Technical Due Diligence

Seed checklist

Post-product / pre-scale

Is this tech sustainable as the team and user base grow?

25 questions analysed
4 pillars covered
AI automated analysis

At seed, the product is working and the team is growing. The question shifts from 'can they build?' to 'can they scale the team and the product?' Technical debt incurred at this stage tends to compound rapidly as engineers are added and pressure to ship increases.

Key focus at this stage

01

Test coverage on critical paths (payments, auth, core product)

02

Architectural separation of concerns for parallel team work

03

Security posture ahead of first enterprise customers

Code Quality

Can multiple engineers work efficiently in this codebase?

7 checks
01

What is the test coverage, and are critical paths such as authentication, payments, and core product logic covered?

Untested payment logic or authentication flows at seed stage are a risk worth flagging at IC level.

02

Is the architecture designed to allow multiple engineers to work in parallel without constant merge conflicts?

Engineering velocity slows dramatically when the codebase does not support parallel work.

03

Are concerns well-separated between business logic, data access, and presentation layers?

Entangled layers are the most expensive form of technical debt to unwind, especially as teams grow.

04

Is there evidence of deliberate refactoring, or does new code simply accumulate on top of old code?

Refactoring cadence predicts future velocity better than current code quality. No refactoring means debt is compounding.

05

Are API contracts between frontend and backend stable and documented?

Unstable contracts generate a hidden coordination cost across the team on every sprint.

06

Are there god classes or functions over 300 lines that concentrate too much logic in one place?

Complexity concentration creates knowledge silos and makes testing nearly impossible.

07

Is dependency management automated, with regular security patch notifications?

Manual dependency management at seed scale creates a slowly accumulating vulnerability backlog.

Security

Is the security posture ready for early enterprise customers?

6 checks
01

Is there a formal approach to secrets management using environment variables or a dedicated secrets manager?

Moving from hardcoded secrets to proper management is the minimum expected standard at seed.

02

Is authentication implemented using an established library or provider, or is it custom-built from scratch?

Custom authentication code at seed stage is almost always a mistake. It is rarely audited and hard to maintain.

03

Is sensitive user data encrypted at rest and in transit?

Unencrypted PII creates a regulatory liability before the company is large enough to handle a breach.

04

Are there rate limiting controls on login endpoints and public-facing APIs?

Without rate limiting, brute-force and credential-stuffing attacks require no sophistication to execute.

05

Is there a basic audit trail for significant user actions such as account changes or data exports?

Enterprise customers and regulators will ask for this. Retrofitting audit logging into an existing system is expensive.

06

Are third-party integrations scoped to minimum required permissions?

Overly broad OAuth scopes and API keys are a common source of supply-chain exposure.

Scalability

Will this survive the growth that comes with seed funding?

6 checks
01

Are database queries using appropriate indexes for the current read/write patterns?

Missing indexes that are invisible at 1,000 users routinely cause outages at 100,000 users.

02

Is connection pooling implemented for database access?

Without pooling, a traffic spike that would otherwise be manageable can exhaust database connections instantly.

03

Are background jobs and async queues used to offload expensive operations from the user-facing request path?

Synchronous processing of anything expensive in the request path is the fastest path to a slow product at scale.

04

Are application servers stateless, enabling horizontal scaling without sticky sessions?

Stateful application servers require load-balancer configuration changes to scale, adding operational complexity.

05

Is static asset delivery decoupled from the application server using a CDN?

Serving static assets from the app server adds unnecessary load and latency at scale.

06

Can a new environment be provisioned without manual configuration steps?

Manual environment provisioning creates hidden ops debt that slows every future engineer hired.

Stability

Can the team ship continuously without breaking production?

6 checks
01

Is there a CI/CD pipeline that runs tests and deploys automatically on merge?

Manual deployment at seed stage introduces unnecessary human error and slows iteration.

02

Is there error monitoring and alerting in production?

Without error monitoring, the team learns about production issues from users, not from systems.

03

Are database migrations managed by a migration framework and applied as part of the deployment pipeline?

Ad-hoc database changes are a common source of production incidents at seed stage.

04

What is the deployment frequency? Is the team shipping multiple times per week, or less than once a month?

Low deployment frequency is a leading indicator of accumulated risk and slowing iteration speed.

05

Can the database be restored from backup within 24 hours? Has this ever been tested?

Many seed-stage companies have backups that have never been tested. Untested backups are not backups.

06

Are there integration or end-to-end tests beyond unit tests?

Unit tests catch logic bugs. Integration tests catch the bugs that matter to users in production.

Run all 25 checks automatically in under 2 minutes

TechSignal runs this full Seed checklist against the actual codebase using AI agents. No spreadsheets. No manual review. Results ready before the meeting.
