VDR glossary · Process

Due diligence

The investigation a buyer or investor runs to verify a target company’s financial, legal, and operational facts before closing a deal.

Due diligence is the structured investigation a buyer, investor, or lender carries out to confirm that a target company is worth what the deal assumes, and that no hidden liabilities are waiting after signing. It covers financial records, contracts, corporate structure, intellectual property, employment, tax, litigation, data privacy, and operations. The work is disclosure-driven: the seller answers a request list by producing evidence, and the buyer’s advisers read, cross-check, and question every material claim. Done properly, due diligence turns assumptions in a pitch deck into verified facts, and gives the acquirer a defensible basis for price, warranties, and the decision to close or walk away.

How does due diligence work in a virtual data room?

In modern deals, due diligence happens inside a virtual data room: a secure, permissioned repository where the seller uploads documents and the buyer’s team reviews them under audit. The sell side builds a numbered data room index that mirrors the buyer’s request list, so every question maps to a folder. Reviewers open files under granular access controls, ask clarifying questions through a Q&A module, and their activity is logged in an audit trail. This replaces the old physical room of paper binders with a searchable, trackable workspace that multiple bidders can use in parallel without seeing each other.

The flow below shows the four repeating stages of a data room review.

The due diligence cycle inside a data roomFour stages: request list, upload and index, review and Q&A, findings and red flags, arranged left to right.1. Request listbuyer asks2. Upload & indexseller discloses3. Review & Q&Aadvisers verify4. Findingsred flags priced in

Why does due diligence matter for M&A and security?

Due diligence is the risk-control layer of any transaction. It sits in the middle of the deal lifecycle, after a letter of intent and before signing, and its findings feed directly into price adjustments, indemnities, and closing conditions. A missed pending lawsuit, an unassignable customer contract, or a gap in data-protection compliance can turn a good deal into a loss, so buyers pay advisers to look before they leap.

Security matters just as much as thoroughness. The documents under review are the most sensitive a company holds: cap tables, salaries, source code, customer lists. Leaking them to the wrong bidder, or letting a losing party keep copies, is a real commercial and regulatory risk. That is why serious due diligence runs in a data room with encryption, watermarking, and per-file permissions rather than over email or shared drives. See our virtual data room for mergers and acquisitions guide for how deal teams structure this.

What does due diligence look like in practice?

Imagine a US software company raising a growth round. The lead investor sends a request list of about 200 items. The founders upload financial statements, the cap table, key customer and vendor contracts, employee agreements, IP assignments, and their SOC 2 report into an indexed data room. Over three weeks, the investor’s lawyers and accountants read the files, flag that two enterprise contracts have change-of-control clauses, and raise 40 questions in the Q&A module. The founders answer with amendments and a bridging schedule. The findings reduce the headline valuation slightly and add a specific warranty, then the round closes. The paper trail lives on in the audit log if anyone disputes what was disclosed.

How do you run due diligence well, and what goes wrong?

The most common failure is a disorganized disclosure. If files are dumped into one folder with cryptic names, reviewers waste days hunting, questions pile up, and confidence drops. A clean index, consistent file naming, and a maintained Q&A log fix most of this. Follow a structured due diligence checklist so nothing material is left out, and plan the timeline realistically; our note on how long due diligence takes sets expectations.

Other frequent mistakes:

  • Over-sharing too early. Grant access in stages; the whole room should not open to every bidder on day one.
  • No audit trail. Without logged activity you cannot prove what was disclosed or when.
  • Stale documents. Uploading last year’s contracts invites re-requests and erodes trust.
  • Ignoring security features. Watermarking and view-only controls are what separate a data room from a folder in the cloud.

When you evaluate providers for a deal, weigh permission granularity, Q&A workflow, audit depth, and price together. Our comparison of leading data rooms and full provider reviews score exactly these factors.

FAQ

What is the difference between due diligence and a data room? Due diligence is the investigation itself, the act of verifying a company’s facts. A data room is the secure workspace where that investigation is carried out. You run due diligence inside a data room, but the room is the tool and due diligence is the process.

Who pays for due diligence? The buyer or investor usually pays for their own advisers, since they are the party bearing the risk of the deal. The seller pays to prepare and host the data room and to answer the request list. Both sides invest time; the buyer typically carries the larger professional-fee bill.

How long does financial and legal due diligence take? For a small or mid-market deal it often runs three to eight weeks once the data room is populated, though complex or cross-border transactions can stretch to several months. A well-indexed room with prompt Q&A answers is the single biggest lever on speed.