Types of Due Diligence: The 9 Main Types Explained
The main types of due diligence explained: financial, legal, commercial, operational, tax, IT, HR, environmental, and IP. What each covers and who runs it.
On this page
- What is due diligence?
- The main types of due diligence
- Financial due diligence
- Legal due diligence
- Commercial due diligence
- Operational due diligence
- Tax due diligence
- IT and technical due diligence
- HR due diligence
- Environmental due diligence
- Intellectual property due diligence
- Other due diligence types you may run into
- Who runs each type of due diligence?
- How a data room organizes due diligence
- Frequently asked questions
- What are the main types of due diligence?
- How many types of due diligence are there?
- What is the difference between financial and commercial due diligence?
- Who is responsible for due diligence in an M&A deal?
- How long does due diligence take?
- Do I need a data room for due diligence?
- Run your due diligence in a room built for it
Due diligence is the structured investigation a buyer, investor, or partner runs before a deal closes. The main types of due diligence are financial, legal, commercial, operational, tax, IT/technical, HR, environmental, and intellectual property. Each examines a different slice of the target company, and most deals run several streams in parallel inside one data room.
What is due diligence?
Due diligence is the homework you do before you commit capital or sign a binding agreement. Instead of trusting what the other side claims, you verify it: the numbers, the contracts, the technology, the team, and the risks hiding underneath.
The point is not to find a perfect company. It is to find the real one, price the risk correctly, and decide whether to proceed, renegotiate, or walk.
Different deals need different scrutiny. A SaaS acquisition leans hard on technical and financial review. A manufacturing buyout adds environmental and operational depth. A venture round focuses on financials, cap table, and IP. That is why due diligence is split into types, each owned by people who know what to look for.
The main types of due diligence
Most M&A deals, fundraises, and major partnerships draw on the same core set of due diligence streams. Here is what each one covers, who typically runs it, and the documents it produces.
| Type | What it covers | Who usually runs it |
|---|---|---|
| Financial | Historical P&L, balance sheet, cash flow, revenue quality, margins, burn, working capital, debt, quality of earnings | Accountants, FDD firms, the acquirer's finance team |
| Legal | Corporate structure, contracts, litigation, regulatory standing, shareholder agreements, permits, change-of-control clauses | M&A lawyers, in-house counsel |
| Commercial | Market size, competitive position, customer concentration, pipeline, churn, pricing power, growth assumptions | Strategy consultants, the buyer's corp-dev team |
| Operational | Supply chain, processes, systems, facilities, capacity, key dependencies, integration risk | Operations leaders, ops consultants |
| Tax | Tax filings, exposures, transfer pricing, VAT/sales tax, carryforwards, structuring of the deal itself | Tax advisors, the acquirer's tax team |
| IT / technical | Codebase quality, architecture, tech debt, security posture, infrastructure, scalability, licenses | CTOs, security firms, technical reviewers |
| HR | Org chart, key-person risk, comp and benefits, contracts, equity, culture, employment liabilities | HR leaders, employment counsel |
| Environmental | Contamination, emissions, permits, remediation liabilities, ESG exposure (mostly real assets and industrials) | Environmental consultants, specialist engineers |
| Intellectual property | Patents, trademarks, ownership and assignment, freedom to operate, open-source exposure, IP litigation | IP lawyers, technical reviewers |
You will not always run all nine. A pre-seed check rarely needs an environmental survey. But on a real M&A deal, expect most of these streams open at once.
Financial due diligence
Financial due diligence (FDD) validates the numbers behind the valuation. Reviewers test 3 to 5 years of historical P&L, the balance sheet, cash flow, and burn rate, then dig into revenue quality: is it recurring, concentrated in a few customers, or recognized too early.
The headline output is often a quality-of-earnings (QoE) report that separates real, repeatable profit from one-off accounting noise. For a SaaS company, this is where a VC validates MRR, churn, deferred revenue, and net revenue retention.
Legal due diligence
Legal due diligence maps the company's legal reality. It covers the corporate structure, every material contract, outstanding or threatened litigation, regulatory compliance, and the shareholder and option agreements that govern ownership.
A key focus is change-of-control and assignment clauses: contracts that let a customer or landlord walk away the moment the company changes hands can quietly destroy deal value.
Commercial due diligence
Commercial due diligence answers the question "is this market real and is this company winning in it." Reviewers stress-test the addressable market, competitive position, customer concentration, sales pipeline, churn, and the growth assumptions baked into the model.
This is where optimistic projections meet reality. If 60% of revenue comes from one customer, commercial diligence is where that risk surfaces and gets priced.
Operational due diligence
Operational due diligence examines how the business actually runs day to day: supply chain, core processes, systems, facilities, and the single points of failure that integration could break. For acquirers, this stream feeds directly into the integration plan.
Tax due diligence
Tax due diligence looks for exposures that could become the buyer's liability: unfiled returns, aggressive positions, transfer-pricing issues, and indirect-tax gaps. It also shapes how the deal itself is structured to be tax-efficient for both sides.
IT and technical due diligence
Technical due diligence assesses the product and the engineering behind it. Reviewers evaluate code quality, architecture, technical debt, security posture, infrastructure, and scalability, plus open-source and third-party license exposure.
For software acquisitions this is decisive. A slick demo can hide a brittle codebase, and tech diligence is what surfaces the rebuild cost a buyer would inherit.
HR due diligence
HR due diligence reviews the people side: the org chart, key-person dependencies, compensation, benefits, equity, employment contracts, and any open employment liabilities. Founder vesting and the depth of the team below the founders matter as much as headcount.
Environmental due diligence
Environmental due diligence applies mostly to deals involving physical assets, real estate, or industrial operations. It checks for contamination, emissions, permits, remediation liabilities, and broader ESG exposure that could carry long-tail financial risk.
Intellectual property due diligence
IP due diligence confirms the company actually owns what it claims to own. Reviewers check patents, trademarks, and crucially the assignment of IP from founders and contractors to the company, plus freedom to operate and open-source exposure. A startup whose core IP was never properly assigned by an early contractor is a deal-breaker waiting to be found.
Other due diligence types you may run into
Beyond the core M&A streams, a few specialized types come up in finance, compliance, and procurement:
- Customer due diligence (CDD) and enhanced due diligence (EDD): KYC and anti-money-laundering checks that banks, fintechs, and crypto platforms run to verify a customer's identity and risk. EDD is the deeper version for high-risk or politically exposed customers.
- Vendor due diligence (VDD): evaluating a third-party supplier or SaaS vendor before you depend on them, focused on SOC 2 and ISO 27001 certifications, uptime, data-processing compliance, and financial stability.
- Reputational and ESG due diligence: background and media scans on founders and the business, increasingly required by institutional investors.
These overlap with the core types, but they answer "can I safely transact with this party," not "should I buy this company."
Who runs each type of due diligence?
On a buy-side deal, the acquirer or lead investor coordinates the overall process, then assigns each stream to specialists. Finance and QoE go to accountants or an FDD firm. Legal, tax, and IP go to lawyers. Commercial goes to strategy consultants or the corp-dev team. Technical goes to a CTO or a security firm.
On the sell-side, the target's leadership assembles the documents, often working with advisors who prepare a vendor due diligence report so buyers find a clean, organized room instead of chaos. A well-run sell-side process speeds diligence and protects valuation.
Plox is a secure document sharing and virtual data room platform for founders, investors and dealmakers, and it is built for exactly this multi-stream reality: one room, many reviewers, each seeing only what they should.
How a data room organizes due diligence
Every type of due diligence is really a request for documents, and a virtual data room is where those documents live. The structure of the room usually mirrors the diligence streams themselves.
A clean top-level folder structure looks like this:
01_Corporate_and_Legal
02_Financials
03_Tax
04_Commercial_and_Market
05_Product_and_Technology
06_Intellectual_Property
07_People_and_HR
08_Operations
09_Environmental_and_ESG
Mapping folders to diligence types does three things. Reviewers find their stream instantly without asking. You can grant the FDD firm access to financials and tax while keeping HR locked. And you can see, per folder, exactly how diligence is progressing.
That last point is where a modern data room pulls ahead of a shared drive. With page-by-page document analytics, you see who opened the financial model, how long they spent on the legal contracts, and which sections nobody has touched, in real time. If a buyer's lawyer is camped in the IP folder, you know where the deal risk is before they raise it.
A few practical habits keep diligence fast:
- Use descriptive file names like
Audited_Financials_2025.pdf, notfinal_v3.pdf, so a reviewer knows the file before opening it. - Update files in place. With a trackable link the URL never changes, so when you fix the model, every reviewer sees the latest version without you resending anything.
- Gate by sensitivity, not at the front door. Open the overview, then apply email verification, a one-click NDA, or watermarking on financials, the cap table, and IP.
- Pre-load a diligence checklist. Anticipating requests with a due diligence questionnaire turns a reactive scramble into a controlled process.
Frequently asked questions
What are the main types of due diligence?
The core types are financial, legal, commercial, operational, tax, IT/technical, HR, environmental, and intellectual property due diligence. Most M&A deals run several of these streams in parallel. Compliance contexts add customer (CDD), enhanced (EDD), and vendor (VDD) due diligence, which verify identity and counterparty risk rather than assessing a company to buy.
How many types of due diligence are there?
There is no fixed number. M&A practice usually recognizes around nine core types, while regulated finance adds CDD, EDD, and VDD. The right question is not how many exist, but which streams a specific deal needs: a software acquisition emphasizes technical and financial diligence, while an industrial buyout adds environmental and operational depth.
What is the difference between financial and commercial due diligence?
Financial due diligence validates the numbers already in the accounts: profit, cash flow, revenue quality, and burn. Commercial due diligence tests whether those numbers are sustainable by examining the market, competition, customer concentration, and growth assumptions. Financial looks backward at what happened; commercial looks forward at whether it will continue.
Who is responsible for due diligence in an M&A deal?
The buyer or lead investor owns the overall process and assigns each stream to specialists: accountants for financials, lawyers for legal, tax, and IP, consultants for commercial, and technical reviewers for IT. The seller is responsible for assembling accurate, complete documents, often in a sell-side vendor due diligence report.
How long does due diligence take?
It depends on deal size. A seed or Series A round can take a few weeks. A mid-market M&A deal typically runs 4 to 12 weeks across all streams. The biggest time sink is usually document chaos, so a well-organized data room with a pre-loaded checklist is the single fastest way to compress the timeline.
Do I need a data room for due diligence?
For anything beyond a tiny deal, yes. A virtual data room gives you structured folders mapped to each diligence type, granular access control per reviewer, and analytics showing exactly where each party is spending time. Plox offers a genuinely free plan to start, so you can run early diligence with secure links and tracking before paying for anything.
Run your due diligence in a room built for it
Due diligence is many streams hitting one set of documents at once. The teams that close fast are the ones whose data room mirrors those streams: clean folders per type, the right access per reviewer, and live visibility into who is reading what.
Build a free data room with Plox. Share trackable links, control access per folder, watermark sensitive files, and see page-by-page who is doing their diligence, with a real free plan and no sales call. See Plox pricing for current plans.
Written by the Plox team
Plox builds secure document sharing and virtual data room software for founders and dealmakers. We share pricing and comparisons transparently, and recheck competitor details regularly.