Free Resource

The SaaS Due Diligence Checklist

28 items serious acquirers check before wiring money, organized by category. Items tagged Critical or Important are the ones most likely to move price or kill a deal.

01 Code Quality & Architecture (4 items)

Codebase has consistent style, formatting, and linting rules enforced in CI.
Absence of lint/format enforcement is a signal of engineering culture — not just aesthetics.
Module boundaries are clear — no spaghetti dependencies between unrelated business domains.
Check import graphs. If everything imports everything, future changes become expensive.
Critical
Core abstractions (auth, billing, data access) are centralized — not duplicated across services.
Duplication means bugs get fixed in one place and missed in three others.
Non-obvious architectural decisions are documented in READMEs or ADRs.
"Why did we pick this?" should have a written answer. If it only lives in a founder's head, that's key-person risk in code form.
02 Infrastructure & Deployment (4 items)

Production deployments are automated via CI/CD — no manual SSH or FTP to ship.
Manual deployments introduce human error and make it harder to hand off operations post-close.
Critical
A rollback procedure exists, is documented, and has been tested in the last 6 months.
Ask for the last time they rolled back and how long it took. "We've never needed to" is not a good answer.
Infrastructure is defined as code (Terraform, Pulumi, render.yaml, etc.) — not click-ops.
Click-ops environments can't be audited, reproduced, or recovered from reliably.
Uptime monitoring and alerting are in place with defined on-call procedures.
Check their incident history. A company that has never recorded an outage may simply not be tracking them.
03 Security Posture (4 items)

Secrets live in a secrets manager or vault and are injected at runtime (typically as environment variables): zero hardcoded credentials in source code or in git history.
Search the full git history, not just the current tree, for API keys before trusting verbal assurances. A key that was deleted in a later commit is still live until it is rotated, and one leaked key can mean inherited liability.
Critical
Authentication uses established patterns and vetted libraries (OAuth 2.0/OIDC, server-side sessions, JWTs verified by a maintained library, passwords hashed with bcrypt, scrypt or Argon2): no homebrew crypto or hand-rolled token schemes.
Homebrew auth implementations routinely contain subtle vulnerabilities (unverified token signatures, non-constant-time comparisons, unsalted or reversible password storage) that surface only after acquisition.
Dependencies are scanned for known CVEs by automated tooling (Dependabot, Snyk, npm audit) on every build or on a schedule, and findings are triaged rather than left open.
Check when the last scan actually ran and how many findings are still open. A passing badge from 18 months ago is not security coverage.
Important
Access control is role-based and least-privilege: no shared admin credentials, no standing root or account-owner access, and any break-glass access is logged.
Shared credentials mean no audit trail. Ask to see the IAM roles or permission groups used in production and who holds each one.
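One way to run the history search the secrets item calls for, added here as an example and not code from the page's authors: the scanner below walks a `git log -p --all` dump and reports credentials on added lines in every commit, including commits whose keys were later removed from the tree. The patterns, the sample two-commit log and the redaction format are constructed for illustration.

```python
"""Scan a `git log -p --all` dump for credentials added in any commit.

Added example. Against a real checkout (git on PATH assumed):
    git -C /path/to/repo log -p --all --no-color | python scan_history.py
"""
import re
import subprocess
import sys

# Fixed-format credentials: these prefixes are documented by the vendors.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Fallback: a secret-looking name assigned a string literal of 12+ characters.
GENERIC_PATTERN = re.compile(
    r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*[\"']([^\"']{12,})[\"']")
# Obvious placeholders that would otherwise trip the generic rule.
PLACEHOLDER = re.compile(r"(?i)^(changeme.*|example.*|\$\{.*\}|<.*>|x{12,})$")

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})\b")
FILE_RE = re.compile(r"^\+\+\+ b/(.*)$")


def redact(value):
    """Keep a short prefix so a finding can be triaged without re-exposing it."""
    return value[:8] + "..."


def scan_git_log(text):
    """One finding per secret on an added ('+') line, tagged with commit and file.

    Only added lines are scanned: a commit that merely deletes a key is not a
    finding, but the earlier commit that introduced it still is. That is the
    case a grep over HEAD alone misses.
    """
    findings = []
    commit = path = None
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        hit = None
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(added)
            if m:
                hit = (kind, m.group(0))
                break
        if hit is None:
            m = GENERIC_PATTERN.search(added)
            if m and not PLACEHOLDER.match(m.group(2)):
                hit = ("generic_secret_assignment", m.group(2))
        if hit:
            findings.append({"commit": commit, "file": path,
                             "kind": hit[0], "value": redact(hit[1])})
    return findings


def scan_repo(repo_path):
    """Run the scan over every branch of a real repository."""
    dump = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True).stdout
    return scan_git_log(dump)


# Constructed two-commit history: the first commit hardcodes keys, the second
# moves them to an environment variable. HEAD is clean; history is not.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add billing client

diff --git a/app/billing.py b/app/billing.py
--- /dev/null
+++ b/app/billing.py
@@ -0,0 +1,3 @@
+import stripe
+stripe.api_key = "sk_live_EXAMPLEabcdefghijklmnopqrstuv"
+AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAexample
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>
Date:   Tue Jan 2 00:00:00 2024 +0000

    remove hardcoded key

diff --git a/app/billing.py b/app/billing.py
--- a/app/billing.py
+++ b/app/billing.py
@@ -1,3 +1,4 @@
+import os
 import stripe
-stripe.api_key = "sk_live_EXAMPLEabcdefghijklmnopqrstuv"
+stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
 AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_git_log(source):
        print(f"{f['commit'][:12]} {f['file']}: {f['kind']} ({f['value']})")
```

On the sample log the scanner reports three findings, all in the first commit, and nothing in the second commit that cleaned up HEAD: that is the evidence to take into the rotation conversation. Purpose-built tools such as gitleaks or trufflehog cover far more formats, but the point of the check is the same: every key found in history is rotated before close, regardless of whether it still appears in the current tree.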
04 Revenue Quality (4 items)

MRR can be independently verified from Stripe or billing platform data — not solely from founder's spreadsheet.
Reconcile the Stripe export to the reported MRR line. Discrepancies >5% warrant explanation.
Critical
Churn is measured on a cohort basis, not just as a rolling monthly subscriber count.
Headline churn numbers hide cohort behavior. Ask for a cohort retention table, not a single percentage.
Critical
Revenue recognition is correct — prepaid annual contracts are accounted as deferred revenue, not lump-sum MRR.
This directly affects the valuation multiple. A "clean" P&L may be hiding deferred obligations.
Important
Expansion revenue (upsells, seat growth, add-ons) is separated from new-logo ARR in reporting.
Bundled growth hides whether the business grows by finding new customers or by expanding existing ones — very different stories.
05 Customer Concentration Risk (4 items)

No single customer represents more than 15% of MRR.
Above 15%, one churned enterprise account can materially impact the financials you used to justify the price.
Critical
Top 5 customers' contract renewal dates and expansion options are documented.
Renewals coming up within 90 days post-close create leverage risk. Founders sometimes time exits around renewal cliffs.
Quantitative customer satisfaction signals exist — NPS scores, CSAT data, or support ticket trend analysis.
"Our customers love us" is not data. Ask for NPS over the last four quarters, not just the current number.
Important
Customer success is handled by a team or process — not personally by the founder.
Founder-dependent relationships rarely transfer cleanly. Map which customers only the founder talks to.
06 Technical Debt (4 items)

Known technical debt is documented and quantified — not just tribal knowledge living in engineers' heads.
If no debt register exists, ask the lead engineer to estimate remediation effort in engineering-weeks. Their answer tells you a lot.
Important
Core dependencies (frameworks, databases, ORMs) are within two major versions of current stable releases.
EOL dependencies mean either an expensive upgrade project or permanent security exposure. Both hit post-close margins.
Critical
No critical security patches have been deferred for more than 90 days.
Ask for the vulnerability backlog with the date each item was filed and its severity. Inherited CVEs can mean inherited liability.
Test coverage exists for core business-critical paths (billing, auth, data processing).
100% coverage isn't the goal. Zero coverage on payments and auth is a red flag.
07 Integration Complexity (4 items)

All third-party integrations are inventoried with their costs, renewal dates, and usage volume.
Undocumented SaaS tool sprawl often surfaces $30k–100k/yr of hidden costs post-close.
Important
Customer-facing APIs and webhooks are versioned — breaking changes can be managed without mass churn.
Unversioned APIs mean any refactor breaks a customer integration. How many customers have built on the API?
Customer data is exportable — no proprietary lock-in that would block a buyer's integration roadmap.
High data portability is good for an acquirer's integration plans even though it weakens the lock-in that keeps churn down.
Integration with acquirer's existing stack has been assessed for conflicts or migration cost.
Two companies on different auth systems, cloud providers, or billing platforms can make post-close integration a year-long project.
08 Team & Key-Person Risk (4 items)

Core product knowledge is distributed — no single engineer or founder holds the system in their head exclusively.
Ask who gets called at 2am when production is down. If it's always the same person, that's your key-person risk mapped.
Critical
On-call runbooks and incident response procedures exist in writing and are used by the team.
If the runbook only exists in Notion as a draft last edited 14 months ago, it doesn't count.
Key technical employees have retention agreements or transition commitments that survive the acquisition.
The worst outcome: you wire the money, the lead engineer gives notice two weeks later. Map who needs to stay and confirm their intent.
Critical
A 30–90 day onboarding plan exists for the incoming technical lead or acquirer's integration team.
If there's no plan, build one together before close. The absence of a transition plan is a negotiating point.

Want us to run this checklist on your target?

We've done this for acquisitions from $500k to $50M. You get a written report, a Go/No-Go recommendation, and no surprises after close.

Start a Conversation →

Typical turnaround: 3–7 days · From $5,995