Component: [Component name from framework]
Vendor: [Vendor name]
Due Diligence Lead: [Name]
Date Started: [Date]
Target Completion: [Date]
Instructions
This checklist is designed to be used after you have shortlisted 1-2 vendors and need to conduct deep-dive due diligence before making a final selection.
The checklist is organized by due diligence type and mapped to the Periodic Cube of AI framework dimensions.
Status Key:
- ✅ Complete
- 🔄 In Progress
- ⏸️ Blocked/Waiting
- ❌ Not Started
- N/A – Not Applicable
Part 1: Technical Due Diligence
Primary Framework Dimensions: TRL, Build vs Buy, Human Intensity
Responsible Team: [e.g., ML/AI Engineering, Platform Engineering]
| # | Activity | Status | Owner | Due Date | Notes / Evidence |
|---|---|---|---|---|---|
| 1.1 | Review technical architecture documentation | ||||
| 1.2 | Conduct Proof of Concept (PoC) with real data | ||||
| 1.3 | Test API performance and latency | ||||
| 1.4 | Evaluate integration complexity with existing systems | ||||
| 1.5 | Assess scalability through load testing | ||||
| 1.6 | Review data model and schema compatibility | ||||
| 1.7 | Test disaster recovery and backup/restore procedures | ||||
| 1.8 | Evaluate monitoring and observability capabilities | ||||
| 1.9 | Review technical roadmap alignment with our needs | ||||
| 1.10 | Assess vendor’s technology stack and dependencies | | | | |
Technical Due Diligence Summary
Key Findings:
Technical Risks Identified:
Mitigation Strategies:
Part 2: Security Due Diligence
Primary Framework Dimensions: Criticality, SFIA Category (Strategy and Governance)
Responsible Team: [e.g., Security/Compliance, InfoSec]
| # | Activity | Status | Owner | Due Date | Notes / Evidence |
|---|---|---|---|---|---|
| 2.1 | Review SOC 2 Type II report (or equivalent) | ||||
| 2.2 | Verify ISO 27001 or other security certifications | ||||
| 2.3 | Conduct security questionnaire assessment | ||||
| 2.4 | Review data encryption standards (at rest and in transit) | ||||
| 2.5 | Evaluate access control and authentication mechanisms | ||||
| 2.6 | Review incident response and breach notification procedures | ||||
| 2.7 | Assess vulnerability management and patching process | ||||
| 2.8 | Review third-party security audit results | ||||
| 2.9 | Conduct penetration testing (if applicable) | ||||
| 2.10 | Evaluate data residency and sovereignty compliance | ||||
| 2.11 | Review vendor’s security training for employees | ||||
| 2.12 | Assess supply chain security risks | | | | |
Security Due Diligence Summary
Key Findings:
Security Risks Identified:
Mitigation Strategies:
Required Contract Clauses:
Part 3: Compliance & Legal Due Diligence
Primary Framework Dimensions: Criticality, SFIA Category (Strategy and Governance)
Responsible Team: [e.g., Legal, Compliance, Privacy]
| # | Activity | Status | Owner | Due Date | Notes / Evidence |
|---|---|---|---|---|---|
| 3.1 | Review Data Processing Agreement (DPA) | ||||
| 3.2 | Verify GDPR compliance (if applicable) | ||||
| 3.3 | Verify CCPA compliance (if applicable) | ||||
| 3.4 | Review industry-specific compliance (HIPAA, SOX, etc.) | ||||
| 3.5 | Assess data retention and deletion policies | ||||
| 3.6 | Review subprocessor list and data flow | ||||
| 3.7 | Evaluate intellectual property rights and ownership | ||||
| 3.8 | Review contract terms and conditions | ||||
| 3.9 | Assess liability and indemnification clauses | ||||
| 3.10 | Review termination and data portability terms | ||||
| 3.11 | Verify insurance coverage (E&O, cyber liability) | ||||
| 3.12 | Review SLA terms and remedies | | | | |
Compliance & Legal Due Diligence Summary
Key Findings:
Compliance Gaps Identified:
Required Contract Modifications:
Legal Risks:
Part 4: Financial Due Diligence
Primary Framework Dimensions: Cost Structure, TRL
Responsible Team: [e.g., Finance, Procurement]
| # | Activity | Status | Owner | Due Date | Notes / Evidence |
|---|---|---|---|---|---|
| 4.1 | Review vendor’s financial statements (if available) | ||||
| 4.2 | Assess vendor’s funding and runway (for startups) | ||||
| 4.3 | Verify pricing model and calculate 3-year TCO | ||||
| 4.4 | Identify all potential hidden costs | ||||
| 4.5 | Negotiate volume discounts and enterprise pricing | ||||
| 4.6 | Review payment terms and conditions | ||||
| 4.7 | Assess price escalation clauses | ||||
| 4.8 | Evaluate cost predictability and optimization tools | ||||
| 4.9 | Compare pricing against competitors | ||||
| 4.10 | Review audit rights for usage-based pricing | | | | |
Financial Due Diligence Summary
Key Findings:
Financial Risks Identified:
Negotiation Priorities:
Budget Impact:
Part 5: Operational Due Diligence
Primary Framework Dimensions: Human Intensity, Org. Ownership, SFIA Category
Responsible Team: [e.g., Operations, Platform Engineering]
| # | Activity | Status | Owner | Due Date | Notes / Evidence |
|---|---|---|---|---|---|
| 5.1 | Assess implementation timeline and effort | ||||
| 5.2 | Evaluate training requirements for our team | ||||
| 5.3 | Review ongoing operational burden (FTE hours/week) | ||||
| 5.4 | Test support responsiveness and quality | ||||
| 5.5 | Evaluate documentation quality and completeness | ||||
| 5.6 | Assess change management and release process | ||||
| 5.7 | Review customer success and account management model | ||||
| 5.8 | Evaluate professional services availability | ||||
| 5.9 | Test user experience and interface usability | ||||
| 5.10 | Assess automation capabilities vs. manual tasks | | | | |
Operational Due Diligence Summary
Key Findings:
Operational Risks Identified:
Resource Requirements:
Training Plan:
Part 6: Reference Checks
Primary Framework Dimensions: TRL, Criticality
Responsible Team: [Cross-functional]
| # | Reference Customer | Industry | Use Case Similarity | Status | Key Takeaways |
|---|---|---|---|---|---|
| 6.1 | | | (1-5) | | |
| 6.2 | | | (1-5) | | |
| 6.3 | | | (1-5) | | |
Reference Check Questions Template
Use these questions during reference calls:
- How long have you been using this vendor’s solution?
- What was your primary use case and expected outcome?
- How long did implementation take? Was it on time and on budget?
- What challenges did you encounter during implementation?
- How would you rate the vendor’s support and responsiveness?
- Have you experienced any major outages or issues?
- How has the solution scaled as your usage has grown?
- What has been your experience with pricing and cost predictability?
- Would you choose this vendor again? Why or why not?
- What advice would you give to a new customer?
Reference Check Summary
Overall Sentiment:
Common Themes:
Red Flags:
Positive Highlights:
Part 7: Integration & Implementation Planning
Primary Framework Dimensions: Build vs Buy, Org. Ownership, Human Intensity
Responsible Team: [e.g., Platform Engineering, Application Development]
| # | Activity | Status | Owner | Due Date | Notes / Evidence |
|---|---|---|---|---|---|
| 7.1 | Map integration points with existing systems | ||||
| 7.2 | Identify custom development requirements | ||||
| 7.3 | Estimate integration effort (person-hours) | ||||
| 7.4 | Create high-level implementation timeline | ||||
| 7.5 | Identify dependencies and blockers | ||||
| 7.6 | Assess data migration requirements | ||||
| 7.7 | Plan user onboarding and training | ||||
| 7.8 | Define success metrics and KPIs | ||||
| 7.9 | Create rollback and contingency plan | ||||
| 7.10 | Assign roles and responsibilities | | | | |
Integration & Implementation Summary
Implementation Timeline: [X weeks/months]
Critical Path Items:
Resource Requirements:
Key Dependencies:
Part 8: Risk Assessment & Mitigation
Primary Framework Dimensions: Criticality, TRL, Build vs Buy
Responsible Team: [Cross-functional]
| # | Risk Description | Likelihood (1-5) | Impact (1-5) | Risk Score | Mitigation Strategy | Owner |
|---|---|---|---|---|---|---|
| 8.1 | ||||||
| 8.2 | ||||||
| 8.3 | ||||||
| 8.4 | ||||||
| 8.5 | | | | | | |
Risk Score = Likelihood × Impact (1-25 scale)
Risk Levels:
- 1-5: Low Risk (Green)
- 6-12: Medium Risk (Yellow)
- 13-25: High Risk (Red)
Risk Assessment Summary
High Risks (13-25):
Medium Risks (6-12):
Overall Risk Rating: [Low / Medium / High]
Go/No-Go Recommendation: [Proceed / Proceed with Conditions / Do Not Proceed]
Part 9: Final Decision Documentation
Executive Summary
Vendor: [Name]
Component: [Name]
Recommendation: [Select / Do Not Select]
Overall Assessment:
[2-3 paragraphs summarizing the due diligence findings and rationale for the recommendation]
Framework Alignment Analysis
| Framework Dimension | Expected Classification | Vendor Alignment | Gap Analysis |
|---|---|---|---|
| Build vs Buy | |||
| TRL | |||
| Org. Ownership | |||
| Cost Structure | |||
| Criticality | |||
| Human Intensity | |||
| SFIA Category | | | |
Decision Criteria Met
| Criterion | Weight | Met? | Notes |
|---|---|---|---|
| Technical Capabilities | | ☐ Yes ☐ No | |
| Security & Compliance | | ☐ Yes ☐ No | |
| Cost & Pricing | | ☐ Yes ☐ No | |
| Vendor Stability | | ☐ Yes ☐ No | |
| Integration Feasibility | | ☐ Yes ☐ No | |
| Operational Fit | | ☐ Yes ☐ No | |
Conditions for Approval
[List any conditions that must be met before final contract signing]
Next Steps
Approval Signatures
| Role | Name | Signature | Date |
|---|---|---|---|
| Due Diligence Lead | |||
| Technical Lead | |||
| Security Lead | |||
| Legal/Compliance | |||
| Finance/Procurement | |||
| Executive Sponsor | | | |
Document Version: 1.0
Last Updated: [Date]
Framework Reference: Periodic Cube of AI multi-dimensional framework