Technical Due Diligence Checklist

From time to time, I get asked to perform technical due diligence on investment opportunities.  I have a checklist, and I thought I’d share it with others in the hope that it might be useful.

If you have anything you think I’ve missed or got wrong, please let me know in the comments, and I’ll [potentially] edit the list to suit.


  • Describe the overall architecture of the system.
  • Well documented?
  • Easily understood?
  • Industry standard components?
  • Many vendors (eg AWS, Azure, etc)?
  • What’s the next big architectural leap?



  • Any monitoring happening now?
  • Ever done load testing?
  • What are the potential bottlenecks and remedies?



  • Load balancing?
  • Separation of functions?
  • Any single points of failure?
  • Automatic [ability to perform] scaling?
  • Cost structures (eg licenses)
  • What isn’t automated that should be?
  • What’s the next scalability hurdle?



  • How are {passwords, sensitive information} {stored, backed up, transmitted}
  • HTTPS?
  • Protection against obvious stuff covered, eg XSS, SQL injection
  • Ever done penetration testing?
  • What requires root access; who has it?
  • What are your upgrade / patching regimes?
  • What’s backed up? Where? Ever done a disaster recovery (DR) test?
  • How would you make the site more secure?


Development processes

  • What languages and frameworks have you used? Why?
  • Who’s in the dev team?
  • How is the team organised? How do they communicate and make decisions?
  • Revision control on all platforms (eg iOS, Android, and back end)? Which – Git, Github, Bitbucket, etc?
  • Test Driven Development?
  • Doing Continuous Integration? Which tools?
  • How does deployment work?
  • Describe the accumulated technical debt, and how this is managed.
  • How would you improve the development team?



  • Is the source code readable and/or beautiful? Is there consistent style?
  • Are there copious comments in the code?
  • Is there narrative commenting for each code unit (object, method, etc)
  • Are they running on current releases of underlying software? Any big changes on the horizon?
  • Are there any unexpected or obscure dependencies?
  • How hard would it be to pick up and move to (AWS, Azure, Rackspace, etc)
  • Any long-term viability issues with specific vendors?
  • How could you improve maintainability?


Licensing issues

  • Do you own all of the code necessary to run the system?
  • How is it licensed?
  • Does anyone else have rights over the code? Could anyone else claim to have rights over the code?
  • If you’re using any licensed code, what are the terms of the license(s)? What are the risks associated with those licenses? Are there any plans to re-engineer these bits over time?
  • Is there an IP strategy, eg “SaaS black box running our proprietary code, accessible only through the web site and our API’s”



  • Are there any other interdependencies with stuff beyond your control?
  • If you were investing in this company, is there anything else you’d like to know that we haven’t asked about?
  • Any other comments?