Due Diligence Data Room Checklist: Complete Document Guide 2025

If you are new to due diligence, the most helpful thing you can do is make a single, organized place where reviewers can quickly understand your business without asking you to hunt for files.

That place is your due-diligence data room—a secure online workspace for collecting, sharing, and tracking sensitive documents during a transaction or review.

Established industry best practices converge on the same core categories and workflows, which is why a clear structure helps every use case, from M&A to fundraising, lending, partnerships, and vendor risk reviews.

With Peony, you get an AI-native data room that makes organizing and sharing these documents effortless.

What is different in 2025 (and why your room should reflect it)

Two forces now shape both what you include and how you share it.

First, the NIST Cybersecurity Framework 2.0 (released in February 2024) gives buyers a common language for assessing security governance: its new Govern function sits alongside Identify, Protect, Detect, Respond, and Recover, so expect targeted questions about policies, accountability, risk ownership, and incident handling.

Second, the SEC's 2023 cybersecurity disclosure rules require public companies to report a material cybersecurity incident on Form 8-K within four business days of deciding it is material, and to describe their cyber risk management and governance in annual filings. A listed buyer inherits your incidents and your disclosure obligations at close, which raises the bar for how clearly you document your security and privacy posture.

If your business touches personal data in multiple states, the expanding U.S. state privacy laws landscape also means reviewers will look for the basics: where personal data lives, who processes it, and what contracts govern it.

How to use this guide

  1. Start with the Core Folder Map below.
  2. Populate the Complete Checklist for each folder, using the “why it matters” line to keep explanations clear for first-time reviewers.
  3. Add the Use-Case Overlays that match your situation (M&A, fundraising, lending, partnerships/JVs, vendor diligence, or real estate/asset sales).
  4. Share in stages and apply simple security controls so you can grant, expire, and revoke access without drama.

Core Folder Map (works across most deals)

Create these top-level folders so reviewers can predict where things live:

00_Intro & Process
01_Corporate & Cap Table
02_Financials & KPIs
03_Tax
04_Legal & Key Contracts
05_Customers & Revenue
06_HR & Payroll
07_IP & Technology
08_Security & Privacy
09_Product & Operations
10_Regulatory & Compliance
11_Litigation & Claims
12_Insurance
13_Real Estate & Facilities
14_ESG / Environmental (if relevant)
99_Confirmatory / Disclosure Schedules (gate until late-stage)

This map follows industry-standard organization that reduces back-and-forth because reviewers recognize the structure. Peony makes it easy to set up this exact folder structure with just a few clicks.

Use a consistent file name like YYYY-MM Topic – Counterparty – vN.pdf. When a document is corrected, replace the file in place rather than uploading a near-identical copy with a slightly different name; reviewers should never have to guess which version is current.

For more detailed guidance on folder organization, see our data room folder structure guide.

The Complete Checklist (what to upload—and why it is asked)

Each line tells you what to include and why buyers ask. The "why" is what cuts repeat questions.

For a comprehensive overview of the entire due diligence process, check out our M&A due diligence process guide.

01) Corporate & Cap Table

  • Include: formation documents, bylaws/operating agreement and amendments, current and fully diluted cap table, stock plan and grants, board/stockholder consents, subsidiary list, good-standing certificates.
  • Why it matters: reviewers confirm authority to transact, true ownership, and any approvals needed to close without last-minute surprises.

Peony provides built-in templates for corporate documents, making it easy to organize formation documents, bylaws, and cap tables.

02) Financials & KPIs

  • Include: audited or reviewed financials (3–5 years if available), monthly P&L/BS/CF for 24–36 months, revenue waterfall (how billings reconcile to GAAP revenue), AR/AP aging, SaaS cohorts and retention where relevant, gross-margin and contribution-margin builds, and a forecast with explicit assumptions.
  • Why it matters: this set validates earnings quality, trend durability, seasonality, and forecast realism in a way that lets buyers price risk rather than guess.

Peony offers advanced analytics to track which financial documents reviewers spend the most time on, helping you prioritize follow-up discussions.

03) Tax

  • Include: federal, state, and (if applicable) international returns (3–5 years), schedules for NOLs/credits, sales and use tax filings, a nexus analysis (which states/countries you owe taxes in), and audit/exam correspondence.
  • Why it matters: clean tax posture avoids price chips and closing delays; showing filings and correspondence makes potential liabilities explicit.

04) Legal & Key Contracts

  • Include: top customer agreements, top vendor/MSP contracts, standard terms (your MSA or online ToS/EULA), debt agreements and leases, liens/UCCs. Flag clauses on change of control (consent required if the company is sold) and assignment (whether contracts can be transferred).
  • Why it matters: reviewers test whether revenue or supply could be interrupted by the deal and whether any terms could erode margin post-close.

05) Customers & Revenue

  • Include: customer list with ARR/MRR and term, concentration view (top 10/20), renewal calendar (next 12–24 months), pricing and discount policy, pipeline by stage with simple win/loss notes.
  • Why it matters: this answers three questions quickly—how concentrated is revenue, how predictable are renewals, and where growth will realistically come from.

06) HR & Payroll

  • Include: org chart and headcount table, employment and contractor templates, key executive agreements, compensation bands, variable pay plans, immigration status where relevant, benefits summary, and a brief history of claims/complaints.
  • Why it matters: buyers look for key-person risk, misclassification, and the true cost to retain and scale your team.

07) IP & Technology

  • Include: IP assignments (founders/employees/contractors), registrations (patents, trademarks, copyrights), open-source (OSS) disclosures, high-level architecture, major third-party dependencies.
  • Why it matters: reviewers confirm you own what you sell and that the technology stack is maintainable without unexpected license gaps or brittle dependencies.

08) Security & Privacy

  • Include: security policies, a short description of access control and change management, summaries of incidents and remediation, backup/DR notes, privacy notices, a simple data map (what personal data you collect and where it lives), and data-processing agreements with vendors.
  • Why it matters: governance now matters as much as control lists. NIST CSF 2.0 formalized Govern alongside Identify/Protect/Detect/Respond/Recover, and a public buyer must be able to assess, within days of a material incident, what happened and what it must disclose under the SEC's cyber-disclosure rules, so your incident history and response process need to be legible, not just present.

If you operate in multiple U.S. states, reviewers will check how you comply with differing state privacy laws.

09) Product & Operations

  • Include: product overview and roadmap, recent release notes, customer SLAs and support processes, business continuity plans, and critical vendor SLAs.
  • Why it matters: this gives a realistic view of near-term deliverables, support obligations, and operational resilience before anyone commits to an integration plan.

10) Regulatory & Compliance

  • Include: required licenses/permits, examination reports and responses, and any active remediation plan.
  • Why it matters: reviewers need clear approval timelines and to understand whether staying compliant will require new systems or staffing.

11) Litigation & Claims

  • Include: list of pending or threatened matters, settlement agreements, and any subpoenas/notices.
  • Why it matters: legal teams quantify tail risk and plan disclosures or special indemnities rather than discovering issues during confirmatory checks.

12) Insurance

  • Include: D&O, cyber, E&O, GL, property policies; coverage summaries; claims history.
  • Why it matters: insurance can transfer identified risks or reduce the scope of indemnities; seeing coverage early keeps terms practical.

13) Real Estate & Facilities

  • Include: leases and amendments, required consents/estoppels, and deeds/encumbrances if you own property.
  • Why it matters: this confirms obligations that survive the deal and any permissions needed to keep operating without disruption.

14) ESG / Environmental (if applicable)

  • Include: environmental permits, audits, and any remediation plans; supplier ESG commitments if they affect your operations or brand.
  • Why it matters: where exposure is material, buyers want to price long-term operating risk with eyes open.

Confirmatory (gated until late-stage): keep highly sensitive schedules attached to the definitive agreement and any items that identify individual employees or customers in 99_Confirmatory; release them only when you are close to signing and both sides are aligned on terms. This staged approach is standard and keeps negotiations focused.

Use-Case Overlays (what changes by scenario)

You can keep the same folder map and simply add a few documents that fit the situation.

For more specific guidance on different transaction types, see our virtual data room complete guide.

  • M&A (buy- or sell-side): add a short "deal thesis" note, the list of change-of-control consents, and a working-capital schedule so mechanics are easy to discuss. Expect a high volume of structured questions; large providers note hundreds of Q&A items on typical projects. Peony includes built-in Q&A management tools to streamline this process.
  • Fundraising (VC/PE): add board decks for the last 6–8 quarters, key product metrics, and a concise "use of proceeds" page so investors can connect the dots from plan to capital needs.

For startup-specific guidance, see our data room for investors guide and startup due diligence checklist.

  • Lending / Credit: add debt covenants, compliance certificates, borrowing base (if applicable), and collateral schedules so lenders can underwrite quicker. (Your existing Financials/Tax folders carry most of the weight.)
  • Partnerships / JVs: add a simple responsibilities matrix, IP ownership rules for joint work, and success metrics so both sides can judge feasibility before signing.
  • Vendor / Third-Party Risk Reviews: add a security one-pager mapped to NIST CSF 2.0 functions, your privacy notices and data map, and a current sub-processor list. Many reviewers use the elements common to the U.S. state privacy laws (privacy notice, data inventory, processor contracts, handling of consumer access and deletion requests) as a checklist proxy, so have each of those ready.
  • Real estate / Asset sales: add asset lists, condition reports, inspections, and service contracts that survive transfer. Your Real Estate & Facilities folder becomes the primary focus.

Sharing Safely: a simple, staged approach

Instead of giving everyone everything, stage access: an early view with company overview and headline metrics, a shortlist view with contracts and detailed financials, and a confirmatory view right before signing.

This approach lets serious reviewers move quickly while you keep control of sensitive information.

On Peony, you can mirror that flow directly—without extra admin work:

  • Share password-protected links, and require two-factor authentication (2FA) when you need to know who is actually viewing; a password on a shared link proves only that someone has the password, not who they are.
  • Set link expiry so access ends on schedule, and revoke access instantly if the process changes; an expiring link that cannot be revoked is only half a control.
  • Apply dynamic watermarks (viewer identity and time on every page) and screenshot protection to discourage leaks. Neither stops a phone camera pointed at a screen, so treat them as a deterrent and an attribution trail, not as a guarantee.
  • Require an NDA gate before anyone enters the room when needed.
  • Use page-by-page analytics to see what reviewers actually read so you can prioritize questions and meetings.

Those are live, documented Peony capabilities: dynamic watermarks, screenshot protection, page-level analytics, password protection, link expiry, NDA protection, custom branding, create/revoke links, update files after send, and 2FA for shared files.

You get practical control without complicated setup. For a complete feature comparison, see our virtual data room feature checklist.
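The grant/expire/revoke flow described above is easy to get subtly wrong (expiry checked but revocation forgotten, or an unmapped folder falling open by default). As an added illustration, not Peony's code or anything the page documents, here is a minimal model of staged share links: each link is a signed capability carrying the viewer, the stage, and an expiry; revocation is a server-side denylist; folders not assigned to a stage are denied. The folder names, stage names, viewer identities, and the signing key are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Staging tiers from the article: early < shortlist < confirmatory.
STAGE_RANK = {"early": 1, "shortlist": 2, "confirmatory": 3}

# Constructed folder map: minimum stage needed to open each top-level folder.
# Anything not listed here is denied (default deny, never default open).
FOLDER_STAGE = {
    "00_Intro & Process": "early",
    "02_Financials & KPIs": "shortlist",
    "04_Legal & Key Contracts": "shortlist",
    "99_Confirmatory / Disclosure Schedules": "confirmatory",
}


class DataRoom:
    """Hypothetical access model: stateless signed links plus a revocation list."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._revoked: set[str] = set()

    def _sig(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def grant(self, viewer: str, stage: str, ttl_seconds: int,
              now: Optional[int] = None) -> str:
        """Issue a link bound to one viewer, one stage, and an absolute expiry."""
        if stage not in STAGE_RANK:
            raise ValueError(f"unknown stage: {stage}")
        if "|" in viewer:
            # The separator must not appear in a claim, or the payload is ambiguous.
            raise ValueError("viewer id may not contain '|'")
        now = int(time.time()) if now is None else now
        payload = "|".join([secrets.token_urlsafe(12), viewer, stage,
                            str(now + ttl_seconds)])
        return payload + "|" + self._sig(payload)

    def revoke(self, link: str) -> None:
        """Revocation is by link id, so it works even before the link expires."""
        self._revoked.add(link.split("|", 1)[0])

    def can_view(self, link: str, folder: str, now: Optional[int] = None) -> bool:
        """Every check must pass; any failure is a denial."""
        try:
            link_id, viewer, stage, exp, sig = link.split("|")
        except ValueError:
            return False
        payload = "|".join([link_id, viewer, stage, exp])
        # Verify integrity first so tampered claims are never trusted.
        if not hmac.compare_digest(self._sig(payload), sig):
            return False
        if link_id in self._revoked:
            return False
        now = int(time.time()) if now is None else now
        if now >= int(exp):
            return False
        required = FOLDER_STAGE.get(folder)
        if required is None:
            return False
        return STAGE_RANK.get(stage, 0) >= STAGE_RANK[required]

    def watermark(self, link: str, now: Optional[int] = None) -> str:
        """Text to stamp on each rendered page: who, which link, and when."""
        link_id, viewer, *_ = link.split("|")
        now = int(time.time()) if now is None else now
        stamp = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(now))
        return f"{viewer} | link {link_id} | {stamp}"


if __name__ == "__main__":
    room = DataRoom(b"constructed-demo-key-do-not-reuse")
    link = room.grant("reviewer@buyer.example", "shortlist", ttl_seconds=7 * 24 * 3600)
    print(room.can_view(link, "02_Financials & KPIs"))   # True
    print(room.can_view(link, "99_Confirmatory / Disclosure Schedules"))  # False
    room.revoke(link)
    print(room.can_view(link, "02_Financials & KPIs"))   # False
```

The two design points worth copying into any real setup are the order of checks (signature before anything else, so a tampered stage or expiry is never consulted) and the default-deny folder map, which means a newly created folder is invisible until you decide which stage may see it.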

Common pitfalls (and easy fixes)

  • Dumping drafts and duplicates. Replace files rather than uploading new versions with similar names, and add a one-page "what's here / why it matters" note at the top of each folder to guide first-time reviewers.
  • Over-sharing too early. Keep individual-identifying and disclosure-schedule material in the confirmatory folder until the deal is mature.
  • Weak security hygiene. Use passwords + 2FA, time-limited links, and watermarking, and revoke access as soon as a party drops out rather than waiting for links to expire; these are baseline VDR practices in 2025.

Copy-paste starter list (compact view)

  • Corporate: charter/bylaws, amendments, cap table, board/stockholder consents, subsidiary list.
  • Financials: audited/reviewed FS, monthlies (24–36 mos), revenue waterfall, AR/AP aging, unit-economics/CAC-LTV (if SaaS), forecast and assumptions.
  • Tax: returns (3–5 yrs), NOLs/credits, sales/use filings, nexus, audit correspondence.
  • Legal & Key Contracts: top customers/vendors, standard terms, debt/leases, liens/UCCs; mark change-of-control/assignment.
  • Customers & Revenue: ARR/MRR by customer, concentration, renewal calendar, pricing policy, pipeline and win/loss notes.
  • HR & Payroll: org chart, employment/contractor templates, executive agreements, comp bands, variable pay plans, immigration, benefits, claims.
  • IP & Technology: IP assignments/registrations, OSS disclosures, architecture, major third-party dependencies.
  • Security & Privacy: policies, incident summaries, access control overview, backup/DR, privacy notices, data map, vendor DPAs.
  • Product & Operations: roadmap, release notes, SLAs/support processes, continuity plans, critical vendor SLAs.
  • Regulatory & Compliance: licenses/permits, exam reports, remediation plans.
  • Litigation & Claims: pending/threatened, settlements, subpoenas/notices.
  • Insurance: D&O, cyber, E&O, GL, property; coverage summaries; claims history.
  • Real Estate & Facilities: leases/amendments, consents/estoppels, deeds/encumbrances (if owned).
  • ESG/Environmental (if relevant): permits, audits, remediation plans.

These categories align with long-standing legal and provider checklists, so you can set up with confidence even if this is your first diligence process.

Final thought

A great data room is not the one with the most files; it is the one where a reviewer can form a clear, defensible view of your business without getting lost.

If you use the folder map above, explain briefly why each document is present, and share in stages with sensible safeguards, you will look prepared and you will keep control.

If you want a fast, professional setup with simple, trustworthy controls—Peony gives you branded data rooms, dynamic watermarks, screenshot protection, passwords and 2FA, link expiry and revoke, NDA gates, and page-by-page analytics so you can see where attention is going and steer the process with confidence.

Why choose Peony over traditional data room providers?

  • AI-powered organization: Automatically categorize and tag documents
  • Real-time collaboration: See exactly what reviewers are viewing and when
  • Advanced security: Bank-grade encryption with customizable access controls
  • Seamless integration: Works with your existing workflow tools
  • Transparent pricing: No hidden fees or surprise charges

Get started with Peony today and experience the future of secure document sharing.
