Due Diligence Checklist Template: The 2026 Guide for M&A, Vendor, and KYC Reviews

A due diligence checklist template is the difference between a deal that closes on time and one that gets stuck in the data room for weeks. Whether you are buying a company, signing a new supplier, vetting an investor, or onboarding a regulated client, the same problem shows up: dozens of documents need to land in one place, from people who all have other priorities.

This guide gives you a usable due diligence checklist template you can copy today, broken down by the five most common review types: M&A, vendor, investor, customer (KYC), and real estate. You will also find the questions reviewers ask about each document, how to organize the request so the other side actually responds, and what to automate so your team stops sending the same email five times.

What a due diligence checklist template should cover

A due diligence checklist is a structured list of documents, data points, and confirmations needed to validate the other party before a transaction or partnership. A good one has three things:

  • Categories. Documents grouped by topic (legal, financial, operational, technical) so the requester and responder both know where to look.
  • Specificity. “Last three years of audited financial statements” beats “financials.” The first one tells the other side exactly what to upload.
  • Status. A way to track what is in, what is missing, what was rejected, and what needs a follow-up.

Without all three, your due diligence becomes a thread of email attachments with no version control. The checklist below gives you the structure. The last section of this guide shows you how to run it without the email mess.

The master due diligence checklist (copy this)

This is the baseline list. Adapt it to your transaction type using the industry-specific sections below.

Corporate and legal

  • Certificate of incorporation or equivalent registration
  • Articles of association, bylaws, or operating agreement
  • Cap table with all shareholders and equity instruments
  • Board and shareholder meeting minutes (last 3 years)
  • Subsidiary and affiliate list with ownership structure
  • List of trade names, DBAs, and registered marks
  • Power of attorney and signatory authority documents
  • Beneficial ownership declaration (UBO)
  • Good standing certificate from the relevant jurisdiction
  • Material litigation history and pending claims

Financial

  • Audited financial statements for the last three fiscal years
  • Year-to-date management accounts
  • Tax returns for the last three years (corporate, payroll, VAT/sales tax)
  • Aged accounts receivable and accounts payable
  • Bank statements for the last 12 months
  • Loan agreements and debt schedules
  • Capital expenditure forecast
  • Revenue breakdown by customer, product, and geography
  • List of off-balance-sheet liabilities and guarantees

Commercial

  • Top 20 customer contracts
  • Top 20 supplier contracts
  • Standard customer terms and conditions
  • Pricing lists and discount policies
  • Distribution and reseller agreements
  • Marketing collateral and brand guidelines
  • Customer churn and retention reports

Operational

  • Organizational chart and headcount by function
  • Employment contracts for key personnel
  • Compensation, bonus, and equity plans
  • Employee handbook and HR policies
  • Workplace safety and incident reports
  • List of properties, leases, and facilities
  • Insurance policies (general liability, D&O, cyber, professional indemnity)

Tax and regulatory

  • Tax residency certificates
  • Transfer pricing documentation
  • Recent tax audit reports
  • Industry-specific licenses and permits
  • Regulatory correspondence (last 3 years)
  • Sanctions, AML, and anti-bribery compliance program

Technology and data

  • IT system inventory and architecture diagram
  • Source code repositories and ownership
  • Open-source license inventory
  • Data processing agreements with subprocessors
  • GDPR/CCPA compliance documentation
  • Penetration test reports and remediation plans
  • Disaster recovery and business continuity plans

Environmental, social, and governance

  • ESG report or sustainability disclosure
  • Environmental permits and audits
  • Diversity and inclusion data
  • Code of conduct and ethics policy
  • Whistleblower channel reports

That is the master list. About 60 documents. Now the variations.

Due diligence checklist by transaction type

1. M&A due diligence checklist (buy-side)

Buy-side due diligence is the most exhaustive. The buyer is taking on every liability the target carries, so the checklist runs deep. Start with the master list above, then add:

Quality of earnings

  • Monthly P&L for the last 36 months
  • Customer concentration analysis (top 10 customers as % of revenue, 3-year trend)
  • Revenue recognition policy and supporting workpapers
  • Working capital schedule (12 months trailing)
  • One-time and non-recurring items reconciliation

Integration

  • Vendor consolidation opportunities
  • Office and lease overlap with buyer footprint
  • IT systems compatibility audit
  • Pension and benefits plan comparison
  • Change-of-control clauses in material contracts

Synergy validation

  • List of customers shared with the buyer (cross-sell potential)
  • Headcount overlap by function
  • Real estate footprint and lease termination terms

Run this checklist in a virtual data room or a secure document upload portal so legal, finance, and operations can review in parallel without sharing folder access.

2. Vendor due diligence checklist

Vendor due diligence is lighter on financials and heavier on compliance, data security, and operational risk. If you are onboarding a new supplier, see our full vendor onboarding checklist for the broader process. For the due diligence portion specifically:

  • W-9 (or W-8 series) and tax ID
  • Certificate of insurance (general liability, professional liability, cyber, workers comp) with your company named as additional insured
  • Latest audited financials or D&B report
  • SOC 2 Type II report (for tech vendors)
  • ISO 27001 certificate (for data processors)
  • Business continuity and disaster recovery plan
  • Subprocessor list with locations
  • Data Processing Agreement (DPA) signed
  • Sanctions and PEP screening results
  • Reference list (3-5 comparable clients)
  • Anti-bribery and anti-corruption policy acknowledgment
  • Code of conduct acknowledgment
  • Diversity certification (if applicable)
  • Modern Slavery Act statement (UK vendors)
  • Security questionnaire (your standard CAIQ or SIG Lite)

Set expiration dates on insurance certificates and certifications. SOC 2 reports refresh annually; COIs renew with the policy. A tool with document expiration tracking sends the renewal request automatically instead of relying on a calendar reminder someone will eventually miss.

3. Investor due diligence checklist (Series A and later)

When investors run due diligence on your startup, they want a structured data room with predictable categories. Pre-build this checklist before you open a round.

Company

  • Pitch deck (current version)
  • Founder backgrounds and LinkedIn profiles
  • Cap table (post-money, with option pool)
  • Articles of incorporation and bylaws
  • Stock purchase agreements from prior rounds
  • 409A valuation report
  • Stock option grant register

Financials

  • 36-month financial projections (P&L, balance sheet, cash flow)
  • Historical financials (monthly P&L, last 24 months)
  • Annual budget for current year
  • Cohort revenue retention analysis
  • Unit economics (CAC, LTV, payback period, gross margin)
  • Bank statements and current cash position

Product and tech

  • Product roadmap (next 12 months)
  • Architecture overview
  • Source code ownership (no open-source contamination)
  • Patent applications and IP assignments from all founders and contractors
  • Security and privacy policies
  • Penetration test results

Commercial

  • Top 20 customer contracts (or anonymized list)
  • MRR/ARR breakdown by customer and plan
  • Pipeline report from CRM
  • Sales playbook and pricing methodology
  • Marketing channel performance (CAC by channel)

Team

  • Org chart with all employees and contractors
  • Employment contracts and offer letters for key hires
  • Equity grant register
  • Employee handbook and policies
  • Compensation philosophy

Legal

  • Active litigation (or letter confirming none)
  • Material contracts with change-of-control clauses
  • Customer terms of service
  • Privacy policy
  • DPA template
  • Trademarks and domains owned

4. Customer due diligence checklist (KYC and KYB)

If you are onboarding regulated customers, the due diligence is structured around AML rules. We have a deeper version in our KYC document checklist, but the core list looks like this:

For individual customers

  • Government-issued photo ID (passport, national ID, driver’s license)
  • Proof of address dated within the last 3 months (utility bill, bank statement, tax document)
  • Source of funds declaration
  • Source of wealth supporting documents (employment contract, payslip, sale deed, inheritance certificate)
  • Politically Exposed Person (PEP) self-declaration
  • Sanctions screening result
  • Tax residency declaration (FATCA/CRS form)

For corporate customers (KYB)

  • Certificate of incorporation
  • Latest annual return or confirmation statement
  • Memorandum and articles of association
  • Beneficial owner declaration (UBO with ≥25% ownership)
  • ID and proof of address for each UBO and authorized signatory
  • Director and shareholder register
  • Audited financial statements (last 2 years)
  • VAT and tax ID certificates
  • Description of business activity and source of funds
  • Anti-money laundering policy (for regulated counterparties)
  • Sanctions and adverse media screening report

Customer due diligence has to be repeatable: every 12-24 months for low-risk customers, every 6-12 months for higher-risk ones. Build it as a recurring workflow so the renewal request fires automatically.

5. Real estate due diligence checklist

For property acquisitions, leasing, or financing:

Title and ownership

  • Title insurance policy and commitment
  • Deed and chain of title
  • Survey or boundary plan
  • Recorded easements and rights of way
  • Liens, mortgages, and encumbrances

Physical condition

  • Property condition assessment
  • Phase I (and if needed, Phase II) environmental site assessment
  • Roof, HVAC, electrical, and plumbing inspection reports
  • Pest and termite inspection
  • ADA accessibility audit
  • Asbestos, lead, mold, and radon reports

Financial

  • Operating statements (last 3 years)
  • Current rent roll
  • All tenant leases with amendments
  • Tenant estoppel certificates
  • Property tax bills (last 3 years)
  • Utility bills (12 months)
  • Capital expenditure history

Regulatory

  • Zoning verification letter
  • Certificate of occupancy
  • Building permits and code violations
  • HOA or condo association documents (if applicable)
  • Insurance loss runs (last 5 years)

How to actually run a due diligence request

The checklist is the easy part. Collecting the documents is where deals stall. Three things that fix the collection process:

1. Make the request structured, not narrative

A 60-document request sent as a Word file is a guarantee that something gets missed. Break the checklist into categories, send each as a tracked request, and show the responder a clear progress bar. The data on this is consistent: structured intake forms get a 2-3x higher completion rate than email-attached lists.

2. Let the responder upload, not email

Email attachments cap out at 25 MB, mix with everyone else’s inbox, and have no version control. A branded portal where the other side uploads files into the right slot solves all three problems and gives you an audit trail for free. We have a longer write-up on why collecting documents from clients without email is now the default for regulated industries.

3. Automate the chasing

Every due diligence project has the same shape: 60% of documents arrive in the first week, 30% in the next two weeks, the last 10% take a month of nagging. The nagging is the part to automate. Schedule reminders at day 3, day 7, day 14, and day 21 for any document still missing, and the chase work disappears.

If you are running due diligence regularly (M&A team, procurement, KYC), the manual approach does not scale. Tools like Superdocu let you save your due diligence checklist as a workflow template, assign it to a counterparty in one click, and let the system handle the reminders and tracking.

Common due diligence pitfalls

Asking for everything upfront. Send the full 200-item list and the response rate craters. Phase the request: critical documents first (corporate, financials, top contracts), supporting documents second, nice-to-have third.

No document specs. “Insurance certificate” is ambiguous. “Certificate of general liability insurance, minimum $2M per occurrence, naming [Buyer Co.] as additional insured, valid through [close date]” gets you the right document on the first try.

Treating rejections as failures. Rejecting an uploaded document is a feature, not a bug. The responder needs to know why so they can re-upload the right version. Give them the reason inline, not in a separate email.

No expiration tracking. Insurance, certifications, licenses, and audit reports all expire. If your due diligence does not track expiration dates, you will be re-collecting the same documents six months from now in a panic.

Reinventing the checklist every time. Save your due diligence checklist as a template. Each new transaction reuses it. New requirements get added to the template, not to one-off requests, so the next transaction starts with everything you learned from the last.

Automating due diligence with Superdocu

Superdocu is a document collection platform built for exactly this kind of work. You define your due diligence checklist as a reusable workflow, with each document type having its own specs, file format rules, and reviewer. Then for every new counterparty:

  • Invite them via a magic link, no account required
  • They land on a branded portal that looks like your company, not ours
  • They upload documents into the right slot, see what is missing, and get reminders automatically
  • You review, approve, reject with reasons, and watch the percent complete climb
  • Expiring documents get a renewal request fired automatically when the date approaches

For regulated industries, Superdocu can also auto-verify certain document types (French KBIS, URSSAF, transport licenses) against official registries, which removes the manual eyeballing step entirely. See the full simple and transparent pricing if you want to compare plans.

Frequently asked questions

What is a due diligence checklist?

A due diligence checklist is a structured list of documents, data, and confirmations a party needs to validate before a transaction or partnership. It typically covers corporate, financial, legal, operational, tax, and technology categories, with the specific items depending on the transaction type (M&A, vendor, KYC, investment, real estate).

How long does a due diligence process take?

For mid-market M&A, expect 6-12 weeks from data room opening to closing. Vendor due diligence runs 2-4 weeks. KYC for a corporate customer runs 1-3 weeks. Real estate due diligence runs 30-60 days depending on inspections. The variable in all of them is how fast the other side returns documents, which is what an automated collection workflow speeds up.

What is the difference between due diligence and KYC?

KYC (Know Your Customer) is a specific type of due diligence required for regulated industries (banking, fintech, real estate, gaming) to verify customer identity and screen for money laundering risk. Due diligence is the broader category that also covers M&A, vendor, investor, and real estate reviews. KYC is a subset of due diligence, with the checklist defined largely by AML regulations.

Can you automate due diligence?

The document collection, reminders, expiration tracking, and basic verification steps can be automated. The judgment calls (is this contract acceptable, is this financial trend a red flag) still need a human reviewer. Tools like Superdocu, virtual data rooms, and dedicated KYC platforms handle the collection and tracking side, so the reviewer time is spent on analysis, not chasing files.

Who creates the due diligence checklist?

For M&A, the buyer’s legal counsel typically drafts it with input from the deal team. For vendor due diligence, procurement or risk management owns it. For KYC, the compliance team builds it from regulatory requirements (FinCEN, FCA, AMF, etc. depending on jurisdiction). For investor due diligence, the lead investor sets the list and the company responds.

What documents are most often missing in due diligence?

The recurring gaps: signed shareholder agreements (often verbal), updated cap tables (rarely current), IP assignments from contractors (frequently never signed), DPA signatures with subprocessors, and current insurance certificates. Pre-empt these by maintaining a permanent data room rather than scrambling when a deal starts.

Start your due diligence workflow

A due diligence checklist template is only useful if the documents actually arrive. Stop running due diligence over email and start running it on a workflow that tracks, reminds, and validates automatically.

Start your 7-day free trial of Superdocu — no credit card required. Build your due diligence checklist as a reusable workflow, invite your first counterparty, and watch the documents arrive in the right slots.

Part(s) or the totality of the above content may have been generated with the help of AI. Please double-check the information provided in this article to avoid any surprises.