Vendor Due Diligence (VDD) — Guide and Question List 2025

The due diligence process is one of the most important risk management tools in business. Although it is mainly associated with the moment of a transaction, its value extends far beyond buying and selling a company. It is a systematic, multi-area review of a business that gives the investor confidence that decisions are based on facts and gives the owner an opportunity to demonstrate the real value of the business and prepare it for the future.

Why Due Diligence Matters for the Investor

For an investor, due diligence is the foundation of a rational investment decision. In a world where cash flows, liabilities, legal status and financial condition can be interpreted in many ways, an objective perspective is required.

An investor expects answers to several key questions:

• Is the company in the condition the seller claims?
• Are there hidden risks beneath the surface — tax, legal, technological, environmental?
• Are processes, personnel and organizational structure stable enough to support growth after the transaction?
• Do contract terms, commercial agreements and financial obligations pose a risk of unforeseen losses?
• Does the strategy and market in which the company operates offer potential return on investment?

Lack of due diligence or a superficial review means operating “in the dark,” which rarely ends well in M&A. Industry statistics are clear: undiscovered risks are often what cause failures or unsuccessful integrations after acquisitions.

Why Due Diligence Matters for the Owner

Owners often treat due diligence as an “exam” the company must pass for an investor. In reality, it is a unique opportunity to:

• Identify weaknesses before an external party finds them.
• Organize documentation, procedures and processes — elements crucial both for sale and future development.
• Understand how the company looks from the perspective of someone who may invest millions in it.
• Increase valuation by professionally preparing information and avoiding a “risk discount.”
• Build an image of a responsibly and transparently managed company.

In practice, preparation for due diligence determines whether a transaction will succeed. Attention to financial data, legal matters, property condition, the quality of commercial contracts and strategy — all influence credibility and attractiveness to buyers.

Why It’s Worth Preparing the Company Early — Even If Sale Is Only an Option

Many owners postpone preparation until an investor knocks. This is a mistake that can cost hundreds of thousands or even millions.

The reasons are simple:

1. A company’s attractiveness increases as risk decreases

Companies that are organized, with complete documentation, clear structures and financial data, achieve higher valuations. Buyers view companies that are audit-ready more favorably than those that “only start looking for papers” when a sale becomes a possibility.

2. Ongoing document cleanup during a transaction destroys negotiation momentum

Transactions lose momentum when the seller scrambles to fix documentation gaps. This can lead to price renegotiation or investor withdrawal.

3. Early preparation minimizes tax and legal risk

Resolving arrears, removing risky clauses and organizing agreements all take time. Done in advance, they bring peace of mind and savings.

4. A company ready for sale is also ready for succession

Owners planning to transfer the business to family or managers need the same organized data and procedures as those looking to sell.

5. Early actions increase operational predictability

Many entrepreneurs discover during Vendor Due Diligence that their company relies on knowledge dispersed in employees’ heads rather than in documented processes. This risk is easy to remove if addressed early.

Why Vendor Due Diligence Is Becoming the New Standard

Vendor Due Diligence (VDD) is due diligence initiated by the seller. It allows the owner to control the narrative, professionally prepare the company and avoid a situation in which the buyer imposes the pace and scope of the review.

Well-conducted VDD:

• minimizes risks discovered by the buyer,
• increases transparency,
• shortens negotiation time,
• allows preparation of answers to difficult questions,
• strengthens the seller’s negotiating position.

It is at this stage that a comprehensive initial question set appears — a broad, multi-dimensional audit covering all key areas of the company’s operations.

New 2025 Standard: Clean Room / Data Room Ready at Teaser and CIM Stage

In 2025 the best sellers (and their advisors) provide access to a so-called Clean Room — a limited but fully organized set of key documents (without NDA or under a light NDA) — already at the teaser or CIM (Confidential Information Memorandum) stage.

Typical Clean Room contents at this stage:

• last 3 years of audited financial statements + QoE summary
• financial fact book (key metrics, EBITDA bridges, working capital, net debt)
• basic corporate data (company register extracts, shareholder ledger, cap table)
• list of key commercial agreements (top 10–20 customers/suppliers)
• short legal & tax summary (no major disputes, clean history)
• ESG & sustainability one-pager

Thanks to this, a serious investor can determine within 48–72 hours whether they want to sign an NDA and proceed further. Lack of a Clean Room leads to automatic rejection by 70–80% of top funds.

Sample Initial Question List for Vendor Due Diligence 2025

Below is a very detailed, up-to-date (2025) list of questions you can expect from a reputable investor or a buy-side advisory firm. Important note: this is not an exhaustive list. Each answer of “yes / no / partially” typically generates 3–15 follow-up questions. Companies that do not have this information readily available often lose control of the process and the negotiations.

Vendor Due Diligence – Initial Questions 2025

A. Corporate Records

• Company registration number, tax ID, statistical ID, registration date.
• Articles of association, rules of corporate bodies, organizational regulations.
• Current shareholder ledger / share register.
• Shareholder/General Meeting resolutions from the last 5 years.
• Current extract from the commercial register and list of shareholders with % ownership.

C. Company Culture and Values

1. What are the company’s values?
2. What are the company’s objectives?
3. What are the company’s development plans for the next 3–5 years?

D. Legal Status / Intellectual Property / Key Contracts

1. List of licenses and permits held.
2. List of patents, utility models and industrial designs owned.
3. Inventory of software and licenses (including open-source with license type noted).
4. List of trademarks (national, EUIPO, international).
5. Does the company hold any know-how protected by NDAs or as trade secrets?
6. Are there agreements with MAC/MAE clauses, change-of-control clauses, transfer restrictions or pre-emptive rights?
7. Has the company granted or received product guarantees, warranties, or bank/corporate guarantees?
8. Is the company a party to joint ventures, consortia or strategic alliances?
9. M&A history in the last 10 years (acquisitions, disposals, mergers).

E. Real Estate and Related Documents

1. List of properties.
2. Extracts from land and mortgage registers, maps, site drawings.
3. Extracts from land records (with map excerpt) and building registers.
4. List of properties encumbered with mortgages or lease agreements.
5. Administrative decisions related to real estate (including zoning conditions).
6. Construction documentation (building permits etc.).
7. Occupancy permits.
8. Current list of lease and tenancy agreements.
9. Information on properties with unresolved legal status / board declaration that none exist.
10. Building object registers.
11. Has the company received public aid (COVID relief, PFR grants, furloughs)? Settlement status and possible repayment risks.

F. Commercial Contracts

1. Current summary of commercial contracts with counterparties (key terms, durations, termination options, penalties).
2. List of the top 10–20 largest counterparties in the last year (name, % revenue, length of relationship).
3. Does the company keep a central contract register? If so:
   • format: electronic / paper / hybrid;
   • repository location (DMS, SharePoint, OneDrive, other) and access levels;
   • metadata stored (counterparty, signing date, expiry date, termination terms, responsible person, key clauses).
4. Are there standard contract templates approved by legal? Provide examples and versioning.
5. Contract circulation and approval procedures (who approves, escalation path, e-signature vs handwritten signatures).
6. Contract archiving policy — retention periods by contract type, destruction/archiving rules and evidentiary duties for electronic contracts.
7. Is the contract register audited or reviewed (who and how often)? Please provide the latest report.
8. Procedures for managing contract changes (amendments, renegotiations) and monitoring notices/automatic renewals.
9. Do all contracts include data protection and data transfer clauses (if applicable)?

G. Banks and Financing

1. Summary of credit/loan agreements with financial parameters.
2. Summary of lease agreements with parameters.
3. Overview of security provided to financiers (pledges, assignments, transfers of ownership).
4. Summary of bank account agreements.
5. Summary of banking services and products (cards, collections, factoring).
6. List of loans received by the company (parameters).
7. List of loans granted by the company (parameters).
8. Any contingent liabilities (potential penalties, employment claims)?

H. Environmental Protection and ESG

1. List of emission sources.
2. Permits and administrative decisions concerning environmental protection (protected zones).
3. Information on waste generation and disposal methods.
4. Costs related to environmental use for the last 3 years.
5. Information on contamination or land remediation risk.
6. Information on properties containing asbestos (area in m2), if applicable.
7. Are there renewable energy installations (which)?
8. Main sources of electricity consumption identified?
9. Does the company operate renewable installations (what, capacity, commissioning date)?
10. Has the company calculated CO₂ emissions Scope 1, 2 and 3 for the last 3 years?
11. Does the company have an ESG or sustainability strategy/policy?
12. Will the company be subject to CSRD from 2025/2026 and have preparations begun?
13. Diversity and equality policy (gender pay gap, % women in management and leadership roles).

I. Grants and Public Aid

1. Is the company currently a beneficiary of grants?
2. Does the company participate in grant programs?
3. Are there obligations tied to grants?
4. Did the company receive COVID-era aid? Settlement status.

J. Policies and Insurance

1. Current list of policies and insurance with coverage amounts.
2. Does the company have cyber risk insurance?
3. Does the company have D&O insurance?

K. Disputes and Proceedings

1. List of enforcement proceedings (company as debtor/creditor).
2. List of court cases involving the company.
3. List of administrative proceedings involving the company.

L. Taxation and Tax Optimizations (2025)

1. Tax structure of the group (including foreign subsidiaries and holdings).
2. Does the company use tax incentives (R&D, IP Box, Estonian CIT, SEZ, robotics relief, prototyping relief)?
3. Transfer pricing documentation for the last 3 years + any APA.
4. Is the company a WHT payer on cross-border payments (interest, royalties, services)?
5. Tax and customs audits in the last 5 years – results and status of disputes.
6. Does the company use any tax optimization schemes (intra-group or external)?
7. Is the company VAT-registered in other EU countries (OSS/IOSS)?

M. Subsidiaries / Affiliates

1. Current registry extracts for subsidiaries.
2. Financial statements of subsidiaries for the last three years.

N. Accounting — Documents and Analyses

1. Financial statements for the last three years.
2. Trial balance and turnover listings with analytics for the last three years.
3. Chart of accounts.
4. JPK files (CSV) for the last three years and the current year.
5. Fixed assets listing by groups.
6. Fixed assets under construction list with progress and last inventory reconciliation.
7. Information about write-downs on inventory.
8. Summary from the warehouse system.
9. Inventory age structure.
10. Work in progress listing.
11. Receivables listing.
12. Allowances for receivables with commentary.
13. Receivables aging structure.
14. Long-term liabilities listing with payment dates.
15. Liabilities in foreign currencies listing.
16. Short-term liabilities with aging.
17. Declarations affecting tax liabilities.
18. Overdue liabilities listing.
19. Current-year cash flow and financial plan.
20. Off-balance sheet liabilities listing.
21. Insurance contracts listing.
22. Current certificates of no arrears to social and tax authorities.
23. External audits/inspections information (date, scope, findings).
24. Property tax declarations for the prior year and municipal certificates.
25. Register of accounting/financial agreements (loans, leases, factoring) — location, metadata, retention period.
26. Procedure for storing accounting documents electronically (DMS usage, scan storage, OCR policy, linkages to accounting entries).

O. Employment and HR

1. Salary and remuneration rules (including management, sales incentive systems).
2. Work regulations, remuneration regulations, social benefits rules.
3. Standard employment contract template and B2B contract template.
4. Contracts with board members and key managers (non-compete clauses, severance, golden parachutes, transaction bonuses).
5. Are there incentive programs based on shares/phantom shares/options?
6. Number of employees reaching retirement in the next 5 years.
7. Number of employees in special/hazardous conditions.
8. Information on labor union agreements.
9. Organizational chart.
10. Anonymized employee list (net/gross salary, employment type, hire date, department).

P. Employee Training

1. Is there an L&D policy? Provide annual budget and allocation method.
2. Onboarding and mandatory training programs (HSE/RODO/specialist) — description and metrics (hours/person/year).
3. Register of key trainings (who completed, certificates, mandatory trainings for critical roles).
4. Procedures for measuring training effectiveness (surveys, KPIs, performance impact).
5. Competency development plan for the next 12–24 months (critical roles and hiring plan).

Q. Costs and Cost Control

1. How is cost information circulated internally?
2. Invoice approval procedure.
3. Cost recording procedures.
4. Cost breakdown with deep analytics.
5. Other operating income and costs specification.
6. Financial income and costs breakdown.

R. Market and Strategy

1. Industry growth prospects.
2. Observed market trends.
3. Opportunities and threats for the company.
4. Company’s market position.
5. Unique selling points versus competitors.
6. Research process for new market opportunities.
7. New product introduction process.

S. Sales

1. Description of the current sales process.
2. Has the sales process been changed recently?
3. Main sales channels (percentage split).
4. Is CRM used? If so — objectives and methodology.
5. Sales incentive policies — describe rules.
6. Goal-setting mechanism for sales.
7. Sales monitoring (performance vs target) — mechanisms described.
8. Sales budgets — creation process, limits and spending controls.
9. Product sales list for the last three years (preferably monthly) with: counterparty, product, quantity, list price, discount %, margin, currency, salesperson.

T. Production and Supply Chain

1. Information about used technological processes.
2. Production organization.
3. Quality control procedures.
4. R&D/project department information: organization, tools, investment needs.
5. Production work system.
6. Product recipes/formulations.
7. New product development process.
8. Cost of production analysis and use of these data.
9. Supply chain map for key raw materials/components (country of origin, % cost share).
10. Are there critical single-source suppliers and plans for diversification?
11. Safety stock levels and buffer policies.

U. Suppliers

1. Supplier relationships.
2. Dependence on specific suppliers and diversification possibilities.

V. Procurement

1. Is there a centralized procurement policy? Describe stages and approval limits.
2. Supplier catalog (KPIs, SLAs, framework agreements). List critical suppliers and risk assessments.
3. Use of framework agreements / master purchase orders? Provide copies and auto-renewal clauses.
4. Controls on procurement costs and approval thresholds.
5. Are tenders/RFx used (rules, documentation from last 24 months)?

W. Marketing — Websites and E‑commerce

1. Website URLs.
2. Website objectives and functions.
3. Description of user personas/segments.
4. Technology and maintenance model (in‑house vs outsourced).
5. Analytical tools used on the site (Google Analytics, Mixpanel, Hotjar, Amplitude).
6. Is integration via Google Tag Manager? If not — describe integration.
7. Defined events as conversions (form fills etc.).
8. Web analytics reports used by the company.
9. Is the site connected to Google Search Console and other tools (Bing, Yandex)?
10. Identified key phrases supporting company objectives.
11. Keyword monitoring process.
12. Results for keywords: average position (12/3 months), average impressions (12/3 months), average CTR (12/3 months).
13. SEO activities and campaign outcomes.
14. Are product development and formulation tasks done internally or by external firms?
15. SEM activities (Google Ads, Facebook Ads) — description.
16. Defined Google/Facebook audiences?
17. E‑commerce site URLs.
18. Product descriptions and personas.
19. Platform technology (open source / proprietary).
20. Analytics tools used for e‑commerce.
21. Integration via Google Tag Manager — yes/no and details.
22. Is the e‑commerce site connected to Search Console and other tools?
23. SEO for e‑commerce — description.
24. Conversion events (add-to-cart, purchase) — how implemented.
25. SEM activities for e‑commerce — description.
26. Google/Facebook Audiences — are they defined?
27. Marketing Automation for newsletters — tools and metrics (volume, avg CTR, avg conversion % and revenue).
28. Fields/tags for mail records.
29. Marketing Automation in ad campaigns (CPC, CPA) — tools and usage assessment.
30. Integrations with marketplaces (e.g., Allegro) and integration tools.
31. Procedure for e‑commerce cost analysis.
32. Are customer e‑commerce data synchronized with CRM?
33. ROAS, CAC, LTV averages for last 24 months (if tracked).
34. Share of marketplace sales and commission costs.
35. Social media activities (organic + paid) — platforms, budgets, outcomes.

X. Marketing Budgets

1. Annual marketing budget — breakdown by channel.
2. Budget approval process and review cycle.
3. Campaign ROI reports: metrics used (ROAS, CAC, LTV) and availability for last 12–24 months.
4. Budget for tests/experiments (A/B, pilots) — amount and success criteria.
5. Agreements with agencies/outsourcers + SLA/settlement terms.

Y. Technology and Cybersecurity

1. IT systems and solutions used (ERP, CRM, WMS, MES etc.).
2. Use of SaaS/cloud solutions — list and costs.
3. Own IT solutions (purpose, technologies, documentation, inline code comments).
4. GDPR implementation — record of processing activities, policies, last DPIA.
5. Last IT security audit / penetration test — copy of report.
6. Certifications (ISO 27001, SOC 2 etc.).
7. Is the company an operator of a critical service under national cyber security law (NIS2)?
8. Number and nature of GDPR/incidents/data breaches in last 3 years.
9. Does the company use AI/ML in processes or products?
10. Inventory of AI/ML models (name, business purpose, deployment date, status: prod/test/PoC).

Z. Software

1. Complete inventory of software and licenses (name, version, license, owner, expiry, annual cost).
2. Code repositories and access (GitHub/GitLab/Bitbucket/on‑prem) — access policy, backups, CI/CD.
3. SaaS agreements and SLAs.
4. Open source dependencies and management policy (vulnerability scanning, OSS licenses).
5. Patch and update policy and schedules.
6. Is there technical documentation (architecture, integration diagrams, API specs)?

AA. AI and ML

1. Does the company train its own AI/ML models or use external solutions (OpenAI, Google Vertex, Azure, Hugging Face)?
   – If training own models:
   a) size and type of training datasets (anonymized / not, owned / external, size in GB/TB),
   b) do training datasets contain personal or sensitive data (if so — describe anonymization/pseudonymization procedures),
   c) where training data are stored/processed (on‑prem/cloud/private).
2. Infrastructure for training and serving models (own GPUs/TPUs, cloud rentals — AWS/GCP/Azure/OVH; estimated monthly/yearly cost).

AB. DMS and Data Retention Policy

1. Is there a documented data retention policy? Provide retention periods by data category (accounting, personal, contractual, analytics).
2. Where production data and documents are stored (on‑prem/cloud/provider; indicate regions/data centers).
3. Backup procedures and retention (frequency, retention periods, DR test reports) — include DR policies/reports.
4. Data encryption in transit and at rest; key management policy.
5. IAM policy — account lifecycle procedures, access logging and permission audits.
6. Who oversees retention/DMS policy (role) and audit schedule?

AC. GDPR and Data Privacy

1. Location and version of the Record of Processing Activities (ROPA) — responsible person and update date.
2. Anonymization/pseudonymization policy — procedures and examples.
3. Procedures for handling data subject requests (access/erasure) — number of requests in last 24 months.
4. Does the company use large language models (LLMs) like GPT‑4, Claude, Llama, Mistral, Gemini? If so — in what use cases and what is the monthly API/token cost.
5. Are AI/ML solutions critical to competitive advantage or significant revenue? Estimate %.
6. Does the company own IP rights to trained models, weights, or outputs (fine‑tuned models, RAG, embeddings)?
7. Has an AI risk assessment been performed per EU AI Act (risk classification)?
8. Is there an ethics policy for AI use (bias mitigation, explainability, human oversight)?
9. Is there insurance for AI/ML risks (model errors, copyright issues in training)?
10. AI/ML development plans for next 24 months (projects, budget, hiring).
11. AI/ML team — number of specialists and roles.
12. Is there potential to monetize datasets or models (selling APIs, licensing)?
13. If all AI/ML stopped tomorrow — estimated impact on revenues/costs next 12 months (PLN and %).
14. Does the company have datasets or models that could be licensed or sold as standalone products?

AD. Operations and Oversight

1. Operational planning — budgeting and strategy processes.
2. Does the board/owners set targets (sales, optimization) and how are they monitored?

AE. Investments and M&A

1. Planned CapEx in next 3 years — schedule and cost estimate.

2. Alternative M&A scenarios being considered by owners (sale, acquisition, merger).

3. Planned CapEx in next 3 years — schedule and cost estimate.

4. Alternative M&A scenarios being considered by owners.