Technical DD · Post-Acquisition
File № 001 / M&A

Defensible due diligence. Every score, every citation.

Gray Ark turns the spreadsheet-and-email phase between LOI and Day 100 into a single, evidence-backed workspace. Structured assessments, cited answers, OSINT, maturity benchmarking — and one click from findings to integration plan.

Portfolio analytics across all deals
Technical due diligence, evidence-backed end to end.
From assessment to Day 100, in one workspace.
Stop guessing. Score every target on the same yardstick.
Defensible due diligence — every score, every finding, every citation.

The problem

Tech DD still runs on spreadsheets and trust.

Between LOI and Day 100, technical diligence is a scramble of emailed questionnaires, screenshots in shared drives, and findings that never make it past the IC deck. There's no benchmark. No citation trail. No bridge from assessment to integration.

01

Inconsistent coverage

Every deal gets a different questionnaire, a different reviewer, a different depth. Scores aren't comparable across the portfolio.

02

Unverifiable claims

Targets self-attest. Evidence sits in a shared drive nobody re-opens. By IC, no one can say which answers were checked.

03

Findings die at close

The DD deck ships, the deal signs, and the gaps never become an integration plan. Day 1 starts from a blank page.

The workspace

One workspace. LOI to Day 100.

Structured, repeatable assessment

Thirteen managed categories, your own custom questions, conditional logic, CMMI 0–5 maturity on every answer.

Cited evidence, enforced

AI proposes answers only when it can quote the source verbatim. Reviewers accept or reject — with attribution.

Benchmarked, not absolute

Every target scored against historical deals and your own self-assessed baseline. Same yardstick, every time.

Findings → Day-100 plan

One click converts gaps into prioritised tasks with owners, dependencies and reference durations from your playbook.

Deal workspace showing assessments in progress with maturity scores
Platform · the four moments

Evidence in. Contradictions caught. Report out. Plan generated.

Sixteen capabilities ship in the workspace. These four carry the deal from data room to Day 100 — the rest are in the full dossier.

§ 02

Evidence ingestion with cited answers

Drop policy PDFs, SOC 2 reports, architecture diagrams or pen-test reports into a deal. The platform parses them and proposes answers — but only when it can cite a verbatim passage from the document. Every suggestion arrives with a doc + quote a reviewer can accept, reject, or amend.

  • Server-side parsing pipeline with PDF/DOCX fallbacks
  • Citation validation drops any answer whose quote isn't in the parsed doc
  • Confidence score on every suggestion; accept/reject persists who reviewed it and when
Evidence upload list with parsed documents and cited-answer review
§ 03

AI consistency checks

Once enough answers are in, one click finds pairs of responses that contradict each other. Every flagged finding carries a severity, a confidence score, and both sides of the contradiction with their category and maturity level — so the deal team resolves the disagreement before sign-off.

Inconsistency panel with severity and confidence badges
§ 09

Narrative DD report

The decision artifact. An AI-drafted, human-edited, eight-section written report covering executive summary, target overview, technology & hosting, security posture, key findings, evidence base, key contacts and recommendation. Editable inline, versioned, locked on publish, exportable as an A4 PDF.

  • “Save as version N” makes the version immutable
  • Editing a final version forks a new draft
  • Evidence appendix auto-generated from accepted citations
Narrative report editor with versioned sections
§ 10

DD → integration plan, one click

Convert a closed assessment into a post-acquisition project. Gaps become prioritised tasks routed automatically to the right function owner with reference durations from your playbook. System migrations and maturity uplifts are scheduled separately.

Conversion wizard with migrate, uplift and remediate findings
Index · §01–§16

The full dossier

All 16 exhibits
The lifecycle

Five steps. One chain of custody.

Every assessment flows through the same five stages — so the integration plan inherits the diligence findings, and the steering committee sees the same evidence base the IC did.

  1. Stage I

    Create

    Spin up a deal workspace, pick the question collections, invite the target.

  2. Stage II

    Assess

    Target answers; conditional logic hides what doesn't apply; maturity 0–5 on every question.

  3. Stage III

    Evidence

    Upload SOC 2, policies, pen tests. Cited answers proposed; reviewers accept or reject.

  4. Stage IV

    Report

    Consistency check, OSINT scan, risk pattern. Narrative report drafted, edited, versioned, exported.

  5. Stage V

    Integrate

    One click converts gaps into a Day-100 plan with owners, dependencies and reference timing.

Why DD

Built for scrutiny, not screenshots.

Most diligence tools optimise for speed. We optimise for defensibility — so the answer to “how do you know?” is always one click away.

01 Evidence-backed, not opinion-driven
Every AI suggestion carries a verifiable doc + quote; citation grounding is enforced before an answer reaches a reviewer.
02 Pre and post in one place
Most tools cover assessment or integration. DD covers the full lifecycle — and the integration plan is generated from the assessment gaps.
03 Self-assessed acquirer baseline
The host firm runs the same questionnaire on itself, so every target shows a true maturity delta — not a hand-entered opinion.
04 OSINT and inconsistency checks built in
External surface scan, DMARC/HSTS/TLS/breach lookup; AI consistency check across answers; both surfaced with confidence and severity.
05 Risk-pattern matching against history
New targets compared against prior deals on shape, not raw scores — surfaces “this looks like Northwind” with the prior integration outcome.
06 Defensible by construction
Every mutation is audit-logged; every PDF is reproducible; every API request is bearer-authenticated.
07 Configurable to your playbook
Risk thresholds, function owners, reference durations, maturity baseline, and question collections are all per-firm.
For whom

Built for both sides of the table.

A

Private equity & venture capital

Standardise tech DD across the portfolio, compress assessment timelines without cutting scope, satisfy IC and LP scrutiny.

B

Corporate development teams

Repeatable, auditable assessments on every acquisition target; consistent coverage; defensible recommendations.

C

IT & security leaders

Run rigorous infrastructure, security, code-quality and compliance assessments before signing — and inherit them as the integration baseline after close.

D

Integration / PMO teams

Day-1 task list with assigned owners and reference timing, on a Gantt with slip and dependency tracking.

E

External advisors & consultants

Respond to assessments securely without needing full platform access — category-scoped, audit-logged.

Security & access

Defensible by construction.

  • Single-tenant per customer

    Your workspace, your data. Hosted on Vercel + Supabase, isolated per firm.

  • SSO via your IdP

    SAML 2.0. Internal vs external members; respondents are invited accounts, never anonymous links.

  • Scoped access

    Project, category and per-question permissions. External advisors see only what they're answering.

  • Full audit trail

    Every mutation logged with action, resource, actor and IP. Exportable.

  • Cited claims only

    AI suggestions are dropped before review unless the quote is a verbatim substring of the source document.

  • OSINT built in

    DNS, SPF/DMARC, security headers, TLS, CT subdomain enumeration, optional breach lookup — on every target.

Integrations

Plugs into the deal stack you already run.

Mint a bearer token, point your tooling at the REST API, subscribe a webhook. SSO via your existing IdP. Documents live in your data room — we read, cite, and link back.

REST API · bearer-authenticated

GET  /api/v1/projects
GET  /api/v1/projects/:id/scores
GET  /api/v1/projects/:id/inconsistencies
GET  /api/v1/projects/:id/evidence
GET  /api/v1/me

Webhooks · HMAC-signed

project.created
project.updated
project.completed
task.completed
report.generated

Identity

SAML 2.0 single sign-on. Okta, Entra ID, Google Workspace, or any IdP that speaks SAML.

Admin · Integrations with API keys and webhooks
Request a demo

See it on your own deal.

Tell us about your pipeline. We’ll spin up a workspace, walk through an assessment on a redacted target, and show the conversion to a Day-100 plan. No pricing on this site — buyers who need the deep dive will ask, and we’ll answer.

hello@grayark.io
Austin, TX