Validate MRR quality, uncover churn risk, and assess cybersecurity exposure before acquiring a cloud MSP in the $1M–$5M revenue range.
Acquiring a cloud services provider offers compelling recurring revenue economics, but the due diligence process requires technical and financial depth that goes well beyond standard business acquisitions. Buyers must scrutinize the quality of reported MRR, validate customer contract defensibility, audit the underlying technology stack for obsolescence risk, and honestly assess whether the business can operate without its founder or one or two critical engineers. This checklist organizes the most important due diligence activities into five focused categories — revenue quality, customer contracts, technology and vendor risk, cybersecurity and compliance, and team and operational continuity — to help buyers avoid expensive surprises and close with confidence.
Validate that reported recurring revenue is real, stable, and defensible by analyzing churn, cohort retention, and revenue composition in detail.
Request a month-by-month MRR bridge for the trailing 24 months showing new, expansion, contraction, and churned revenue.
Reveals true net revenue retention and whether MRR growth is driven by new logos or expansion of existing accounts.
Red flag: MRR bridge shows consistent contraction or churn that is masked by new customer additions inflating the headline number.
Separate recurring MRR from one-time project revenue and professional services fees in all financial statements.
One-time revenue inflates EBITDA and purchase price if not stripped out; true recurring percentage must exceed 70%.
Red flag: More than 25% of reported revenue is project-based or non-recurring with no clear pipeline to replace it annually.
Calculate net revenue retention by customer cohort for each of the past three years.
NRR above 100% signals that existing customers are expanding spend, a key indicator of platform stickiness.
Red flag: NRR consistently below 95% across cohorts indicates a leaky bucket that will erode enterprise value post-acquisition.
Reconcile MRR figures against actual invoices and bank deposits to confirm reported numbers match cash received.
Ensures MRR is not overstated through deferred billing, inactive accounts, or accounts receivable that will never collect.
Red flag: Significant variance between reported MRR and bank deposits, or AR aging showing invoices 90-plus days outstanding.
Review all customer agreements for enforceability, renewal terms, and concentration exposure that could destabilize revenue post-close.
Obtain and review fully executed contracts for all customers representing more than 2% of total revenue.
Confirms revenue is contractually committed versus verbal or month-to-month arrangements with no cancellation penalty.
Red flag: Major revenue relationships lack signed contracts or operate on month-to-month terms with no minimum commitment.
Map customer concentration by identifying any client exceeding 15% of total MRR.
Single-client concentration creates catastrophic downside risk if that relationship churns or reprices post-acquisition.
Red flag: One or two clients represent more than 30% of total revenue with no long-term contract providing protection.
Review auto-renewal clauses, notice periods, and change-of-control provisions in all material contracts.
Change-of-control clauses can give customers the right to cancel at acquisition, eliminating contracted revenue immediately.
Red flag: Multiple enterprise contracts contain change-of-control termination rights that have not been pre-negotiated with customers.
Confirm all SLA commitments, uptime guarantees, and penalty clauses are documented and historically met.
Undisclosed SLA penalties or breach history create unquantified liability and signal operational quality issues.
Red flag: Recurring SLA breach incidents or penalties paid to customers that are not reflected in the financial statements or disclosed in the CIM (confidential information memorandum).
Audit the underlying infrastructure, third-party platforms, and vendor relationships to assess obsolescence risk and transferability post-close.
Document the full technology stack including hyperscaler partnerships, licensing tiers, and reseller agreement terms with AWS, Azure, or Google Cloud.
Hyperscaler partner status and margin tiers may not transfer automatically and can significantly affect unit economics post-acquisition.
Red flag: Business relies on a partner tier that requires annual revenue thresholds the combined entity cannot confidently maintain.
Identify all third-party software licenses, monitoring tools, and automation platforms and confirm transferability at close.
Non-transferable licenses or vendor agreements requiring re-negotiation create post-close disruption and unexpected costs.
Red flag: Key operational tools are licensed to the founder personally or contain clauses prohibiting assignment without vendor consent.
Assess the age and scalability of the proprietary platform, tooling, or managed service delivery infrastructure.
Outdated or poorly documented proprietary tools create technical debt and require significant capex to maintain or modernize.
Red flag: Core delivery platform has not been updated in two or more years and lacks documentation or a dedicated engineering owner.
Review all vendor payment terms, outstanding credits, and any hyperscaler marketplace commitments or spend obligations.
Committed spend agreements with hyperscalers that are not backed by customer contracts create financial exposure post-close.
Red flag: Active AWS or Azure committed-use contracts exceed contracted customer obligations, creating stranded cost liability.
Evaluate security certifications, incident history, and compliance standing to quantify liability exposure before committing to a purchase price.
Request SOC 2 Type II report, ISO 27001 certificate, or equivalent compliance audit completed within the past 12 months.
Compliance certifications signal enterprise-grade security controls and are often required to retain or win enterprise clients; confirm that the audit scope actually covers the environments that serve customers and read any exceptions the auditor noted.
Red flag: Business serves enterprise or regulated-industry clients but has never completed a formal third-party security audit or certification.
Obtain a full disclosure of all cybersecurity incidents, data breaches, and ransomware events in the past five years.
Undisclosed breaches create legal liability, reputational damage, and potential regulatory penalties that transfer with the business.
Red flag: Incident disclosure reveals a material breach that was not reported to affected customers or relevant regulatory authorities.
Review cyber insurance policy limits, coverage scope, and claims history for adequacy relative to customer data exposure.
Inadequate cyber insurance leaves the acquirer exposed to costs that can exceed the acquisition price in a major incident.
Red flag: Cyber insurance is absent, lapsed, or covers less than $1M in liability for a business managing enterprise client infrastructure.
Conduct a penetration test or review the most recent third-party vulnerability assessment for open findings.
Unresolved critical vulnerabilities in production infrastructure represent immediate liability that must be priced into the deal.
Red flag: Penetration test reveals critical or high-severity open findings that have been unaddressed for more than 90 days.
Assess whether the business can operate and retain customers without the founder or a small group of critical technical staff post-acquisition.
Map all technical responsibilities currently held by the owner and identify which functions have a designated backup or successor.
Founder-held technical knowledge with no documented successor creates immediate operational risk at close.
Red flag: Owner is the sole administrator for critical customer environments, vendor portals, or billing systems with no trained backup.
Review employment agreements, non-solicitation clauses, and retention packages for all engineers and technical leads.
Key engineers without retention incentives or restrictive covenants can depart post-close and take institutional knowledge or clients.
Red flag: Top two or three technical employees have no employment contracts, non-solicits, or equity incentives tying them to the business.
Evaluate the completeness of operational runbooks, network diagrams, and customer environment documentation.
Documented processes allow a new owner or team to manage customer environments without direct founder involvement.
Red flag: Critical customer runbooks or environment configurations exist only in the founder's head or personal notes with no written record.
Assess customer relationship ownership by determining which accounts are managed by the owner versus the broader team.
Customers bonded to the founder personally rather than the business are at high churn risk when the seller exits.
Red flag: More than 40% of MRR comes from accounts where the founder is the primary relationship holder and day-to-day contact.
Net revenue retention and the MRR bridge are the two most important metrics. NRR above 100% confirms that existing customers are expanding their spend, which means you don't need constant new logo acquisition just to maintain revenue. The MRR bridge breaks total monthly recurring revenue into new, expansion, contraction, and churn components, revealing whether headline growth is masking underlying customer losses. Buyers should request both metrics on a monthly basis for at least 24 months and calculate NRR by customer cohort to understand how different segments of the book perform over time.
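As an added worked example (not part of the original page), the bridge and cohort NRR computed over constructed per-customer MRR data; the customer names and figures are made up, and the last check shows headline MRR staying flat while the original cohort loses nearly a third of its spend:

```python
# Added example: MRR bridge and cohort NRR over constructed per-customer data.
# Each series lists a customer's MRR for months 0..3; 0 means not a customer that month.
MRR = {
    "acme":  [10_000, 10_000, 11_000, 11_000],  # expands in month 2
    "beta":  [4_000, 3_000, 3_000, 0],          # contracts in month 1, churns in month 3
    "gamma": [0, 5_000, 5_000, 5_000],          # new logo in month 1
    "delta": [2_000, 2_000, 0, 0],              # churns in month 2
}


def total_mrr(mrr, m):
    """Headline MRR for month m."""
    return sum(series[m] for series in mrr.values())


def mrr_bridge(mrr, m):
    """Split the change from month m-1 to month m into new, expansion, contraction, churn."""
    bridge = {"new": 0, "expansion": 0, "contraction": 0, "churn": 0}
    for series in mrr.values():
        prev, cur = series[m - 1], series[m]
        if prev == 0 and cur > 0:
            bridge["new"] += cur
        elif prev > 0 and cur == 0:
            bridge["churn"] += prev
        elif cur > prev:
            bridge["expansion"] += cur - prev
        elif cur < prev:
            bridge["contraction"] += prev - cur
    return bridge


def bridge_reconciles(mrr, m):
    """Check that the bridge explains the headline change exactly (the reconciliation a buyer should demand)."""
    b = mrr_bridge(mrr, m)
    explained = b["new"] + b["expansion"] - b["contraction"] - b["churn"]
    return explained == total_mrr(mrr, m) - total_mrr(mrr, m - 1)


def cohort_nrr(mrr, start, end):
    """NRR of the customers active at `start`, measured at `end`. Logos added later are
    excluded, so new-customer additions cannot mask losses inside the cohort."""
    cohort = [c for c, s in mrr.items() if s[start] > 0]
    base = sum(mrr[c][start] for c in cohort)
    return sum(mrr[c][end] for c in cohort) / base


if __name__ == "__main__":
    for m in range(1, 4):
        print(m, total_mrr(MRR, m), mrr_bridge(MRR, m), bridge_reconciles(MRR, m))
    # Headline MRR is 16,000 in both month 0 and month 3, yet the month-0 cohort retains only 68.75%.
    print(f"cohort NRR month 0 -> 3: {cohort_nrr(MRR, 0, 3):.2%}")
```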
Start by documenting every function the founder currently performs — customer escalations, vendor management, technical architecture, and billing — and ask who else in the organization can perform each task today. If the honest answer for more than a few functions is no one, that is a structural risk requiring a transition service agreement, an earnout tied to successful knowledge transfer, or a seller note contingent on customer retention. Equally important is reviewing the employment agreements and retention incentives for the top two or three engineers. Without contracts or equity-based retention, those employees can walk post-close and take critical institutional knowledge and customer relationships with them.
Any undisclosed data breach or ransomware incident affecting customer data is a serious concern that warrants independent verification and legal review before proceeding. The absence of cyber insurance, or coverage with limits below $1M for a business managing enterprise infrastructure, is equally disqualifying. Open critical or high-severity vulnerabilities from a penetration test that have gone unaddressed for more than 90 days signal a culture of deferred security maintenance that creates liability exposure for the acquirer. Compliance gaps for businesses serving regulated industries, such as healthcare or financial services, should trigger a price reduction or an escrow holdback pending remediation.
Cloud services providers are generally eligible for SBA 7(a) loans, making it possible to finance acquisitions with as little as 10% buyer equity when the business meets lender requirements. SBA lenders will scrutinize the quality and durability of recurring revenue, typically requiring that MRR represents at least 70% of total revenue and that customer contracts are documented and multi-year where possible. Key person dependency is a known concern for SBA lenders in this sector, and some will require the seller to remain involved for a transition period or carry a seller note of 10–20% to demonstrate confidence in the business continuity. Buyers should work with an SBA lender experienced in technology and managed services transactions to structure the deal appropriately.