Although electronic timestamping is mostly used when electronically signing documents, as you will see today, it is useful in many other areas for proof and traceability purposes. Vaultinum, a trusted third party, regularly provides support to its customers through its reliable, adaptable and secure timestamping system.

I developed a software. How can I protect myself against possible appropriation by a third party? How can I prove that I developed it before a third party?

According to article L111-1 of the Intellectual Property Code, “the author of a work of the mind shall enjoy in that work, by the mere fact of its creation, an exclusive incorporeal property right which shall be enforceable against all persons.” In other words, and subject to fulfilling certain conditions such as originality, copyright protection exists from the moment a work is created and does not require any additional formality, contrary to a trademark or an invention. This remains true throughout the 179 signatory countries of the Berne Convention. 

In the absence of compulsory registration with an office, it can, however, be difficult to provide proof of the existence and the content of a digital creation on a specific date, that is to say before that claimed by a possible infringer.  It is therefore recommended to create a so-called “evidentiary repository” with a trusted third party such as a bailiff, a notary, or Vaultinum. 

Due to its technology involving the use of symmetric and asymmetric encryption algorithms, hash functions/fingerprint creation and electronic timestamping guaranteeing the integrity of the transmitted elements, the deposit made with Vaultinum: 

 materialises the content of the digital creation;

All preparatory documents necessary to file a patent application can also be filed.  Indeed, the procedure for filing a patent with a patent granting authority (such as the European Patent Office, the Federal Institute of Intellectual Property in Switzerland, the National Institute of Industrial (INPI) in France, the National Intellectual Property Office in China or the United States Patent and Trademark Office) is a long and complex procedure which very often responds to the rule of "first come, first served".  In this context, the evidentiary repository presents several advantages:

It limits the risks of appropriation of an invention by partners and/or third parties;

It affixes a date certain to ideas, projects, preparatory documents, etc. pending validation of a patent application;

It records the results of research (especially laboratory notebooks) as and when discoveries are made so as to preserve prior rights and ensure a fair distribution of rights between employees;

It proves that an invention kept secret was developed before a third party filed a patent on it, allowing the inventor to continue to use it (right of prior personal possession). 

In accordance with the GDPR, I use the email addresses of prospects to send them offers if I have their prior consent. I also delete this data three years as from the last contact with the individual concerned. In the event of a CNIL control, how can I prove my compliance with the GDPR?

In cases where the legal basis for processing is consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of personal data concerning them.[1] 

In practice, compliance with this obligation can be complicated as the text does not specify how this evidence can be reported. It is therefore essential for the data controller to be equipped with a tool ensuring the conservation and traceability of the following elements: 

the information communicated at the time of consent; and

if applicable, the date of withdrawal of consent. 

On this point, the French Data Protection Authority (CNIL) indicated, in March 2017, that "the digital timestamping of the indication of consent (by means of a click or a ticked box) and the implementation of a procedure for obtaining consent, duly documented, must be considered as a valid means of establishing proof of consent”.[2] 

Vaultinum offers a reliable, adaptable and secure solution for timestamping and automated archiving thanks to its API. In addition, Vaultinum is a partner of CMP (Consent Management Platform) and as such, ensures the timestamping and, if necessary, the archiving of consent records. 

As a businessperson, I offer discounts on certain items sold on my e-commerce site. Regulations require me to justify the reference price from which the reduction is applied. How can I do this?

The authenticity of discounts offered during promotional operations is assessed with regard to unfair commercial practices (Article L. 121-2 to L. 121-5 of the Consumer Code). Price reduction announcements to consumers are governed by the decree of 11 March 2015.[3] Under article 2 of this decree, sellers are required to indicate, in addition to the announced price reduction, the reference price on the basis of which the announced reduction is calculated. 

Although professionals are free to determine the reference price of their choice (for example, regular price, competitors’ price, recommended price), they must be able to "justify the reality of the reference price on the basis of which the price reduction is announced”.[4]  To do this, they may use notes, slips, order forms, sales receipts, catalogues, advertising leaflets or any other documents; all the means of proof first set out in the circular of 7 July 2009 specifying the provisions of the decree of 31 December 2008 (repealed)[5].  However, these means are costly and difficult to execute, especially when price reductions are offered online and repeatedly. They also necessitate tremendous data collection and evidence-based archiving. 

With a view to limiting the impact of these regulations and simplifying the application of price reductions, professionals are recommended to use an automated timestamping tool to ensure the preservation, traceability and integrity of the following elements:

the chosen reference price (example: price applied by a competitor);

the location of the chosen reference price (example: a website page);

the date of application of the chosen reference price. 

The implementation of reliable and recognized means of proof to justify the reference price is all the more important as the General Directorate for Competition, Consumption and Fraud Control (DGCCRF) has for several years now, been closely monitoring online sales and particularly misleading price reduction announcements, as can be seen from its recent surveys.[6] 

Vaultinum provides support to e-commerce companies by offering them a turnkey solution for timestamping and archiving proof related to the applied reference price. Through this adaptable, reliable and secure solution, the e-merchant can connect to an API and thus manage thousands of data at a time, in an automated manner. 

An employee repeatedly logged on to sites expressly prohibited by the company’s IT charter. How can I prove this in a reliable way?

Whether human or technical, each action taken in an IT system is likely to leave tracks which must be recorded. These could be: 

successful connection to an application; 

attempted intrusions into the information system;

The National Information Systems Security Agency (ANSSI) emphasizes that event logs are an essential technical component to manage the security of information systems. However, these can serve as evidence only if the log files reliably connect certain events to a particular point in time. 

To ensure this reliability, events cannot be timestamped through sole use of the computer's internal clock, as this is easily falsified and deviates naturally over time. The ANSSI first recommends synchronizing the clocks of IT equipment with several internal time sources that are coherent with each other, themselves synchronized with several reliable external sources.[7] Secondly, a logging system must be set up in accordance with applicable regulations and the recommendations of the CNIL insofar as the main objective of logging is to allow the person or the equipment causing an event to be identified directly or indirectly. Finally, logs must be signed and timestamped as soon as they are created so as to ensure their integrity. 

As a large-scale distributor, I would like to ensure the traceability and transparency of some of my products of animal origin. How can I do this?

Following a number of scandals that testified to a lack of supply chain transparency in the food industry, regulation no. 178/2002 of 28 January 2002 introduced a requirement for food traceability at all stages of production, processing and distribution[8] in order to identify sources of contamination more quickly. 

The same question arises with regard to environmental protection.  Soon, food and product traceability will allow for the display of information on the environmental footprint of a product. 

 In terms of supply chain (agro-food, luxury goods, wine, pharmaceutical industry), electronic timestamping and, more generally, timestamping applied to "blockchain" technology (a chain of records allowing to keep track of a set of information, in a decentralized, transparent and secure way), has a real potential to ensure timestamping, traceability and control of the origin of a product.  

At every stage of the supply chain (producer, processor, distributor), a certain amount of information (dates, origin) concerning a food product, from its manufacture to its sale, will be recorded in a timestamped blockchain register. Depending on the case, the recording on the register could be done either by means of human intervention such as a photograph of the items, or automatically, through the use of connected sensors.[1]  Each actor in the supply chain can access the blockchain register to learn the identity of the person who first entered the information, the content of information itself (the integrity of which is guaranteed), and the date of registration of this information.  

And yet, blockchain has its limits.  Distributors and other importers need to protect their commercial networks and other trade secrets. The transparency of blockchain prevents this protection, but another solution exists. It consists of validation by a trusted third party by virtue of the presence of secure, timestamped register systems at each stage of the supply chain. 

In practice, a leading European brand has already chosen blockchain timestamping for its chicken industry. Each actor in the supply chain can enter and timestamp traceability information which is of interest to them, and which will, for the most part, be communicated to the consumer by means of a QR Code[2]. 

Vaultinum provides support to its clients in setting up a timestamping system to date the events registered throughout the supply chain. Using the Vaultinum API, client or blockchain systems can interface with Vaultinum’s timestamping solution and continuously and automatically timestamp thousands of events in a reliable, secure and adaptable manner.

6. Quality assurance and monitoring of document versions

To play it safe, my service provider has put in place a business continuity plan ("BCP") to manage force majeure or crisis situations. This BCP is essential for my business. It is updated every year. How can I be sure that the plan I have is the latest version and that it has not changed?

Business continuity plans (BCPs) have long been required by buyers of products and services.  These plans are generally tested and updated annually.  They are essential because they provide information on the measures taken to avoid service interruptions on the supplier's side, for example, in the event of unforeseeable events or natural disasters and, and in turn, on the buyer's side. As such, it is essential that tests and updates are timestamped and securely archived in order to maintain documentary evidence over time and ensure the legal protection of all parties concerned.

Vaultinum provides secure and reliable archiving and timestamping services.

Data and information are often submitted online and are sometimes used to generate positions, offers or assessments. In order to avoid any dispute related to the content of the information submitted and its date of submission, and to guarantee that requests are dealt with properly and within a given timeframe, content should be archived securely and with a timestamp token.

Vaultinum supports banks and insurance companies by offering them a turnkey solution for timestamping and secure archiving of online requests.  This adaptable, reliable and secure solution enables the automation of certified timestamping and secure archiving, thanks to the Vaultinum API. 

Invoicing has a number of consequences, particularly in terms of payment deadlines but also with regard to deadlines for taxes and other fees. How can I make sure that I can provide proof of electronic invoicing and the date it was issued/sent? 

The digitalization of invoicing processes promises significant efficiency gains and cost reductions. At the tax level, article L 102 B of the French Tax Procedure Code, amended by article 16 of the Amending Finance Law for 2016 allows taxpayers to digitize their paper invoices received and issued and to keep them in digitized format for the fiscal retention period of 6 years. The regulations specify that digitized invoices must meet two conditions; they must be secured to ensure their integrity, and they must be timestamped. Although the timestamp can be internal, a timestamp certified by a trusted third party or a qualified timestamp process is essential to avoid disputes, especially since the timestamping of invoices is also used to enforce payment deadlines and calculate late payment penalties. 

Vaultinum has developed an API to which clients can connect to obtain an automated certified timestamp of each document with the additional possibility of secure archiving.

With the digitalization of entire sectors of the economy, certified timestamping will become increasingly important in commercial relations since it will be the best way to demonstrate that an action has been taken. In addition, electronic timestamping does not only affix a date to a document, it also attests to the integrity of the content of the document it dates, which is a definite evidential advantage.

If you would like more information on the services offered by Vaultinum in the area of timestamping, you can contact the legal department at the following address: legal@vaultinum.com.

[1] Regulation (EU) 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, art. 7.

[2]Commission nationale de l’informatique et des libertés, Consultation publique sur le règlement européen, mars 2017.

[3] Decree of 11 March 2015 relating to price reduction announcements to consumers.

[5] Circulaire du 7 juillet 2009 concernant les conditions d’application de l’arrêté du 31 décembre 2008 relatif aux annonces de réduction de prix à l’égard du consommateur, p. 6.

[6] Communiqué de presse, Pratiques commerciales des enseignes de vente en ligne : la DGCCRF a transmis à l’autorité judiciaire les conclusions de ses investigations concernant le site vente-privee.com, 10 janvier 2019.

[7] Agence nationale de la sécurité des systèmes d’information, Note technique – Recommandations de sécurité pour la mise en œuvre d’un système de journalisation, 2 décembre 2013.

[8] Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety, art. 18.

[9] Etude réalisée par Blockchain Partner, Supply Chain, Traçabilité & Blockchain, 10 juillet 2017.

[10] Dalila BOUAZIZ, Carrefour lance la première blockchain alimentaire d’Europe, E-commerce mag, 6 mars 2018.

With the digitalization of entire sectors of the economy, certified timestamping has become increasingly important in commercial relations as it is one of the best ways to demonstrate that an action has been taken.  This article will explore the many areas where electronic timestamping is useful for proof and traceability purposes.

How can electronic timestamping be useful for proof and traceability purposes in commercial relations ?

It has been customary throughout the centuries to record events and all related information, notably the date of the event, in registers. Record-keeping has been an essential element in the development of organized human societies. Thus, already in ancient Rome, bankers chronologically recorded all deposit and withdrawal transactions in their registers. The same applied to auction records, trade records, and others. The Templars used similar registers in the 12th and 13th centuries and even created a secret code verification system that allowed pilgrims to travel without having to carry any belongings, goods or cash on their person. In the 9th century, the ancestor of the banknote, called "flying money" or "Fey-thsian", made its appearance under the Tang dynasty and involved a system of deposit registers and dated receipts. In 14th-century France, the Church established the use of parish registers, precursors of civil registries, in which baptisms, marriages and burials were recorded and dated and which were often used as evidence during trials.

 The practice of associating a date or even a time with an event or a document, also called “timestamping”, has its roots in the need to produce evidence to assert or confirm a right or an obligation during a dispute or litigation. Administrations often ask citizens to provide an extract of a birth certificate not older than three months. The reason for this request is not related to the birth as such, but to the person's status at the time of the request. Indeed, the birth certificate also mentions important events creating rights or obligations (marriage, divorce, civil partnership, guardianship, etc.). The affixing of the stamp and the date by a registrar on the extract provides this proof.

 But how do you verify the existence of electronic data? The digitalization of entire sectors of economic activity has led to the need for electronic timestamping, to verify both timing and content. In many areas such as intellectual property, personal data protection and IT, it has become essential to prove the existence of specific data at a specific date and time. In the absence of such proof, a person could be denied rights which are rightfully theirs and/or be wrongly penalised.

 In our previous article we briefly introduced you to the general principles of timestamping.  Today we are going to go deeper and guide you through the process of electronic timestamping; what it is, how it works and lastly, how it operates in a legal context.  On this last point, electronic timestamping raises many questions, notably as to the reliability of the process. The debate on the probative value of emails is still recent. Everyone knows how easy it is to change the local time on a computer or a computer system. Consequently, a new law had to be introduced to regulate electronic timestamping systems and thus set certain technical requirements to guarantee their reliability as evidence. 

All computer systems are equipped with a real-time clock which indicates the current date and time for various operations carried out on the device, such as creating a file or sending an email. These clocks keep accurate time even when the device is turned off, because not only are they powered by a battery located on the computer's motherboard, but they are also connected to the Internet. As such, this internal computer clock already provides a form of electronic timestamping, but it is unreliable. Not only can we manipulate the date and time within the software, but we can also tamper with the system clock to change the date and time associated with records in the event logs, the file system or in database transactions.

To achieve the same reliability as provided by a registrar stamping a certificate, the initial regulations called for the participation of a trusted third party in the electronic timestamping process.  Timestamping was defined for the first time in article 1 of the decree of 20 April 2011 as the “mechanism associating a representation of data at a particular time and attesting to the existence of the representation of this data at this instant by means of a timestamp token [which] includes a stamp from the electronic timestamping service provider established using the signature data of the timestamp token”. This definition of electronic timestamping therefore presupposes the use of a trusted service provider, which de facto excludes certain forms of electronic timestamping. 

A few years later, in 2014, the European Union regulation on electronic identification and trusted services for electronic transactions in the internal market, known as the eIDAS regulation, was adopted. It aims to allow the free circulation of timestamp tokens and therefore facilitate trade for more than 400 million people. In this regulation, electronic timestamping is defined more largely as "data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time".

In other words, electronic timestamping is a process whereby a date and time can be electronically bound to other data in electronic form to certify, either with or without the intervention of a trust service provider, of its existence or execution at a given moment and also to attest to its content at that precise time.

What are the two recognized types of electronic timestamping?

The eIDAS regulation mentions two categories of electronic timestamps: 

Non-qualified or simple electronic timestamping;

The regulation does not provide a specific definition for simple electronic timestamping. It is understood that a timestamping process that does not meet the conditions indicated in the eIDAS regulation is of the non-qualified type. 

Conversely, article 42 defines qualified electronic timestamping as fulfilling the following conditions:

It binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;

It is based on an accurate time source linked to Coordinated Universal Time; and

It is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.

Regarding this last condition, the eIDAS regulation leaves room for innovation and the development of a method ensuring a level of security equivalent to the advanced electronic signature or the advanced electronic seal. It is up to the trust service provider to demonstrate that its method meets the requirements set out in the eIDAS regulation.

Electronic timestamping (with use of a trust service provider) is a “process which links the representation of a data to a particular time". To apply a timestamp to data in electronic form (example: a contract, software source code, an invoice, an electronic medical prescription, a price indication, a ticked box on a form, access to an information system), a unique identifier must be generated through use of the hash function. This step is essential in order to create a reliable and unique representation of the data; that is, a virtual fingerprint. This is then transmitted to the timestamping service authority, which combines the digital fingerprint with the exact date and time based on Coordinated Universal Time (UTC). The reliability of this combination is guaranteed by means of a timestamp token, which is a type of signed certificate containing:

-          the digital fingerprint or representation of the data;

-          the UTC date and time;

-          the timestamp token seal. 

Under the French decree on electronic timestamping, the timestamp token seal allows the identification of “the electronic timestamping service provider that issues it and ensures a link with the timestamp token to which it is attached.” It is the combination of the timestamping authority’s private key and a public key, communicated to the user by means of an electronic certificate.

At the end of the timestamping process, the timestamping authority sends all these items to the user and also archives them. 

The legal admissibility of electronic timestamping as evidence

Timestamps, even when electronic, are admissible as evidence in the courts of the European Union.

Thus, a non-qualified electronic timestamp is admissible in court, in particular when evidence can be produced by any means. In point of fact, article 41§1 of the eIDAS regulation establishes a principle of non-discrimination as regards electronic timestamping, accepting it as evidence in court at the same level as manual timestamping, even if it does not meet the requirements of qualified electronic timestamping. The same holds true for non-qualified electronic registered delivery services. 

In Switzerland, the SCSE regulation of 2016 provides a legal framework that is similar to eIDAS.  Although SCSE does not provide specifications on the technical standards that need apply, the Swiss Federal Council recognizes as valid, processes that have been implemented in line with eIDAS standards.  As with eIDAS, SCSE grants a higher probative value to certificates issued by qualified trust service providers.

Presumption of reliability in favor of qualified electronic timestamps

Contrary to the simple electronic timestamp, a qualified electronic timestamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound (article 41§2 of the eIDAS regulation). This provides a significant advantage in the event of litigation or dispute, as it allows to reverse the onus of proof and the burden of proof can be shifted onto the party challenging the reliability of a qualified timestamping system. In this context, a part of the doctrine equates qualified electronic timestamping with the electronic version of the legal concept of "certain date".

By extension, in France, article L100 of the postal and electronic communications code states that electronic registered delivery is the equivalent of physical registered mail as long as it meets the requirements of article 44 of the eIDAS regulation, especially as regards the use of a qualified electronic timestamp. In this case, the data sent and received by means of a qualified electronic registered delivery service benefits, among other things, from a presumption as to the integrity of the data and the correctness of the date and time of sending and reception. In fact, an electronic timestamp applied to registered mail has an advantage over physical registered mail, because electronic timestamping not only certifies the date but also the content, which physical registered mail does not.

Thus, when Vaultinum, a trusted third party in the electronic timestamping process, timestamps electronic documents such as an invoice, a reference price or a deposit, the Vaultinum stamp both provides a certain date to the documents in question as well as attests to their content at the time of affixing the timestamp token. As such, this content cannot be altered.

Vaultinum has long been providing physical and electronic timestamping services as part of its activities as a trusted service provider, particularly for the deposit and archiving of digital assets or records.  Visit us at https://vaultinum.com/timestamping to learn more about our timestamping solutions.  

The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.

The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.

The practice of associating a date and time with an event, also called “timestamping”, has its roots in the need to produce evidence to assert a right during a dispute or litigation.  But how do you verify the existence of electronic data? The digitalization of entire sectors of economic activity has led to the need for electronic timestamping.  This article will review the ‘what’ and ‘how’ of electronic timestamping in the overall legal context.  

The practice of associating a date and time with an event, also called “timestamping”, has its roots in the need to produce evidence to assert a right during a dispute or litigation. S what is Electronic Timestamping and how does it work?

What is Electronic Timestamping and how does it work? 

Due diligence has become one of the buzzwords of the 21st century. And there is a good reason for it. After all, we live in an age of data explosion where information is easily available, but its veracity itself is in question. In such a situation, due diligence and due diligence mechanisms are essential tools in the digital economy.

 But what exactly does due diligence mean, and how it is it carried out? Are there different kinds of due diligence that apply in different situations? These are some of the questions that we'll attempt to answer today.

What Is Due Diligence And Why Is It Important?

Due diligence is a process that involves checking the validity of a position, action or status. It is the opposite of negligence, or the accepting of things at face-value. 

 The origins of the term "due diligence" can be traced back to US legislation that sought to protect investors against misinformed investments. Here, investment brokers were required to disclose all essential information about the business being invested in. In case they failed to do so, they could be held liable and faced prosecution.  However, brokers raised concerns regarding the fact that they themselves might not always have access to the required information, and in such cases, they should not be held responsible for withholding the same.  To protect brokers from wrongful lawsuits, the legislation was adapted such that so long as they exercised "due diligence" in their investigations, then they were not liable to be prosecuted for not disclosing any information they were not privy to.

 Due diligence plays an important role not just in business but, as you will see, in the overall proper functioning of the economy.  We will take a brief tour through a few of the areas that you may have encountered due diligence and in doing so, you will understand what it is and begin to see the outsize role this process has in everyday life.

 The most obvious is in the context of employment; a reference or background check is an example of due diligence.  For example, a prospective employee claims that they graduated from a prestigious university and have extensive work experience in a certain area.  The employer would verify this information with the university as well as former employers.  This type of due diligence may also involve criminal background screening.  

 In some industries criminal background screening is compulsory.  The human resources department of the potential employer, for example, conducts due diligence in this respect so as to verify the criminal status of the candidate.  

 A bank also conducts due diligence for loan applicants to make sure that they have not defaulted on previous loans or that they are not over-stretched financially and at risk of defaulting.

 Another example is that of a client who conducts due diligence on potential suppliers to check that they will be able to perform the expected services or deliver the goods at the required quantity and quality levels.  This due diligence may entail verifying references or researching a supplier’s track record or their reputation in the market.

 But due diligence is not only directed at others. Introspective due diligence is also an important part of company management and operations.  A company who has set principles for sustainable growth would want these applied at all times and across the board.  In conducting its own due diligence, it will check that:

it has appropriate policies and processes in place to comply with regulations, grow the business in a healthy and sustainable manner, maintain a culture of ethical business dealings, show that it is serious about what it represents and expects in terms of ethics and behavior,

its policies and processes are properly implemented on an ongoing basis, and

relevant information about the organization is gathered and stakeholders are aware of any issues.

Company due diligence is also essential when dealing with other businesses.  For example, clients will often expect that their suppliers or subcontractors abide by the same kind of principles as they themselves adhere to.  Why define standards and principles if these are not applied consistently across the supply chain?  

 Another important aspect of due diligence is its status as a recognized defense in litigation.  For example, in the context of an Initial Public Offering (IPO), certain parties who participated in the preparation of the IPO documentation, including the registration statement, may be able to use a due diligence defense if the registration statement contains misleading information or material misinformation.  

 Underwriters, lawyers, accountants, officers, and directors will try to show that they conducted a reasonable investigation of the information contained in the registration statement and that it was their belief, following such investigation, that such document contained no material misinformation or misleading statements. Demonstrating that such due diligence was indeed conducted will enable them to avoid liability.  

Finally, due diligence is sometimes imposed by law, and failure to conduct effective due diligence in accordance with legal guidelines can trigger liability.  For example, the US Bank Secrecy Act requires financial institutions to adopt an anti-money laundering program which is basically a due diligence policy and process.  Financial institutions need internal systems and controls, including policies and procedures, designed to help employees detect and prevent money laundering activities, a compliance officer in charge of monitoring the implementation of the program, training and awareness raising exercises and certification for senior employees, independent third-party audits to check, with impartiality, that the program is fully implemented.

As you have seen from the various examples above, in today’s world, due diligence has become a necessary aspect of conducting any business transaction. Whether you're hiring a new employee or looking to acquire a company, due diligence is an essential part of the process.

And due diligence need not be restricted to business alone. In every aspect of life today, we need to exercise due diligence in order to ensure that the required safeguards are in place to protect our interests. Whether to secure investments, perform a security risk assessment, or undertake vulnerability tests, the appropriate due diligence processes must be used to ensure the veracity of the operation.

Here, the question arises: is all due diligence the same? The short answer is: yes and no. While the basics of conducting due diligence remain the same, the exercise takes on different meanings and objectives in different settings. In the following section, we're going to look into some of the common types of due diligence that can be performed in various business situations.

What Are The Different Types Of Due Diligence?

Are you looking to open a new bank account? Or maybe you're interested in digital investments? Whatever the case, due diligence is either required or useful. In the sections that follow, we're going to introduce you to the many types of due diligence that are required to get the task done appropriately.

Acquisition due diligence is necessary when one business entity is looking to take over another business. This is a matter of common sense. After all, if you're buying something as substantial as a large business, it is essential that you perform the required background checks.

 Acquisition due diligence involves investigating the financial as well as technical prospects and viability of the business you're looking to acquire. This itself has multiple dimensions, such as:

And this is just the tip of the iceberg. Mergers and acquisitions are complex processes that require caution on multiple levels. Not only do you, as the acquirer, need to be sure that you're making a sound investment, you also have to make the seller comfortable and get as much information as possible from them. Acquisition due diligence aims to help you do just that.

Everyone who has a bank account has, knowingly or not, experienced KYS or Know Your Customer due diligence.  When providing the bank with detailed and personal information in order to open an account, the customer is helping the banks to “check the box,” so to speak.  The information provided is required in order for the banks to comply with regulations and demonstrate to regulators that they have done their “homework” in performing effective due diligence.  Banks take the information provided and check it against databases of known criminals or sanctioned persons such as the UN, OFAC, AUSTRAC and EU. The KYC information is proof that they have been diligent in ensuring that they checked who their customers are.  

 KYC due diligence is good business practice but it is not voluntary.  

 In today's complex business landscape, it's not sufficient to know just the financial side of your dealings. You also need to keep a close watch on who you're dealing with. Not performing the right background checks on business partners and customers can expose some businesses to hefty fines and lawsuits.

 That's exactly where KYC due diligence comes into the picture. This is a process aimed  at ensuring that you're entering into a business transaction with the right person. Especially in the case of financial institutions such as banks and insurance firms, KYC due diligence takes on a vital role. KYC due diligence is usually performed by financial entities when opening a new account or investment portfolio. KYC due diligence lets you know more about the person you're dealing with, their past business records, and financial performance. All this information can come in handy when assessing whether a customer is indeed a reliable entity or a risk.

 However, KYC due diligence goes beyond mere regulatory requirements. It helps your business gain greater insights into the customer and their unique needs and requirements. In this way, you can better serve your customers and enhance your business in turn.

 Another type of due diligence that must be mentioned here is enhanced due diligence. It's a stricter form of KYC due diligence and involves deeper background checks.

Also known as pre-IPO due diligence, this is a form of due diligence that involves checking whether a business is ready for its Initial Public Offering. It's essential that a financial institution carries out complete, rigorous, and thorough due diligence in order to understand the maturity status of the market before a business launches its IPO.

In IPO due diligence, experts conduct a detailed analysis of the business's legal, financial, and tax-related status. The emphasis is  on operations, IT, and HR aspects. Seen in this light, IPO due diligence is similar to acquisition due diligence.

Further, in this form of due diligence, it's important to conduct a detailed analysis of the company's business model so as to understand its feasibility and long-term sustainability. The entire process also needs to take into account the competition levels, risks, and strengths. In other words, a thorough SWOT analysis.

IPO due diligence is an essential part of the IPO process, as it helps the business understand whether they are ready for the IPO or not. It's also important for proving to the regulatory authorities, such as the SEC, that the claims made by the business are legitimate.

This form of due diligence is vital for candidates who are about to accept a position on a company board of directors. While it's no secret that joining the board as a director is a massive responsibility, with commensurate professional returns, still in recent times, top executive roles have come under intense public and legal scrutiny. As a result, it's important for any candidate to the board to conduct the required due diligence into the background of the company they're joining.

Thorough due diligence will help potential board members understand more about the role they are going to take on. It will also help them gain a detailed understanding of the company culture, business model, and general knowledge of how the board functions. Some important questions to ask include:

What is the experience level of the board, and what's their work culture?

How is the board's relationship with its investors?

Why are you being asked to join the board?

The very last question on the above list shows that the director's due diligence should not be focused only on the board but also on the candidate. Potential directors should perform a detailed self-assessment to understand how they can contribute to the board, what their limitations are, and whether they are ready to join the board at all. All this will help them to perform the role better.

Investment due diligence refers to the investigation that you should do in order to understand whether a particular investment instrument is right for you. Here, the potential investor needs to assess the product to understand its viability. This can include detailed steps such as reviewing the performance of the business in the long and short terms, taking stock of their financial records, and also public perception.

Investment due diligence is essential for corporate as well as individual investors, as it helps them understand whether to go forward with the investment. It also lets them get a clear idea of the returns they stand to gain in the short and long term. For digital investments, as well as any technology investment, due diligence is vital.

Investment due diligence, in the international context, will also involve looking at political risk and corruption issues.  

IP due diligence is usually conducted as part of acquisition due diligence. This involves assessing a business's intellectual assets before acquisition or investment. Particularly in tech-driven industries, a company's IP assets go a long way towards determining its value. These include copyrights, patents, and trademarks, among others.

This type of due diligence is vital in the context of today's environmental impact awareness. It involves assessing the health, safety, and environmental issues associated with the business. Other aspects that should be taken into account are environmental regulatory compliance, sustainability assessment, and contamination studies.

Apart from the above-mentioned types of due diligence, different industries may have additional and different forms of due diligence. Due diligence can also be divided into hard and soft due diligence.

Hard due diligence is where the entire exercise is dependent on factual and quantitative data. This is the kind of due diligence that's traditionally carried out, and the most significant portion of due diligence exercises fall under this bracket.

Soft due diligence, on the other hand, is more people-centric and concerns the human segments of a business. Recently, this has become an integral part of the due diligence process and looks at the cultural and organizational structure of a company.

Due diligence is no doubt one of the essential aspects of any modern business transaction. However, it requires expertise, experience, and insights that a regular team of professionals might not always possess. While it's always an enticing option to conduct due diligence yourself, the best and most objective results can only be obtained from an independent agency.

Companies specializing in due diligence services can help with background check screening, supplier checks, and credit checks.  

Vaultinum is a provider of a specific type of due diligence service.  As a technology company, Vaultinum has developed a due diligence platform to help:

private equity investors evaluate potential investment or acquisition targets,

Vaultinum’s Know Your Software (KYS) solution is a due diligence tool focused on helping clients to understand a digital asset from a variety of perspectives, including sustainability, corporate governance, software sustainability, IP protection and management, and security.  

With a dual expertise in IT and Legal, and over 40 years of experience, Vaultinum is here to help you with all your technology due diligence needs.    

Due diligence plays an important role not just in business but, as you will see, in the overall proper functioning of the economy.  This article will take you on a brief tour of the different types of due diligence and in doing so, you will understand what it is and begin to see the outsize role this process has on our everyday lives.

What is Due Diligence and why is it important? This article explains the different types of due diligence and in doing so, you will understand what it is and begin to see the outsize role this process has on our everyday lives.

Protect your innovations and investments

Protecting and Securing your Digital Universe

They trust Vaultinum

Our safety

Latest articles

Various uses of electronic timestamping

What is Electronic Timestamping and how does it work?

Why Is Due Diligence Important?