Every investment carries risk. The question is how much of that risk you could have seen coming, and how much of it you simply walked into unprepared.
Due diligence is what stands between those two outcomes. It is the process of checking, verifying, and understanding everything about a company, asset, or deal before you commit your money or signature to it. And yet, it remains one of the most skipped steps in investing, particularly among individual investors and smaller funds who either feel they do not have the resources for it, or assume the deal is too good to slow down.
That assumption is expensive.
This guide covers what due diligence really means in practice, the different types you will encounter depending on your investment context, a practical checklist you can use right now, and the tools that make the process faster and more secure, including how platforms like Ellty help investors and companies run cleaner, more controlled due diligence without the bloated costs of legacy software.
Whether you are reviewing a startup before writing a check, evaluating a company for acquisition, or buying into a stock, this guide gives you a clear starting point.
What is due diligence?
Due diligence is the investigation you do before making a significant financial or legal commitment. In investing, it means gathering and verifying information about a company or asset to understand its true value, risks, and potential before you decide to proceed.
The term originally comes from law, where it referred to the level of care and caution a reasonable person would exercise in a given situation. In finance, it took on a more specific meaning after the U.S. Securities Act of 1933, which required securities dealers to disclose material information to investors. If a dealer had done their due diligence, meaning they had genuinely investigated the company behind the security, they could not be held liable for information they had no way of knowing.
Today, the concept has expanded well beyond securities law. Due diligence applies to mergers and acquisitions, private equity investments, real estate transactions, venture capital deals, and even individual stock purchases.
At its core, it answers one question: does what you have been told actually hold up when you look closely?
Understanding due diligence
Due diligence is not just a document review. It is a structured process of asking the right questions and finding honest answers.
For investors, it typically involves three layers:
Financial verification - Does the company's financial position match what is being claimed? Are revenues real, recurring, and growing? Are liabilities disclosed fully?
Legal and compliance review - Are there any lawsuits, regulatory issues, or contractual risks that could affect the deal or the company's future operations?
Operational and strategic assessment - Does the business actually work the way management describes it? Is the team capable of executing? Are the market assumptions realistic?
The depth and scope of your due diligence will depend on the type of investment, the size of the deal, and what access you are given to information. In public markets, most of this information is disclosed in regulatory filings. In private markets, you often have to ask for it directly, which is where a secure document-sharing environment becomes critical.
The three pillars of due diligence
Financial | Legal | Operational |
Revenue verification | Contracts review | Business model assessment |
Cash flow analysis | IP ownership check | Team and management review |
Debt and liabilities | Litigation history | Customer and supplier dependencies |
Tax records and filings | Regulatory compliance | Technology and infrastructure |
Types of due diligence
Not all due diligence looks the same. The type you need depends on the context of your investment and what you are trying to validate.
Financial due diligence
Financial due diligence focuses on the numbers. You are looking at financial statements, tax records, revenue breakdowns, cash flow patterns, debt obligations, and any off-balance-sheet liabilities. The goal is to confirm that the financial picture presented to you is accurate, and to understand whether the business is financially healthy enough to support the deal.
Red flags here include inconsistent revenue recognition, unexplained drops in margins, significant related-party transactions, or deferred obligations that are not clearly disclosed.
Legal due diligence
Here you are reviewing contracts, intellectual property ownership, employment agreements, pending or past litigation, regulatory licenses, and any legal obligations that could affect the company post-transaction. Missing IP assignments, undisclosed lawsuits, or problematic customer contracts can derail even well-structured deals.
Commercial due diligence
Commercial due diligence looks at the market. Is the company competing in a growing space? Who are the main competitors? What does the company's customer base look like? How defensible is its position? Commercial due diligence helps you assess whether the business model will hold up over time, not just at the moment of investment.
Technical due diligence
Common in technology companies and startups, this involves evaluating the product itself: the quality of the codebase, the scalability of infrastructure, the security of data, and the strength of any proprietary technology. Often conducted by independent technical reviewers.
HR and management due diligence
Are the key people who built this business going to stay? What does the organizational structure look like? Are there unusual compensation arrangements, equity disputes, or HR liabilities? Management is often the biggest risk in early-stage deals, and this review tries to surface it.
Environmental due diligence
Environmental due diligence is typically required in real estate and industrial transactions. This assesses exposure to environmental regulations, contamination risk, or remediation obligations that could become costly liabilities after a deal closes.
Due diligence for stocks
When you are buying publicly traded stock, you are still doing due diligence, even if you do not use that word for it. The difference is that most of the information is already public.
Here is what a solid stock due diligence process looks like:
Start with the business model. How does the company actually make money? What drives its revenue? Who are its major customers, and are those relationships stable?
Review the financials. Look at the last 3-5 years of revenue, earnings, and free cash flow. Is the business growing? Are margins expanding or contracting? What does the debt load look like relative to earnings?
Understand the competitive landscape. Who are the main competitors? What keeps customers from switching? Does the company have a durable advantage, whether through brand, cost, technology, or switching costs?
Assess management quality. Look at how leadership has allocated capital historically. Do they communicate clearly and honestly? Are insiders buying or selling shares? Has the company ever restated its financials?
Look at valuation. Even a great business can be a poor investment if you overpay. Compare key multiples like price-to-earnings, enterprise value to EBITDA, and price-to-free-cash-flow against peers and historical averages.
Read the risk factors. The risk section of a company's annual filing is usually underread. It is where management is legally obligated to disclose what could go wrong, and it often contains material information that the investor presentations leave out.
Stock due diligence checklist
Category | What to check |
Business model | Understand how the company makes money and who its core customers are |
Financials | Review 3-5 years of revenue, earnings, margins, and debt levels |
Competitive position | Identify key competitors and assess how defensible the company's advantage is |
Management | Evaluate capital allocation history, communication quality, and insider activity |
Valuation | Compare P/E, EV/EBITDA, and price-to-free-cash-flow against peers and history |
Risks | Read the risk factors section in annual filings for material disclosures |
Due diligence for startups
Investing in startups is a different game. There are no years of audited financials, no established market position, and often no product revenue at all. Due diligence here is heavier on judgment and lighter on historical data.
That does not mean it is less rigorous. It means the questions change.
What to review in a startup investment
The team. At the early stage, you are largely betting on people. Have the founders built and sold companies before? Do they have relevant domain expertise? Is there equity conflict between co-founders? Have any key people already left?
The product. Does a working product exist? How does it solve a real problem? Is the market large enough to support the returns you need? Talk to actual users if you can.
The financials. Look at the cap table carefully. Are there messy earlier rounds with complicated terms? What is the current monthly burn rate? How much runway does the company have? What does the path to profitability look like, and is it realistic?
Legal documents. Review the term sheet, shareholder agreements, IP assignments, and any existing investor rights. Make sure the company actually owns its core intellectual property.
The market. Is this a growing market or a shrinking one? Who else is solving this problem? What would need to be true for this company to win?
Data room completeness. A well-prepared startup will have a data room ready. If the company struggles to produce basic documents, or the data room is disorganized and incomplete, that is itself a signal.
This last point matters more than people admit. A founder who takes document organization seriously is often a founder who runs a tighter operation overall. When reviewing startups, Ellty secure data room makes it easy to share organized document packages with full access controls, NDA gating, and real-time analytics on who is reviewing what.
M&A due diligence
Mergers and acquisitions involve the most complex and comprehensive form of due diligence. The stakes are high, the documents are numerous, and the process involves multiple workstreams running simultaneously across legal, financial, commercial, and technical teams.
Here is a structured overview of what M&A due diligence typically covers:
Pre-deal preparation
Before the formal due diligence process begins, the buyer should:
- Define the deal rationale clearly. What is the strategic purpose of this acquisition?
- Identify key risk areas specific to this target and industry
- Assemble the right team - internal leads and external advisors (lawyers, accountants, sector specialists)
- Agree on timeline and process with the seller
Financial workstream
- 3-5 years of audited financial statements
- Revenue breakdown by product, geography, and customer
- Quality of earnings analysis - what is recurring vs. one-time?
- Working capital analysis
- Capital expenditure history and forecast
- Off-balance-sheet items, contingent liabilities, and pension obligations
- Tax returns and any outstanding disputes with tax authorities
Legal workstream
- Corporate structure and ownership records
- All material contracts - customer, supplier, lease, and financing agreements
- IP ownership, registrations, and any licensing arrangements
- Litigation history and any current proceedings
- Employment agreements, non-competes, and severance obligations
- Regulatory licenses and compliance status
Operational workstream
- Organizational chart and key person dependencies
- Technology infrastructure and systems
- Customer concentration and churn rates
- Supplier relationships and any single-source dependencies
- Integration complexity and timeline
The data room in M&A
In any serious M&A process, a virtual data room is not optional. It is the central hub where all due diligence documents are organized, accessed, and tracked. Buyers upload requests, sellers populate responses, and advisors on both sides work through thousands of documents in a controlled environment.
This is where the choice of data room platform really matters. Traditional enterprise VDR vendors charge per user, per page, and often per feature. For mid-market and smaller transactions, those costs add up fast. Ellty provides all the core M&A data room functionality at flat, transparent pricing. With the Room and Room Plus plans starting at $149 and $349 per month respectively, you get granular permissions, NDA gating, dynamic watermarking, full audit logs, and support for up to 4,000 assets per data room. No per-user charges. No surprise invoices. No waiting weeks for a contract.
Virtual data rooms: the backbone of due diligence
If there is one tool that has transformed how due diligence works in practice, it is the virtual data room (VDR).
Before VDRs existed, due diligence happened in physical data rooms. Advisors flew in, sat in conference rooms, and reviewed documents under supervision. It was slow, expensive, and difficult to coordinate across large teams or multiple geographies.
Today, a well-configured VDR puts thousands of documents in front of the right reviewers instantly, with full control over who can see what, whether they can download or print, and exactly how long they spend on each file.
What a virtual data room needs to do
For due diligence specifically, a VDR needs to handle several things at once:
Organized document structure. Documents need to be findable. A well-structured VDR uses folder hierarchies that match standard due diligence workstreams, so financial documents, legal documents, and operational documents each have a home.
Access control. Not every reviewer needs access to every document. A buyer's legal team does not need the financial model, and the seller does not want the bidder's internal analysis visible. Granular permissions let you control access at the folder or document level.
NDA gating. Before any reviewer can access the data room, they should sign an NDA. This is a basic protection, and in professional VDRs it should happen automatically before access is granted.
Dynamic watermarking. Any document viewed or downloaded should carry a visible watermark identifying who accessed it. This discourages unauthorized sharing and creates accountability.
Audit trails. You need a complete, exportable log of every action taken in the data room: who accessed what, when, for how long, and what they did with it. This matters both for security and for post-deal disputes.
Real-time analytics. When you are a seller or fundraiser, knowing which documents your investors or buyers are spending the most time on tells you what they are focused on. That intelligence informs your follow-up conversations.
How Ellty is built for this
Ellty is a secure document sharing and analytics platform with full data room functionality. It is built for anyone who needs to share sensitive documents in a controlled, trackable way, whether you are raising a funding round, closing a property deal, running a consulting engagement, or managing an acquisition.
What makes Ellty different from legacy platforms is not just the features. It is the pricing model.
Legacy enterprise VDRs charge per user, per page, and often require a lengthy sales process before you can even get started. For a mid-market deal team or an early-stage founder preparing for investor due diligence, that model does not work.
Ellty offers four transparent plans:
- Free ($0/month) - Document tracking, real-time analytics, and secure sharing. A good starting point if you are in early conversations and want to see who is opening what before setting up a full data room.
- Standard ($69/month) - Unlimited documents, advanced analytics, eSignatures, custom branding, and data room features included. Works well for smaller deals and ongoing client or investor communication.
- Room ($149/month) - Granular permissions, NDA gating, dynamic watermarking, and restricted visitor access. Everything you need to run a controlled document review, whether that is a due diligence process, a property transaction, or a client deliverable that cannot be forwarded around.
- Room Plus ($349/month) - Group visitor permissions, full audit logs, and support for up to 4,000 assets per data room. Built for heavier document loads and multi-party deals where you need structured access control across different groups of reviewers.
No per-user charges. No per-page fees. No custom quotes that take weeks to negotiate. You pick a plan, get set up quickly, and know exactly what you are paying, whether you are sharing documents with 3 people or 30.
For anyone who needs a professional data room without an enterprise contract, Ellty is the place to start.
FAQs
What is the difference between due diligence and a background check?
A background check typically refers to verifying someone's personal history, such as criminal records, employment history, or credit. Due diligence is broader and more structured. In an investment context, it covers the financial, legal, operational, and commercial aspects of a company or asset. Background checks on key individuals can be one component of due diligence, but the two are not the same thing.
How long does due diligence take?
The time depends heavily on the deal size and complexity. For a stock investment, an individual investor might spend a few hours over a week reviewing public filings. For a venture capital investment, a few weeks is typical. In M&A, due diligence typically runs 4 to 12 weeks, with larger and more complex deals taking longer. Having a well-organized data room on the seller's side can significantly reduce this timeline.
Who conducts due diligence?
In institutional settings, due diligence is typically led by the deal team and supported by external advisors including lawyers, accountants, and specialist consultants. In smaller deals or individual investments, the investor may do much of the work themselves. The seller's side also has a role: preparing organized documentation in a data room is itself part of the process.
What happens if due diligence reveals a problem?
It depends on how significant the problem is and when it is found. Minor issues may be addressed through price adjustments, representations and warranties, or deal restructuring. Serious problems, such as undisclosed litigation, financial misstatements, or material IP issues, often result in deals being renegotiated or walking away entirely. Finding problems is the point of due diligence.
Is due diligence legally required?
In some contexts, yes. Certain regulated transactions, such as those involving securities, financial institutions, or public companies, have specific legal requirements around disclosure and investigation. In private deals, there is typically no legal requirement to conduct due diligence, but doing so protects the investor legally and financially. In merger and acquisition deals, board members have fiduciary duties that effectively require them to conduct adequate due diligence before approving a transaction.
What should a startup prepare for investor due diligence?
At a minimum, a startup should have ready: incorporation documents and cap table, the last 12-24 months of financial statements and management accounts, a current financial model, all material customer and supplier contracts, IP assignments, employment agreements for key team members, and any existing investor agreements. Organizing these in a secure data room before conversations begin saves time and signals professionalism to potential investors.
What is a data room, and do you need one for every deal?
A data room (or virtual data room) is a secure digital environment where sensitive documents are shared with authorized parties during a transaction or investment process. You do not need one for every single deal. A small angel investment might be handled through a shared folder. But for anything involving multiple parties, significant document volume, or high confidentiality requirements, a proper data room provides access controls, audit trails, NDA gating, and watermarking that a shared folder simply cannot offer. Platforms like Ellty make it practical to set up a proper data room even for smaller deals, without the enterprise pricing.
Final thoughts
Due diligence is not about distrust. It is about doing your job as an investor.
The deals that go wrong are rarely the ones that looked bad from the start. They are the ones that looked good on the surface, where someone skipped a step, trusted a presentation over the underlying documents, or simply did not have a process for asking the right questions.
A structured due diligence process protects your investment, clarifies your thinking, and gives you the information you need to negotiate with confidence. Whether you are reviewing a startup, evaluating a public company, or running a full M&A workstream, the fundamentals are the same: gather the right information, verify it independently, and make sure nothing material is missing.
The tools available today have removed most of the friction that used to make thorough due diligence difficult. Virtual data rooms have replaced physical ones. Analytics show you what matters to reviewers. Access controls protect sensitive information. And platforms like Ellty have made professional data room functionality accessible at every deal size, without the complexity and cost that once made it impractical for smaller transactions.
If you are preparing for a fundraise, managing an acquisition, or simply want a cleaner way to share and track sensitive documents, Ellty gives you everything you need to do it right.
Set up your data room in minutes. Start with Ellty for free.
This blog is for informational purposes only and does not constitute financial or legal advice. Always consult qualified professionals before making investment decisions.
