Due Diligence Questionnaire (DDQ)

The buyer or limited partner (LP) is more than just evaluating your features or fund strategy; they're asking:

• Can we trust you with our data or capital?
• Will your team respond if something breaks or performance deteriorates?
• Do you understand the risks of operating at scale?
• Are you compliant, or just saying so in your pitch deck or placement memorandum?

A sloppy or delayed DDQ response can derail a high-value deal. In venture capital and private equity, the Institutional Limited Partners Association (ILPA) DDQ has become the industry standard, helping LPs conduct consistent, thorough due diligence across fund managers.

What is the ILPA DDQ?

The ILPA DDQ is a standardized due diligence questionnaire developed by the Institutional Limited Partners Association specifically for limited partners evaluating general partners (fund managers). It covers operational, compliance, legal, and governance topics critical to institutional investors committing significant capital.

‍

The ILPA DDQ framework provides consistency across fundraising processes, reducing duplication for both general partners (who answer the same questions repeatedly) and limited partners (who need comparable data across fund managers). The questionnaire spans firm structure, investment strategy, operations, compliance, conflicts of interest, fees, and reporting.

‍

For general partners, maintaining updated ILPA DDQ responses is essential for efficient fundraising. For limited partners, the ILPA DDQ ensures systematic evaluation of operational risks beyond investment performance.

When do DDQs show up in the sales process or fundraising cycle?

If you're selling into enterprise, regulated industries, strategic accounts, or raising institutional capital, expect a DDQ to surface in these moments:

• Late-stage sales cycles for 6 or 7-figure contracts: When procurement, legal, or IT teams get involved to validate vendor claims before contract execution.
• During mergers and acquisitions, investment, or partner onboarding: Acquirers and investors conduct operational due diligence to assess risks beyond financial performance.
• When the buyer's risk management teams get involved: Enterprise buyers with formal vendor risk management programs require DDQ completion before onboarding new software vendors.
• When you're being audited or re-certified: SOC 2, ISO 27001, HIPAA, or other compliance frameworks trigger DDQ updates to reflect current controls.
• Fundraising cycles: General partners raising new funds from institutional LPs face ILPA DDQ requirements as standard practice. LPs use responses to compare operational maturity across fund managers.

If you've positioned your product well and built internal champions, the DDQ is often the last major hurdle before signature. In fundraising, a complete, transparent ILPA DDQ response accelerates commitments by demonstrating operational readiness.

What a good DDQ typically covers

Most DDQs span multiple domains and owners across your organization. Expect questions in the following areas:

‍

‍

ILPA DDQ-specific domains include:

• Firm governance: Management structure, decision-making processes, board composition
• Investment process: Strategy, sourcing, due diligence, valuation methodologies
• Portfolio management: Monitoring, value creation, exit planning
• Conflicts of interest: Policies, disclosure practices, related-party transactions
• Fees and expenses: Management fees, carried interest, expense allocation
• ESG and DEI: Environmental, social, governance policies, diversity initiatives
• Reporting and transparency: Frequency, content, and format of LP communications

If your DDQ responses contradict your sales pitch, website claims, or placement memorandum, trust erodes fast. Inconsistencies signal either operational immaturity or lack of internal alignment, both concerning sophisticated buyers and investors.

What best-in-class DDQ processes look like

1. Pre-built response libraries: Your team shouldn't start from scratch every time. Maintain a centralized repository of approved answers for recurring questions across security, compliance, legal, and financial domains. For general partners, keeping an updated ILPA DDQ master document eliminates redundant work across fundraising conversations.

‍

2. Version-controlled content: Especially for technical and compliance answers that evolve. When certifications renew, products change, or policies update, version control ensures responses reflect the current reality. Outdated answers create liability when buyers or LPs discover discrepancies during implementation or audits.

‍

3. Role-based reviewers: Legal signs off on contract terms; security validates architecture responses; finance confirms revenue recognition practices; compliance reviews regulatory attestations. Clear ownership prevents bottlenecks and ensures subject matter expert verification.

‍

4. Automated search and retrieval: Let your proposal, security, or investor relations team pull from a curated library of pre-approved language. Modern DDQ response platforms use natural language processing to match incoming questions against existing approved responses, dramatically reducing drafting time.

‍

5. Tracking and workflow management: DDQs often contain 100+ questions requiring coordination across multiple stakeholders. Workflow tools that track assignment, completion status, and approval chains prevent questions from falling through gaps.

‍

The faster you respond with clarity, the more likely your deal closes on time, or your fund commitment accelerates. In competitive fundraising environments, operational responsiveness differentiates otherwise similar investment opportunities.

Internal red flags to watch for

If any of these are true, your DDQ process is costing you deals or commitments:

• Security answers live in a shared drive last updated two years ago: Stale responses citing expired certifications, deprecated technologies, or obsolete policies undermine credibility immediately.
• No one knows who owns the privacy or data processing agreement response section: Ambiguous ownership creates response delays and quality inconsistencies. Every DDQ domain needs a designated owner.
• Legal terms are still being reviewed line by line for every new customer: Repeating legal review for standard DDQ questions wastes time. Pre-approved language for common legal queries (indemnification, limitation of liability, intellectual property) accelerates response.
• Product changes haven't been reflected in documentation: New features (especially AI capabilities, data processing, or third-party integrations) create new compliance obligations. DDQ responses must stay current with product evolution.
• ILPA DDQ responses diverge from actual practices: General partners whose ILPA DDQ responses describe aspirational policies rather than operational reality face reputational damage when LPs discover discrepancies during onboarding or annual reporting.

Responses lack quantitative specificity: Vague answers like "we take security seriously" or "we maintain adequate staffing" don't satisfy sophisticated due diligence. Specific metrics (response times, staffing ratios, incident frequency) build credibility.

In the enterprise world and institutional investing, your DDQ response is often your company's or fund's first impression with legal, IT, compliance, or investment committee stakeholders. Done well, it builds trust and momentum. Done poorly, it invites delays or, worse, disqualification.

The ILPA DDQ in private equity and venture capital

For general partners managing private equity or venture capital funds, the ILPA DDQ has become the de facto standard for operational due diligence. Limited partners, i.e., pension funds, endowments, foundations, and family offices, use the ILPA DDQ to evaluate fund managers' operational infrastructure, governance, compliance, and reporting capabilities.

The ILPA DDQ complements financial due diligence (returns, performance attribution, track record) with operational due diligence (controls, processes, team stability). LPs recognize that operational weaknesses, inadequate compliance, key-person risk, and poor governance can undermine even strong investment performance.

General partners benefit from the ILPA DDQ's standardization. Rather than responding to unique questionnaires from each LP, firms maintain one comprehensive ILPA DDQ response that satisfies most institutional investors. This reduces fundraising friction and accelerates commitment timelines.

However, maintaining an accurate, current ILPA DDQ requires ongoing effort. Annual updates should reflect changes in: firm structure (new hires, departures, promotions), compliance status (new certifications, policy revisions), fund terms (fee structures, reporting practices), and conflicts of interest (new investments, side vehicles).

How to optimize DDQ response workflows

• Centralize approved content: Build a knowledge base of verified, pre-approved responses organized by topic. Tag content by domain (security, legal, finance), date last updated, and approval status.
• Automate matching: Use tools that analyze incoming DDQ questions and suggest relevant responses from your content library. This reduces the time spent searching for answers and ensures consistency.
• Implement workflow tracking: For complex DDQs with 50+ questions and multiple contributors, project management tools that track assignments, due dates, and approval status prevent bottlenecks.
• Schedule regular content reviews: Quarterly reviews ensure responses reflect current certifications, product capabilities, policies, and team structure. Outdated responses create more work downstream when discrepancies surface.
• Measure response time and quality: Track average days to complete DDQs, percentage of questions requiring new content versus reuse, and whether DDQ completion correlates with deal velocity. These metrics reveal optimization opportunities.

DDQs can be optimized using automation, keeping them compliant, minimizing turnaround time, and maintaining quality. The investment in building systematic DDQ processes pays dividends across every new customer, partner, or investor conversation.

Frequently Asked Questions

What's the difference between a DDQ and an RFP?

DDQs verify operational, compliance, and security claims during due diligence, focusing on risk assessment. RFPs (Requests for Proposal) solicit solution proposals and pricing during vendor selection, focusing on capabilities and cost. DDQs often follow RFPs. After a vendor is selected, buyers issue DDQs to validate claims before contracting. In fundraising, DDQs occur after initial interest but before LP commitment.

How long should it take to complete a DDQ?

Timeline depends on complexity and preparation. With a well-maintained content library, typical DDQs take 3-7 days. First-time DDQs without pre-built responses can take 2-4 weeks. ILPA DDQs, given their comprehensiveness, often require 1-2 weeks even with prepared content. Delays typically stem from coordinating multiple stakeholders, not the question of difficulty.

Who should own the DDQ response process?

Ownership varies by organization. In SaaS companies, security teams, legal, and sales operations often coordinate. In fund management, investor relations, or compliance typically owns the ILPA DDQ. Regardless of the owner, cross-functional participation is essential; no single person can answer questions spanning security, legal, finance, and operations.

Can we reuse DDQ responses across different customers or LPs?

Yes, with caveats. Core responses about your security architecture, compliance status, or fund structure remain consistent. However, avoid copying responses that reference specific customer names, deal terms, or LP-specific customizations. Version control ensures reused content stays current as your operations evolve.

What happens if we can't answer a DDQ question?

Transparency matters more than having every answer. If a question addresses capabilities you lack (certain certifications, specific controls), acknowledge the gap honestly and explain any compensating controls or roadmap plans. Fabricating capabilities damages trust irreparably when discovered. For ILPA DDQs, LPs prefer honest gaps to misleading affirmatives.

How often should we update our DDQ master document?

Quarterly reviews work for most organizations. Update immediately when certifications renew or expire, material product changes occur, key personnel join or leave, compliance policies change, or new regulations take effect. For ILPA DDQs, annual updates align with fundraising cycles, but material changes warrant interim updates.

Should we customize DDQ responses for each requester?

Core operational facts (certifications, architecture, policies) remain constant. Customize context and emphasis based on the requester's priorities. Enterprise healthcare buyers emphasize HIPAA; financial services focus on SOC 2 and data residency; LPs prioritize conflicts of interest and fee transparency. Tailor explanations without changing underlying facts.