If you've ever been involved in a business deal, an investment, or even a major hiring decision, someone has probably mentioned "due diligence." It sounds formal and complicated. But at its core, it's just about making sure you fully understand what you're getting into before you commit.
This guide breaks the whole process down, from what due diligence actually means, to the steps involved, the types that exist, and the common mistakes people make. Whether you're on the buy side, the sell side, or just trying to understand what your lawyers are talking about, this is for you.
What is due diligence?
Due diligence is the process of thoroughly investigating a business, asset, or opportunity before making a financial or legal commitment. It's the period where one party, usually the buyer or investor, digs into the details of what they're about to take on.
Think of it like test-driving a car before you buy it, except instead of checking the engine, you're reviewing financial statements, legal contracts, operational data, and sometimes the people involved.
The goal is simple: confirm that what's being presented is actually true, identify any risks you might be walking into, and decide whether the deal terms still make sense given what you find.
Due diligence isn't just for acquisitions. It applies to:
- Raising or receiving investment
- Mergers and company buyouts
- Real estate transactions
- Joint ventures and partnerships
- Onboarding a major vendor or supplier
- Taking on a new client relationship in high-risk industries
In almost every case, the process involves sharing and reviewing a large volume of sensitive documents. That's where having the right infrastructure matters. More on that shortly.
Key stages of the due diligence process (step by step)
Due diligence isn't a single event. It's a structured process that unfolds in stages, and each stage has a different focus.
Step 1: Preparing for due diligence
Before any documents are shared, the seller or target company typically organizes their materials. This means gathering financial records, legal agreements, employee information, IP documentation, and anything else a buyer might want to see.
At this stage, setting up a secure document environment is critical. Sharing sensitive files over email or a generic cloud folder is not just messy, it's a genuine risk. A virtual data room gives you structured access control, activity tracking, and a proper audit trail from day one.
This is exactly what Ellty is built for. You can set up your data room quickly, organize your documents, and control who sees what, without a lengthy onboarding or expensive enterprise contract.
Step 2: Signing an NDA
Before any confidential documents are shared, the parties involved typically sign a Non-Disclosure Agreement. This protects both sides and sets the legal framework for what can and can't be shared outside the process.
With Ellty, you can gate access to your data room with NDA signing built directly into the platform. Visitors can't see your documents until they've agreed to your terms. No need to manage separate NDA flows through email.
Step 3: Sharing the information request list
The buyer's team usually sends an information request list, sometimes called an IDL or due diligence checklist. This is a structured list of everything they want to review: financial records, corporate documents, contracts, HR policies, compliance certificates, and so on.
This list can be long. In M&A transactions, it's not unusual to see 100+ document requests.
Step 4: Document review
This is the core of the process. The buyer's team, which typically includes lawyers, accountants, and advisors, reviews all the shared documents systematically.
They're looking for:
- Accuracy: does the information match what was represented?
- Red flags: outstanding litigation, unusual liabilities, undisclosed debts
- Gaps: missing documents or information that hasn't been provided
- Deal-breakers: anything that changes the fundamental nature of the opportunity
Having a well-organized data room makes this phase faster for everyone. When documents are clearly labeled, easy to navigate, and tracked, reviewers spend less time searching and more time actually analyzing.
With Ellty real-time analytics, you can see exactly which documents buyers are reviewing, how long they spend on each one, and what they're coming back to. That kind of visibility helps you understand where interest and concern lies.
Step 5: Q&A and follow-up
As the review progresses, questions come up. The buyer may ask for additional documents, clarification on contracts, or explanation of financial items.
Managing this back-and-forth clearly and in one place is important. Undocumented side conversations create confusion. A proper data room keeps everything in context.
Step 6: Due diligence report
At the end of the review, the buyer's advisors typically compile a due diligence report. This summarizes what was reviewed, what was found, and what risks or issues were identified.
This report feeds directly into the final deal negotiation. Items flagged here may affect the purchase price, deal structure, or whether the deal proceeds at all.
Step 7: Decision and closing
Based on the findings, the buyer decides to proceed, renegotiate, or walk away. If the deal moves forward, the due diligence findings are often reflected in the final legal agreements through representations, warranties, and indemnities.
Main types of due diligence
Due diligence isn't one-size-fits-all. The type of review depends on the nature of the deal and what matters most in the context.
Financial due diligence is the most common type. It covers revenue, profit margins, cash flow, liabilities, and the quality of earnings. The goal is to verify that the financial picture is accurate and sustainable.
Legal due diligence focuses on contracts, corporate structure, IP ownership, regulatory compliance, ongoing litigation, and anything that could create legal liability for the buyer.
Commercial due diligence looks at the market position of the business. Is the customer base diversified? What's the competitive landscape? Are the growth projections realistic?
Operational due diligence examines how the business actually runs: its systems, processes, supplier relationships, and key dependencies.
HR and people due diligence is often overlooked but critical in acquisitions. Who are the key people? Are there employment contracts, equity agreements, or retention risks to consider?
Technical due diligence applies specifically to technology companies or when technology is a core asset. It covers the codebase, infrastructure, security posture, and technical debt.
Environmental and regulatory due diligence is relevant for certain industries: real estate, manufacturing, energy, and others where regulatory exposure or environmental liabilities may exist.
In most significant transactions, several of these types run in parallel.
Virtual data rooms: the backbone of due diligence (how Ellty is right)
If there's one tool that defines modern due diligence, it's the virtual data room (VDR). Before VDRs existed, due diligence meant physical rooms full of printed documents, lawyers flying to different cities, and no real way to track who had seen what.
Today, everything happens digitally. And the platform you use to manage that process matters more than most people realize.
A good VDR needs to do several things well:
- Controlled access: not everyone should see everything. You need to set specific permissions for different reviewers or groups.
- NDA gating: documents shouldn't be accessible until the recipient has formally agreed to confidentiality terms.
- Activity tracking: you need to know who opened what, when, and for how long.
- Watermarking: sensitive documents should be watermarked with the viewer's information to discourage unauthorized sharing.
- Audit logs: a clean record of everything that happened in the data room, useful for compliance and accountability.
This is exactly what Ellty delivers.
Ellty is built for anyone who needs to share sensitive documents in a controlled, trackable way. Whether you're running a funding round, a property deal, an M&A process, or a client engagement where confidentiality matters, Ellty gives you the right tools without the complexity of legacy enterprise platforms.
Here's what each plan offers in the context of due diligence:
Free ($0/month): Document tracking, real-time analytics, and secure sharing. A good starting point if you're in early conversations and want visibility into who's engaging with your materials before setting up a full data room.
Standard ($69/month): Unlimited documents, advanced analytics, eSignatures, custom branding, and data room features. Works well for smaller deals and ongoing investor or client communication.
Room ($149/month): This is where the core VDR features come in. Granular permissions, NDA gating, dynamic watermarking, and restricted visitor access. Everything you need to run a proper due diligence process, whether for a business acquisition, a property transaction, or a client deliverable that can't be freely forwarded.
Room Plus ($349/month): Group visitor permissions, full audit logs, and support for up to 4,000 assets per data room. Built for heavier document loads and multi-party deals where you need structured access control across different reviewer groups.
What sets Ellty apart from legacy VDR platforms is the pricing model. No per-user charges. No per-page fees. No enterprise quotes that take weeks to negotiate. You pick a plan, get set up quickly, and you know exactly what you're paying, whether you're sharing documents with 3 people or 30.
How long is the due diligence process?
There's no universal answer, but here are realistic timeframes based on deal type:
Startup funding rounds: Due diligence for seed or Series A deals typically takes 2 to 6 weeks, depending on how organized the company's documents are and how thorough the investor wants to be.
M&A transactions: For small to mid-market deals, expect 4 to 12 weeks. Complex deals involving multiple jurisdictions, significant IP, or regulatory considerations can take longer.
Real estate transactions: Commercial property due diligence usually runs 2 to 6 weeks, covering title searches, environmental reviews, lease reviews, and zoning checks.
Private equity buyouts: Private equity due diligence tend to be thorough and can take 6 to 16 weeks, sometimes longer for platform acquisitions.
The single biggest factor affecting timeline is document readiness. Companies that come into due diligence with organized, accessible records move through the process significantly faster. This is another reason why setting up a proper data room early, before you need it, pays off.
Due diligence examples
Example 1 - Startup acquisition
A software company is being acquired. The buyer's team requests 3 years of audited financials, all customer contracts, SaaS metrics (MRR, churn, CAC), employment agreements for key engineers, IP assignment confirmations, and a breakdown of any existing liabilities. The whole process is managed through a data room where the buyer's legal and finance teams have separate permission levels - legal can see contracts but not granular financial models, for instance.
Example 2 - Real estate deal
A commercial property is under offer. The buyer conducts due diligence across title deeds and ownership history, current lease agreements and tenant rent rolls, outstanding service charges, any environmental surveys, and planning permissions. Access to these documents is given to the buyer's solicitors through a secure room, with watermarking applied to prevent unauthorized copying.
Example 3 - Venture capital investment
A VC firm is leading a Series B round. Before committing capital, they review the founding team's equity split and any existing investor rights, the company's cap table, customer concentration, pipeline and revenue forecasts, and any pending litigation. The founders share necessary documents through a data room where the VC can see document engagement analytics in real time.
Key considerations
A few things that often get overlooked but matter a lot:
Document quality matters as much as quantity. Having 500 documents in your data room means nothing if they're poorly named, disorganized, or outdated. Reviewers will get frustrated, timelines will slip, and it reflects badly on the company.
Both sides have responsibilities. Due diligence is often framed as something done to the seller. But buyers also have obligations: to review honestly, keep information confidential, and not use the process to stall or extract sensitive information without real intent to proceed.
Legal advice is non-negotiable. For any significant transaction, you need qualified legal counsel reviewing the findings. Due diligence reports are inputs to legal agreements, and misinterpreting what's in a report can have serious consequences.
Don't wait until you have a deal to organize your documents. Companies that are deal-ready, meaning their documents are organized, up to date, and accessible, move through due diligence faster and with less stress. Setting up a data room before you're in a live process is one of the most practical things you can do.
How to avoid common pitfalls in the due diligence process
Pitfall 1: Disorganized document management
The fix is simple: use a proper data room from the start. Don't share files over email or a general cloud folder. You lose control, lose visibility, and create confusion about which version of a document is current.
Pitfall 2: Sharing too much too soon
Not all information needs to be shared at every stage. Giving full access before an NDA is signed, or before intent is confirmed, is a real risk. Use tiered access. Start with the information needed for initial review, then expand access as the deal progresses.
Pitfall 3: Not tracking engagement
If you're sharing documents but can't see whether anyone is actually reading them, you're flying blind. Data room analytics tell you what's getting attention and what isn't. This is useful information for managing the process and anticipating what questions are coming.
Pitfall 4: Undisclosed issues
Sellers sometimes hope that a problem won't be found during due diligence. It almost always is. And when it comes up late, it damages trust and can kill a deal that might have closed anyway if the issue had been handled proactively. Disclose known issues early with context.
Pitfall 5: No clear process owner
Due diligence involves multiple parties: lawyers, accountants, advisors, buyers, sellers. Without someone clearly managing the process and keeping things moving, it drifts. Assign a point person on both sides.
Pitfall 6: Ignoring cultural and people fit
Especially in acquisitions, financial and legal due diligence gets most of the attention. But people and culture are often where deals succeed or fail post-close. Don't treat HR due diligence as an afterthought.
FAQs
What is the difference between due diligence and an audit?
An audit is a formal, standardized examination of financial records, usually done by a certified external firm, and it follows specific accounting standards. Due diligence is broader and more flexible. It covers financial, legal, operational, and commercial aspects, and it's tailored to the specific deal. An audit might be part of due diligence, but due diligence is not the same as an audit.
Who pays for due diligence?
In most transactions, each party pays for their own advisors. The buyer typically funds the cost of their legal, financial, and technical review teams. The seller bears the cost of organizing materials, responding to requests, and their own legal counsel. In some deals, costs may be split or reimbursed if the deal falls through, but this is less common and deal-specific.
Can due diligence kill a deal?
Yes. And sometimes that's the right outcome. If due diligence uncovers material misrepresentation, undisclosed liabilities, or risks that fundamentally change the value of the deal, it's entirely appropriate for the buyer to walk away or renegotiate the terms. Due diligence is there precisely to catch these situations before commitment.
What happens if due diligence finds a problem?
It depends on the severity of the problem. Minor issues may be noted but not affect the deal. Moderate issues may result in a price adjustment, specific indemnities in the contract, or conditions that must be met before closing. Serious issues may be deal-breakers. The outcome is negotiated between the parties and their advisors.
Is due diligence required by law?
There's no universal legal requirement that mandates due diligence in every transaction. However, in regulated industries such as finance, healthcare, or real estate, specific checks may be legally required. Beyond legal mandates, due diligence is generally considered professional best practice, and failure to conduct it can expose buyers to significant financial and legal risk. Some institutional investors, like private equity firms and VCs, have fiduciary obligations that effectively require it.
How do I know what documents to include in a due diligence data room?
The buyer's team typically provides an information request list. If you're setting up a data room in advance, a standard checklist includes corporate documents (articles, shareholder agreements), 3-5 years of financials, all material contracts, IP documentation, employee agreements, compliance and regulatory records, and any existing litigation history. Tailoring this to your specific deal type and industry is important.
What is a virtual data room and do I need one for due diligence?
A virtual data room is a secure digital platform for organizing and sharing confidential documents during a business transaction. You don't technically need one, but in practice, it's the standard for any serious due diligence process. It gives you controlled access, document tracking, NDA gating, and an audit trail that a basic file-sharing tool simply can't provide. Platforms like Ellty make it accessible at a transparent, flat monthly price, so there's no real reason not to use one.
Final thoughts
Due diligence can feel overwhelming, especially if you're going through a significant deal for the first time. There are a lot of moving parts, a lot of documents, and a lot of people involved.
But the core of the process is straightforward: verify what you've been told, understand what you're taking on, and make an informed decision. Everything else, the checklists, the tools, the advisors, exists to support that goal.
The best thing you can do, whether you're a buyer or a seller, is to be prepared. Know what's in your documents. Understand your own business. And use the right tools to manage the process cleanly and transparently.
If you're setting up for a deal, a funding round, or any situation where sensitive documents need to be shared in a controlled way, Ellty gives you everything you need to run a professional due diligence process, at a price that makes sense.
No per-user fees. No surprise charges. Just a secure, trackable data room that works.
