Startup Due-diligence Prep Checklist

Readiness scorecard + auto-fill doc tracker.

Due diligence is mostly organisation and evidence. This playbook gives you a pragmatic checklist, a readiness scorecard, and an auto‑fill tracker so you can stand up an investor‑ready data room in weeks, not months. It’s founder‑friendly, uses standard terms, and links to primary references for legal docs and data‑room best practice.

Key takeaways: Start early. Build a single source of truth with permissions by role. Score your readiness weekly and close gaps before you open the room. Keep the same folder map across rounds so you don’t rebuild under pressure.

Single source of truth, weekly scoring, standard map.

Standard data room map (copy/paste)

| # | Folder | Examples |
|---|--------|----------|
| 0 | Overview | One-pager, KPIs, cap table snapshot |
| 1 | Corporate | Articles, board minutes, consents |
| 2 | Finance | P&L, balance sheet, tax filings, bank recs |
| 3 | Product & Metrics | Cohorts, activation, retention, infrastructure |
| 4 | Commercial | Top 20 customer contracts, pipeline |
| 5 | People & HR | Org chart, ESOP, employment agreements |
| 6 | Legal & IP | IP assignments, trademarks, litigation |
| 7 | Security & Compliance | Policies, pen test, DPIA (if applicable) |

The short version

Make a clean data room: use a standard folder map, track every doc in a register, and score readiness weekly across financial, legal, team/HR, product, and go‑to‑market.

Prepare a one‑page overview with cap table, KPIs, and key risks. Keep sensitive items behind tighter permissions. Use recognised templates (e.g., NVCA) and include exact versions of signed agreements.

Folder map (what investors expect)

Standardise the top‑level: 0‑Overview, 1‑Corporate, 2‑Finance, 3‑Product & Metrics, 4‑Commercial, 5‑People & HR, 6‑Legal/IP, 7‑Security & Compliance.

Inside each, keep numbered sub‑folders and clear file names with dates and versions. Avoid duplicates; store only the canonical file and link to it from your tracker.

Readiness scorecard (self‑assessment)

Rate each area 1–5 against clear criteria. Anything ≤3 gets an owner and a due date before you invite investors.

Score dimensions include: financial statements & reconciliations; contracts & board minutes; IP assignments; metrics quality; security policies; and regulatory artefacts. Track deltas weekly and show progress in your investor update.

Auto‑fill document tracker (single source of truth)

A spreadsheet with columns for document name, owner, source system/link, last updated, confidentiality, and folder path keeps you sane.

Add status, reviewer, and a short description. Use data validation for statuses and owners and formulas to flag missing signatures or stale dates.

30‑day preparation plan

Week 1: inventory & gaps; Week 2: generate & sign; Week 3: reconcile & label; Week 4: QA and permissioning.

Don’t wait for a term sheet. Book two standing sessions per week to close gaps. Keep decisions in writing and add them to the ‘Board & consents’ folder.

Core Web Vitals for the microsite (if you publish KPIs)

If you host a lightweight investor page, keep INP ≤200 ms, LCP ≤2.5 s, CLS ≤0.1. Fast pages reduce back‑and‑forth.

Optimise charts as WebP, preconnect to your CDN, and avoid layout shifts by reserving image dimensions.


Finance checklist (what to include)

Evidence the numbers and reconcile everything.

  • Historical P&L and balance sheet (last 24 months) with accountant sign‑off
  • Cash flow & runway; bank statements; reconciliations
  • Revenue breakdown (product, region); ARR/MRR (if SaaS); cohort retention
  • Tax filings and correspondence; payroll summaries; benefits obligations
  • Budget/forecast and a bridge from forecast → actuals

Legal & IP checklist

Make chain of title obvious.

  • Articles, shareholder agreements, board minutes, consents
  • Cap table (fully diluted) + option ledger; standard NVCA naming helps
  • Customer and vendor contracts (top 20 by value), MSAs & DPAs
  • IP assignments for all creators; patents/trademarks; open‑source policy
  • Litigation or claims register; regulatory licences (if any)

Product & metrics checklist

Prove your traction and reliability.

  • Activation/retention/cohorts; win/loss notes; pricing & packaging
  • Architecture diagram; uptime/SLA reports; incident post‑mortems
  • Analytics definitions (metric dictionary) and report links
  • Roadmap and research highlights (separate from OKRs/backlog)

Security & compliance checklist

Show controls and improvements.

  • Security policies; access matrix; quarterly reviews
  • Third‑party audits (SOC 2/ISO) or pen‑test summaries (if available)
  • Data maps and DPIAs where applicable; vendor list and risk ratings
  • Backup/restore policy and tests

People & HR checklist

Clarity on team, compensation, and equity.

  • Org chart; headcount table; key role descriptions
  • Employment agreements; ESOP plan + grants; leaver records
  • Compensation bands; benefits; hiring plan vs actuals
  • Founders’ time commitments; non‑compete/non‑solicit (if applicable)

Commercial checklist

Make pipeline and concentration clear.

  • Top customers with ACV, start/end dates, and renewal risk
  • Sales pipeline by stage; win rate; sales cycle
  • Partner agreements; channel performance
  • Churn analysis and expansion motions (SaaS)

Q&A workflow (during diligence)

Keep questions structured and avoid email sprawl.

Use the data room’s Q&A feature or a shared tracker with columns for question, owner, due date, and link to the answer. Publish twice‑weekly updates. Move recurring questions into a living FAQ inside the room.

Naming & versioning (stop the chaos)

Use ISO dates and semantic names.

Examples: 2025-08-01 Board-minutes-Q2.pdf and 2025-08-10 PnL-2024-2025.xlsx. Avoid “final_v7_reallyfinal”. For spreadsheets, lock a PDF copy for the room and keep the live file read‑only.

Redaction & sensitive data

Protect PII and secret sauce.

Redact customer PII and secrets in public‑facing contracts; keep an unredacted version with restricted permissions if required. Use watermarking and viewer‑only access where possible.

Scoring rubric (1–5)

Define what each score means so teams grade consistently.

| Score | Definition |
|-------|------------|
| 1 | No artefacts; claims unsupported |
| 2 | Some artefacts; inconsistent or stale |
| 3 | All artefacts present; minor gaps |
| 4 | Complete, current; cross-referenced to tracker |
| 5 | Audit-ready; controls + change log in place |


End‑of‑process archive

Capture exactly what you shared.

Export the final state of the room (including Q&A) as a zip and store it with permissions in your internal archive. It will save you time in later rounds or during an audit.

Glossary (quick reference)

Data room: secure workspace for diligence. NVCA: US venture model documents. DPIA: data protection impact assessment. Q&A: investor questions workflow within the room.

Freshness & update cadence

Weekly until close; quarterly thereafter.

Set a recurring task to refresh financials, cap table, and key contracts each quarter so the room is never more than a few clicks from ready.

Investor one‑pager (anatomy)

Give reviewers a fast orientation.

Your first folder “0‑Overview” should include a single PDF that covers: mission and product in one paragraph; 12–24 months of key KPIs (MRR/ARR, growth, retention, burn/runway); cap table snapshot; team photo with roles; and the 3–5 risks you’re actively managing. Keep it to 1–2 pages with links to deeper folders.

Data integrity tips

Reduce back‑and‑forth by making numbers traceable.

  • Link KPIs to their source reports (BI query, accounting system)
  • Annotate one‑off adjustments and accounting policies (e.g., revenue recognition)
  • Provide a sampling guide: “Pick any invoice from May; here’s how it flows to revenue”
  • Lock PDFs for the room; keep live spreadsheets read‑only

FAQ

Quick answers on due‑diligence prep.

  • How many docs should be in the room?
    Enough to evidence claims—typically 50–150 curated files for Seed/Series A. Avoid duplicates.
  • Do I need NVCA documents?
    You don’t need them in the room, but aligning to NVCA‑style terms and naming helps later rounds and counsel reviews.
  • What permissions are best?
    Start with viewer‑only for most; restrict payroll, customer lists, and IP schedules to a smaller group.
  • How often should I update?
    Weekly until close. Keep a change log and version files with dates (YYYY‑MM‑DD).
  • What if a doc doesn’t exist yet?
    Create a placeholder in the tracker, assign an owner, and put a due date—don’t hide the gap.
