Why Messaging Infrastructure Is Underweighted in IT Due Diligence
Standard M&A IT due diligence covers the expected territory: network architecture, security posture, data center inventory, application landscape, and licensing costs. Messaging infrastructure — the platforms where employees spend 4–6 hours per day — is routinely treated as a footnote.
This is a mistake with predictable consequences. When due diligence does not surface the target's messaging architecture, the acquiring IT team discovers post-close surprises: a Slack environment with 800 undocumented third-party integrations, a Microsoft Teams tenant with 12 years of compliance-sensitive chat history that must be retained under the acquiring company's FINRA obligations, or a Google Chat environment where every conversation has been archived in a system the acquiring company does not operate.
This checklist is designed to surface those surprises before close.
Section 1: Platform Inventory
Primary messaging platforms
| Question | Why It Matters |
|---|---|
| What messaging platforms are in active use? (Slack, Teams, Google Chat, Zoom, Webex, other) | Determines the bridging architecture and migration complexity |
| What is the user count on each platform? | Drives licensing cost projections and migration timeline |
| Are any platforms in trial or pilot status? | Identifies uncommitted platforms that could be dropped without migration cost |
| Are there department-level platforms not managed by central IT? | Shadow IT platforms create data retention and compliance blind spots |
Communication data volume
| Question | Why It Matters |
|---|---|
| What is the monthly message volume across all platforms? | Informs bridge capacity requirements and migration effort |
| What percentage of communication is in public vs. private channels/DMs? | Private DMs are typically excluded from enterprise migration exports |
| How many years of chat history exist? | Retention and export cost; compliance archive requirements |
Section 2: Compliance and Retention
Data retention configuration
This is the highest-risk area in messaging due diligence for regulated industries. Ask for written documentation of:
- Retention policy settings — how long messages are retained on each platform before deletion
- Legal hold configuration — how legal holds are applied to user accounts or channels
- Compliance export capability — whether the target has an active e-discovery integration (Global Relay, Smarsh, Theta Lake, Microsoft Purview)
- DLP policy configuration — whether data loss prevention is active and what it covers
If the target is in a regulated industry (financial services, healthcare, legal) and does not have documented answers to all four questions, treat this as a significant finding. The acquirer may inherit compliance obligations that are not covered by the target's current configuration.
Pending litigation and legal holds
Ask specifically: Are any messaging accounts or channels currently under a legal hold order? If yes:
- Obtain a list of held accounts/channels
- Understand the legal hold system and whether it is compatible with the acquirer's e-discovery infrastructure
- Flag for legal team review — migrating or altering held accounts without coordination is a legal risk
Section 3: Third-Party Integration Audit
OAuth grant inventory
Every Slack workspace and Microsoft Teams tenant accumulates third-party OAuth grants over time. Request an export of all active OAuth grants with:
- Application name
- Granted scopes
- Last used date
- Authorizing user
Red flags to escalate:
- Applications with broad read scopes (channels:history on Slack, ChannelMessage.Read.All on Teams) that are no longer in active use
- Applications from vendors the target no longer has a commercial relationship with
- Applications authorized by employees who have since left the company (orphaned grants)
A target with 200+ undocumented OAuth grants in its messaging platform represents a months-long remediation effort post-close, not a days-long one.
Webhook and bot inventory
Request a list of all webhooks (incoming and outgoing) and custom bots configured in each messaging platform. Classify each as:
- Business-critical — active integrations that drive workflows (Jira, Salesforce, PagerDuty)
- Departmental — integrations owned by specific teams (marketing analytics bots, etc.)
- Unknown / orphaned — integrations with no documented owner
Unknown/orphaned webhooks should be revoked before close if the target can do so without operational impact.
Section 4: Identity and Access
Guest account inventory
Request a full export of all guest accounts in both Slack and Teams. Analyze:
- How many guests are active (signed in within last 30 days)?
- What channels do guest accounts have access to?
- Are any guests former employees or contractors whose commercial relationship has ended?
Guest accounts are a common attack vector in the post-merger period — attackers who compromise a former contractor's guest account have access to channels that may now contain merged-organization data.
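The OAuth grant red flags from Section 3 and the guest account questions above reduce to the same triage: join the platform export against the HR offboarding roster and a last-activity threshold. The following is an added example, not the page's or any vendor's tooling; the CSV column names, the review date, the departed-user roster and the sample exports are all constructed assumptions.

```python
# Added example (not the page's or any vendor's tooling) that triages the Section 3
# OAuth grant export and the Section 4 guest export; columns and data are constructed.
import csv
from datetime import date, datetime

AS_OF = date(2024, 6, 1)  # constructed review date
# Constructed HR/vendor offboarding roster (normally exported from the HRIS).
DEPARTED = {"jdoe@target.example", "contractor@vendor.example"}
# Scopes the checklist names as broad read access on Slack / Teams.
BROAD_READ_SCOPES = {"channels:history", "ChannelMessage.Read.All"}
# Constructed sample exports; scopes are ';'-separated, dates are ISO.
OAUTH_EXPORT = """app,scopes,last_used,authorized_by
Jira Cloud,channels:read;chat:write,2024-05-28,ops@target.example
OldAnalytics,channels:history;users:read,2023-11-02,jdoe@target.example
"""
GUEST_EXPORT = """email,last_signin,channels
partner@agency.example,2024-05-20,marketing
contractor@vendor.example,2024-02-10,eng-private;finance
"""

def days_idle(iso_day: str) -> int:
    # Days between an exported date and the review date.
    return (AS_OF - datetime.strptime(iso_day, "%Y-%m-%d").date()).days

def triage_oauth_grants(export_csv: str, stale_days: int = 90) -> dict:
    # app name -> red flags: broad read scope no longer used, orphaned authorizer.
    findings = {}
    for row in csv.DictReader(export_csv.splitlines()):
        flags = []
        scopes = {s.strip() for s in row["scopes"].split(";")}
        if scopes & BROAD_READ_SCOPES and days_idle(row["last_used"]) > stale_days:
            flags.append("broad read scope, not in active use")
        if row["authorized_by"] in DEPARTED:
            flags.append("orphaned grant (authorizer has left)")
        if flags:
            findings[row["app"]] = flags
    return findings

def triage_guests(export_csv: str, active_days: int = 30) -> dict:
    # guest e-mail -> red flags: inactive, or commercial relationship has ended.
    findings = {}
    for row in csv.DictReader(export_csv.splitlines()):
        flags = []
        if days_idle(row["last_signin"]) > active_days:
            flags.append(f"inactive > {active_days} days")
        if row["email"] in DEPARTED:
            flags.append(f"relationship ended; still in {row['channels']}")
        if flags:
            findings[row["email"]] = flags
    return findings
```

Grants and guests that carry a "relationship ended" or "orphaned" flag are the ones to revoke or remove before close; the still-used business-critical integrations (Jira in the sample) fall through with no flag.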
Admin and owner account inventory
Request a list of all workspace admins and channel owners. Specifically flag:
- Former employees who still hold admin rights
- Service accounts with admin rights but no documented owner
- Shared/generic admin accounts (security anti-pattern)
SSO and provisioning configuration
- Is SSO enforced for all users? (If not, what percentage of users can log in with username/password only?)
- Is SCIM provisioning configured for automatic deprovisioning when employees are terminated?
- What is the offboarding process for a messaging account — is it documented and consistently followed?
Section 5: Data Residency and Sovereignty
For multinational acquisitions, data residency becomes a due diligence requirement, not a preference.
| Question | Why It Matters |
|---|---|
| In which region(s) is messaging data stored? | GDPR Article 44-49 transfers; EU AI Act implications for AI-processed messages |
| Is the target's messaging platform configured for a specific data residency region? | Cannot be changed post-close without a migration; some regions are irreversible |
| Are there employees in jurisdictions with local data sovereignty laws (Germany, China, Saudi Arabia, Australia)? | May require jurisdictional analysis before cross-border bridging is established |
Section 6: Post-Close Risk Summary
Structure your due diligence findings in a risk matrix:
| Finding | Severity | Time to Remediate | Estimated Effort |
|---|---|---|---|
| 800+ undocumented OAuth grants | High | 60–90 days | 2–3 person-weeks |
| No SCIM deprovisioning | High | 14–30 days | 1 week |
| Active legal hold, no compatibility | Critical | Before close | Legal + IT review |
| No DLP on messaging | Medium | 30–60 days | Integration work |
| 200 orphaned guest accounts | Medium | 14–21 days | 1–2 days |
| 3 messaging platforms in use | Medium | 90+ days | Architecture decision |
The output of messaging infrastructure due diligence should be a risk-adjusted integration cost estimate — the true cost of the acquisition includes the IT remediation work that due diligence surfaces, not just the deal price.