Due diligence questionnaire guide: 10 DDQ examples

See 10 DDQ examples, what due diligence questionnaires ask, how long they take, and what speeds up vendor security and compliance reviews.
Author: Naren Manoharan
Date: May 5, 2026
Reading time: 11 min read

If you've ever spent hours tracking down the same compliance answers across five different spreadsheets, you already know DDQs are a necessary pain. Buyers send them to verify you're who you say you are, and your job is to prove it without burning a week every time. We're walking through the 10 DDQ examples that cover most of what you'll face, the questions that repeat across all of them, and what actually speeds up the process when you're stuck answering the same things over and over.

TL;DR:

  • DDQs verify risk and compliance before contracts, while RFPs compare vendor capabilities
  • Standard 100-question DDQs take 4-5 hours per response without automation
  • 87% of private equity funds now use the ILPA DDQ framework as baseline
  • Common questions focus on SOC 2, encryption, incident response, and third-party access
  • Wolfia (used by Amplitude, Miro, and ThoughtSpot) auto-fills DDQs, RFPs, and customer security questionnaires across Excel, PDF, Word, and portals so teams review instead of writing

What is a DDQ (due diligence questionnaire)

A due diligence questionnaire (DDQ) is a structured set of questions one organization sends to another to assess risk before entering a business relationship. Buyers send DDQs to vendors to vet security practices. Investors send them to fund managers before committing capital. Acquirers send them during M&A transactions to audit financials, legal exposure, and operations.

What separates a DDQ from other procurement documents is intent. Where a request for proposal asks what a vendor can do, a DDQ asks what they are. It's an investigation, not an invitation. The goal is verifying that a potential partner meets your organization's standards before any agreement is signed.

DDQ vs RFP: Understanding the differences

RFPs and DDQs often get lumped together, but they serve different purposes at different stages.

An RFP comes early. It's how buyers gather proposals from multiple vendors, comparing capabilities, pricing, and fit. Security questionnaires often follow later in the process. The questions are forward-looking: what can you build, what will it cost, how will you deliver it?

A DDQ comes later, often after a vendor has already been shortlisted. The questions shift from "what can you do" to "prove who you are": security posture, compliance certifications, financial stability, and how you run the business. The buyer isn't shopping anymore. They're stress-testing.

Document   Stage             Primary Goal      Question Focus
RFP        Early selection   Compare options   Capabilities and pricing
DDQ        Pre-contract      Verify claims     Risk and compliance

In practice, some organizations send both. An RFP winnows the field; the DDQ closes the loop before a contract is signed.

Key components of an effective DDQ

Most DDQs follow a recognizable structure, even if the questions vary by industry. Whether you're sending one or filling one out, knowing what's inside helps you move faster.

The core sections you'll find in nearly every DDQ:

  • Company overview: basic corporate info, ownership structure, key personnel, and business history
  • Financial information: audited statements, revenue trends, debt obligations, and funding sources
  • Compliance and regulatory: certifications held (SOC 2, ISO 27001, GDPR adherence), audit history, and any regulatory violations
  • Information security: data handling practices, access controls, incident response plans, and third-party risk management
  • Day-to-day processes: business continuity plans, vendor dependencies, SLA track records
  • ESG considerations: environmental policies, diversity practices, and governance standards

Longer or more specialized DDQs add sections on legal disputes, insurance coverage, or AI usage policies. The depth of each section typically scales with how much risk the relationship carries.

Types of DDQs by industry and use case

DDQ structure varies widely depending on the context in which it's being used. Here are the four most common types you'll encounter.

Vendor security DDQs

These are the most common type in B2B software. Enterprises send them to vet a vendor's security posture before signing. Expect questions on SOC 2, penetration testing, data residency, and incident response.

Private equity DDQs

Investors use DDQs to vet fund managers before committing capital. The ILPA DDQ is the industry standard here. Questions focus on performance history, fee structures, portfolio risk, and governance.

M&A due diligence

Acquirers send these during transactions to surface legal liabilities, financial exposure, and IP ownership questions. Higher stakes mean longer questionnaires.

Cybersecurity assessments

Industries like healthcare and finance that face strict compliance requirements send standalone cybersecurity DDQs. These go deep on controls, vulnerability management, and third-party risk, often mapped to frameworks like NIST or ISO 27001.

The ILPA DDQ framework for private equity

The Institutional Limited Partners Association (ILPA) DDQ is the closest thing private equity has to a universal standard. Created to reduce the chaos of every LP sending a different questionnaire to every GP, it gives both sides a shared language for due diligence.

The numbers tell the story of how seriously it's been adopted. 87% of private equity funds now receive DDQs that follow the ILPA framework, and the questionnaire itself has grown from 8 sections to 21 as the asset class has matured.

Those 21 sections cover a wide range of GP information:

  • Fund strategy and investment philosophy
  • Team background, key person risk, and succession planning
  • Historical performance data and attribution
  • Fee structures, carried interest, and co-investment terms
  • Risk management and portfolio monitoring processes
  • ESG policies and responsible investing commitments
  • Legal disclosures and regulatory filings
  • Infrastructure and cybersecurity controls

The weight placed on any given section changes depending on the LP. A pension fund may care most about ESG disclosures. A family office may focus almost entirely on fees and governance. The framework sets the structure; the LP decides where to dig.

"The ILPA DDQ has become the baseline expectation in LP-GP relationships. If you're a fund manager not prepared to answer it in full, you're signaling you're not ready for institutional capital."

For GPs, responding to the ILPA DDQ thoroughly is table stakes. Gaps or vague answers raise flags faster than almost anything else in the fundraising process.

10 DDQ examples and templates for 2026

Here's a quick breakdown of ten DDQ types you're likely to encounter, what drives them, and where each one focuses.

#    DDQ Type                    Primary Focus
1    Financial Services Vendor   Data security, access controls, regulatory compliance
2    Healthcare Tech Partner     HIPAA controls, data handling, breach response
3    SaaS Security               SOC 2, pen testing, encryption, uptime SLAs
4    M&A Due Diligence           Legal liabilities, IP ownership, financial exposure
5    Cybersecurity Assessment    NIST/ISO controls, vulnerability management
6    ESG Questionnaire           Environmental policies, governance, DEI reporting
7    Real Estate                 Title, zoning, environmental risk, liens
8    Fund Manager (ILPA)         Performance, fees, key person risk
9    Regulatory Compliance       Licensing, audit history, regulatory violations
10   IT Vendor Evaluation        Infrastructure, disaster recovery, third-party dependencies

Templates for these exist across ILPA, NIST, and various industry bodies. Most SaaS vendors get hit hardest by types 3 and 5, often receiving both in the same sales cycle.

Common DDQ questions across all industries

Across every industry and transaction type, certain questions show up almost everywhere. Knowing them in advance lets you prepare answers before the questionnaire even arrives.

  • Do you have a SOC 2 Type II report, and is it current?
  • How do you handle data encryption in transit and at rest?
  • What is your incident response process if a breach occurs?
  • Do you conduct regular penetration testing? How often?
  • What is your business continuity and disaster recovery plan?
  • Who has access to customer data, and how is that access controlled?
  • Are you compliant with GDPR, HIPAA, or other applicable regulations?
  • What third-party vendors do you share data with?
  • Have you experienced any security incidents in the past 24 months?
  • What certifications does your organization currently hold?

Security and compliance questions dominate, but financial and process questions follow close behind. Expect questions about audit history, revenue stability, key person dependencies, and vendor concentration risk. The more sensitive the data or capital involved, the deeper those questions get.

How long does it take to complete a DDQ

A standard 100-question DDQ takes an average of 4 to 5 hours just for a first draft. That's before revisions, SME reviews, or legal sign-off.

Three factors push that number higher:

  • Questionnaire complexity: ILPA or M&A DDQs routinely run 200+ questions with multi-part answers required, each demanding sourced, verifiable detail instead of a quick summary
  • Internal coordination: security, legal, finance, and operations teams often all need to weigh in, and scheduling that review adds days even when the answers themselves are ready
  • Documentation gaps: if your SOC 2 report is outdated or your policies aren't written down, answering takes research first

First-time responses are always slower. Teams without a central knowledge base waste hours hunting down answers that should already exist.

The growing DDQ challenge: Volume and complexity

Three forces are driving the surge in DDQ volume and complexity.

Regulatory pressure keeps expanding. GDPR, HIPAA, SEC cybersecurity rules, and DORA in Europe all push enterprises to document vendor risk more formally. When your buyer faces a regulator, your DDQ answers become their paper trail.

Supply chain anxiety is real. An estimated 60% of security incidents originate from third-party vendors. Enterprises have learned this the hard way, so third-party risk programs now require deeper questionnaires before any contract is signed.

Enterprise security requirements have also scaled. What once fit in 50 questions now runs 150, with sub-questions on AI usage, data residency, and subprocessor lists that didn't exist five years ago.

How AI automates DDQ responses

The math here is simple. A 100-question DDQ takes 4 to 5 hours from scratch. Field 200+ per year and that's a part-time job that never ends.

AI changes the equation. Instead of rebuilding answers for every new DDQ, AI pulls from your existing documentation and auto-fills responses across Excel, PDF, Word, and web portals. Every answer cites its source, so reviewers can verify without guessing. Teams review pre-filled answers instead of writing them cold.

The result is less time per DDQ and fewer mistakes from copying stale answers across documents.

Final thoughts

Managing DDQs and RFPs shouldn't require a dedicated team member, but for many companies it already does. The math is simple: 200 questionnaires at 5 hours each is 1,000 hours of work your team could spend elsewhere. Schedule a quick walkthrough if you want to see how other teams cut that time by 90%+ without sacrificing accuracy. Your DDQ volume will keep climbing; your response time doesn't have to.

FAQ

How long does it take to complete a typical vendor security DDQ?

A standard 100-question DDQ takes 4-5 hours for a first draft, before any internal reviews. That number climbs higher for ILPA or M&A DDQs that run 200+ questions, especially if your team is hunting down missing documentation or coordinating answers across security, legal, and finance.

What's the difference between a DDQ and an RFP?

An RFP comes early in vendor selection to compare capabilities and pricing across multiple vendors. A DDQ comes later, after you've shortlisted a partner, to verify their security posture, compliance certifications, and how they run the business before signing a contract.

Can I use the same DDQ template for all vendors?

No. DDQ structure varies by industry and risk profile. A SaaS vendor security DDQ focuses on SOC 2 and encryption controls, while a private equity ILPA DDQ digs into performance history and fee structures. Your DDQ should match the type of relationship and data exposure involved.

What are the most common DDQ questions every vendor should prepare for?

Expect questions about SOC 2 reports, data encryption methods, incident response processes, penetration testing frequency, business continuity plans, access controls, regulatory compliance (GDPR, HIPAA), third-party vendors, past security incidents, and current certifications. Having these answers documented saves hours per response.

Why are companies sending more DDQs than they used to?

Three factors drive the increase: expanding regulations like GDPR and SEC cybersecurity rules require formal vendor risk documentation, enterprises face real supply chain risk (60% of security incidents originate from third parties), and security questionnaires themselves have grown from 50 to 150+ questions as requirements around AI usage and data residency became standard.
