What is a DDQ (due-diligence questionnaire)?
A due-diligence questionnaire (DDQ) is a structured document one organisation sends another to evaluate it before a deal, investment, or partnership. It gathers standardised information on operations, finances, security, compliance, and risk, so the requester can make an informed decision and document why they trusted the other party.
Who sends DDQs, and why
DDQs are sent by anyone who needs to understand and document the risk of working with you before they commit. The most common senders are investors and asset allocators assessing a fund or company, procurement teams onboarding a new supplier, and partners evaluating a commercial relationship. The questionnaire gives them a consistent, comparable record across everyone they assess.
Common types of DDQ
- Investment / financial DDQ: used by investors and asset managers to assess a fund or company.
- Operational due diligence (ODD): focuses on operations, controls, and key-person risk.
- Security DDQ: how you protect data and systems (often overlapping with a security questionnaire).
- ESG DDQ: environmental, social, and governance practices.
- Vendor / third-party risk DDQ: used in procurement to onboard and review suppliers.
- AML / KYC questionnaires: anti-money-laundering and know-your-customer checks.
What a DDQ usually covers
The exact sections vary by type, but most DDQs ask about:
- Company background, ownership, and structure.
- Financials and commercial track record.
- Operations, processes, and key personnel.
- Information security and data protection.
- Compliance, legal, and regulatory standing.
- Business continuity and disaster recovery.
- ESG and, where relevant, insurance and references.
How to answer a DDQ well
1. Read the context: who is asking, and what decision does the DDQ support?
2. Reuse a maintained answer library so you are not rewriting standard responses each time.
3. Ground every claim in evidence you can produce on request (policies, statements, certificates).
4. Keep answers consistent: the same question should not get two different answers across documents.
5. Get the right subject-matter expert and, where needed, legal sign-off before submitting.
6. Track versions, so you know exactly what you told whom, and when.
DDQ vs RFP vs security questionnaire
These overlap but serve different goals. A DDQ assesses risk and trust before a relationship. An RFP (request for proposal) evaluates whether your product is the right one to buy. A security questionnaire is a focused slice, often a section of a DDQ or RFP, about how you protect data. The good news is that one well-maintained answer library can feed all three.
Frequently asked questions
What does DDQ stand for?
DDQ stands for due-diligence questionnaire: a structured set of questions used to evaluate an organisation before an investment, acquisition, partnership, or supplier relationship.
What is the difference between a DDQ and an RFP?
A DDQ assesses the risk and trustworthiness of an organisation before entering a relationship, covering areas like finances, operations, security, and compliance. An RFP (request for proposal) evaluates whether a specific product or service is the right one to buy. A security questionnaire is often a section within either.
How often are DDQs updated?
Requesters typically refresh DDQs at onboarding and then on a periodic cycle (often annually) or when something material changes. Because the same questions recur, maintaining a current, source-backed answer library makes each refresh far quicker.