You are about to invest HK$10 million in a startup. The pitch deck is compelling, the market opportunity is real, and the founders are impressive. But the product — the technology that the entire business depends on — is a black box. How do you know the code is not held together with duct tape? How do you know the architecture can scale to the numbers in the financial projections? How do you know the single developer who built it all is not about to leave?
Technology due diligence is the process of systematically evaluating a target company's technology assets, capabilities, and risks before making an investment or acquisition decision. In Hong Kong's growing tech ecosystem — with startups raising from Cyberport, HKSTP, and regional VCs — the need for rigorous tech assessment has never been greater. Yet many investors rely on the founding team's self-assessment or skip technical evaluation entirely.
This guide provides a structured, actionable checklist covering 10 assessment areas, a scoring framework, red flags that should stop a deal, stage-specific expectations, and Hong Kong-specific compliance considerations. Whether you are a VC evaluating a seed investment or a corporate buyer assessing an acquisition target, this is the checklist your CTO (or hired technical assessor) should work through.
The 10 Assessment Areas
A thorough technology due diligence examines 10 interconnected areas. Each contributes to the overall picture of technical health, risk, and scalability potential:
| # | Assessment Area | What We Evaluate | Weight | Key Questions |
|---|---|---|---|---|
| 1 | Architecture | System design, component separation, API design, data flow, technology choices | 15% | Is the architecture appropriate for current and projected scale? Are technology choices defensible? |
| 2 | Code Quality | Code structure, readability, patterns, consistency, test coverage, linting | 12% | Can a new developer understand and modify the code? Are there automated quality checks? |
| 3 | Security | Authentication, authorisation, data encryption, vulnerability management, incident response | 15% | Are there known vulnerabilities? Is customer data protected? Has a security audit been done? |
| 4 | Scalability | Performance under load, horizontal scaling capability, database scalability, caching strategy | 10% | Can the system handle 10x current traffic? Where are the bottlenecks? |
| 5 | Technical Debt | Workarounds, shortcuts, outdated dependencies, TODO comments, known unfixed issues | 10% | How much refactoring is needed to support the next 12 months of roadmap? |
| 6 | Team & Knowledge | Team composition, bus factor, skill distribution, hiring needs, documentation of tribal knowledge | 12% | What happens if the lead developer leaves? Is knowledge documented or in people's heads? |
| 7 | IP & Licensing | Code ownership, open-source license compliance, third-party dependencies, patent considerations | 8% | Does the company clearly own all its code? Are open-source licenses compatible with the business model? |
| 8 | Compliance | PDPO compliance, industry regulations, data residency, accessibility, regulatory requirements | 8% | Is the company compliant with PDPO? Are there regulatory risks in the technology stack? |
| 9 | Infrastructure | Hosting, deployment, CI/CD, monitoring, disaster recovery, backup procedures | 5% | Can the team deploy reliably? Is there monitoring and alerting? What is the DR plan? |
| 10 | Documentation | API docs, architecture diagrams, onboarding guides, runbooks, decision records | 5% | Can a new team member get productive within 2 weeks? Are critical processes documented? |
Red Flags: When to Walk Away or Renegotiate
Some findings are yellow flags — issues that can be fixed with investment and effort. Others are red flags that should materially affect your investment decision, valuation, or deal structure. Here are the red flags we look for:
Critical Red Flags (Deal-Breakers)
- No version control. The codebase is not in Git. There is no history of changes, no ability to revert, and no proof of who wrote what. This is exceedingly rare in 2026 but still occurs in non-tech companies that built internal tools.
- Single point of failure (bus factor of 1). One person wrote the entire system, holds all credentials, and has not documented anything. If that person leaves, the company cannot maintain or develop its own product.
- No clear IP ownership. The code was written by freelancers or an outsourcing firm without proper IP assignment agreements. The company may not legally own its own technology.
- Critical security vulnerabilities. Customer data is stored unencrypted, passwords are in plaintext, API keys are hardcoded in the codebase, or there are known unpatched vulnerabilities in production.
- Open-source license violations. The product uses copyleft-licensed code (GPL, AGPL) in ways that could require the entire codebase to be open-sourced. This can invalidate the IP value entirely.
Serious Red Flags (Valuation Impact)
- Zero automated tests. No unit tests, integration tests, or end-to-end tests. Every change is tested manually — or not at all. This is not unusual at seed stage but is a concern at Series A and beyond.
- Massive tech debt with no remediation plan. The team acknowledges significant tech debt but has no plan or budget to address it. This means every future feature takes longer and costs more.
- Vendor lock-in without alternatives. The entire system depends on a single vendor's proprietary technology with no migration path. If that vendor changes pricing or shuts down, the business is at risk.
- No deployment automation. Deploying to production requires manual steps performed by a specific person. This limits deployment frequency, increases error risk, and creates bottlenecks.
- PDPO non-compliance with customer data. The company collects and processes personal data without proper consent mechanisms, data protection policies, or breach notification procedures.
Every red flag has a remediation cost. A system with no tests needs a testing strategy — budget HK$100,000-300,000 and 2-3 months. A bus factor of 1 needs hiring and knowledge transfer — budget HK$300,000-500,000 and 3-6 months. Use these costs to adjust your valuation or structure the deal with technical milestones and holdbacks.
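Three of the critical red flags above (bus factor of 1, hardcoded secrets, copyleft licences in the dependency tree) can be given a mechanical first pass before the interviews start. The script below is an added example for this guide, not tooling from any firm named on the page; every input is a constructed sample embedded inline so it runs offline. On a real engagement you would feed it the output of `git shortlog -sn --no-merges`, the repository's configuration files, and a licence inventory from your dependency tooling. The 50% commit-share bus-factor heuristic, the bot-account markers and the regex rules are assumptions chosen for illustration, not an industry standard.

```python
"""First-pass checks for three critical due-diligence red flags:
bus factor from commit authorship, hardcoded secrets, and strong-copyleft
dependencies. All inputs below are constructed samples (added example)."""
import re

# Constructed sample in the shape of `git shortlog -sn --no-merges` output.
SAMPLE_SHORTLOG = """\
   412\tAlice Chan
     9\tBob Lee
     3\tdependabot[bot]
"""

# Constructed sample settings module: line 1 reads from the environment
# (fine), lines 2-3 embed credential literals, line 4 embeds a key block.
SAMPLE_SETTINGS = '''\
DATABASE_URL = os.environ["DATABASE_URL"]
STRIPE_API_KEY = "sk_live_placeholder0000000"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"
-----BEGIN RSA PRIVATE KEY-----
'''

# Constructed dependency -> SPDX licence inventory (fictional package names).
SAMPLE_LICENCES = {
    "requests": "Apache-2.0",
    "flask": "BSD-3-Clause",
    "pdf-renderer": "AGPL-3.0-only",
    "cli-helper": "GPL-3.0-or-later",
    "image-codec": "LGPL-2.1-only",
}

BOT_MARKERS = ("[bot]", "dependabot", "renovate")   # assumed bot naming conventions


def parse_shortlog(text):
    """Return {author: commit_count}, dropping automated bot accounts."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if not m:
            continue
        n, author = int(m.group(1)), m.group(2)
        if any(marker in author.lower() for marker in BOT_MARKERS):
            continue
        counts[author] = counts.get(author, 0) + n
    return counts


def bus_factor(counts, threshold=0.5):
    """Heuristic: smallest number of top authors whose commits together cover
    at least `threshold` of all commits. 1 means one person dominates."""
    total = sum(counts.values())
    if total == 0:
        return 0
    covered, authors = 0, 0
    for _, n in sorted(counts.items(), key=lambda kv: kv[1], reverse=True):
        covered += n
        authors += 1
        if covered / total >= threshold:
            return authors
    return authors


# (rule name, pattern); order determines report order within a line.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential-literal", re.compile(
        r"(?i)(api[_-]?key|secret|password|passwd|token)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]


def find_hardcoded_secrets(source):
    """Return [(line_number, rule_name)] for every rule hit, line by line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def strong_copyleft(licences):
    """Sorted [(package, licence)] whose SPDX id is GPL or AGPL. LGPL is weak
    copyleft and is left for manual review rather than flagged here."""
    return sorted((pkg, lic) for pkg, lic in licences.items()
                  if lic.upper().startswith(("GPL-", "AGPL-")))


def red_flag_report(shortlog=SAMPLE_SHORTLOG, source=SAMPLE_SETTINGS,
                    licences=SAMPLE_LICENCES):
    """Combine the three checks into one dict an assessor can paste into notes."""
    bf = bus_factor(parse_shortlog(shortlog))
    return {
        "bus_factor": bf,
        "bus_factor_red_flag": bf <= 1,
        "hardcoded_secrets": find_hardcoded_secrets(source),
        "copyleft_dependencies": strong_copyleft(licences),
    }


if __name__ == "__main__":
    for key, value in red_flag_report().items():
        print(f"{key}: {value}")
```

Treat every hit as a lead for the interview, not a verdict: a high commit share can reflect a founder who squashes everyone's work, and a regex cannot tell a live key from a fixture. What the script does give you is a list of concrete questions to put to the team and a written record of what was checked.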
What to Expect at Each Stage
Technical expectations should be calibrated to the company's stage. Holding a seed-stage startup to enterprise standards is unreasonable. But certain basics should be in place at every stage:
| Assessment Area | Seed / Pre-Series A | Series A | Growth / Acquisition |
|---|---|---|---|
| Architecture | Monolith is fine. Clean separation of concerns expected. | Modular monolith or early service separation. API-first design. | Scalable architecture. Services appropriately decomposed. Clear data boundaries. |
| Code quality | Readable code, consistent style. Linting configured. | Code review process. CI checks. Some test coverage (>40%). | High test coverage (>70%). Code review mandatory. Quality metrics tracked. |
| Security | HTTPS, hashed passwords, no secrets in code. Basic auth. | OWASP top 10 addressed. Dependency scanning. Access controls. | Security audits completed. Penetration testing. Incident response plan. |
| Scalability | Handles current load. No premature optimisation needed. | Can handle 5-10x current load. Scaling strategy documented. | Proven at scale. Auto-scaling configured. Performance SLAs defined. |
| Tech debt | Acceptable — speed was priority. Known and acknowledged. | Managed. Top debt items tracked. Remediation in progress. | Minimal. Systematic reduction process. Not blocking feature velocity. |
| Team | 1-3 developers. Bus factor of 2 minimum for core systems. | 5-10 engineers. Defined roles. Knowledge shared across team. | Structured engineering org. Multiple team leads. Hiring pipeline. |
| IP / Licensing | IP assignment agreements with all contributors. | IP audit completed. License compliance reviewed. | Full IP portfolio documented. Patent strategy if applicable. |
| Compliance | Basic PDPO awareness. Privacy policy exists. | PDPO compliant. Data processing documented. Consent mechanisms. | Full regulatory compliance. Audit trail. DPO or equivalent assigned. |
| Infrastructure | Hosted on PaaS. Manual but documented deployment. | CI/CD pipeline. Staging environment. Basic monitoring. | IaC. Full monitoring & alerting. DR tested. Multi-region if needed. |
| Documentation | README, basic setup guide, inline code comments. | API documentation. Architecture overview. Onboarding guide. | Comprehensive docs. ADRs. Runbooks. Knowledge base. |
Scoring Framework
Each of the 10 assessment areas receives a score from 1-5, weighted by importance. The weighted total produces an overall technology health score:
| Score | Rating | Description | Investment Implication |
|---|---|---|---|
| 4.0 - 5.0 | Strong | Technology is well-built, well-maintained, and positioned for growth. Minor issues only. | Proceed with confidence. Technology supports valuation claims. |
| 3.0 - 3.9 | Adequate | Technology works and is maintainable. Some areas need investment. No critical risks. | Proceed. Budget HK$100-300K for remediation in first 6 months. |
| 2.0 - 2.9 | Concerning | Significant issues in multiple areas. Requires substantial investment to reach acceptable standards. | Proceed with caution. Negotiate valuation reduction or milestone-based payments. |
| 1.0 - 1.9 | Critical | Fundamental problems. Technology may need partial or complete rebuild. High risk. | Reconsider deal. If proceeding, structure as acqui-hire or heavily discount technology value. |
A seed-stage startup scoring 3.0 is in good shape — they have built a working product with reasonable practices and can improve with investment. A growth-stage company scoring 3.0 is a concern — they should be more mature by now. Always interpret scores in context of the company's stage, team size, and the time they have had to build.
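To make the scoring framework concrete, here is the weighted calculation carried through on a constructed score sheet, using the weights from the assessment-areas table and the rating bands from the scoring table. This is an added example for this guide, not an assessment tool from any firm named on the page. One assumption: the page lists bands as 3.0-3.9 and 4.0-5.0, so a score between the listed edges (for instance 3.95) is assigned here to the lower band.

```python
"""Weighted technology health score over the 10 assessment areas.
Weights and rating bands come from the tables in this guide; the score
sheet is a constructed sample (added example)."""

# Area weights in percent, from the assessment-areas table (sum to 100).
WEIGHTS = {
    "Architecture": 15, "Code Quality": 12, "Security": 15, "Scalability": 10,
    "Technical Debt": 10, "Team & Knowledge": 12, "IP & Licensing": 8,
    "Compliance": 8, "Infrastructure": 5, "Documentation": 5,
}

# Lower bound of each rating band from the scoring table, checked in order.
# Assumption: a score between listed edges (e.g. 3.95) falls in the lower band.
BANDS = [(4.0, "Strong"), (3.0, "Adequate"), (2.0, "Concerning"), (1.0, "Critical")]

# Constructed score sheet for a hypothetical Series A target.
SAMPLE_SCORES = {
    "Architecture": 4, "Code Quality": 3, "Security": 2, "Scalability": 3,
    "Technical Debt": 2, "Team & Knowledge": 2, "IP & Licensing": 4,
    "Compliance": 3, "Infrastructure": 3, "Documentation": 2,
}


def weighted_score(scores):
    """Weighted total on the 1-5 scale, rounded to two decimals."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("score sheet must cover exactly the 10 assessment areas")
    if any(not 1 <= s <= 5 for s in scores.values()):
        raise ValueError("each area score must be between 1 and 5")
    assert sum(WEIGHTS.values()) == 100, "weights table must sum to 100%"
    return round(sum(scores[a] * WEIGHTS[a] for a in WEIGHTS) / 100, 2)


def rating(score):
    """Map a weighted score to the rating label from the scoring table."""
    for lower, label in BANDS:
        if score >= lower:
            return label
    return "Critical"   # a valid weighted score can never be below 1.0


def weakest_areas(scores, max_score=2):
    """Areas scoring at or below `max_score`, heaviest weight first: these are
    where remediation budget moves the overall score the most."""
    weak = [(a, scores[a], WEIGHTS[a]) for a in WEIGHTS if scores[a] <= max_score]
    return sorted(weak, key=lambda t: (-t[2], t[0]))


def assess(scores):
    """Overall score, rating band and the areas dragging the score down."""
    total = weighted_score(scores)
    return {"score": total, "rating": rating(total), "weakest": weakest_areas(scores)}


if __name__ == "__main__":
    result = assess(SAMPLE_SCORES)
    print(f"Weighted score: {result['score']} ({result['rating']})")
    for area, score, weight in result["weakest"]:
        print(f"  {area}: {score}/5 at {weight}% weight")
```

The sample sheet lands at 2.81, "Concerning", with Security (15%) and Team & Knowledge (12%) as the heaviest low scores; that ordering is the point of `weakest_areas`, since a one-point improvement in a 15% area moves the total three times as far as the same improvement in a 5% area. As the paragraph above says, the same 2.81 reads very differently for a seed-stage team than for an acquisition target, so the number is an input to judgement, not a substitute for it.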
Hong Kong-Specific Considerations
Technology due diligence in Hong Kong involves several jurisdiction-specific factors that global frameworks often miss:
PDPO Compliance
The Personal Data (Privacy) Ordinance is Hong Kong's primary data protection law. A target company's PDPO compliance posture directly affects risk and valuation. Evaluate:
- Data collection transparency. Does the company have a Personal Information Collection Statement (PICS) that clearly states what data is collected and why?
- Consent mechanisms. Are users providing informed consent for data collection? Is consent recorded and auditable?
- Cross-border data transfers. If data is stored or processed outside Hong Kong (common with cloud hosting), are appropriate contractual safeguards in place?
- Data access and correction procedures. Can the company fulfil data access requests within the PDPO's 40-day requirement?
- Breach notification readiness. Does the company have a data breach response plan? While HK does not yet have mandatory breach notification, it is expected and best practice.
Licensing and IP in Hong Kong
Hong Kong's legal framework for IP is robust, but common issues arise:
- Contractor IP assignment. Under Hong Kong employment law, IP created by employees during employment generally belongs to the employer. But for contractors and freelancers, IP ownership must be explicitly assigned in writing. Verify that all code contributors have signed IP assignment agreements.
- Outsourcing firm agreements. If development was outsourced (common in HK), review the outsourcing contract for IP clauses. Some firms retain IP rights unless explicitly assigned — this can invalidate the target's core asset.
- Government funding IP conditions. Companies that received Cyberport or HKSTP funding may have specific IP-related obligations or reporting requirements. Review the funding agreement terms.
Post-Acquisition Integration Planning
Due diligence findings should directly inform the post-acquisition technology integration plan. Here is a framework for the first 100 days:
| Phase | Timeline | Activities | Priority |
|---|---|---|---|
| 1. Stabilise | Days 1-30 | Secure all credentials and access. Set up monitoring. Document current state. Identify single points of failure. Establish communication with the engineering team. | Prevent anything from breaking during transition |
| 2. Assess & Plan | Days 15-45 | Deep-dive into codebase beyond due diligence findings. Identify critical fixes (security, stability). Build remediation roadmap. Evaluate team capabilities and gaps. | Understand true state and create realistic plan |
| 3. Quick Wins | Days 30-60 | Fix critical security issues. Set up CI/CD if missing. Implement monitoring and alerting. Begin knowledge documentation. Address the highest-impact tech debt items. | Reduce risk and demonstrate progress |
| 4. Integrate | Days 45-90 | Integrate with acquirer's development processes. Align coding standards. Set up shared tooling. Begin cross-team knowledge transfer. Implement compliance requirements. | Operational alignment |
| 5. Optimise | Days 60-100 | Execute tech debt remediation. Improve test coverage. Refactor high-risk areas. Plan long-term architecture evolution. Establish ongoing metrics and reporting. | Build foundation for future growth |
The biggest risk in post-acquisition integration is losing the engineering team. In Hong Kong's competitive tech job market, engineers with experience at acquired companies are highly sought after. Implement retention packages (typically 12-24 month vesting), give engineers clear roles in the combined entity, and involve them in integration planning. Losing 2-3 key engineers in the first 6 months can set back the integration by a year.
Frequently Asked Questions
A focused assessment for a seed-stage startup takes 1-2 weeks. Series A companies require 2-4 weeks. Growth-stage or acquisition targets with complex systems may take 4-8 weeks. The timeline depends on code access (how quickly it is granted), team availability for interviews, and the scope of systems to review. Parallel workstreams (code review, infrastructure audit, compliance review) can compress the timeline.
A basic code review and architecture assessment for a seed-stage company costs HK$30,000-60,000. Comprehensive due diligence covering all 10 areas for a Series A company costs HK$80,000-200,000. Full due diligence with penetration testing and compliance review for acquisition targets costs HK$200,000-500,000. This is typically a fraction of a percent of the investment at stake — a small insurance premium against significant risk.
The five most critical red flags are: bus factor of 1 (one person holds all knowledge), no clear IP ownership documentation, hardcoded secrets in the codebase, no version control, and critical unpatched security vulnerabilities in production. Each of these represents a fundamental risk to the business — not just a technical issue, but a business continuity or legal liability concern.
Both, ideally. Your CTO understands strategic technology requirements and can evaluate architectural decisions in business context. An external firm brings objectivity, structured methodology, and experience across many codebases — they know what "normal" looks like at each stage. The external firm produces the assessment report; your CTO interprets the business implications and informs the investment decision. For investments above HK$5M, external due diligence is strongly recommended.
Yes, materially. The target company's PDPO compliance posture is a significant finding. Non-compliance creates legal liability that transfers to the acquirer. Key areas to assess: personal data collection and processing practices, consent mechanisms, cross-border data transfer arrangements, data retention policies, breach notification procedures, and access request handling capabilities. Serious PDPO gaps should be factored into the valuation or addressed with indemnification provisions in the deal structure.
Get an Expert Technology Assessment
At Astera Technology, we conduct technology due diligence assessments for Hong Kong investors, VCs, and corporate acquirers. Our structured methodology covers all 10 assessment areas, produces a scored report with actionable findings, and includes a remediation cost estimate that informs your investment decision. We have assessed startups from Cyberport, HKSTP, and private portfolios across SaaS, fintech, e-commerce, and healthtech.
Whether you are evaluating a seed investment or an acquisition target, book a confidential consultation and we will scope the assessment, provide a timeline and fixed fee, and deliver an objective, thorough technology evaluation that protects your investment.