Buying a SaaS business can be one of the smartest investments you make — or one of the most expensive mistakes. The difference almost always comes down to due diligence. Thorough, structured due diligence is the single best predictor of a successful acquisition. Skip it, rush it, or delegate it to someone who doesn't understand software businesses, and you're gambling with real money.
This isn't a theoretical framework. This is the practical, line-by-line SaaS due diligence checklist that experienced acquirers use before writing a check. Whether you're buying your first micro-SaaS for $20K or acquiring a $500K product with 200 paying customers, every section below applies. The depth of your investigation should scale with the deal size — but nothing here should be skipped entirely.
We've organized the checklist into seven categories: revenue verification, technical assessment, customer analysis, legal and compliance, operations, growth potential, and red flags. Each section includes the specific questions to ask, the documents to request, and the things most buyers miss. If you're still early in the buying process, start with our complete guide to buying a SaaS business for broader context.
How to use this checklist: Work through each section systematically. Don't let excitement about a deal cause you to skip categories. The items marked in the checklist boxes below are the minimum you should verify before closing any SaaS acquisition. Print it, share it with your advisor, or keep it open in a tab during your entire diligence process.
1. Revenue Verification
Revenue is the foundation of any SaaS valuation. If the revenue numbers are wrong, everything downstream — the multiple, the ROI projection, the growth thesis — falls apart. This is where you start, and where you should spend the most time. For a deeper understanding of how revenue drives valuation, see our guide on how to value an online business.
MRR Consistency and Trends
Don't accept a single month's MRR number. Request at least 12 months of monthly revenue data, ideally 24. You're looking for consistency, not just size. A business doing $8K MRR with steady growth over 18 months is more valuable than one doing $12K MRR that spiked from $3K three months ago due to a viral post.
- Request 12–24 months of MRR data, broken down by month
- Verify MRR directly in Stripe, Paddle, or the payment processor — not from seller-provided spreadsheets
- Distinguish between new MRR, expansion MRR, contraction MRR, and churned MRR
- Check for revenue seasonality — are there predictable peaks and valleys?
- Calculate the MRR growth rate (month-over-month) and check if it's accelerating or decelerating
- Confirm that reported ARR is actual recurring revenue, not annualized one-time payments
Churn and Retention
Churn is the silent killer of SaaS acquisitions. A business with 8% monthly churn loses half its customers in under 9 months. Even "small" churn compounds ruthlessly.
- Calculate both logo churn (customer count) and revenue churn (dollar amount)
- Identify net revenue retention (NRR) — is the business expanding within existing accounts?
- Review churn by cohort: are newer customers churning faster than older ones?
- Ask why customers cancel — request cancellation survey data or support ticket analysis
- Check for "hidden churn" — customers on annual plans who haven't renewed yet
Revenue Concentration
If one customer represents 30% of revenue, you're not buying a SaaS business — you're buying a consulting relationship with a single client. Revenue concentration risk is one of the most commonly overlooked factors in SaaS due diligence.
- Calculate the percentage of revenue from the top 5 and top 10 customers
- Determine whether any single customer accounts for more than 15% of total revenue
- Assess the risk of key customers leaving post-acquisition
- Verify that enterprise contracts have remaining term and are not month-to-month
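The MRR bridge, churn and retention figures, and concentration shares described in the three lists above can all be computed from one payment-processor export. The script below is an added example (not ExitBid's code or the page's own); it assumes the export has been reduced to one dict per month mapping customer id to that customer's MRR, and the sample data, the 5% monthly logo-churn cut-off and the dict-order-as-month-order convention are constructed assumptions. The 15% single-customer threshold is the one this checklist uses.

```python
"""Revenue-verification helpers: MRR bridge, churn, NRR and concentration.

Added example (not ExitBid's code). Input is the shape you would build
from a payment-processor export: one dict per month mapping customer id
to that customer's MRR in dollars. SAMPLE_MRR below is constructed.
"""

SAMPLE_MRR = {
    "2024-01": {"c1": 100, "c2": 50, "c3": 200, "c4": 50},
    # Feb: c3 churned, c1 expanded, c4 contracted, c5 is new
    "2024-02": {"c1": 150, "c2": 50, "c4": 25, "c5": 100},
    # Mar: c4 churned, c6 and c7 are new
    "2024-03": {"c1": 150, "c2": 50, "c5": 100, "c6": 300, "c7": 50},
}


def mrr_movements(prev, curr):
    """Bridge two consecutive months into new / expansion / contraction / churned MRR."""
    retained = [c for c in prev if c in curr]
    new = sum(v for c, v in curr.items() if c not in prev)
    churned = sum(v for c, v in prev.items() if c not in curr)
    expansion = sum(curr[c] - prev[c] for c in retained if curr[c] > prev[c])
    contraction = sum(prev[c] - curr[c] for c in retained if curr[c] < prev[c])
    start, end = sum(prev.values()), sum(curr.values())
    # The bridge must reconcile exactly; if it does not, the export is incomplete.
    assert end == start + new + expansion - contraction - churned
    return {
        "start_mrr": start, "end_mrr": end,
        "new": new, "expansion": expansion, "contraction": contraction, "churned": churned,
        "logo_churn": (len(prev) - len(retained)) / len(prev),
        "revenue_churn": churned / start,
        # NRR: what last month's customers pay now, over what they paid then
        "nrr": (start + expansion - contraction - churned) / start,
        "mom_growth": (end - start) / start,
    }


def monthly_report(snapshots):
    """Run the bridge for every consecutive pair of months (dict order = month order)."""
    months = list(snapshots)
    return {m: mrr_movements(snapshots[p], snapshots[m]) for p, m in zip(months, months[1:])}


def concentration(month_data, top_n=5):
    """Share of MRR held by the largest customer and by the top N customers."""
    total = sum(month_data.values())
    ranked = sorted(month_data.values(), reverse=True)
    return {"largest_share": ranked[0] / total, "top_n_share": sum(ranked[:top_n]) / total}


def red_flags(report, latest, max_single_share=0.15, max_logo_churn=0.05):
    """15% single-customer share is the checklist's threshold; 5% monthly logo churn
    is an assumed cut-off, adjust it for the segment you are buying into."""
    flags = [f"{month}: logo churn {m['logo_churn']:.1%} exceeds {max_logo_churn:.0%}"
             for month, m in report.items() if m["logo_churn"] > max_logo_churn]
    share = concentration(latest)["largest_share"]
    if share > max_single_share:
        flags.append(f"largest customer is {share:.1%} of MRR (limit {max_single_share:.0%})")
    return flags


if __name__ == "__main__":
    report = monthly_report(SAMPLE_MRR)
    for month, m in report.items():
        print(month, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in m.items()})
    for flag in red_flags(report, SAMPLE_MRR["2024-03"]):
        print("RED FLAG:", flag)
```

The reconciliation assert is the point of the exercise: if start MRR plus new and expansion minus contraction and churn does not equal end MRR, the seller's export is missing subscriptions or mixing one-time charges into MRR, and that is what you go back to the processor data to find.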
2. Technical Assessment
You're buying software. The code, infrastructure, and technical architecture are the product. A beautiful dashboard sitting on top of unmaintainable spaghetti code will cost you tens of thousands in refactoring before you can ship a single feature.
Code Quality and Architecture
- Request read-only access to the full source code repository
- Review the tech stack — is it modern, maintained, and something you (or your team) can work with?
- Check for automated tests: unit tests, integration tests, end-to-end tests — what's the coverage?
- Look at the git history — regular commits from one person? Multiple contributors? Gaps?
- Assess code documentation: inline comments, README, architecture docs
- Run a static analysis tool to identify code quality issues, duplication, and complexity
- Check for hard-coded credentials, API keys, or secrets in the codebase
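A first pass over the last item, checking a checkout for committed credentials, can be automated. The scanner below is an added example (not ExitBid's code or the page's own) covering a handful of public key formats plus quoted literals assigned to suspicious names; the sample files are constructed, the AWS values in them are the placeholders from AWS's own documentation, and the skip-list of directories and the 1 MB size limit are assumptions.

```python
"""Scan a code base for committed credentials before you buy it.

Added example (not ExitBid's code). The key formats matched below are
public (AWS access key IDs, Stripe live secret keys, GitHub tokens, PEM
private keys); the generic rule catches quoted literals assigned to
suspicious names. SAMPLE_FILES is constructed; the AWS values are the
placeholders from AWS's own documentation, not real credentials.
"""
import os
import re

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # a name like api_key / secret / password / token, then = or :, then a quoted literal of 8+ chars
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build"}  # assumed skip-list


def mask(value):
    """Never echo a full secret into a report; keep just enough to locate it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "****"


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": path, "line": lineno, "kind": kind, "masked": mask(m.group(0))})
    return findings


def scan_files(files):
    """files: dict of path -> contents (what scan_directory builds from a real checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root, max_bytes=1_000_000):
    """Walk a checkout, skipping VCS metadata, dependency trees and large files."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


# Constructed sample checkout: one clean file, four with findings.
SAMPLE_FILES = {
    "config/settings.py": (
        "import os\n"
        'DATABASE_PASSWORD = os.environ["DB_PASSWORD"]  # fine: read from the environment\n'
        'SECRET_KEY = "change-me-in-production"          # weak default, committed\n'
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "lib/billing.js": 'const stripe = require("stripe")("sk_live_%s");\n' % ("0" * 24),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, body omitted)\n",
    "README.md": "Set STRIPE_API_KEY in your environment before starting the app.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['kind']}  {f['masked']}")
```

Run `scan_directory(".")` from the root of the checkout. Anything the scanner finds should be treated as a live credential to be rotated before close, whether or not the seller says it is stale, and because a secret deleted from the working tree still sits in the commit history, run the same patterns over the output of `git log -p` as well.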
Dependencies and Tech Debt
- Audit third-party dependencies for known vulnerabilities (use `npm audit`, `pip-audit`, or equivalent)
- Check for deprecated or unmaintained packages that will need replacement
- Identify proprietary APIs or services that could be discontinued
- Review the database schema for normalization, indexing, and scalability concerns
- Assess technical debt honestly — what would a competent developer estimate to modernize the stack?
Hosting, Infrastructure, and Security
Infrastructure costs can quietly erode your margins. A SaaS product doing $10K MRR with $4K in AWS bills has a very different margin profile than one spending $200/month on a VPS. Security is equally critical — a data breach post-acquisition is your liability, not the previous owner's.
- Get the full monthly hosting and infrastructure cost breakdown for the past 12 months
- Identify all third-party services and their costs: email delivery, CDN, monitoring, analytics, etc.
- Verify the deployment process — is it automated (CI/CD) or manual?
- Check for SSL certificates, security headers, and basic web application security per OWASP Top 10 guidelines
- Review uptime history — request monitoring data (UptimeRobot, Pingdom, or equivalent)
- Confirm that backups exist, are automated, and have been tested for restoration
- Check whether the infrastructure can be transferred to your own cloud accounts
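The security-header item in the list above is quick to check from outside, and the same check is a useful "before and after" once you own the product. The script below is an added example (not ExitBid's code or the page's own): `assess_headers()` works on a plain dict plus a list of Set-Cookie values so it runs offline on the constructed weak and hardened samples, and `fetch_and_assess()` is the live path for a host you are authorised to test. The 180-day HSTS minimum and the set of headers checked are assumptions that cover the common OWASP recommendations rather than the full Top 10.

```python
"""Check the security headers and cookie flags a production SaaS app should send.

Added example (not ExitBid's code). assess_headers() works on a plain dict
plus a list of Set-Cookie values so it runs offline on the constructed
samples below; fetch_and_assess() is the live path for a URL you are
authorised to test. The 180-day HSTS minimum is an assumed threshold.
"""
import re
import urllib.request

REQUIRED = {
    "strict-transport-security": "HSTS missing: clients can still be downgraded to plain HTTP",
    "content-security-policy": "Content-Security-Policy missing: no defence in depth against injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: responses may be MIME-sniffed",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
MIN_HSTS_AGE = 180 * 24 * 3600  # assumed minimum, in seconds


def assess_headers(headers, cookies=()):
    """Return a list of findings; an empty list means the basic checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age shorter than 180 days")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Server header discloses a software version")
    for cookie in cookies:
        name = cookie.split("=", 1)[0]
        # attributes follow the first ';' so a value containing 'secure' cannot fool the check
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings


def fetch_and_assess(url):
    """Live check against a URL you are authorised to test (not exercised offline)."""
    with urllib.request.urlopen(url) as resp:
        return assess_headers(dict(resp.headers.items()), resp.headers.get_all("Set-Cookie") or [])


# Constructed samples: a typical unhardened response and a hardened one.
WEAK_HEADERS = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}
WEAK_COOKIES = ["session=abc123; Path=/"]
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cks in (("weak", WEAK_HEADERS, WEAK_COOKIES), ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, assess_headers(hdrs, cks) or "no findings")
```

A long list of findings here is not by itself a reason to walk away, since every item is a configuration change at the reverse proxy, but it is a cheap signal about how the product has been run, and an empty list on the seller's staging host that turns into eight findings on production tells you which environment actually gets attention.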
Tip for non-technical buyers: If you don't have the technical background to assess code quality yourself, hire a freelance developer for a paid code review. This typically costs $500–$2,000 and can save you from a catastrophic purchase. It's the highest-ROI due diligence spend you'll make.
3. Customer Analysis
Revenue tells you what happened. Customer analysis tells you why it happened and whether it will continue. Understanding how customers find the product, why they stay, and how they feel about it is essential for projecting post-acquisition performance.
Acquisition Channels
- Map all customer acquisition channels: organic search, paid ads, referrals, partnerships, Product Hunt, etc.
- Determine what percentage of new customers come from each channel
- Calculate customer acquisition cost (CAC) per channel
- Assess whether the primary acquisition channel is sustainable post-acquisition
- Check if the seller's personal brand or network is a meaningful acquisition driver (this disappears when they leave)
- Review Google Analytics or equivalent for traffic trends, sources, and conversion rates
Retention and Engagement
- Request product analytics data: DAU/MAU ratio, feature usage, session duration
- Identify the core "aha moment" — what action correlates with long-term retention?
- Segment users by activity level: how many are actively using the product vs. paying but dormant?
- Review NPS scores or customer satisfaction survey results if available
- Check social proof: reviews, testimonials, social media mentions, community activity
Support Volume and Quality
- Request support ticket volume for the past 6–12 months
- Categorize tickets: bugs, feature requests, billing issues, onboarding help
- Calculate average response time and resolution time
- Identify recurring issues that signal product problems
- Estimate the weekly hours required to handle current support load
4. Legal and Compliance
Legal due diligence is where buyers most often cut corners — and where surprises are the most expensive. A single compliance failure can result in fines, lawsuits, or the inability to operate in key markets.
Intellectual Property
- Confirm the seller has clear, undisputed ownership of all source code
- Check whether any code was written by contractors — verify IP assignment agreements exist
- Review all open-source licenses used in the project for compatibility with commercial use
- Verify domain name ownership and confirm clean transfer is possible
- Check for trademarks, patents, or pending IP disputes
- Confirm the seller owns all brand assets: logos, design files, marketing materials
Data Privacy and Compliance
If the SaaS product handles any user data — and nearly all of them do — you need to understand the compliance landscape. Post-acquisition, you inherit the liability for any pre-existing compliance gaps. The General Data Protection Regulation (GDPR) applies if you serve any EU users, and similar frameworks (CCPA, PIPEDA) may apply depending on your customer base.
- Review the existing Terms of Service and Privacy Policy — are they current and enforceable?
- Verify GDPR compliance if serving EU customers: data processing agreements, consent mechanisms, right-to-delete
- Check CCPA compliance if serving California residents
- Audit data storage practices: where is user data stored, who has access, is it encrypted at rest?
- Review cookie consent and tracking compliance
- Determine if there have been any data breaches, security incidents, or user complaints about privacy
- Check for industry-specific compliance requirements (HIPAA, SOC 2, PCI DSS) based on customer verticals
Contracts and Liabilities
- Review all existing customer contracts, especially enterprise agreements with custom terms
- Identify any commitments the seller has made that you'd inherit (pricing guarantees, feature promises, SLAs)
- Check for pending or threatened legal actions
- Review any affiliate agreements, partnership contracts, or reseller arrangements
- Confirm there are no non-compete clauses that could affect the seller's ability to transfer the business
5. Operations
A SaaS business isn't just code and customers — it's a living system that requires ongoing work. Understanding the true operational burden determines whether you're buying a mostly-passive asset or a full-time job.
Maintenance and Ongoing Work
- Ask the seller to log their time for 2–4 weeks: what tasks consume their hours?
- Distinguish between maintenance (keeping things running) and growth work (new features, marketing)
- Identify critical recurring tasks: server updates, certificate renewals, vendor payments, content creation
- Determine what happens if the product is left unattended for 30 days — does anything break?
- Assess whether the operational load is increasing or decreasing over time
Documentation and Knowledge Transfer
- Request existing documentation: technical docs, runbooks, SOPs, admin guides
- Identify critical "in the seller's head" knowledge that isn't documented anywhere
- Negotiate a transition support period (typically 30–90 days of availability post-close)
- Confirm that all accounts, credentials, and access can be transferred to you
- Create a list of every third-party account and service that needs to be transferred
Team Dependencies
- Identify if any contractors, freelancers, or employees are critical to operations
- Determine whether key team members will continue post-acquisition
- Assess the cost and feasibility of replacing any departing team members
- Check for vendor relationships that are tied to the seller personally rather than the business
6. Growth Potential
You're not just buying what the business is today — you're buying what it could become under your ownership. But growth potential should be grounded in evidence, not hopeful speculation. Distinguish between "theoretically possible" and "clearly achievable with defined effort."
- Assess the total addressable market (TAM) — is the market growing, stable, or shrinking?
- Identify the top 3–5 competitors and evaluate the product's competitive positioning
- Review the seller's existing product roadmap and unreleased feature ideas
- Analyze pricing: is there room to increase prices without significant churn?
- Identify untapped customer segments or geographies
- Evaluate expansion revenue opportunities: upsells, add-ons, higher-tier plans
- Assess SEO opportunity: what keywords does the site rank for, and what's the organic growth trajectory?
- Determine whether the product can serve as a platform for adjacent offerings
The "what would I do differently?" test: Before closing, write down your 90-day plan for the business. If you can't identify at least 3 concrete actions you'd take to grow revenue or reduce costs, you may be overpaying for the current state of the business without a clear path to return on your investment.
7. Red Flags — What to Watch Out For
Experienced acquirers develop pattern recognition for deals that look good on the surface but hide serious problems underneath. Here are the most common red flags in SaaS acquisitions:
Revenue Red Flags
- Sudden revenue spikes — A sharp increase in MRR right before listing often means the seller ran a heavy discount or lifetime deal to inflate numbers. Always ask what caused any spike.
- Lifetime deals (LTDs) counted as MRR — LTD revenue is one-time, not recurring. If LTDs make up a meaningful portion of "MRR," the real recurring revenue is much lower.
- Refusal to share payment processor access — If the seller won't give you read-only Stripe or Paddle access, walk away. There is no legitimate reason to refuse this.
- Revenue from a single channel — If 90% of revenue comes from one traffic source, one affiliate partner, or one marketplace listing, you're buying concentration risk.
- Declining MRR masked by annual plans — Monthly MRR can look stable while the business is actually losing customers, because annual subscribers haven't hit their renewal date yet.
Technical Red Flags
- No version control or git history — If the code isn't in a repository with commit history, you can't verify who wrote it, when, or how the product evolved.
- Zero automated tests — No tests means every change is a risk. Budget significant time and money for adding test coverage post-acquisition.
- Vendor lock-in to seller's accounts — Infrastructure that can't be moved off the seller's personal accounts (Google Cloud, AWS, etc.) is a serious transfer risk.
- Undisclosed technical debt — The seller claims "everything works perfectly" but can't explain the last time they updated dependencies or patched vulnerabilities.
Behavioral Red Flags
- Rushing the timeline — A seller who pressures you to close quickly and skip diligence is hiding something. Legitimate sellers understand that due diligence protects both parties.
- Vague answers to specific questions — If you ask "what's your monthly churn rate?" and get "it's really low" instead of a number, the seller either doesn't know their metrics or doesn't want to share them.
- Inconsistent stories — When the reason for selling changes between conversations, or financials don't match across different documents, trust your instincts.
- No transition support — A seller who refuses to offer any post-sale transition period may be planning to disappear once the check clears.
The golden rule of SaaS due diligence: Every claim the seller makes should be independently verifiable. "Trust but verify" isn't enough — in an acquisition, the standard is "verify, then trust." If something can't be verified, it shouldn't factor into your valuation.
Putting It All Together: The Due Diligence Timeline
For most SaaS acquisitions under $500K, a thorough due diligence process takes 2–4 weeks. Here's a practical timeline:
| Week | Focus Area | Key Actions |
|---|---|---|
| Week 1 | Revenue & Financials | Stripe access review, MRR analysis, churn calculation, revenue concentration assessment |
| Week 2 | Technical & Product | Code review, infrastructure audit, dependency check, security assessment |
| Week 3 | Customers & Operations | Customer analysis, support review, operational burden assessment, documentation review |
| Week 4 | Legal & Final Review | IP verification, compliance audit, contract review, final risk assessment, negotiation |
Smaller deals ($5K–$50K) can compress this to 1–2 weeks. Larger deals ($500K+) may require 4–8 weeks and professional advisors. The key is not to skip steps — just adjust the depth.
How ExitBid Makes Due Diligence Easier
One of the structural advantages of buying through a curated marketplace like ExitBid is that a significant portion of due diligence is handled before a listing goes live. Every business on ExitBid goes through a curation process that verifies basic revenue claims, checks for obvious red flags, and ensures the listing meets quality standards. You can see exactly how the process works on our platform page.
This doesn't replace your own due diligence — nothing should. But it means you're starting from a higher baseline of trust than on open marketplaces where anyone can list anything. When you find a SaaS business on ExitBid, you know it's already passed an initial quality filter.
Combined with the auction format, which creates natural deal momentum, you get a buying experience where diligence and competitive bidding work together rather than against each other.
Frequently Asked Questions
For acquisitions under $500K, plan for 2–4 weeks of focused work. Micro-SaaS deals under $50K can be done in 1–2 weeks. Larger deals may require 4–8 weeks with professional advisors. The key is completeness, not speed — rushing due diligence is the most expensive shortcut in acquisitions.
For deals above $50K–$100K, yes. A lawyer experienced in digital asset transactions can review contracts, IP assignments, and compliance in ways that protect you from post-acquisition surprises. Below that range, the legal risk is lower but IP ownership verification is still essential.
Revenue authenticity. Everything else — valuation, ROI, growth potential — is derived from revenue. If the revenue numbers are wrong, every other calculation is wrong too. Always verify revenue directly through the payment processor, not from seller-provided documents.
For very small deals, yes — you can check basic things like uptime, site speed, and dependency freshness. But for any meaningful SaaS acquisition, hiring a developer for a paid code review ($500–$2,000) is strongly recommended. It's the highest-ROI due diligence expense.
Any seller who refuses reasonable due diligence requests is sending you a clear signal. Walk away. Legitimate sellers understand that diligence protects both sides. Common reasonable requests include read-only Stripe access, repository access, and analytics dashboards. If they won't share these, the deal isn't worth the risk.
Related Reading
Continue your research
→ Complete Guide to Buying a SaaS Business
→ How to Value an Online Business
→ How ExitBid Works
→ SaaS Businesses for Sale on ExitBid
Find Your Next SaaS Acquisition
Curated listings. Verified revenue. Auction-driven pricing. Only 14 active listings at any time — each one vetted before going live.