Due diligence for an IT startup: what to look for


Since 2016 I have been developing COREDO as a partner for entrepreneurs and investors who value accuracy, speed and predictability when entering international markets. Over that time the COREDO team has executed hundreds of projects in Europe, Asia and the CIS countries: from company registrations in the EU, the Czech Republic, Slovakia, Cyprus and Estonia to launching structures in the United Kingdom, Singapore and Dubai. We have completed the full cycle of deal support: investments and M&A, obtaining financial licenses (crypto, forex, payment services and e‑money), setting up AML/KYC, as well as investment and technical due diligence of an IT startup.

In this article I have collected the pre-investment due diligence practices that we embed into comprehensive client support. My goal: to give you a methodology that saves months, reduces uncertainty and strengthens the negotiating position. Examples and tools are based on real COREDO projects: no unnecessary theory, with a focus on actionable results.

Does an IT startup need due diligence?


Investment due diligence of a startup is not a “compliance checkbox” but a way to see the true picture: technology quality, IP legality, revenue sustainability and the maturity of security processes. Checking an IT startup affects the startup’s valuation before investment, the deal structure and the post-integration plan, and therefore the ROI and the speed of scaling.
Our experience at COREDO has shown that it is the combination of technical due diligence, legal due diligence of the startup, financial analysis of SaaS and commercial contract review that makes the conclusions reliable. If you skip even one area, the risk of unpleasant surprises is high: from open source license defects and hidden CVEs to GDPR issues and unrecognized revenue.

I follow the principle “measure twice, cut once”. That means that before signing an SPA/SSA or SAFE, you need to check IP, the cap table, regulatory constraints, ARR/MRR and technological risk at the level of architecture, DevOps and data security. This creates confidence that integration will proceed without shock to the team and clients, and that jurisdictional and tax aspects will not put you at risk.

COREDO verification model: 6 contours


The COREDO verification model provides six assessment contours that comprehensively cover both the business and the project’s risks. One of the key contours, legal due diligence and IP matters, focuses on agreements, technology rights and potential risks that can significantly affect the startup’s fate.

Startup legal due diligence and IP

I start with IP due diligence, because rights to the source code and the brand are what protect the core value of the deal. I request an inventory of assets: code, libraries, patents, trademarks and domains, as well as assignment agreements with all employees and contractors. It’s important to ensure the founders had the authority, that the chain of title is clean and does not conflict with open source licenses (GPL, MIT, Apache).

I pay special attention to software escrow and source code release conditions: especially when there’s dependence on a key supplier. I review license agreements with clients, exit clauses and non‑compete, as well as dispute jurisdiction, arbitration, force majeure and the dispute resolution mechanism. In industries subject to export control and restrictions on cryptography or dual‑use technologies, compliance issues are included in the mandatory checklist.

Corporate structure and transactions

Cap table cleanliness is one of the common stop factors. I analyze the cap table, option plans, vesting and cliff, drag‑along / tag‑along, liquidation preference and anti‑dilution, as well as convertible notes and SAFE: conversion terms, preferences, potential dilution of investors. In some cases a cap table clean‑up is required before closing, which affects the timeline and the price.
COREDO’s practice confirms the importance of background checks on founders: judicial, commercial and media checks, adverse‑media monitoring and assessment of reputational risks. At the same time I review grants, subsidies and the terms of government aid to rule out hidden encumbrances. You cannot ignore lawsuits, claims and contingent liabilities: they determine the structure of warranties and holdbacks in settlements.

Regulatory framework for AML/KYC

Regulatory risks define scaling boundaries. For fintech models I analyze PSD2, local licensing of payment services and KYC requirements for corporate clients. The COREDO team has configured AML/KYC frameworks including embargo and sanction lists (OFAC, EU), PEP screening and transaction analytics: this is the basis for passing bank compliance and partner checks.
GDPR and local data laws remain critical. I check data security and GDPR compliance: DPA with processors, DPIA (impact assessment), international data transfers (SCC, BCR) and the consequences of Schrems II. For data residency in certain countries of Europe, Asia and Africa, architectural segmentation is required. The solution developed at COREDO typically combines legal mechanisms with technological controls: encryption, role segregation and audit trails.

Financial due diligence for SaaS

Financial KPIs are mirrors of reality. I compare ARR, MRR, churn, gross margin and burn multiple with the monetization model and the contract base. For SaaS, revenue recognition and deferred revenue, the correctness of subscription cycles and discounts are critical. We often perform cohort analysis and check retention and NPS to see the sustainability of the revenue streams.

Unit economics is another marker: CAC, LTV, payback period and contribution margin. If CAC “eats” LTV or the payback period falls outside the stated hypotheses, I propose correction scenarios. Tax compliance and VAT/digital services tax in the EU affect net economics; I check VAT registration, OSS/IOSS and the correctness of invoicing. For recurring payments, PCI DSS, chargeback risks and the choice of payment provider are important.

Customer and contract verification

Commercial validation: reference customers, pilot agreements, PoC and pipeline verification. I assess customer concentration risk, the terms of enterprise contracts, SLAs and downtime penalties, as well as exit clauses. The COREDO team often reaches out to customers for independent references and metric verification, to check the reality of ARR and MRR and whether customers are genuine; cross‑checks of counterparties, bank receipts and CRM reconciliation answer that.

Technical due diligence

A technological assessment is an “X‑ray” of architecture, DevOps and security. The IT startup review includes an audit of the startup’s source code, checking the commit history and the Git repository, analysis of unit tests, coverage and CI/CD processes, code scanning for vulnerabilities (SAST), as well as penetration testing results. I look at governance: code review practices, branch protection rules, SBOM and management of third‑party dependencies.

Technical due diligence: the COREDO method


For assessing the product and infrastructure we use the COREDO methodology as part of in-depth technical due diligence, which allows us to identify architectural constraints and technical risks in advance. Next we’ll move on to analysis of architecture and scalability: the key aspects that determine a system’s ability to grow and withstand load.

Architecture and scalability

I start with the technical architecture: monolith vs microservices, maturity of contracts between services, the consistency model and fault tolerance. Scalability covers horizontal and vertical scaling, performance bottlenecks (latency, throughput), as well as designing queues and backpressure. In complex products, architectural patterns like CQRS and event sourcing with message queues (Kafka) are applicable.
The database must support sharding and replication; I check the consistency strategy, indexing and hot‑partition risks. I rate technological risk through SLI/SLO and error budget according to the SRE approach: without observability it is impossible to predict system behavior. Where there is no SLO, I help set targets and tie them to contractual SLAs.

Repository and codebase

Checking a Git repository is not just reading the commit history. I evaluate the reputation and provenance of the code: signed commits, contributor license agreements (CLA), authorship and involvement of external contributors. To assess technical debt I use metrics: maintainability index, cyclomatic complexity and frequency of changes in hot files.

Processes are no less important than code. I check code review and branch protection rules, the presence of unit/integration/e2e testing and the code coverage percentage, and practices like feature flags, canary releases and blue‑green deployment. I separately review the product roadmap, backlog health and prioritization of technical debt, as well as the quality of releases and post‑mortem processes after incidents.

DevOps infrastructure and CI/CD

CI/CD maturity means pipelines, artifacts and signed builds. Ideally builds are reproducible, and artifacts are signed and stored in a trusted registry. Infrastructure as code (Terraform, Ansible) allows tracking drift and speeds up audits. Containerization (Docker) and orchestration (Kubernetes) provide flexibility, but require image controls: image signing and vulnerability scanning.

Dependency visibility: the SBOM (software bill of materials) is becoming a standard. It is the input for SCA (Software Composition Analysis) and license management, used to eliminate legally problematic and vulnerable third‑party dependencies. The risk of supply chain attacks after examples like SolarWinds is not theoretical; I assess the build chain, access controls and environment isolation. Secrets and key management (Vault, KMS, HSM) plus IAM, RBAC, least privilege and MFA are mandatory elements.

Vulnerabilities and application security

Application security is built around the OWASP Top 10 and SAST and DAST tools. I check how the team tracks CVEs and handles vulnerabilities, and how prioritization is set via CVSS. You need not only reports, but also a remediation roadmap with deadlines and owners. Penetration testing, bug bounty programs and control over closing findings demonstrate the maturity of the security culture.
If I see outstanding vulnerabilities, I propose a containment plan: temporary mitigations, accelerated patching and contractual guarantees (escrow/holdback) until full remediation. COREDO practice confirms that a transparent remediation plan is often more important than a “perfect” current picture, because an investor then sees a manageable risk.
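The SBOM/SCA and CVSS-prioritization steps described in this and the previous section, as an added example that is not COREDO's or the article's own tooling: it reads a constructed CycloneDX-style SBOM with placeholder ids, flags strong-copyleft licences for legal review, and turns the SCA vulnerability ratings into a remediation roadmap with owners and SLA due dates. The copyleft set, the SLA days per severity, the owner mapping and the start date are assumptions.

```python
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM, already parsed from JSON, with placeholder ids (sample
# data, not from the article). SCA tools can emit the optional "vulnerabilities" list (CycloneDX 1.4+).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:npm/example-ui@1.3.0", "name": "example-ui", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:pypi/example-reportgen@2.1.0", "name": "example-reportgen",
         "version": "2.1.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:maven/com.example/example-http@4.4.1", "name": "example-http",
         "version": "4.4.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"score": 9.8, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/com.example/example-http@4.4.1"}]},
        {"id": "CVE-0000-0002", "ratings": [{"score": 5.3, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:pypi/example-reportgen@2.1.0"}]},
    ],
}

COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}  # strong copyleft: needs legal review (assumed)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed remediation policy


def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative bands: 9.0+ critical, 7.0+ high, 4.0+ medium, >0 low."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"


def license_review(sbom: dict) -> list:
    """Components whose declared licence needs legal review before closing."""
    hits = []
    for comp in sbom.get("components", []):
        ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
        for lic_id in sorted(i for i in ids if i in COPYLEFT):
            hits.append({"component": comp["name"], "version": comp["version"], "license": lic_id})
    return hits


def remediation_roadmap(sbom: dict, owners: dict, start: str) -> list:
    """One row per (vulnerability, affected component), highest CVSS first, with an SLA due date."""
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    day0, rows = date.fromisoformat(start), []
    for vuln in sbom.get("vulnerabilities", []):
        # use the highest CVSS v3.x base score among the ratings the SCA tool attached
        score = max((r["score"] for r in vuln.get("ratings", []) if "CVSSv3" in r.get("method", "")), default=0.0)
        sev = cvss_severity(score)
        for aff in vuln.get("affects", []):
            comp = by_ref.get(aff["ref"], {"name": aff["ref"], "version": "?"})
            rows.append({"id": vuln["id"], "component": comp["name"], "version": comp["version"],
                         "cvss": score, "severity": sev,
                         "owner": owners.get(comp["name"], "UNASSIGNED"),  # missing owner is surfaced, not hidden
                         "due": (day0 + timedelta(days=SLA_DAYS[sev])).isoformat() if sev in SLA_DAYS else None})
    return sorted(rows, key=lambda r: -r["cvss"])


if __name__ == "__main__":
    for hit in license_review(SBOM):
        print("LICENSE REVIEW", hit)
    for row in remediation_roadmap(SBOM, {"example-http": "platform-team"}, "2024-01-15"):
        print("REMEDIATE", row)
```

A row with owner UNASSIGNED or a due date already in the past is exactly the gap the text says to contract around with escrow or holdback.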

Data encryption and compliance

Data require a systematic approach: encryption at rest and in transit, classification, key policies and secret rotation. I assess logging, monitoring and observability to verify the completeness of audit trails. For mature companies it is important to check compliance with standards like ISO 27001 or SOC 2, and the reality of the implemented controls.

Backups, retention strategy and recovery testing are basic things that are often underestimated. I validate RTO and RPO, as well as the disaster recovery plan (DRP). Without regular recovery testing, backups are just an expensive illusion of security.

Vendors and third-party dependencies

Third‑party vendor risk assessment is not a formality: cloud providers, analytics, PSPs and KYC providers affect availability and compliance. I check DPAs, SLAs, penalties, the right to audit and migration terms. Software supply contracts, service level agreements and penalties must be synchronized with your promises to customers. For critical components we discuss software escrow and the conditions for source release.

COREDO Cases: Typical Scenarios


In COREDO’s practice we systematize typical scenarios and cases to provide practical guidance for complex cross-border operations. The first example, the purchase of a European SaaS from Slovakia by a fund from Singapore, clearly demonstrates the key legal, tax and corporate issues that participants most often face.

Singapore fund to buy a Slovak SaaS

The investor approached us with the request “how to conduct technical due diligence of a startup before acquisition”. The startup showed healthy ARR and MRR, but churn was masked by promotional periods. The COREDO team carried out financial due diligence of the SaaS, verified revenue recognition and deferred revenue, and then a commercial review of customers and contracts with a focus on enterprise SLA.
Technical due diligence revealed bottlenecks in database scalability (lack of sharding and hot partitions) and an immature DPA process. We prepared a roadmap: assessing architecture scalability and bottlenecks, implementing caching (Redis, CDN) to reduce latency and configuring SCC for international data transfers. The deal closed with a 7% price reduction and an escrow pool tied to SLO fulfillment.

Licensed fintech in Estonia

The client was developing a payment service in the EU and sought partnerships with banks. The solution developed by COREDO included licensing in Estonia, review of local regulation and licensing in the countries of operation, setting up AML/KYC (PEP screening, EU/OFAC sanctions), as well as reviewing the AML policy/KYC for corporate clients. The technical block included PCI DSS, secret management (KMS), encryption and SAST/DAST.
Following the due diligence we updated the DPIA, strengthened IAM and RBAC, implemented MFA and tailored the DRP with RTO/RPO to banking requirements. The partner bank accepted our documentation without comments; the license and compliance opened access to large enterprise clients and reduced funding costs.

Integration into a corporate portfolio and M&A

The corporation was acquiring a startup with a microservices architecture on Kubernetes. M&A risks arose: integration complexity, tech harmonization and differing ISO/SOC standards. The COREDO team developed an integration playbook: unification of CI/CD with signed builds, SCA and SBOM across the whole group, an image signing policy and a unified vulnerability matrix with CVSS prioritization.
We synchronized SLAs and SLOs, implemented a unified observability stack and conducted a vendor risk assessment for shared suppliers. The integration proceeded without downtime; commercial teams were able to aggregate the pipeline without delays, and ITSM incidents decreased by 30% over the quarter.

Checklists and questions for founders, CTO


Checklists, precise questions and checkpoints for founders and CTOs help quickly reveal gaps in the process, assess risks and understand where supporting documents are needed. Below is the mandatory list of documents and evidence that I always request to verify the stated metrics and make an informed decision.

Documents and evidence I request

  • IP and legal: IP register, agreements transferring code rights (employees and contractors), patents and trademarks, software escrow and release terms, open source licenses and SCA‑reports.
  • Commercial: list of top clients, contracts, SLAs, penalties, exit clauses, non‑compete, references, pilot agreements and PoC.
  • Financial: reports on ARR/MRR/churn, revenue recognition and deferred revenue, cohort analysis, unit economics (CAC, LTV, payback), payment reconciliation and chargeback statistics.
  • Regulatory: licenses and permits (including PSD2/financial), DPA, DPIA, SCC/BCR, data residency policy, ISO27001/SOC2, PCI DSS.
  • Security and engineering: SAST/DAST reports, pentest results, remediation roadmap, SBOM, secret management policy (Vault/KMS/HSM), IAM/RBAC, DRP plans and recovery tests.
  • Corporate: cap table, option plans (vesting, cliff), SAFE/convertible notes, liquidation preferences, anti‑dilution provisions, board and shareholder minutes.
  • Legal and compliance: current/potential disputes, regulatory correspondence, sanctions and PEP checks of counterparties, tax compliance and VAT in the EU.

CTO questions for the pre-investment audit

  • What to check in the source code when investing in a startup: ownership, test coverage, complexity and dependencies.
  • How to assess the scalability of a SaaS architecture: target SLOs, current bottlenecks (latency/throughput), sharding/caching plan.
  • What the DevOps practices review includes: reproducible and signed builds, IaC and drift control, release policy (canary, blue‑green), post‑mortems.
  • How to assess risks of using open source: SBOM/SCA, GPL/MIT/Apache licenses, update process and CVE remediation.
  • How to limit risks when integrating a third‑party service: vendor risk assessment, SLA, right to audit, escrow, migration and lock‑in assessment.
  • What guarantees to require for backups and RTO/RPO: recovery test procedures, reports, independent verification.
  • How to verify GDPR compliance and cross‑border processing: DPA/DPIA, SCC/BCR, data mapping, minimization and logging.

COREDO Support: How to Reduce Risk

I structure the work in phases with clear artifacts. At the start we establish the deal hypothesis, geography and regulatory perimeter: EU, Czechia/Slovakia, Cyprus/Estonia, United Kingdom, Singapore and Dubai, where COREDO’s practice is especially strong. Next we open the virtual data room and launch parallel tracks: legal, regulatory/AML, financial, commercial and technical.

Each track has its deliverables: from a report on the startup’s legal due diligence and an IP map to a technical risk matrix with an assessment of technological risk and a remediation plan. The output is a consolidated investment memorandum where risk items are linked to the economics of the deal: price adjustments, escrow/holdback terms, warranty obligations and KPI blocks. This approach shortens negotiations and simplifies post-closing integration.

A separate vector is licensing and registration. If the model requires a license (crypto, forex, payment services), the COREDO team takes on structuring, preparation of AML/KYC policies, configuration of transaction analytics and engagement with the regulator. For registering legal entities in the EU, United Kingdom, Singapore or Dubai we prepare a set of incorporation documents, a banking package and a tax compliance plan.

How to contractually mitigate red flags

  • Unresolved critical CVEs and pentest failure. Solution: remediation roadmap with deadlines, escrow/holdback until closing, reps & warranties and the right to an independent re‑test.
  • Lack of agreements assigning code rights from part of the team. Solution: urgent assignment, cap table adjustment, partial price‑adjustment.
  • Customer concentration and fragile enterprise‑contracts. Solution: earn‑out, expanded SLAs, liability insurance, pilots with diversification.
  • Weak GDPR compliance and absence of SCC/BCR for cross‑border transfers. Solution: DPA/DPIA before closing, controlled regional rollout, architectural segmentation.
  • Issues with revenue recognition and deferred revenue. Solution: restatement, valuation adjustment, covenants on financial reporting.
  • Tax and VAT risks. Solution: price reserve, voluntary correction, post‑closing support and registration in OSS/IOSS schemes.

Hiring the core team by region

Regional risks in Europe, Asia and Africa differ in localization, licensing and provider stability. I recommend checking local regulation and licensing in countries of presence, export controls and restrictions on cryptography in advance. In some regions data residency is required, which entails infrastructure segmentation and duplication of DR processes.

Hiring requirements and visa and migration practices for the key team often affect the roadmap. The COREDO team assists with relocation, obtaining permits and adjusting option plans taking into account local regulations. ESG and corporate governance become a factor in investment evaluation: a transparent board of directors, ethics and data protection policies improve access to capital and partnerships.

Conclusions

Investment due diligence for a startup is not a set of disparate checks, but an interconnected system in which legal, financial, commercial, and technical blocks reinforce one another. When this mechanism operates smoothly, a startup’s pre-investment valuation becomes more accurate and the deal structure safer. In my approach, COREDO acts as an integrator: from company registration and obtaining financial licenses to AML consulting and in-depth technical expertise.

I tell clients honestly: there are plenty of challenges, but they can be addressed predictably. COREDO’s practice confirms that process transparency, verifiable metrics, and well-designed contractual mechanisms mitigate key risks: from IP and GDPR to CVE and SLA. If it is important for you to make an investment decision without guesswork and with control over post-integration, this framework will become a reliable foundation, and the COREDO team your long-term partner.