Defensible technical risk,
in writing, before you sign.

Independent technical due diligence for pre-investment, pre-acquisition, and pre-fundraising. Written so a non-technical buyer can defend the call.

2-3 weeks · From €6K · 11 axes · ~30-page risk-scored report

A second opinion the seller is not paid to give.

Pre-deal, the buyer carries the technical risk. The seller's deck answers the questions the seller wants asked. We answer the ones the buyer needs answered, with the documents to back each line.

  • Independent. No implementation kickback. We do not bid for the remediation work we recommend within 12 months of the report.
  • Evidence-based. Each finding cites the question, the artefact, and the person who confirmed it. No opinion-only sentences.
  • Proportionate. A custom-built framework calibrated to company stage. Seed founders are not graded on enterprise checklists.
  • Defensible. Written so a non-technical buyer can quote a line in front of an investment committee without needing to translate.

Eleven axes. Tuned to company stage.

The framework comes from a hundred-plus engagements across France, Romania, and Moldova. The same eleven chapters cover a bootstrapped €2m SaaS and a €50m PE deal: the depth changes, not the surface area.

[Figure: eleven-axis coverage chart. Axes: 1 Platform & Architecture, 2 Hosting & Infra, 3 Data & Backup, 4 Security, 5 GDPR, 6 IP & Licensing, 7 Third-Party Tools, 8 Team & Risk, 9 Remote IT, 10 Scalability, 11 BCP / DR]

Why eleven, not seven

Most market frameworks compress the audit into five or seven categories so it fits a slide. Compression hides risk. We keep IP & Licensing, Team & Key-Person Risk, and BCP / DR as separate chapters because each has killed deals on its own.

Question depth is calibrated by stage and platform complexity. A bootstrapped founder is not graded against an enterprise SOC 2 checklist.

Sample coverage: anonymized Series A SaaS engagement. Outer ring = Green, middle = Amber, inner = Red.

01

Platform & Architecture

Languages, frameworks, codebase health, test coverage, deployment process, staging environment, technical documentation.

02

Hosting & Infrastructure

Hosting topology, failover, monitoring, patching cadence, contract terms, EU data residency readiness.

03

Data & Backup

Data inventory, backup regime, restoration tests, encryption at rest and in transit, retention and deletion policies.

04

Security

Past pentests and incidents, authentication, SSO, RBAC, secrets management, audit logging, payments scope.

05

GDPR & Data Protection

DPO assignment, ROPA, DPIA, sub-processor list and DPAs, DSAR handling, breach notification, international transfers.

06

IP & Licensing

Source-code ownership, IP assignment chain, domain registrations, third-party licences, copyleft exposure.

07

Third-Party Tools & Integrations

SaaS inventory with cost and term, integration map, email infrastructure split, vendor concentration.

08

Team & Key-Person Risk

Technical decision-maker, internal vs outsourced split, contract terms, contingency plan, handover documentation.

09

Remote Working & Internal IT

Collaboration tools, device management, onboarding and offboarding, credential management, secure access to production.

10

Scalability & Technical Debt

Concurrent-user limits, multi-language and multi-currency readiness, migration path to cloud, known debt items, interoperability standards.

11

Business Continuity & DR

BCP and DRP documents, RTO and RPO targets, cyber insurance coverage.

How it runs.

Four phases. Two to three weeks end to end, depending on platform complexity and how ready the data room is when we start.

1 Days 1-2

Kickoff & data room

  • Stakeholder map
  • NDA and access
  • Document checklist sent

2 Days 3-10

Deep dive

  • Stakeholder interviews
  • Codebase walk-through
  • Architecture and vendor review

3 Days 8-15

Synthesis & scoring

  • Per-chapter G / A / R rating
  • Risk-impact matrix
  • Draft report

4 Days 14-21

Readout & Q&A

  • 60-min executive readout
  • Final report delivered
  • 30-min Q&A within 2 weeks

Three colours. Tied to deal materiality.

Each question is scored against what a buyer of this company at this stage should expect. The colour decides whether the finding is acceptable, fixable, or material to the deal.

Green

Meets expectations.

No material risk for a company of this size and stage. No remediation required pre-close.

Amber

Gap, but manageable.

Real but fixable with reasonable investment post-acquisition. Quantified in the report, typically with a 90-day remediation plan.

Red

Material to the deal.

Could affect valuation, deal structure, or earn-out. Surfaced to the named buyer with options: renegotiate, condition the close, walk.

What you walk away with.

Risk-scored report

Around 30 pages. Per-chapter G/A/R rating, evidence per finding, recommendations. Executive summary stands alone for non-technical readers.

PDF · Delivered week 2-3

Executive readout

Live 60-minute walkthrough with the named buyer's team. Q&A on the spot. Recorded if requested.

60 min · Buyer team only

Q&A follow-up

30 minutes within two weeks of the readout. For findings the buyer needs to take back to their investment committee.

30 min · Within 2 weeks

Three buyer profiles.

PE / VC pre-investment

You are weeks from term sheet. The target wrote you a one-pager about their platform. You need an independent read before the wire.

Acquirers pre-deal

Buy-side, post-LOI. The technical fold-in cost and the carve-out feasibility matter as much as the multiple.

Boards pre-fundraising

You are about to raise. The first hard question from a Series B lead will be technical. Walk in with the answer in writing.

Scoped to deal size.

Fixed-fee engagements. Scoping call and proposal are not billable. Final scope confirmed in writing before kickoff.

Solo founder / seed · €6K - €10K

Single-product platforms, <10 FTE, <3 third-party integrations. 2 weeks.

Series A / B · €10K - €20K

Multi-product or multi-region SaaS, 10-50 FTE, EU compliance footprint. 2-3 weeks.

Growth / PE deal · From €20K

Acquisition targets, carve-outs, regulated environments. Up to 3 weeks, onsite component if needed.

Travel billed at cost where applicable. Quarterly Governance Retainer available post-engagement.

Six things buyers ask first.

How are you independent?

We do not sell the work we recommend. Qlarum does not take platform implementation, hosting, or recurring delivery for companies we have audited within the previous 12 months. The recommendation chain stops at the report.

What about confidentiality?

Mutual NDA before kickoff. Source code, data, and stakeholder conversations stay on encrypted EU-hosted infrastructure. Nothing trains an AI model. The report is delivered to the named buyer only; the target company sees it with the buyer's consent.

We already have a CTO. Why hire you?

An internal CTO has a job to keep. A buyer needs an opinion the seller's CTO is not paid to give. The two are not in competition. Several of our reports get reviewed alongside the seller's own technical pitch; that is the point.

How detailed is the report?

Around 30 pages. Per-chapter scoring (Green / Amber / Red), the question that produced each finding, the artefact that backs it, and a recommendation if remediation is in scope. Built so a non-technical buyer can defend each line in front of an investment committee.

Remote or onsite?

Default remote, document-first. We travel for kickoff or readout when the deal warrants it.* Stakeholder interviews are video calls, recorded with consent.

* Travel and accommodation are billed at cost to the client.

What tools and methodology do you use?

The framework is ours, refined over 100+ engagements. Eleven chapters calibrated to company stage; the exact question count flexes with platform complexity and deal context. We use standard static-analysis and vulnerability-scanning tools (semgrep, dependency-check, OWASP ZAP where applicable) but the rating is a human call, not a tool output.

One scoping call.
Fixed proposal in 48h.

Email us a few lines about the deal. We reply within 24h, Monday to Friday.

  • Target company name (under NDA if needed)
  • Deal stage and your decision deadline
  • Anything you already know is amber or red