Due Diligence Checklist for Investors Backing Credit Decisioning Startups

If you are evaluating a credit decisioning startup, you are not just underwriting software. You are underwriting a system that sits in the critical path of revenue, risk, compliance, and customer experience. A weak model can approve the wrong borrowers, a brittle policy engine can create hidden losses, and a sloppy data stack can make a promising AI company look better in demos than it performs in production. That is why a serious startup due diligence process for this category must go beyond the usual checklist and examine data inputs, model explainability, controls, governance, and regulatory exposure in detail.

For investors, the stakes are especially high because credit decisioning businesses often sell into regulated or quasi-regulated workflows where trust is everything. A startup may claim that its credit decisioning engine is faster and more accurate than manual underwriting, but speed alone is not a moat. You need to assess whether the platform can explain outcomes, adapt to drift, support auditability, and survive changing rules from lenders, banks, and regulators. In practice, this means using an investor checklist that is as rigorous as a lender’s own approval standards, while also asking whether the vendor has customer concentration risk, implementation friction, and a credible path to durable gross margins.

This guide is designed for VCs, strategic investors, and growth equity teams that want a practical framework for assessing credit-decisioning businesses. It combines product, technical, commercial, and regulatory diligence into one operating playbook. Along the way, it draws lessons from adjacent topics like trust but verify data workflows, benchmarking vendor claims, and vendor selection frameworks from the broader fintech and infrastructure ecosystem.

1) Start with the underwriting problem the startup actually solves

Identify the borrower segment and decision context

Not all credit decisioning startups are built for the same market. Some focus on SMB lending, others on B2B trade credit, embedded finance, consumer lending, or collections-adjacent workflows. The diligence process should begin by pinning down the exact decision context: is the product deciding initial approvals, credit limits, payment terms, renewal eligibility, or continuous line management? A startup that is strong in one workflow may be weak in another because the data, latency requirements, and compliance obligations differ materially.

Ask whether the company is solving a real workflow bottleneck or simply replacing a spreadsheet with an interface. The most durable products usually improve three things at once: decision quality, turnaround time, and operating consistency. That is the core promise of modern credit decisioning platforms, but it must be proven with production metrics rather than slideware. A good diligence question is: what decision did the customer used to make manually, and what percentage of those decisions are now fully automated, semi-automated, or still escalated to humans?

Map the economic buyer versus the daily user

In many credit decisioning deployments, the economic buyer is a risk leader, CFO, or operations executive, while the daily user may be an analyst, underwriter, or collections manager. That split matters because product adoption often hinges on whether the system is trusted by the people closest to the edge cases. Investors should test whether the platform supports both decision-making and decision-management, including workflow routing, exception handling, and reason-code generation. If the product only appeals to technical teams but frustrates frontline risk operators, churn risk rises.

To sharpen this analysis, compare the startup’s buyer journey with platforms that have mastered repeatable workflows in adjacent categories, such as AI sourcing criteria for infrastructure buyers or repair-vs-replace decision frameworks for cost-conscious consumers. The principle is the same: when the decision carries consequences, users want transparency, reliability, and rollback options. Credit platforms that ignore this reality tend to become tactical point solutions instead of core systems of record.

Separate workflow automation from underwriting intelligence

Many founders describe their product as “AI-powered,” but investors should separate three layers: workflow automation, decision policy, and predictive intelligence. Workflow automation is the orchestration layer. Policy is the rules layer. Predictive intelligence is the model layer. A company can have excellent workflow automation and still have a weak model, or vice versa. The diligence question is not whether the platform uses AI; it is whether the AI meaningfully improves loss performance, approval rates, or throughput after controls are applied.

In other words, an investor checklist for this category should ask: which parts are deterministic, which parts are probabilistic, and which parts are human-overridden? That breakdown reveals the actual product architecture and risk posture. It also clarifies whether the startup is selling a true automated credit decisioning system or simply a configurable rules engine with marketing polish.

2) Audit the data inputs like you would audit a balance sheet

Trace every data source from origin to decision

Credit decisioning businesses live or die on data quality. You should insist on a source map that documents every input: bureau data, ERP and accounting data, bank transaction feeds, payroll data, invoicing history, tax filings, alternate data, device and identity signals, manual uploads, and any third-party enrichment. The key diligence issue is not just whether the data exists, but whether it is stable, legally usable, refreshable, and permissioned. If a model depends on fragile or delayed feeds, the startup may look strong in pilots and break in production.

Ask how the company validates freshness, deduplicates records, handles missing values, and resolves conflicts between sources. A startup may claim to ingest real-time signals, but real-time value only matters if the downstream decision engine can consume and act on the update quickly. Investors should review data lineage, change logs, and schema evolution policies. This is the same mindset engineers use when they vet generated metadata: do not trust the layer above until the layer below is verified.

Stress-test alternative data and permissioning rights

Alternative data is attractive because it can improve model coverage, but it also creates legal and reputational risk. You need to know whether the startup has contractual rights to use the data for underwriting, model training, secondary analytics, and customer reporting. If the company uses bank data, payroll data, or invoice data obtained via APIs, review the vendor agreements and customer consents carefully. A startup’s perceived data advantage can vanish if a critical feed is revoked, rate-limited, or prohibited from model retraining.

Investors should also ask whether the startup can operate with multiple data stacks. A strong company should not be over-dependent on a single bureau, a single bank aggregation provider, or a single ERP integration. In practice, resilience comes from redundancy and graceful degradation. If a startup cannot explain how its system behaves when one input source is late or missing, that is a warning sign not just for product reliability but for portfolio risk.

Evaluate dataset coverage, bias, and representativeness

A credit model is only as good as the population it learns from. You should ask whether the training data reflects the customer segments the startup wants to serve, including geography, business size, industry, and cycle conditions. This matters especially if the company sells into underserved or thin-file populations where historical labels are sparse. If the model was built primarily on one type of borrower and is now being marketed broadly, the risk of false confidence rises sharply.

Coverage and bias should be measured quantitatively, not described vaguely. Ask for segmentation by approval rate, default rate, uplift, bad-debt incidence, and manual override frequency. Strong teams can show how performance varies by cohort and can explain which features contribute to gaps. If they cannot, the company may be hiding model brittleness behind aggregate metrics. For a more portfolio-wide lens on risk selection, it helps to think the way investors do in private credit: the headline yield is only meaningful if the underlying risk distribution is understood.

3) Examine model explainability, governance, and human override controls

Demand model explanations that operators can actually use

For a credit decisioning startup, explainability is not a theoretical nice-to-have. It is a product requirement. Underwriters and risk teams need to know why a decision was made, what variables mattered, and what could change the outcome next time. If the platform uses machine learning, ask for reason-code generation, feature importance outputs, local explanations, and consistency across similar cases. Explanations should help a human understand the decision, not merely satisfy a technical stakeholder in a demo.

Good explainability also supports customer trust and regulatory defensibility. If a lender cannot explain why an applicant was declined or why a limit was reduced, customer complaints and compliance problems escalate quickly. The best products support both model-based and rule-based explanations so users can distinguish between policy rejections and statistical risk signals. Investors should test whether the system can produce audit-ready decision logs with timestamps, input snapshots, policy versioning, and reviewer actions.

Assess the governance model and control tower

The most important governance question is who can change the model, who can approve the change, and who is alerted when performance shifts. A credible platform should have role-based access, change management, model versioning, testing gates, approval workflows, and rollback capabilities. You want to see the equivalent of a control tower: clear ownership for data science, product, compliance, and operations. Without that structure, the company may accumulate hidden technical debt that only appears when a customer asks for an audit or a regulator requests evidence.

Investors should also ask whether governance extends beyond model deployment to policy management. A platform that lets customers update rules without traceability is risky. A platform that records every policy change, approval, and deployment date is much stronger. This distinction is similar to the difference between a loose content workflow and a mature editorial system in other categories—an issue highlighted in discussions like evidence-based craft and operational disciplines in complex businesses. In credit decisioning, governance is not paperwork; it is the product’s seat belt.

Test human-in-the-loop behavior at edge cases

No credit decisioning system should be fully automated for every case. High-confidence approvals may be handled straight-through, but edge cases need escalation paths. Ask for examples of exception handling: incomplete applications, conflicting data, thin-file borrowers, fraud flags, unusual seasonality, and high-value accounts that require manual review. The goal is to verify that the product does not force operators into blind automation just to preserve throughput.

One of the most useful diligence tests is to review a dozen borderline cases and compare how the startup’s system handled them versus the customer’s legacy process. Did the model reduce false positives without increasing losses? Did it surface the right documents for review? Did the customer override the model, and if so, why? The answer tells you whether the platform is a trusted decision aid or merely a black box with dashboard dressing.

4) Understand the policy engine and decision architecture

Separate rules from scores from workflows

In mature credit systems, the policy engine is the bridge between the model and the business outcome. A startup should be able to articulate how deterministic rules, score thresholds, exceptions, and approval matrices interact. For example, a customer might pass the model threshold but still be rejected due to a sanctions issue, a concentration limit, or a documentation failure. If the startup cannot clearly explain these layers, then the product may not be operationally mature enough for real underwriting use.

Investors should ask for architecture diagrams showing how decisioning happens in real time. Is the policy engine embedded in the model layer, or is it a separate service? Can rules be changed independently of the model? Is there version control for policies, and can the team replay historical decisions under a prior policy? These details matter because policy drift can create hidden revenue leakage or compliance issues even when the model itself remains stable.

Check for replayability and audit trails

A defensible system must be replayable. If a customer asks why an applicant was declined six months ago, the vendor should be able to reconstruct the decision using the exact version of the model, data inputs, and policy settings in force at that time. That means the startup must store immutable logs, input snapshots, and version metadata. Without replayability, post-incident investigations become guesswork.

Replayability also improves the quality of model governance. If a company can compare historical decisions under new and old models, it can quantify what changed, where risk moved, and whether the change was beneficial. This capability is particularly important for strategic investors who want to understand whether the startup’s customer outcomes are improving over time. The best teams treat decision history as a laboratory for continuous improvement, not just as a compliance burden.

Evaluate configurability without letting complexity explode

Credit decisioning startups often win customers by promising flexibility. That promise can become a trap if every customer implementation turns into a custom rules project. Investors should assess whether the platform’s policy layer is configurable enough to support diverse use cases without becoming unmanageable. A good test is implementation time: if each deployment requires bespoke logic, professional services margins rise but software scalability falls.

There is a sweet spot between rigid standardization and unlimited customization. The strongest vendors use reusable decision templates, modular rules, and parameterized thresholds, much like how smarter operators use structured playbooks in domains ranging from timed launches to inventory planning in volatile markets. In credit, policy engines should be adaptable but not arbitrary. If a startup’s flexibility creates endless edge cases, that is a sign the product may not scale cleanly.

5) Pressure-test model drift controls and monitoring infrastructure

Define what drift means in the company’s context

Model drift is one of the most important risks in credit decisioning, yet many founders describe it vaguely. Investors need the company to distinguish between data drift, concept drift, label drift, and operational drift. Data drift refers to changing inputs; concept drift means the relationship between features and outcomes has shifted; label drift may arise from changing repayment behavior or reporting delays; operational drift can happen when human overrides or policy changes alter the effective model. Each requires different monitoring and remediation.

Ask the startup how often it recalibrates models and what triggers intervention. A company that monitors drift with a few generic dashboards is not enough. You want to see thresholds, alerts, backtesting, champion-challenger testing, and documented remediation playbooks. If the startup has not operationalized drift controls, the product may slowly degrade while the team assumes performance is stable. In a lending context, that can translate into real losses long before anyone notices.

Require performance by cohort and vintage

Aggregate AUC or approval-rate improvements are not sufficient. Investors should ask for performance by segment, time vintage, risk band, and product line. For example, did the model still work during a rate hike cycle, a default spike, or a downturn in the customer’s target vertical? Did the model behave differently for newer applicants versus repeat customers? Vintage analysis is essential because a model can look strong on a blended basis while underperforming in the cohorts that matter most.

This is where many teams overstate maturity. A startup may have a shiny dashboard, but if it cannot show how decisions performed 30, 60, 90, and 180 days later, you do not yet have evidence of control. The best operators monitor both predictive metrics and business outcomes such as delinquency, loss given default, write-offs, utilization, and manual review rates. That discipline is similar to how serious investors compare vendors with industry data rather than brochure language.

Look for feedback loops that improve models safely

The strongest credit decisioning startups build closed-loop learning systems, but those loops must be governed carefully. You want to know how the company captures outcome labels, how long it takes for labels to mature, and whether retraining happens on a schedule or only after a threshold is breached. A good feedback loop should improve precision without creating instability. If retraining is too aggressive or poorly controlled, the model may oscillate and confuse customers.

Investors should also ask whether feedback includes user behavior. For example, if underwriters routinely override a model, that signal may indicate a blind spot or a bad workflow design. Top teams treat overrides as first-class data, not as annoying exceptions. That turns day-to-day operator behavior into a source of product intelligence and can make the system steadily more accurate over time.

6) Interrogate regulatory risk, compliance posture, and audit readiness

Map the regulatory perimeter before the customer does

Credit decisioning products often operate at the edge of multiple regimes: fair lending, adverse action, privacy, data retention, explainability, sanctions screening, consumer consent, and sector-specific lending rules. Even if the startup itself is not the regulated entity, its customers may require the vendor to support compliant workflows. Investors must ask what regulatory frameworks the company is designed around and whether it has counsel or compliance specialists who understand the category.

Regulatory risk becomes acute when AI is involved. If models influence credit outcomes, the company needs policies for fairness testing, documentation, adverse action support, and change control. In some cases, the bigger issue is not the model itself but the data pipeline and auditability of the system around it. A startup may talk about innovation, but if it cannot support transparent decision reasons and reproducible records, the buyer’s legal team may block rollout.

Review privacy, retention, and data minimization policies

Customer data in credit workflows is sensitive, and mishandling it can create reputational damage and legal exposure. Investors should confirm that the startup follows data minimization principles, role-based access controls, encryption at rest and in transit, and clear retention/deletion policies. Ask whether the company processes personally identifiable information, financial account data, tax records, or business financial statements, and whether it has specific controls for each category.

It is also worth comparing the startup’s approach to broader cloud-native risk expectations. Buyers in other sectors increasingly want privacy-first and trustable systems, a trend reflected in discussions like privacy-first features and machine-made deception. In credit, the same lesson applies: if a vendor cannot explain what data it stores, why it stores it, and who can see it, the enterprise sale will eventually stall.

Insist on evidence of audit preparedness

Audit readiness should be visible in the company’s artifacts, not just its pitch. Ask for sample SOC 2 reports, penetration test summaries, policy manuals, incident response procedures, and customer-facing compliance documentation. Also review whether the startup can deliver logs and reports in a format useful to enterprise buyers and auditors. The more regulated the customer base, the more these documents matter in renewal and expansion cycles.

Strong audit readiness can be a commercial advantage, not only a risk control. It shortens sales cycles, reduces security review friction, and helps the product move from pilot to production faster. That matters in enterprise fintech because buyers often prefer vendors that reduce legal and procurement burden. Strategic investors should therefore treat compliance maturity as a revenue enabler, not a back-office expense.

7) Evaluate customer concentration, implementation friction, and go-to-market durability

Measure concentration across revenue, verticals, and channels

Customer concentration is a classic risk in enterprise software, but it can be especially acute in credit decisioning because early revenue often comes from a handful of large lenders or platforms. Investors should examine concentration by ARR, pipeline, and dependency on one flagship logo. A startup that appears to be growing can still be fragile if one customer accounts for a disproportionate share of revenue or product learning. Concentration matters not only at the customer level but also at the vertical level if all growth comes from a single industry cycle.

Ask whether the startup’s sales motion depends on a small number of channel partners, consultants, or implementation firms. If so, evaluate how portable those relationships are. The healthiest companies create repeatable sales and deployment motions that do not rely on a single champion or one-off integration. Investors should also understand whether the startup’s revenue is usage-based, subscription-based, or tied to decision volume, because that affects how resilient the business is in a downturn.

Quantify implementation time and integration complexity

In credit decisioning, implementation friction is often the hidden killer of growth. A product may be loved in demos but take months to integrate with ERP systems, data warehouses, loan origination systems, or billing platforms. Ask for a deployment timeline by customer segment and examine what happens during the longest implementations. If integration requires extensive custom engineering, professional services may become a crutch rather than a feature.

You should also understand how the startup handles APIs, webhooks, batch processing, and exception queues. The more native and modular the integration architecture, the easier it is to scale across customers. This is analogous to the way buyers compare product ecosystems in consumer categories: flexibility and compatibility matter as much as headline features. In the same way shoppers weigh options using structured comparison frameworks, credit buyers want a platform that fits into the stack without endless friction.

Look for product-led proof, not just founder-led momentum

One common diligence mistake is to attribute all customer wins to founder charisma or industry relationships. That can hide a weak product-market fit. Investors should look for signs that the product is becoming self-propelling: shorter sales cycles, higher expansion rates, lower implementation burden, and stronger net revenue retention. If the company needs a hero founder on every deal, growth may not be durable.

This is where a startup’s documentation, case studies, and customer references matter. Ask for examples where the customer expanded usage after seeing measurable value, not simply because the team was persistent. Durable products create their own momentum because they save time, reduce losses, and improve decision consistency. The same pattern can be seen in other categories where tools become sticky after they prove operational value, such as upgrade decisions or escaping platform lock-in.

8) Underwrite unit economics, defensibility, and product moat

Understand the revenue model and gross margin profile

Credit decisioning startups may monetize per seat, per decision, per borrower, per portfolio, or via platform fees plus services. Each structure has implications for retention, scalability, and margin quality. Investors should ask how much of revenue is recurring versus implementation-related, and whether the company is building a software margin profile or a services-heavy consulting business in disguise. If professional services are large and persistent, gross margin may be overstated as the company scales.

Also look closely at variable infrastructure costs. Real-time scoring, data enrichment, and compliance logging can get expensive at volume. The startup should understand its cost per decision and how that changes as usage grows. A credible team can explain the path to efficient unit economics and how pricing aligns with the value delivered to the customer.

Assess defensibility through data, workflow, and switching costs

Defensibility in credit decisioning usually comes from three places: proprietary data advantage, embedded workflows, and the operational cost of switching. Proprietary data can improve model performance, but only if the company has enough scale and rights to use it responsibly. Embedded workflows matter because once the product becomes the system of record for underwriting policy and decision history, replacement gets harder. Switching costs also rise when the platform powers audit trails, compliance reporting, and decision analytics that are hard to migrate.

Still, a moat is not guaranteed just because a product touches sensitive data. Investors should ask what stops a better-capitalized competitor from copying the UI and connecting to the same data sources. If the answer is “our model” without a convincing explanation of why that model compounds over time, be cautious. Durable defensibility usually comes from a combination of data network effects, workflow integration, and trust built through governance.

Benchmark claims against external evidence

Founders will often cite approval lift, lower delinquencies, or faster turnaround times. Those claims should be benchmarked against public evidence, customer references, and industry norms. Investors can borrow a disciplined approach from frameworks that compare claims with outside data, such as vendor benchmarking. Ask whether the startup can show controlled experiments, before-and-after comparisons, or cohort-level outcomes that support its narrative.

When performance claims are supported by evidence, you can more confidently evaluate the upside. When they are not, the company may be overfitting its story to the pitch deck. That distinction matters a great deal in a market where many startups advertise AI capability but few can demonstrate robust, repeatable business impact.

9) Build a diligence scorecard investors can reuse

Create a weighted checklist across technical, commercial, and regulatory risk

A repeatable scorecard helps teams compare opportunities across deals. The checklist should include categories such as data quality, model explainability, policy engine maturity, drift monitoring, compliance readiness, customer concentration, implementation complexity, and economics. Assign weights based on the startup’s customer type and revenue stage. For example, if the company sells into regulated lenders, governance and auditability may deserve more weight than UI polish.

Below is a practical comparison table you can use as a starting point when evaluating credit decisioning startups. It is intentionally designed to help investors separate superficial demos from operational maturity.

Use a red/yellow/green grading system

A simple grading system makes partner discussions faster and more objective. Green should indicate strong evidence, clear controls, and low hidden risk. Yellow should indicate promising capability but incomplete proof or a manageable dependency. Red should indicate major uncertainty or structural weakness. For example, a startup may be green on product usability but red on customer concentration or regulatory preparedness.

The point is not to reduce investing to a spreadsheet. It is to make sure a complex, risk-heavy category gets evaluated with a disciplined process. If the team cannot summarize the company’s risk profile in one page, it probably does not yet understand the business well enough to underwrite it.

10) What great credit decisioning startups look like in practice

They treat governance as product infrastructure

The best companies do not bolt on governance after the fact. They design it into the product from the start. Their systems can show which data informed a decision, which policy version applied, which human approved the outcome, and how performance changed afterward. This makes the platform easier to sell, easier to audit, and easier to trust.

That kind of discipline resembles the operator mindset seen in other strong infrastructure businesses: careful sourcing, controlled experimentation, and documentation that survives scrutiny. It also echoes the difference between a hobby project and a serious platform. Investors should back the latter.

They can explain value in business terms, not just technical terms

Strong startups translate model gains into business outcomes. They can show how faster decisions reduce abandonment, how better risk selection lowers bad debt, and how automation frees staff to handle exceptions. They understand that a 20% reduction in manual review volume may matter more to a customer than a marginal gain in AUC. That business translation is a sign of maturity and often predicts stronger expansion revenue.

This is especially important in strategic partnerships, where the buyer may care less about the underlying algorithm and more about measurable process improvement. If the startup cannot speak fluently to finance, operations, legal, and IT stakeholders, it may struggle to cross from pilot to enterprise standard.

They know their limits

The best founders know where their model is strong and where it is not. They can say, for example, that the system is highly reliable for certain borrower segments but requires human review for edge cases or new geographies. They do not overpromise universal automation. That honesty is often a signal of a team that understands risk and can iterate safely.

For investors, that humility is valuable. It reduces the chance that the company is overselling capabilities it cannot sustain. In a market where the phrase AI models can mean almost anything, disciplined specificity is a competitive advantage.

Pro Tip: The fastest way to separate serious credit decisioning companies from impressive demos is to ask for three artifacts: a decision log from a real customer, a drift-monitoring report for the last 90 days, and a policy-change audit trail. If any of those are missing or improvised, dig deeper before proceeding.

Conclusion: The investor’s edge is control, not just growth

Credit decisioning startups can create real value by helping lenders and finance teams make faster, more consistent, and more profitable decisions. But the same systems that improve efficiency can also introduce hidden risk if data inputs are weak, model governance is immature, or compliance controls are incomplete. That is why a strong investor checklist must go beyond product excitement and focus on operational resilience.

If you are evaluating a startup in this category, your job is to find the company that can scale without losing explainability, policy discipline, or regulatory credibility. The winners will have clean data plumbing, auditable decision systems, robust drift controls, and a commercial footprint that is not overly dependent on one customer or one use case. In a market crowded with AI claims, the real moat is the ability to produce reliable outcomes under scrutiny.

For broader diligence frameworks and adjacent operating lessons, it is also worth revisiting guides on private credit risk, platform lock-in, and data verification. Those disciplines reinforce the same core principle: trust the pitch, but verify the system.

Related Reading

• Benchmarking Vendor Claims with Industry Data - A practical framework for validating startup performance claims.
• Trust but Verify: Vetting Generated Metadata - Useful for building rigorous data verification habits.
• Private Credit 101 for Value-Minded Investors - A useful lens on risk, reward, and underwriting discipline.
• Escaping Platform Lock-In - Lessons on switching costs and defensibility.
• How Public Expectations Around AI Create New Sourcing Criteria - A helpful guide to modern AI vendor evaluation.

The most important part is validating the full decision stack: data inputs, model behavior, policy rules, explainability, and auditability. If any one of those is weak, the product may create hidden risk even if the demo looks strong. Investors should focus on production evidence, not just feature lists.

How do I evaluate model explainability in a startup?

Ask for decision logs, reason codes, feature importance outputs, and examples where the system explained a decline or approval in plain English. The explanation should be usable by underwriters, compliance teams, and customers, not only by data scientists. If the company cannot reconstruct decisions historically, that is a major concern.

What regulatory issues matter most?

Fair lending, privacy, adverse action support, consent management, retention rules, and audit readiness are usually central. Depending on the customer segment, other obligations may apply as well. Even if the startup is not itself a regulated lender, its customers may require it to support compliant workflows and logging.

How should investors think about model drift?

Model drift should be treated as an ongoing operational risk, not a one-time technical issue. Ask how the startup monitors data drift, concept drift, and label drift, and whether it uses cohort-level performance reviews, backtesting, or challenger models. The best teams have documented thresholds and rollback procedures.

What is a red flag for customer concentration?

A major red flag is when one customer or one vertical dominates revenue, roadmap attention, or forecasting. This can make the business fragile if a large account churns or if the vertical weakens. Investors should also look for concentration in channel partners and implementation dependencies.