M&A Due Diligence Process: Complete Step-by-Step Guide for 2025

Written for first-time and repeat dealmakers who want a practical, end-to-end playbook. Friendly, but firm—like your most prepared colleague walking you through the room.

Why read this now

Diligence hasn't changed in spirit—test the story, quantify the risk, price it into terms—but 2025 adds new guardrails and tripwires. You're screening not just for revenue quality and legal exposure; you're proving cybersecurity governance against modern standards, and you're reconciling a fast-moving patchwork of state privacy laws that materially changes reps, covenants, and integration plans. Learn more about NIST Cybersecurity Framework 2.0.

If you only remember three things:

  1. Make the deal thesis falsifiable. Write down the assumptions you intend to kill or confirm in diligence.
  2. Sequence access with intent. Stage the data room, stage the questions, stage the people.
  3. Translate findings into terms. Every red/yellow flag should map to valuation, structure (escrow, R&W insurance, earn-out), or a pre-close covenant.

The 2025 diligence landscape (what's new)

  • Cyber governance is now table stakes. NIST's Cybersecurity Framework 2.0 added a Govern function; buyers increasingly test board-level oversight and program maturity—not just control lists. Expect targeted questions and specific reps.
  • Public-company buyers face hotter disclosure pressure. SEC rules require prompt current reports of material cyber incidents and expanded annual disclosures of risk management and oversight—your diligence notes may feed disclosure controls and procedures.
  • US privacy law is a moving target. Nineteen states now have comprehensive privacy laws, with more taking effect through 2025–2026. Validate applicability, exemptions, dark-pattern prohibitions, and data-broker obligations; surface remediation costs early. Track updates with the IAPP State Privacy Law Tracker.

The diligence arc: six phases you can actually run

Phase 0 — Pre-LOI “sniff test” (1–2 weeks)

Goal: Pressure-test the thesis cheaply. Do:

  • Management calls (unit economics, moat, churn, cohort health).
  • Public/desk diligence (market size, customer sentiment, regulatory headwinds).
  • Light document review (top 5 customers & contracts, gross margin bridge, org chart).

Outcome: Clear red flags list; LOI gating items and exclusivity terms.

Phase 1 — Launch & mobilize (week 1)

Goal: Set the playing field. Do:

  • Agree on scope, timeline, and decision gates.
  • Circulate the request list and VDR structure (see due diligence checklist below).
  • Establish Q&A etiquette and points of contact.

Outcome: Calendar locked; data room live; trackers and responsibilities assigned.

Peony in practice: Stand up a clean, branded data room with granular access and NDAs gated at the door; require passwords/2FA, and use link expiry for sensitive folders. Enable dynamic watermarks and screenshot protection for crown-jewel docs. If access needs to be tightened, revoke links instantly. Use page-by-page analytics to see where buyers actually spend time so you can pre-empt questions. Learn more about virtual data room features for M&A.

Phase 2 — Core diligence (weeks 2–4)

Goal: Validate financial performance, legal posture, and commercial durability. Do:

  • Financial: Quality of Earnings (QoE), revenue recognition, cohort and contribution margins, working capital profile to set the peg, tax exposures.
  • Legal: Cap table & authorization, charter and investor rights, change-of-control and assignment restrictions, litigation and claims, IP ownership, privacy/cyber compliance.
  • Commercial: Market structure, pipeline quality, retention/churn, pricing power, top-10 customer concentration and terms.
  • People & HR: Comp bands, benefits, key person risk, visa/immigration, misclassification.
  • Technology & Security: Architecture, third-party dependencies, incident history, logging/monitoring, patch cadence, security roadmap, and governance against NIST CSF 2.0.

Outcome: Updated risk register; initial legal markups; peg and net debt definitions taking shape.

Phase 3 — Deep dives & confirmatory (weeks 4–6)

Goal: Kill remaining unknowns; tie findings to terms. Do:

  • Confirmatory diligence on historical accuracy and forward assumptions (e.g., backlog convertibility, pipeline hygiene, seasonality).
  • Negotiate reps/warranties (with specific attention to cyber/privacy) and remedies; size escrows or price chips as needed. R&W insurance underwriters often act as a second set of eyes on diligence sufficiency.

Outcome: "No-surprises" memo; term sheet redlines that reflect reality.

Phase 4 — Financing & closing mechanics (weeks 6–8)

Goal: Convert diligence into executable closing steps. Do:

  • Finalize working capital peg and purchase price adjustment mechanics.
  • Resolve consents (customers, landlords, lenders), third-party approvals, and any regulatory filings.
  • Prepare disclosure schedules and bring-down certificates.

Phase 5 — Day-1 readiness & integration handoff

Goal: Avoid value leakage after signing. Do:

  • Day-1 communications, systems access, TSA (if carve-out), payroll and benefits continuity.
  • Security hardening items discovered in diligence become Day-1/Day-30/Day-90 actions.

Workstream playbooks (what an advisor actually wants to see)

Below is the short list you’ll request and the reason you’re asking—so management understands the “why,” not just the “what.”

Financial (incl. tax)

Ask for:

  • Monthly financials (36 months), by segment/product and by customer where relevant; cohort views for SaaS.
  • Revenue recognition policies; billings vs. GAAP revenue waterfall.
  • Customer-level gross margin and contribution margin; CAC/LTV proofs if subscription.
  • AR aging, inventory turns, accruals; NWC seasonality to inform the peg.
  • Tax returns, NOLs, nexus; sales/use tax exposure.

You're looking for: durable margin mechanics, capital intensity, and any "adjusted EBITDA" that won't survive integration. NWC peg math avoids post-close disputes.

Legal (corporate, contracts, IP, litigation)

Ask for:

  • Charter, bylaws, cap table; consents required for the deal.
  • Top 50 customer & vendor contracts with change-of-control and MFN/pricing triggers; assignment rights.
  • IP assignment chain (employees/contractors/inventors), open-source scan results, licensing.
  • Pending or threatened claims; regulatory correspondence.

You're looking for: blockers to closing, margin leakage from downside clauses, IP gaps that will stall product roadmaps.

Technology & cybersecurity

Ask for:

  • Architecture and hosting model; system data flows and data inventory.
  • Security program docs mapped to NIST CSF 2.0, pen-test summaries, incident register, third-party risk management, backups/DR, access controls.
  • Privacy notices, DPIAs, DSAR metrics, DPA templates; state-law compliance posture and enforcement history.

You're looking for: governance maturity (board visibility, policies enforced), latent breach risk, and the cost to close gaps that could become SEC-visible for public buyers.

Commercial (market & customers)

Ask for:

  • Pipeline by stage with win/loss notes; bookings by cohort; churn and expansion drivers.
  • Top-10 customers: pricing, indexation, termination rights, change-of-control exposure.
  • Market share and competitor win/loss narratives.

You're looking for: how growth really happens, concentration risk, and where pricing power will, or won't, stick.

People & HR

Ask for:

  • Org chart, compensation grids, variable comp plans, offer templates, PII handling.
  • Immigration/visa status; any union, co-employment, or misclassification issues.
  • Retention/Stay-bonus plan for key talent.

Environmental/Operations (as relevant)

Ask for:

  • Facility list, permits, EHS reports, supply contracts, logistics KPIs.
  • Any environmental liabilities or remediation.

The diligence request list (core) — buyer & seller view

Use this as your starter list (trim or expand per deal). It matches a standard VDR room structure so you can import quickly.

  1. Corporate & Cap Table – formation docs; equity issuances; consents required.
  2. Financials – auditeds, monthlies, KPIs; revenue waterfalls; NWC schedules; debt.
  3. Tax – returns (federal/state), nexus, sales/use exposure, audits.
  4. Commercial – top 50 customers and top 50 vendors; pricing & rebates; channel/partner contracts.
  5. Legal – litigation, claims, compliance correspondence; licenses/permits.
  6. Technology & Security – architecture, third-party list, incidents register, pen tests, policies mapped to NIST CSF 2.0.
  7. Privacy & Data – privacy notices, DPAs, data maps, DSAR metrics; state-law coverage summary and monitoring approach.
  8. IP – patents, trademarks, copyrights, trade secret processes; OSS reports.
  9. HR – org chart, comp & benefits, contractor agreements, immigration status.
  10. Real Estate – leases, deeds, encumbrances; CoC and assignment clauses.
  11. Regulatory – sector-specific approvals; filings and exam history.
  12. Environmental/EHS – permits, audits, remediation.

Seller tip: Hosting this in Peony makes it simple to grant staged access (e.g., Tier 1 "teaser" rooms vs. Tier 2 sensitive folders) and to protect crown-jewel docs with NDA gates, passwords/2FA, time-limited links, dynamic watermarks, and screenshot prevention. You can revoke any link in a click and watch per-page analytics to anticipate buyer questions. See our M&A data room setup guide for detailed implementation.

Translating findings into deal terms (where diligence pays)

  • Working capital peg & purchase-price adjustments. Use historical seasonality and normalized operations to set the peg; define included/excluded items precisely. Learn more about working capital adjustments in M&A.
  • Representations & warranties (R&Ws). Expect sharper cyber/privacy reps (incidents, controls, law compliance). Findings drive caps, deductibles, and survival periods. See our M&A process guide for more on deal structuring.
  • R&W insurance. In middle-market deals, insurers' underwriting serves as an external diligence check and can validate sufficiency of your workstreams.
  • Covenants & special indemnities. Use pre-close remediation covenants for security/privacy gaps; special indemnities for discrete known risks.

How to run the Q&A like a pro

  • Bundle questions. Weekly “packs” by workstream reduce churn and protect mgmt time.
  • Make each question actionable. Include the business “why,” acceptable forms of evidence, and a due date.
  • Stage access. Don't flood the buyer; unlock sensitive folders only when necessary (and watermark/screenshot-protect them).
  • Record decisions. Every closed issue should map to valuation, terms, or integration.

Red flags worth pausing for

  • Customer concentration + change-of-control consent exposure in the same top account set.
  • A security program that is immature against NIST CSF 2.0, with weak incident logging—and any prior unreported event in a public-company sale path (SEC scrutiny risk).
  • Privacy posture mismatched to operating footprint (e.g., state-law conflicts or data-broker obligations without controls).
  • Working capital whiplash around quarter-ends or add-backs that vanish Day-1.

Seller-side readiness in one afternoon

If you're the seller, a quick win is turning your existing folders into a buyer-friendly room:

  1. Mirror the 12-section structure above; park anything "nuclear" in a Tier-2 folder.
  2. Gate the room with NDA + password/2FA and expire links to dated drafts.
  3. Apply dynamic watermarks and screenshot protection to term-sensitive items.
  4. Create separate links per bidder; if one leaks, you'll know which one. Revoke instantly.
  5. Watch page-level analytics to pre-empt follow-ups and plan management time.

Peony does all of the above cleanly without heavy admin overhead—and without over-promising features you don't need to run a tight process. For startups, see our best data room apps for startups guide. For investment banking deals, check out our investment banking data room setup.

A 30-day diligence calendar (template)

Week 1 — Kickoff, scope, room live; financials & top contracts in; first Q&A pack out.

Week 2 — QoE workstreams deep; cyber/privacy package; customer interviews begin.

Week 3 — Red-flag review; initial markups; peg draft; R&W/insurance indications.

Week 4 — Confirmatory tests; close open items; translate findings to terms and Day-1 plan.

Final word

Diligence is a translation exercise: turn ambiguity into a price, a protection, or a plan. If you keep the thesis sharp, the calendar disciplined, and the room secure and readable, you'll avoid the time sinks that kill deals—and you'll look composed doing it. Peony helps you present well, protect what matters, and see where buyers think the story is thin. That's the edge.