line-level scanning tool such as SonarQube in place? If yes, share a sample report.
  6. Is third party code managed through a manager, stored in the code, or both? Why?
  7. Describe your architecture, including providing architectural diagrams.

Intellectual Property

  1. Provide an overview of the Company's IP.  What are the core or key IP assets?
  2. Investor/ acquirer may choose to conduct an IP litigation search. 
  3. Provide evidence of ownership of the domain names you use.
  4. Is the Company’s software escrowed?  Does any customer have access to the code?
  5. What licenses do you have- inbound and outbound?
  6. What third party code does your software use, according to your third party code management system, if any? How do you address CopyLeft/ CopyLeft Limited license instances? * Not technically part of the scan but we will review it as part of the scan- this should be included in the data request.
  7. What third party code does your software use, based on a scan of the code itself?  How do you address CopyLeft/ CopyLeft Limited license instances?
  8. Does the Company require employees to execute IP assignment rights and confidentiality agreements? Add all executed copies to the data room and identify who has not signed one (current and former employees).
  9. Does the Company require vendors (firms, contractors) to execute IP assignment rights and confidentiality agreements? Add all executed copies to the data room and identify who has not signed one (current and former employees).
  10. How often does do you back up Company data?
  11. Are there any written disaster recovery plans? Share them.

Code, Network and Information Security

  1. Has the Company experienced any IT shutdowns, material virus, malware, or ransomware incident within the past 3 years?
  2. What security measures are in place? Share all reports, including In Code scanning for security vulnerabilities, and Virus/malware scanning.
  3. Is access to the code repositories authenticated and if so how?
  4. Discuss recent risk assessments, such as penetration testing and IT audits.
  5. Discuss any security standards achieved or in process, such as SOC2 Certification.
  6. What types of customer information does the Company has access to.  Does the Company have access to the information and data files the Customer uploads?
  7. Has a lawyer assessed compliance with GDPR and CCPA?
  8. Please discuss PCI [Payment Card Industry] standards compliance and if the Company stores or handles PCI.

Development Process

  1. How many version control systems are in use?
  2. How much development activity has been carried out in the last 12 months by repo and by application? What explains the variance?
  3. Do you manage or coach on files per commit?
  4. Do you manage or coach on adding unit tests?
  5. Do you manage or coach on adding ticket numbers to commit comments?

Engineering Team Contributions

  1. Provide a list of current and former software developers. 
  2. Identify who are the most important developers to the product, current and former employees, and contractors and internal staff. 
  3. If any of the most important developers are no longer with your company, explain how you have managed without them.


  1. Is the organization in compliance with software license purchases? Provide supporting data.
  2. Provide a list of product and engineering tools. E.g. Jira, GitHub, testing tools, security tools, cloud software.
  3. Describe the Company’s IT system and infrastructure? How big is the IT department or is it outsourced? What is the total annual budget for IT?
  4. Is the IT on premises or cloud-based?
  5. Do you have a budget in mind to improve IT? Do you see any additional one time or annual expenses for IT?
No items found.

Table of contents

Gain insights into your code
Get in touch

Are you ready?

Sema is now accepting pre-orders for GBOMs as part of the AI Code Monitor.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.