Every business works with outside parties. Vendors, suppliers, contractors, consultants, distribution partners - the list goes on. And each of those relationships carries some level of risk.
That's not a reason to avoid third-party partnerships. Most businesses couldn't operate without them. But it is a reason to be careful about who you bring into your ecosystem and how well you understand the risks they carry with them.
That's exactly what third-party due diligence is for.
According to research, roughly 90% of Foreign Corrupt Practices Act (FCPA) enforcement actions involve a third-party intermediary. So when things go wrong - bribery, fraud, data breaches, compliance violations - the partner you chose often plays a central role. The cost falls on your business. Your reputation. Your legal standing.
A solid due diligence process helps you catch those problems before they start.
This guide covers everything you need to know: what third-party due diligence actually is, why it matters, the 8 steps you should follow, and how the right tools - including a virtual data room like Ellty - can make the process far less painful.
Third-party due diligence is the process of investigating and evaluating the companies or individuals you plan to work with before you formalize the relationship, and continuing to monitor them throughout.
It goes beyond just checking that a vendor has a website and a real address. A thorough due diligence review looks at financial health, regulatory compliance, legal history, ownership structure, ethical track record, data security practices, and more. The goal is to understand what risks a third party could bring into your business before you're already tied to them.
This kind of review typically comes up in a few situations:
Due diligence isn't a one-time checkbox. It's an ongoing process. A vendor that looked clean when you onboarded them two years ago might have run into legal trouble since. Their ownership might have changed. Their data security practices might not have kept pace with new regulations. Continuous monitoring is part of the job.
A good third-party due diligence strategy typically includes things like:
This is also where document management becomes critical. You're often dealing with large volumes of sensitive files from multiple parties, and you need to track who has seen what, when, and whether anything has been altered. We'll come back to that.
The short answer: because the risks are real and they fall on you.
When a third party you work with engages in bribery, violates data protection laws, uses unfair labor practices, or fails a regulatory audit, your business can be held liable too. The relationship you chose to form becomes your exposure.
Here are the main categories of risk that third-party due diligence is designed to address:
Compliance and legal risk. Regulations like the FCPA, UK Bribery Act, GDPR, and many others place responsibility on companies to ensure their third-party relationships don't expose them to violations. Regulators don't accept "we didn't know" as a defense if you didn't do the work to find out.
Financial risk. A vendor that's in financial distress may not be able to fulfill their obligations. A supplier facing insolvency mid-contract can disrupt your operations significantly.
Reputational risk. If a partner's ethical failings become public, the association can damage your brand - even if you weren't directly involved. Customers, investors, and media don't always make careful distinctions.
Operational risk. Third parties who lack robust security protocols or business continuity plans can become a vulnerability in your own operations, especially if they have access to your systems or data.
Data security risk. If a vendor handles your customer data or connects to your internal systems, their security posture is effectively your security posture. A breach on their end can become your breach.
The scale of third-party engagement in modern businesses makes this all the more important. Gartner estimates that around 60% of businesses work with more than 1,000 third-party vendors. Managing risk across that kind of ecosystem is not something you can do manually or informally.
The solution isn't to limit who you work with. It's to build a process that lets you assess and monitor risk in a structured, defensible way. Which brings us to the process itself.
Due diligence is not a single event. It's a structured, repeatable process that should be applied consistently across all third-party relationships. Here's how it works, step by step.
Before you can review a third party, you need to know what you're looking for. Start by identifying the regulations that apply to your business and to the third parties you work with. This varies by industry, geography, and the nature of the relationship.
GDPR applies to anyone handling EU data. Anti-bribery laws like the FCPA apply to international business dealings. Sector-specific rules apply in finance, healthcare, and other regulated industries. Map the relevant requirements so your review criteria are grounded in what actually matters legally.
Not every third-party relationship carries the same level of risk. A freelance designer working on marketing materials is a different kind of engagement from a software vendor who has access to your customer database.
Define the objectives of your due diligence program clearly. What are the highest-risk relationships in your ecosystem? What outcomes are you trying to prevent? What level of scrutiny is appropriate for different categories of third party? This helps you apply your resources where they matter most.
Ask third parties to provide documentation that allows you to verify who they are. For companies, this typically includes articles of incorporation, ownership disclosures, financial statements, regulatory certifications, and information about key personnel. For individuals, it might mean identity verification and conflict of interest disclosures.
This is where a secure document collection environment becomes valuable. When you're collecting sensitive materials from multiple parties, you need a place where files can be uploaded, organized, and tracked. Ellty's data room features make it straightforward to request, receive, and review documents without them circulating over email or being accessible to people who shouldn't see them.
Now you run the actual investigation. Check whether the third party - and their key principals - appear on any sanctions lists, government watchlists, or in any negative media coverage.
This includes checking against international databases, reviewing court records where relevant, searching for press coverage of legal issues, ethical breaches, or regulatory actions, and verifying the accuracy of the information they provided in their documentation.
What you find in Step 4 needs to be interpreted in the context of your business and relationship. A regulatory issue in an unrelated jurisdiction might be a minor flag for some businesses and a dealbreaker for others. How you assess risk should reflect the compliance objectives you defined earlier.
Risk analysis also involves categorizing the severity of any issues found, deciding whether they can be mitigated contractually or through monitoring, and documenting your reasoning so you can demonstrate due diligence later.
This step is critical and often undervalued. Thorough documentation of your due diligence process is your defense in a regulatory investigation or legal dispute. It shows you did the work and made informed decisions.
Keep records of all documents collected, all checks performed, the results of your analysis, and the decisions made. An audit trail isn't just good practice - in many industries, it's a regulatory requirement.
Ellty's full audit logs, available on the Room Plus plan, give you a detailed record of every document accessed, every permission granted, and every action taken in your data room. That's exactly the kind of traceable documentation trail that protects you.
Circumstances change. A vendor who was compliant when you onboarded them might encounter sanctions, ownership changes, or legal issues later. Your due diligence process shouldn't end at the signing of a contract.
Set up monitoring systems that alert you to changes in third-party status. This might mean periodic re-reviews, automated alerts from watchlist databases, or regular check-ins on financial health and regulatory standing.
Your due diligence process itself should be reviewed regularly. Regulations change. Your business evolves. The risks you face today might not be the same risks you face in two years. Build in a cadence for reviewing your process and updating it to reflect what you've learned and what has changed.
A due diligence process generates a lot of documents. Financial statements, legal filings, compliance certifications, NDAs, shareholder agreements - these pile up quickly when you're dealing with multiple third parties at once. And they're all sensitive.
How you manage those documents matters almost as much as what's in them. Files sent over email get forwarded. Spreadsheets tracking access go out of date. Shared drives give everyone the same level of visibility, regardless of whether they should have it.
A virtual data room (VDR) solves these problems. It's a secure, controlled environment where documents can be shared with specific parties under specific conditions, with full tracking of who accessed what and when.
This is where Ellty fits into your due diligence process.
Ellty is a secure document sharing and analytics platform with full virtual data room functionality. It's built for situations exactly like third-party due diligence, where you need to share sensitive documents with multiple parties, control who sees what, and keep a clean record of everything.
Here's how Ellty supports each part of the process:
Access controls. Ellty lets you define exactly who can view, download, or share each document. You can set different permission levels for different reviewers, so your legal team sees different materials than your finance team, and external parties only see what they're supposed to.
NDA gating. Before a reviewer can access any materials, you can require them to sign an NDA. This happens inside the platform, so you don't need to chase signatures separately.
Dynamic watermarking. On the Room and Room Plus plans, downloaded documents are automatically watermarked with the viewer's details. If a document leaks, you can trace exactly where it came from.
Real-time activity tracking. You can see who opened which document, how long they spent on each page, and whether they downloaded or forwarded anything. In a due diligence review, this kind of visibility is genuinely useful - you can see which materials are getting attention and follow up accordingly.
Full audit logs. On the Room Plus plan, you get a complete, exportable record of all activity in the data room. This is your documentation trail for regulatory or legal purposes.
No per-user fees. Legacy VDR platforms typically charge per user or per document. Ellty's pricing is flat and transparent: $0/month on the free plan, $69/month for Standard, $149/month for Room, and $349/month for Room Plus. No per-user charges, no surprise fees at invoice time. You know exactly what you're paying.
Room ($149/month) is the right starting point for most due diligence processes. You get granular permissions, NDA gating, dynamic watermarking, and restricted visitor access - everything you need to run a controlled document review.
Room Plus ($349/month) is built for heavier loads and multi-party deals. You get group visitor permissions, full audit logs, and support for up to 4,000 assets per data room. If you're managing due diligence across several third parties simultaneously or dealing with complex deal structures, this is the plan that handles it.
If you're early in conversations and want to track document engagement before setting up a full data room, the free plan gives you document sharing and basic analytics to start.
Even with a solid process in place, there are common pitfalls that can undermine your due diligence program. These best practices help you avoid them.
Centralize your third-party data. The more vendors you manage, the more data you're dealing with. Without a centralized system, it's easy to lose track of where things stand. Whether you use a dedicated third-party risk management tool or a structured data room like Ellty, keeping everything in one place makes your program more defensible and easier to manage.
Verify what third parties tell you. Don't take self-reported information at face value. Cross-reference what a vendor tells you against what your independent research turns up. Discrepancies are often the most important findings in a due diligence review.
Create risk tiers. Not every vendor needs the same level of scrutiny. A high-risk supplier who handles customer data and operates in a complex regulatory environment warrants more attention than a local office supply company. Build a tiering system that lets you focus your resources appropriately.
Extend your review to key personnel. The company itself might check out, but the people running it matter too. Conflicts of interest, past regulatory actions, or other red flags associated with key individuals should be part of your review.
Implement clear access controls. Controlling who can access your systems and data is part of managing third-party risk. Make sure your processes define how third parties interact with your internal environment and that those boundaries are enforced technically.
Don't let monitoring slip. Ongoing monitoring is the part of due diligence that most often falls away under resource pressure. Build it into your process formally, with clear owners and review schedules, rather than treating it as something you'll get to when you have time.
Document everything. This is worth repeating. Your documentation is your protection. A thorough, organized record of your process - what you checked, what you found, what you decided, and why - is what allows you to demonstrate that your due diligence was genuine and defensible.
Third-party due diligence is not a one-time task you complete before signing a contract. It's the foundation of an ongoing risk management program. The initial review gets you to a decision. The continuous monitoring is what protects you after that decision is made.
A sustainable due diligence program has a few key elements:
A clear process that applies consistently. Everyone responsible for third-party onboarding should follow the same steps. Ad hoc reviews done differently each time create inconsistency in your risk data and gaps in your documentation.
A tiered approach that scales with risk. Low-risk vendors shouldn't consume the same resources as high-risk ones. A tiered system lets you be thorough where it counts without creating unnecessary burden.
A central place to store and track documentation. Whether you're managing five third parties or five hundred, you need a reliable place to store the documents you collect, track who has access, and maintain an audit trail. This is exactly what a virtual data room like Ellty is built for.
Regular reviews and updates. Your program should evolve as your business does. Set a schedule for reviewing your process itself - not just your third parties.
Clear ownership. Someone needs to own the program. That might be a compliance officer, a risk team, or a cross-functional group. What matters is that responsibility is defined and accountability is real.
Building this kind of program takes some upfront effort. But the alternative - discovering a third-party risk after it's already become a problem - is far more costly, in time, money, and reputation.
If you're ready to bring structure to how your team manages due diligence documents, Ellty gives you everything you need to get started today - without an enterprise contract or a complicated setup process.
Due diligence is a broad term for any thorough investigation done before entering into a business agreement. Third-party due diligence is a specific application of that concept - it focuses on evaluating the vendors, suppliers, partners, and other external parties your business works with, rather than evaluating a company you might acquire or a deal you might enter.
It should be done before onboarding any new vendor or partner, and then on a continuous basis throughout the relationship. Major trigger points include contract renewals, expansions of scope, mergers or acquisitions, and any time you become aware of a significant change in a third party's circumstances.
It depends on the complexity of the relationship and the risk level involved. A low-risk vendor might be reviewed in a few days. A high-risk third party - particularly one involved in a complex transaction like an M&A deal - might take several weeks. Having a structured process and the right tools shortens the timeline significantly.
Common documents include articles of incorporation or business registration, financial statements, ownership and shareholder disclosures, compliance certifications, contracts, insurance documentation, and information on key personnel. The exact list depends on the nature of the relationship and the risk level involved.
A virtual data room (VDR) is a secure online environment for storing and sharing sensitive documents during a structured review process. In due diligence, it's used to collect documents from third parties, share them with the appropriate reviewers, control who can access what, and maintain a full audit trail. It replaces the insecure, untracked alternative of sharing files over email or unprotected shared drives.
In many regulated industries and under specific laws - such as the FCPA, UK Bribery Act, GDPR, and others - businesses have a legal obligation to take reasonable steps to understand and mitigate third-party risks. Failing to do so can result in regulatory penalties, even if your business wasn't directly responsible for the violation. Even where it isn't strictly required by law, it's considered standard practice in most industries.
Ellty provides a secure, organized environment for managing due diligence documents. Key features include granular access controls, NDA gating before anyone can view materials, dynamic watermarking to protect sensitive files, real-time activity tracking so you know who's reviewed what, and full audit logs for documentation purposes. It's designed to be set up quickly without complex onboarding, and pricing is flat with no per-user fees - which makes it practical for businesses managing multiple third-party reviews at once.
Third-party due diligence is one of those things that can feel like overhead until the moment it isn't. The vendor relationship that didn't get properly vetted. The supplier that turned out to have a sanctions issue. The contractor who shared access to systems they shouldn't have touched.
The businesses that take due diligence seriously - not as a box to check, but as an actual process with structure and accountability - are the ones that catch these problems early. They make better decisions about who to work with. They have the documentation to defend those decisions. And when things go wrong with a third party, they're not the ones holding the liability.
The 8-step process in this guide gives you a framework to work from. The best practices give you the habits that make the process stick. And a tool like Ellty gives you the infrastructure to run it cleanly, with proper controls and a full paper trail.
None of this requires an enterprise budget or a team of lawyers. It requires consistency, the right process, and a secure place to manage your documents.
Start your free Ellty account today and see how easy it is to set up a professional, controlled document review environment for your next due diligence process.