Last updated April 25, 2026

What is a DDQ (due diligence questionnaire)?

A due diligence questionnaire (DDQ) is a structured assessment used to evaluate a third party before a business relationship starts. Buyers, investors, and procurement teams use DDQs to review financial stability, governance, legal compliance, operations, and security. DDQs are standard in vendor procurement, investment management, and M&A transactions.

DDQ at a glance
  • DDQ stands for: Due Diligence Questionnaire
  • Scope: Broader than security questionnaires — covers financials, governance, legal, operations, and ESG.
  • Common in: Financial services, healthcare, government, PE/VC, and any regulated procurement.
  • Typical length: 100–500 questions across 6–10 risk domains.
  • Standard template: ILPA DDQ v1.2 (investment), custom (vendor and M&A).

What is a due diligence questionnaire?

A due diligence questionnaire (DDQ) is a structured assessment sent by buyers, investors, or procurement teams to evaluate a third party before a contract, investment, or acquisition. Most DDQs contain 100 to 500 questions across financial stability, governance, legal compliance, information security, privacy, operational resilience, and ESG.

VeriRFP handles the repeatable parts of the DDQ workflow. It drafts evidence-backed answers, routes reviews by domain, and packages approved responses for delivery.

Types of due diligence questionnaires

DDQs vary significantly depending on context. The four most common types serve different audiences and cover different risk domains.

Vendor DDQ

Audience: Procurement & vendor risk teams
Purpose: Evaluate third-party vendors before signing contracts or renewals
Typical length: 100–300 questions
Key domains: Security, privacy, financial stability, business continuity, regulatory compliance
Example: A SaaS company receiving a DDQ from an enterprise customer's procurement team before a $500K annual contract.

Investment DDQ

Audience: Limited partners, institutional investors, fund-of-funds
Purpose: Evaluate fund managers, GPs, or portfolio companies before committing capital
Typical length: 200–500+ questions (ILPA standard: ~300)
Key domains: Investment strategy, track record, risk management, operations, legal structure, ESG
Example: A pension fund sending the ILPA DDQ to a private equity GP before a $50M commitment.

M&A DDQ

Audience: Corporate development, legal, finance teams
Purpose: Evaluate acquisition targets for hidden risks before closing
Typical length: 200–400 questions
Key domains: Financial health, IP ownership, litigation, customer concentration, employee obligations
Example: An acquiring company's legal team sending a DDQ to a target company during the exclusivity period.

Regulatory DDQ

Audience: Compliance teams in financial services, healthcare, government
Purpose: Meet regulatory requirements for vendor oversight (OCC, FDIC, HIPAA, FAR)
Typical length: 150–350 questions
Key domains: Regulatory compliance, sanctions, AML/KYC, data residency, audit rights
Example: A bank's compliance team sending a DDQ to a cloud provider to satisfy OCC third-party risk management guidance.

DDQ vs security questionnaire vs RFI vs RFP

Buyers use different assessment instruments at different stages of procurement. Here is how they compare.

DDQ (Due Diligence Questionnaire)
Scope: Broad: financials, governance, legal, security, operations, ESG
Sent by: Procurement, legal, compliance, investors
Length: 100–500 questions
When: Before contracts, investments, or acquisitions

Security Questionnaire (SIG, CAIQ, VSAQ)
Scope: Narrow: information security controls, data protection, incident response
Sent by: Security and IT risk teams
Length: 50–300 questions
When: Before granting data access or system integration

RFI (Request for Information)
Scope: Capabilities overview: features, pricing, references, company background
Sent by: Procurement, project managers
Length: 20–80 questions
When: Early vendor selection, before shortlisting

RFP (Request for Proposal)
Scope: Detailed solution proposal: architecture, implementation, pricing, SLAs
Sent by: Procurement, technical leads
Length: 50–200 questions + proposal narrative
When: After shortlisting, before contract negotiation

When due diligence questionnaires are required

Regulated industries

Financial services firms must comply with OCC, FDIC, and SEC vendor oversight rules. Healthcare organizations follow HIPAA Business Associate requirements. Government agencies follow FAR and DFARS. All three require formal questionnaires before contract approval.

High-value contracts

Enterprise contracts above $100K per year trigger enhanced due diligence regardless of industry. Vendors with access to sensitive data or critical workflows face deeper scrutiny.

Investment decisions

Limited partners send DDQs to fund managers before committing capital. Acquirers use them to evaluate target companies during M&A. The ILPA DDQ template is the most common standard for LP-GP due diligence.

What does a DDQ cover? 8 core domains with sample questions

Every DDQ is different, but most cover these eight risk domains. Each domain includes a sample question to show the level of detail buyers expect.

Corporate Governance

This domain covers ownership, board structure, and executive leadership. Buyers use it to confirm stable oversight and clear accountability.

Sample question: “Provide a current organizational chart including the board of directors, executive leadership team, and key personnel responsible for the services being evaluated.”

Financial Stability

This domain covers revenue, profitability, debt, insurance, and audits. Buyers use it to confirm the vendor can support the contract term.

Sample question: “Provide audited financial statements for the last two fiscal years, including revenue, net income, and any material liabilities or pending obligations.”

Legal & Regulatory Compliance

This domain covers litigation, sanctions, anti-bribery controls, and export rules. It matters most for vendors that operate across jurisdictions.

Sample question: “Disclose any pending or resolved litigation, regulatory investigations, or enforcement actions within the past five years that could materially affect service delivery.”

Information Security

This domain covers SOC 2, ISO 27001, encryption, access controls, and incident response. It often overlaps with a separate security questionnaire.

Sample question: “List all current security certifications and the date of the most recent audit. Describe your encryption standards for data at rest and in transit.”

Operational Resilience

This domain covers business continuity, disaster recovery, staffing dependencies, and supply chain concentration. Buyers use it to gauge resilience during disruption.

Sample question: “Describe your business continuity and disaster recovery plan, including RTO/RPO targets, last test date, and results of the most recent DR exercise.”

Privacy & Data Protection

This domain covers GDPR, DPAs, subprocessors, DSAR handling, and cross-border transfers. Buyers use it to confirm lawful and defensible data practices.

Sample question: “Identify all sub-processors that handle personal data on your behalf, including their location, purpose, and the legal mechanism for cross-border data transfers.”

ESG & Sustainability

This domain covers carbon reporting, labor practices, diversity metrics, and supplier sustainability. Institutional investors and public-sector buyers ask for it more often each year.

Sample question: “Describe your organization's ESG reporting framework and provide your most recent sustainability report or carbon disclosure.”

Technology & Infrastructure

This domain covers architecture, hosting, SLAs, change management, and dependencies. Buyers use it to assess technical risk and lock-in.

Sample question: “Provide an architecture diagram of the services being evaluated, including hosting provider, geographic regions, and any third-party dependencies critical to service delivery.”

DDQ examples: 18 real questions by domain

These are representative questions from real vendor and investment DDQs. Use them as a reference when building your own DDQ response library.

Corporate Governance

  1. Provide a current organizational chart including the board of directors and executive leadership.
  2. Describe the ownership structure, including any parent companies, subsidiaries, or affiliated entities.
  3. List any changes in executive leadership or board composition in the past 24 months.

Financial Stability

  1. Provide audited financial statements for the last two fiscal years.
  2. Describe any material liabilities, pending obligations, or contingent liabilities.
  3. What is your current insurance coverage, including E&O, cyber liability, and general liability limits?

Information Security

  1. List all current security certifications (SOC 2, ISO 27001, etc.) with dates of most recent audit.
  2. Describe your encryption standards for data at rest and in transit.
  3. What is your incident response plan? When was it last tested?

Privacy & Data Protection

  1. Identify all sub-processors that handle personal data, including location and purpose.
  2. Describe your process for responding to data subject access requests (DSARs).
  3. What legal mechanisms do you use for cross-border data transfers (SCCs, BCRs, adequacy decisions)?

Operational Resilience

  1. Describe your business continuity plan, including RTO and RPO targets.
  2. When was your disaster recovery plan last tested? Summarize the results.
  3. Identify any single points of failure in your service delivery infrastructure.

Legal & Regulatory

  1. Disclose any pending litigation or regulatory investigations in the past five years.
  2. Describe your anti-bribery and anti-corruption policies and training programs.
  3. Are you subject to any export control restrictions? If so, describe your compliance program.

How to respond to a DDQ: 6 best practices

  1. Maintain a centralized answer library
     Store company facts, certifications, policies, and financials in one place. Reuse them across DDQs with minimal customization per buyer.
  2. Assign domain owners before the deadline
     Route financial questions to finance, legal to counsel, security to the CISO, and operations to department heads. Unclear ownership is the top cause of missed DDQ deadlines.
  3. Cite evidence, not claims
     Attach supporting documents — audit reports, certifications, policy documents, org charts — rather than making unsubstantiated assertions. Buyers trust documentation over prose.
  4. Review for cross-domain consistency
     Verify that answers across domains do not contradict each other before submission. One reviewer should check the full response for coherence. Financial figures should match audit reports. Headcount should match org charts.
  5. Track what changes between submissions
     When reusing answers across buyers, track which facts have changed since the last submission. Stale certifications, outdated financials, or incorrect headcount numbers erode buyer trust faster than a slow response.
  6. Use automation for repeatable domains
     Security, privacy, and compliance questions repeat across DDQs. Automation software drafts evidence-backed answers from your approved library. That cuts manual effort from weeks to days.

Typical DDQ response timeline

Most vendor DDQs allow 2–4 weeks for response. Investment DDQs from institutional LPs allow 4–6 weeks because the financial and operational disclosure runs deeper. Here is a realistic timeline for a 200-question vendor DDQ:

Manual process (2–3 weeks)

  • Day 1–2: Triage questions, assign domain owners
  • Day 3–8: Domain owners draft responses, gather evidence
  • Day 9–11: Cross-domain review and consistency check
  • Day 12–14: Legal review and final approval
  • Day 15: Format and submit

With automation (2–5 days)

  • Day 1: Ingest DDQ, auto-draft from evidence library (60–80% coverage)
  • Day 1–2: Domain owners review drafts, fill gaps
  • Day 2–3: Automated consistency check, legal review
  • Day 3–4: Final approval and export
  • Day 4–5: Buffer for buyer-specific customization


Due diligence questionnaire FAQ

What does DDQ stand for?

DDQ stands for due diligence questionnaire. Buyers, investors, and procurement teams use DDQs before contracts, acquisitions, or capital commitments. Most DDQs contain 100 to 500 questions across 6 to 10 risk domains.

What is the difference between a DDQ and a security questionnaire?

A DDQ is broader than a security questionnaire. Security questionnaires focus on controls like encryption, access management, incident response, SOC 2, and ISO 27001. DDQs also cover financial stability, governance, legal exposure, privacy, and business continuity.

Who sends due diligence questionnaires?

Buyers, investors, and compliance teams send DDQs. Banking, healthcare, and government teams often require them before contract approval. Investment firms also send DDQs to fund managers and portfolio companies.

How long does it take to respond to a DDQ?

Most DDQs take one to three weeks manually. That timeline usually covers 100 to 300 questions and several internal reviewers. Drafting from a curated evidence library typically shortens that turnaround from weeks to days, since recurring questions can be answered by citing previously approved evidence rather than rewriting from scratch — actual savings vary by team and questionnaire complexity.

What happens if a vendor refuses to complete a DDQ?

A refusal usually stops the deal. Buyers treat an incomplete DDQ as a transparency and control issue. In regulated industries, teams often cannot sign without documented due diligence.

Can DDQ responses be reused across buyers?

Yes, but every DDQ still needs review. Core facts like certifications, policies, and company data come from a shared library. Buyer-specific wording, dates, and evidence still need approval before submission.

How many questions are in a typical DDQ?

Most DDQs include 100 to 300 questions. Investment DDQs often exceed 500 questions. The ILPA DDQ is a well-known benchmark with about 300 questions.

What is the ILPA DDQ?

The ILPA DDQ is a standard investment due diligence template. The Institutional Limited Partners Association created it for limited partners and fund managers. It covers strategy, operations, risk, legal, compliance, and ESG topics.

Streamline your DDQ responses

VeriRFP helps teams manage security questionnaires and DDQs from a single evidence-backed workflow. Draft from your approved library, route reviews to the right domain owners, and deliver buyer-ready packages in days instead of weeks.