Due Diligence Questionnaire (DDQ): Template and Checklist

A due diligence questionnaire (DDQ) is a structured list of questions an investor, acquirer, or partner sends a company to verify its legal, financial, commercial, and operational standing before a deal. You answer it with evidence, usually documents hosted in a data room. This guide gives you a complete, copy-pasteable DDQ template by category.

What is a due diligence questionnaire (DDQ)?

A due diligence questionnaire is the formal request for proof that backs up everything you claimed in a pitch deck, teaser, or vendor profile. The other side has heard your story; the DDQ is where they check it.

It arrives during fundraising, an acquisition, an enterprise procurement review, or a fund-into-fund (LP) assessment. Sometimes it is a tidy spreadsheet with 40 questions. Sometimes it is a 12-page Word document with 300. Either way, your job is the same: answer each item clearly and attach the document that proves it.

A DDQ is not the same as the diligence itself. The questionnaire is the checklist; the diligence is the investigation that follows when reviewers open your documents and pull on threads. A clean DDQ makes that investigation fast and boring, which is exactly what you want. For the wider picture of what reviewers actually examine, see the breakdown of the different types of due diligence.

Why a DDQ matters

For the company answering one, the DDQ is the moment trust is won or lost. Vague answers, missing documents, and contradictions between what you said and what the files show are the fastest way to cool a deal.

A strong DDQ response does three things:

• It speeds the deal up. Reviewers who find every answer on the first try keep moving. Reviewers who have to email you for the cap table lose momentum and confidence.
• It signals operational maturity. A founder who can produce clean financials, signed contracts, and a current cap table on demand looks like someone who runs a tight company.
• It surfaces your own risks first. Working through a DDQ before anyone asks forces you to find the gaps, the unsigned agreement, the lapsed filing, the IP a contractor technically still owns, while you still have time to fix them.

For the reviewer, the DDQ is risk management. It is the structured way to find liabilities, compliance gaps, and red flags before money or access changes hands.

The complete due diligence questionnaire template

Below is a comprehensive, copy-pasteable DDQ organized by category. Use it two ways: as a founder, work through it to assemble your data room before a raise; as a reviewer, send the relevant sections to a target company. Trim the sections that do not apply to your deal. Not every early-stage startup has real estate or a union contract, and that is fine.

1. Corporate and structure

• What is the full legal name, entity type, and jurisdiction of incorporation?
• Provide the certificate of incorporation, bylaws, and certificate of good standing.
• Describe the corporate structure: parent, subsidiaries, and any holding entities.
• Provide a current, fully diluted cap table showing every shareholder and ownership percentage.
• List all option pools, SAFEs, convertible notes, and warrants outstanding.
• Provide all shareholder agreements, voting agreements, and side letters.
• Who sits on the board, and provide recent board minutes and consents.
• List all prior financing rounds, amounts, valuations, and lead investors.

2. Financial

• Provide audited or reviewed financial statements for the last three years (or since inception).
• Provide the most recent management accounts: income statement, balance sheet, cash flow.
• Provide the current financial model and forward forecast.
• Break down revenue by product, customer, and geography.
• What are gross margin and contribution margin, and how are they trending?
• Provide the current burn rate, runway, and cash position.
• List all debt, loans, credit facilities, and their terms.
• Provide federal, state, local, and foreign tax returns for recent years.
• List any outstanding tax liabilities, disputes, or audits.
• Detail accounts receivable and payable aging.

3. Legal and regulatory

• List all material contracts and provide copies (customer, supplier, partnership, lease).
• Detail current, past, and threatened litigation, and any settlements or injunctions.
• Which laws, licenses, and permits apply to the business, and are all current?
• List any regulatory investigations, fines, or consent decrees.
• Provide all insurance policies (liability, D&O, key person, property, cyber).
• Are there any change-of-control provisions in key contracts triggered by this deal?
• Could the transaction raise antitrust or competition concerns?

4. Commercial and market

• Describe the customer base and key segments.
• Who are your largest customers, and what share of revenue does each represent?
• Provide key metrics: CAC, LTV, payback period, net revenue retention, churn.
• Describe the competitive landscape and your differentiation.
• Provide the sales pipeline and conversion data.
• What is the pricing model, and what is the discounting history?
• Detail any customer concentration or single-channel dependency risk.

5. Intellectual property

• List all IP: patents, trademarks, copyrights, domains, and trade secrets.
• Who legally owns each asset, and provide registration documents.
• Provide signed IP assignment agreements from all founders, employees, and contractors.
• List all inbound and outbound licenses.
• Detail any IP disputes, infringement claims, or freedom-to-operate concerns.
• What open-source software is used, and under what licenses?

6. Human resources and team

• Provide an org chart and headcount by function.
• Provide employment agreements for all key personnel.
• Provide the option plan (ESOP) documentation and grant ledger.
• List compensation, benefits, and any deferred or contingent payments.
• Detail any key-person dependency and retention risk.
• Provide contractor and consultant agreements.
• Are employees unionized, and if so provide the collective agreement.
• List any past or pending employment disputes or claims.

7. Technology and product

• Describe the technology stack, architecture, and hosting providers.
• Provide the product roadmap.
• Detail security practices: encryption, access controls, and certifications (SOC 2, ISO 27001).
• Describe data protection and privacy compliance (GDPR, CCPA, HIPAA where relevant).
• Provide the disaster recovery and incident response plan.
• List any past security breaches or data incidents.
• What technical debt or scaling constraints exist?

8. Compliance and risk

• Detail your anti-bribery and anti-corruption (ABAC) controls.
• Provide AML/KYC procedures where applicable.
• Detail compliance with sector regulations (financial, healthcare, payments).
• List the company's data processing agreements and sub-processors.
• Provide any ESG policy and relevant disclosures.
• Detail the third-party and vendor risk management process.
• List any sanctions, PEP, or adverse-media exposure.

A modern fundraising data room maps neatly onto these eight categories. If you want a folder-by-folder structure tuned specifically to early-stage investors, the data room checklist of what VCs want is the companion to this template.

How to answer a DDQ efficiently using a data room

The slowest way to handle a DDQ is to answer questions one at a time and email files back and forth as attachments. Versions drift, the reviewer ends up with three different cap tables, and you have no idea what anyone actually read.

The fast way is to build a data room once and map every DDQ question to a document inside it.

1. Mirror the eight categories as folders. Number them so they sort in order: 01_Corporate, 02_Financial, 03_Legal, and so on. A reviewer should be able to find the answer to any question without asking you.
2. Name files so they explain themselves. Cap_Table_2026_Q2.xlsx beats final_v3.xlsx. The reviewer should know what a file is before opening it.
3. Answer the questionnaire with links, not attachments. Next to each DDQ item, reference the exact document. Because a Plox link never changes, you can update the underlying file the night before a meeting and the reviewer always sees the current version.
4. Gate the sensitive folders, not the front door. Apply a passcode, email verification, or a one-click NDA to financials, the cap table, and legal, while keeping the overview open. Demanding an NDA to glance at a deck slows your raise.
5. Watch the analytics. Page-by-page tracking tells you who opened the financials, how long they spent, and whether they reached the end. An investor re-reading your model at midnight is a hotter lead than one who skimmed the deck.

Plox is a secure document sharing and virtual data room platform for founders, investors and dealmakers, and this is exactly the workflow it is built for. You get trackable links, per-viewer watermarking, access controls, and a built-in AI assistant, Ploxie, that answers reviewer questions straight from your documents so you field fewer late-night emails. For the full picture of what a data room is and why dealmakers use one, start with the pillar on data rooms: features, uses and benefits.

Common DDQ mistakes to avoid

• Starting late. Assembling a data room mid-raise, while you are also pitching, is how deals stall. Build it before you open the round.
• Stale documents. A cap table that does not reflect your last SAFE, or a model from two quarters ago, reads as carelessness. Update files in place so the link always shows the latest.
• Answers that contradict the deck. If your DDQ revenue does not match your pitch number, the reviewer now distrusts both. Reconcile every figure first.
• Emailing files as attachments. You lose version control, you lose tracking, and confidential documents end up sitting in inboxes forever with no way to revoke them.
• Over-sharing. Personal employee data, draft financials, informal investor chats, and side agreements do not belong in the room. Clutter and surprises slow diligence.
• No access control. Sending the whole company in one unprotected link means anyone forwarded it can read your cap table. Use expiry, revoke, and per-viewer watermarking on the sensitive material.
• Ignoring the signals. If analytics show no one opened the financials, the deal is colder than you think. Read the data and follow up accordingly.

Frequently asked questions

What is the difference between a DDQ and due diligence?

The DDQ is the questionnaire; due diligence is the investigation. The questionnaire is the structured list of questions and the documents you provide in response. Due diligence is the broader process where reviewers verify those answers, pull on threads, and assess risk before closing.

Who sends a due diligence questionnaire?

Anyone evaluating a company before committing: venture capital and private equity investors during a raise, acquirers in M&A, limited partners assessing a fund, and enterprise buyers running vendor and security reviews. The categories overlap, but the emphasis differs by deal type.

How long is a typical DDQ?

It varies widely. A lightweight vendor or partner screen might be a single page. A seed round DDQ often runs 30 to 60 questions. An institutional LP questionnaire (like the ILPA standard) or an M&A request can run to several hundred items across every category in this guide.

Are there standard DDQ templates I should know?

Yes. The ILPA questionnaire is the standard for private equity LP diligence, AFME publishes a framework for regulated financial firms, Invest Europe has a thorough ESG sample, and ABAC and FCPA questionnaires cover anti-bribery controls. For a startup raise, the category template in this guide is a more practical starting point than the institutional ones.

Should I require an NDA before sharing my DDQ responses?

Gate the sensitive folders, not the whole room. Most early-stage investors will not sign an NDA to look at a deck, and demanding one slows your raise. Share the overview openly, then apply a one-click NDA or email verification to financials, the cap table, and legal documents.

How do I keep DDQ documents secure once I share them?

Share them as trackable links inside a data room rather than as email attachments. That lets you set passcodes, verify emails, watermark every page per viewer, disable downloads, set link expiry, and revoke access entirely if a deal goes cold, none of which is possible once a file leaves your inbox as an attachment.

How current do the documents need to be?

Current to the last reporting period. Update the cap table, the model, and the metrics in place rather than uploading new copies. With a trackable link the URL never changes, so reviewers always see the latest file without you resending anything.

Build your DDQ data room free

The cleanest way to answer a due diligence questionnaire is to have the answers waiting in an organized, secure data room before anyone asks. Build a free data room with Plox: trackable links, page-by-page analytics, per-viewer watermarking, and access controls, with a genuinely free plan and no credit card required.