A prep checklist for startups about to undergo technical due diligence

Previously, the author offered a detailed overview of the technical due diligence (TDD) process investors conduct before injecting cash into early stage startups.

In this follow-up, he offers a detailed checklist for C-level executives and senior managers who are responsible for helping VCs determine whether their “codebase is safe enough for investment.”

Product roadmap

1. Explain how you collect user and customer feedback.
2. Provide a sample subset of the most granular user/customer feedback you collect.
3. Provide the results of the synthesis of user/customer feedback.
4. Provide the last 12 months of product management data for Engineering (e.g. Jira tickets). How much was spent on new features / functionality compared to maintenance? What are the major items on the list?
5. Explain the roadmap for the next 12 months.

Code quality

1. How much does Finance invest in tech debt prevention and remediation? In security risk prevention and remediation? In IP risk prevention and remediation?
2. Which software languages do you use? Is the use of new languages managed?
3. Is a refactoring being considered or possibly needed?
4. Which testing methods do you use and what is their breadth? Do you perform unit tests, automated tests, manual QA testing, and user acceptance testing? Share the most recent results from each type of test.
5. Is a line-level scanning tool such as SonarQube in place? If yes, share a sample report.
6. Is third-party code managed through a manager, stored in the code, or both? Why?
7. Describe your architecture and provide architectural diagrams.

Intellectual property

1. Provide an overview of the Company’s IP. What are the core or key IP assets?
2. Investors/acquirers may choose to conduct an IP litigation search.
3. Provide evidence of ownership of the domain names you use.
4. Is the company’s software escrowed? Does any customer have access to the code?
5. Which licenses do you have, both inbound and outbound?
6. What third-party code does your software use, according to your third-party code management system, if any, and according to a scan of the code itself? How do you address CopyLeft/CopyLeft Limited license instances?
7. Does the company require employees or vendors (firms, contractors) to execute IP assignment rights and confidentiality agreements? Add all executed copies to the data room and identify who has not signed one (current and former employees).
8. How often does the company back up its data?
9. Are there any written disaster recovery plans? Share them.

Code, network and information security

1. Has the Company experienced any IT shutdowns, or any material virus, malware, or ransomware incidents within the past three years?
2. What security measures are in place? Share all reports, including in-code scans for security vulnerabilities, as well as virus/malware scans.
3. Is access to the code repositories authenticated. How?
4. Discuss recent risk assessments such as penetration testing and IT audits.
5. Discuss any security standards achieved or in process, such as SOC2 Certification.
6. What types of customer information does the company have access to? Does the company have access to the information and data files the customer uploads?
7. Has a lawyer assessed compliance with GDPR and CCPA?
8. Please discuss compliance with PCI [Payment Card Industry] standards and if the company stores or handles PCI.

Development process

1. How many version control systems are in use?
2. How much development activity has been carried out in the last 12 months by repository and application? What explains the variance?
3. Do you manage or coach on files per commit?
4. Do you manage or coach on adding unit tests?
5. Do you manage or coach on adding ticket numbers to commit comments?

Engineering team contributions

1. Provide a list of current and former software developers.
2. Identify who are the most important developers to the product — current and former employees as well as contractors and internal staff.
3. If any of the most important developers are no longer with your company, explain how you have managed without them.

DevOps

1. Is the organization in compliance with software license purchases? Provide supporting data.
2. Provide a list of product and engineering tools, like Jira, GitHub, testing tools, security tools, or cloud software.
3. Describe the company’s IT system and infrastructure? How big is the IT department? How much of it is outsourced? What is the total annual budget for IT?
4. Is IT on premises or cloud-based?
5. Do you have a budget in mind to improve IT? Do you see any additional one-time or annual expenses for IT?