
Due Diligence in VC: Every Section of What Investors Actually Check

VC diligence spans commercial, technical, financial, legal, and people checks. Here's exactly what to expect — and how to prepare a clean data room.

Due diligence is the structured evaluation process VCs run before closing an investment. It spans commercial, technical, financial, legal, and people dimensions.

The six diligence pillars

1. Commercial diligence

  • Market size and growth: TAM / SAM / SOM with primary research.
  • Competitive landscape: Direct, indirect, substitutes.
  • Customer references: 5–20 reference calls.
  • Pricing and unit economics: LTV, CAC, payback, gross margin.
  • Retention and churn: Cohort analysis.
  • Sales motion maturity: Lead volume, conversion rates, sales cycle.

2. Technical diligence

  • Architecture review: Scalability, latency, security.
  • Code quality: Review sample modules or run static analysis.
  • Talent depth: Can the team ship without any one key engineer?
  • Technical roadmap: Realistic vs aspirational.
  • AI specific: Model quality, data moat, training cost discipline.

3. Financial diligence

  • Historicals: Revenue, gross margin, burn, runway.
  • Forecast realism: Assumptions behind the model.
  • Accounting hygiene: QuickBooks or NetSuite reconciliations; revenue recognition.
  • Cash management: Bank balances, AR/AP health.
  • Unit economics: Customer-level P&L where relevant.

4. Legal diligence

  • Corporate formation: State of incorporation, good standing.
  • Cap table: Every share, option, SAFE, and convertible documented.
  • IP assignment: From founders, contractors, and employees — clean transfers.
  • Employment and contractor agreements: Non-competes, non-solicits, at-will.
  • Material contracts: Customer MSAs, supplier contracts, landlord leases.
  • Regulatory compliance: Industry-specific (HIPAA, GDPR, SOC2, PCI).
  • Litigation: Pending or threatened.

5. People / culture diligence

  • Founder references (back-channel): 5–10 calls with former colleagues, investors, customers.
  • Leadership team cohesion: Have they built together before?
  • Hiring pipeline: Are they attracting A-players?
  • Glassdoor / culture signals.

6. Regulatory and policy diligence (as relevant)

  • Export controls (ITAR/EAR) for defense tech.
  • Health compliance (HIPAA) for digital health.
  • Financial compliance (SOC2, PCI, regulatory licenses) for fintech.
  • Data privacy (GDPR, CCPA, state privacy laws).

What a great data room looks like

  • Corporate docs: Formation, bylaws, cap table, option plan, board minutes.
  • Financial: Historical P&L, balance sheet, cash flow; current 18-month model.
  • Commercial: Pipeline, customer list, retention cohort data, references.
  • Technical: Architecture diagrams, security posture, key technical docs.
  • Legal: IP assignments, material contracts, employment docs.
  • Fundraising history: Previous SPAs, side letters, disclosure schedules.

Red flags that kill deals

  1. Cap table surprises — unregistered grants, pre-money SAFEs not modeled.
  2. IP assignment gaps — founders or contractors without clean assignments.
  3. Tax or regulatory exposure — unfiled state returns, wage compliance issues.
  4. Founder conflicts — undisclosed co-founder disputes.
  5. Customer concentration — one customer > 30% of revenue without stickiness.

Practical takeaway

  1. Founders: Prepare your data room 3–6 months before fundraising. Hygiene beats polish.
  2. Investors: Don’t skip back-channel founder references; they predict outcomes more reliably than any single metric.
  3. Operators: Fix IP and cap table issues early — diligence surfaces them eventually.
