Technical Due Diligence Checklist
50-Point Series A/B Audit Framework
subvers!ve
Ventures & Intelligence
Use this checklist to identify red flags before investment. Each section contains critical questions that reveal the true state of the technical operation.
1. Team & Leadership (10 points)
- Is there a clear technical leader (CTO/VP Eng) with >5 years experience?
- What is the ratio of senior (5+ years) to junior engineers? (Red flag if <1:5)
- Do engineers have equity? What is the vesting schedule?
- What is the average tenure of engineers? (Red flag if <12 months)
- Has there been a CTO/VP Eng change in the last 12 months?
- Are there documented engineering levels and career progression paths?
- What percentage of the team is contractor vs. permanent? (Red flag if >40%)
- Are there dedicated roles for DevOps, Security, and QA?
- Is there a hiring plan for the next 6 months? Are offers out?
- What is the Glassdoor/Trustpilot score for the engineering team?
2. Architecture & Code Quality (12 points)
- Is there an up-to-date architecture diagram showing all services/components?
- Are there automated tests? What is the test coverage percentage?
- Is there a "Bus Factor" of 1 for any critical component? (Red flag)
- Is the codebase documented? Are there ADRs (Architecture Decision Records)?
- What is the code review process? Are PRs mandatory?
- Are there linters and code quality checks enforced in CI/CD?
- How much technical debt exists? Is there a plan to address it?
- Are third-party dependencies managed and regularly updated?
- Is the database schema versioned and migration-controlled?
- Are there API specifications (OpenAPI/Swagger) for all services?
- Is the architecture monolithic, microservices, or serverless? Why?
- Are there known scalability bottlenecks? What's the load testing strategy?
3. Development Process & Velocity (8 points)
- Can a new developer deploy to production on day 1 with proper access?
- How often do they deploy to production? (Red flag if less than weekly)
- What is the sprint/iteration length? Is there a backlog grooming process?
- Is there a product roadmap aligned with engineering capacity?
- What is the average time from commit to production? (DORA metrics)
- How is technical work prioritized vs. feature work? (Red flag if no time is reserved for technical work)
- Is there a definition of "done" and quality gates?
- Are retrospectives held regularly? Are action items tracked?
4. Infrastructure & DevOps (8 points)
- Is infrastructure managed as code (Terraform, CloudFormation, etc.)?
- Is there automated CI/CD for all environments?
- Are production and staging environments identical (except data)?
- What is the cloud provider? Are there multi-region deployments?
- Is there container orchestration (Kubernetes, ECS) or serverless architecture?
- What is the monthly cloud spend? Is there cost monitoring/alerting?
- Are there auto-scaling policies for traffic spikes?
- Is there a disaster recovery plan? When was it last tested?
5. Security & Compliance (6 points)
- Has there been a recent security audit or penetration test?
- Is there SOC 2, ISO 27001, or GDPR compliance? What is the status?
- Are secrets managed securely (Vault, AWS Secrets Manager)?
- Is data encrypted at rest and in transit?
- Are there automated security scanning tools in the pipeline?
- Is there an incident response plan? Has it been tested?
6. Monitoring & Observability (6 points)
- Is there centralized logging (ELK, Datadog, CloudWatch)?
- Are there application performance monitoring tools (APM)?
- What is the uptime SLA? What was the actual uptime last quarter?
- Are there alerting rules for critical failures? Who is on-call?
- Is there a public status page? Are incidents documented?
- What is the MTTR (Mean Time To Recovery) for production incidents?
Red Flag Summary
- 3+ unchecked items in any category = Serious concern
- 10+ total unchecked items = High risk investment
- 20+ total unchecked items = Do not proceed without remediation plan
© 2026 Subversive Ventures. All rights reserved.
subversive.ventures