SaaS Acquisition Due Diligence Checklist

Before you acquire a SaaS or software business, validate ARR quality, churn data, technical infrastructure, and customer contract terms with this step-by-step checklist built for lower middle market buyers.

Acquiring a SaaS business in the $1M–$5M ARR range offers compelling economics — high gross margins, predictable cash flows, and scalable infrastructure — but surface-level metrics rarely tell the full story. Net revenue retention figures can mask accelerating logo churn. MRR schedules can obscure deferred revenue misclassification. And a clean dashboard can hide a codebase held together with legacy dependencies and undocumented architecture. This checklist gives SaaS buyers a structured framework across five critical domains: revenue quality, technical infrastructure, customer contracts, financial reporting, and key person risk. Each item is designed to surface the specific failure modes that derail SaaS acquisitions in the lower middle market — before you close.

Revenue Quality & Retention Metrics

Validate the true quality, durability, and trajectory of recurring revenue beyond top-line MRR reporting.

critical

Request cohort-level churn analysis by contract vintage and customer segment for the past 24 months.

Cohort data exposes whether churn is accelerating among newer customers, signaling weakening product-market fit.

Red flag: Seller cannot produce cohort data and only provides blended monthly churn figures.

critical

Calculate net revenue retention (NRR) independently using raw subscription data, not seller-provided summaries.

NRR above 100% confirms expansion revenue offsets churn; NRR below 90% erodes valuation basis significantly.

Red flag: NRR drops below 85% when calculated from raw data versus the seller's reported figure.

critical

Verify MRR reconciles to bank deposits and invoiced amounts across a trailing 12-month period.

Discrepancies between MRR schedules and actual cash receipts indicate revenue recognition errors or inflated reporting.

Red flag: MRR schedule exceeds deposited revenue by more than 5% without a credible deferred revenue explanation.

critical

Identify all customers representing more than 10% of ARR and review their contract terms and renewal history.

High customer concentration creates existential revenue risk if one enterprise client churns post-acquisition.

Red flag: A single customer accounts for more than 25% of total ARR with a contract expiring within 18 months.
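The independent NRR recalculation and the ARR-concentration check described in the items above, as an added example that is not part of the original checklist. The billing rows are constructed; the thresholds (NRR below 85%, customers above 10% and 25% of ARR) are the page's own.

```python
from collections import defaultdict

# Constructed billing export: (customer, month, MRR). This is what a raw
# subscription export looks like once flattened; the seller's summary is ignored.
RAW = [
    ("acme", "2023-01", 4000), ("acme", "2024-01", 4800),  # expansion
    ("bolt", "2023-01", 1000), ("bolt", "2024-01", 700),   # contraction
    ("cogs", "2023-01", 2000),                             # churned before 2024-01
    ("dyna", "2023-01", 500),  ("dyna", "2024-01", 500),   # flat
    ("eros", "2024-01", 3000),                             # new logo, excluded from NRR
]

def mrr_by_customer(rows):
    """customer -> {month: MRR}; a missing month means no active subscription."""
    table = defaultdict(dict)
    for cust, month, mrr in rows:
        table[cust][month] = mrr
    return table

def net_revenue_retention(rows, start, end):
    """NRR = end-month MRR of the customers active in `start` / their start MRR.
    Churned customers contribute 0; logos acquired after `start` are ignored."""
    table = mrr_by_customer(rows)
    cohort = {c: m[start] for c, m in table.items() if m.get(start, 0) > 0}
    if not cohort:
        raise ValueError(f"no customers active in {start}")
    start_mrr = sum(cohort.values())
    end_mrr = sum(table[c].get(end, 0) for c in cohort)
    return end_mrr / start_mrr

def arr_concentration(rows, month):
    """Share of ARR per active customer in `month` (ARR = 12 x MRR, so the
    shares equal the MRR shares)."""
    mrr = {c: m.get(month, 0) for c, m in mrr_by_customer(rows).items()}
    total = sum(mrr.values())
    return {c: v / total for c, v in mrr.items() if v > 0}

def red_flags(rows, start, end):
    """Apply the checklist thresholds: NRR < 85%, any customer > 10% / > 25% of ARR."""
    flags = []
    nrr = net_revenue_retention(rows, start, end)
    if nrr < 0.85:
        flags.append(f"NRR {nrr:.1%} is below 85% when computed from raw data")
    for cust, share in arr_concentration(rows, end).items():
        if share > 0.25:
            flags.append(f"{cust} is {share:.0%} of ARR (over 25%)")
        elif share > 0.10:
            flags.append(f"{cust} is {share:.0%} of ARR (over 10%): review contract")
    return flags

if __name__ == "__main__":
    for flag in red_flags(RAW, "2023-01", "2024-01"):
        print(flag)
```

On the constructed rows the cohort active in January 2023 retains 80% of its MRR a year later, so the NRR flag fires even though the new logo makes total MRR look like it grew.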

Technical Infrastructure & Code Quality

Assess the true condition of the codebase, infrastructure, and third-party dependencies that underpin the product.

critical

Commission an independent technical audit covering code quality, architecture, test coverage, and deployment practices.

Technical debt invisible to non-engineers can require $200K–$500K in post-acquisition remediation investment.

Red flag: No version control system, test suite, or documented deployment process exists for core product functions.

critical

Audit all third-party API dependencies, SaaS infrastructure vendors, and licensing agreements for continuity risk.

Platform dependency on AWS, Stripe, or niche APIs can create existential risk if vendor terms change post-close.

Red flag: Critical product functionality relies on a deprecated API or a vendor with no enterprise SLA in place.

important

Review system uptime history, incident logs, and SLA performance records for the trailing 24 months.

Chronic downtime or unresolved incidents indicate infrastructure instability that will surface as churn post-acquisition.

Red flag: Uptime falls below 99% in any rolling 90-day period or major incidents lack documented post-mortems.
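The rolling 90-day uptime test and the post-mortem check from the item above, as an added example rather than code from the original page. The incident export is constructed; the 99% threshold is the page's own, and the four-hour cut-off for a "major" incident is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)
THRESHOLD = 0.99  # checklist threshold for any rolling 90-day window

# Constructed incident export: (id, start, end, post-mortem on file). A real
# review would load the seller's status-page or pager export here instead.
INCIDENTS = [
    ("INC-1", "2023-03-02T10:00", "2023-03-02T11:30", True),   # 90 min
    ("INC-2", "2023-06-14T00:00", "2023-06-15T06:00", False),  # 30 h, no post-mortem
    ("INC-3", "2023-11-20T22:00", "2023-11-20T23:00", True),   # 60 min
]

def parse(incidents):
    return [(i, datetime.fromisoformat(s), datetime.fromisoformat(e), pm)
            for i, s, e, pm in incidents]

def downtime_in(parsed, start, end):
    """Total outage time overlapping the half-open window [start, end)."""
    total = timedelta()
    for _, s, e, _ in parsed:
        lo, hi = max(s, start), min(e, end)
        if hi > lo:
            total += hi - lo
    return total

def worst_rolling_availability(incidents, period_start, period_end):
    """Lowest availability of any 90-day window inside the period, sliding one
    day at a time. Period bounds are ISO date strings, e.g. '2023-01-01'."""
    parsed = parse(incidents)
    p_start, p_end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    worst, win_start = 1.0, p_start
    while win_start + WINDOW <= p_end:
        down = downtime_in(parsed, win_start, win_start + WINDOW)
        worst = min(worst, 1 - down / WINDOW)
        win_start += timedelta(days=1)
    return worst

def missing_postmortems(incidents, major_hours=4):
    """Major incidents (at least `major_hours` long; assumed cut-off) with no post-mortem."""
    return [i for i, s, e, pm in parse(incidents)
            if e - s >= timedelta(hours=major_hours) and not pm]

if __name__ == "__main__":
    worst = worst_rolling_availability(INCIDENTS, "2023-01-01", "2024-01-01")
    print(f"worst 90-day availability: {worst:.3%} (flag: {worst < THRESHOLD})")
    print("major incidents without post-mortem:", missing_postmortems(INCIDENTS))
```

A single 30-hour outage is enough to breach 99% in the window that contains it (the budget is about 21.6 hours per 90 days), which a yearly uptime figure would hide.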

critical

Confirm all IP, proprietary code, and software components are owned by the business entity, not the founder personally.

Unassigned IP creates legal exposure and can block deal closing or require costly post-acquisition remediation.

Red flag: Founder wrote core modules as a contractor pre-incorporation with no formal IP assignment agreement on file.

Customer Contracts & Commercial Terms

Review every material customer agreement for renewal provisions, cancellation rights, and payment obligations.

critical

Collect all active customer contracts and verify auto-renewal clauses, notice periods, and cancellation provisions.

Weak auto-renewal language allows customers to cancel immediately post-close, collapsing the ARR you paid for.

Red flag: More than 30% of ARR is on month-to-month agreements with no contractual cancellation notice requirement.

important

Review all SLAs, uptime guarantees, and data security obligations for financial exposure and compliance requirements.

Aggressive SLAs with financial penalties or HIPAA/SOC 2 obligations create undisclosed post-acquisition liability.

Red flag: Existing SLAs include financial penalty clauses the business has never tracked or provisioned against.

critical

Verify all contracts are assignable to the acquiring entity without requiring individual customer consent.

Non-assignability clauses require customer re-signing at close, creating churn risk and deal execution delays.

Red flag: Multiple enterprise contracts include anti-assignment clauses with no modification or waiver mechanism available.

important

Audit payment history for all customers exceeding $10K ARR, noting late payments, disputes, or credits issued.

Chronic late payers or credit-heavy accounts inflate gross ARR while masking effective net revenue quality.

Red flag: Three or more accounts in the top 20% of ARR have unresolved billing disputes or outstanding balances over 90 days.

Financial Reporting & Revenue Recognition

Validate GAAP compliance, deferred revenue treatment, and the accuracy of seller-reported financial statements.

critical

Reconcile reported ARR to GAAP revenue by reviewing deferred revenue schedules and subscription billing cycles.

Cash-basis SaaS businesses often overstate revenue by recognizing annual prepayments immediately rather than ratably.

Red flag: Seller conflates cash collected with earned revenue and cannot produce a deferred revenue rollforward schedule.

critical

Request trailing 3 years of P&L statements, balance sheets, and bank statements prepared or reviewed by a CPA.

Unaudited financials with no third-party review increase the risk of misstated expenses, owner perks, and add-backs.

Red flag: Financial statements are owner-prepared spreadsheets with no CPA involvement and significant unexplained add-backs.

important

Analyze gross margin composition, separating true software margin from hosting costs, support labor, and implementation fees.

Reported 80% gross margins can compress to 60% when support headcount and infrastructure costs are properly allocated.

Red flag: Gross margin calculation excludes customer success salaries or hosting costs that are buried in operating expenses.

important

Evaluate owner compensation, related-party transactions, and discretionary expenses against market-rate benchmarks.

Inflated add-backs that normalize owner salary to unrealistic levels artificially boost adjusted EBITDA and purchase price.

Red flag: Seller adds back more than $150K in owner compensation adjustments without comparable market-rate justification.

Key Person Risk & Operational Continuity

Assess founder dependency across sales, product, and customer success functions before committing to full valuation.

critical

Map every customer relationship to identify which accounts the founder owns directly versus team-managed contacts.

Founder-owned enterprise relationships frequently churn within 12 months of a founder's departure post-acquisition.

Red flag: Founder is the primary contact for customers representing more than 40% of ARR with no documented handoff plan.

critical

Review documented SOPs for onboarding, customer support, product releases, and sales processes end-to-end.

Absence of SOPs means the business cannot operate without the founder, destroying post-acquisition transferability.

Red flag: No written SOPs exist for any core function and all process knowledge resides with the founding team exclusively.

critical

Assess the engineering team's ability to maintain, deploy, and extend the product independently post-acquisition.

A solo founder-developer with no engineering team leaves the buyer with no product continuity unless the founder is retained.

Red flag: Founder is the sole engineer with no contractors, documentation, or succession plan for critical product infrastructure.

important

Negotiate transition support terms specifying founder availability, duration, and compensation during the handover period.

Undefined transition obligations create operational gaps and buyer-seller disputes that delay post-close stabilization.

Red flag: Seller is unwilling to commit to more than 30 days of transition support for a highly founder-dependent operation.

Deal-Killer Red Flags for SaaS/Software

  • Net revenue retention below 85% when independently calculated from raw subscription data rather than seller summaries
  • Single customer representing more than 25% of total ARR with a contract renewal date within 18 months of close
  • Founder is sole engineer with no documented codebase, version control, or third-party technical continuity plan
  • More than 30% of ARR on month-to-month subscriptions with no contractual notice or cancellation requirement
  • MRR growth trend is declining or flat for more than 6 consecutive months in the 12–24 months prior to listing

Frequently Asked Questions

What is the most important metric to validate when acquiring a SaaS business under $5M ARR?

Net revenue retention is the single most predictive metric of SaaS business health. NRR above 100% means the existing customer base is growing through expansion revenue, which compounds value post-acquisition. Always calculate NRR independently from raw billing data rather than relying on seller-provided summaries, which frequently blend or misrepresent cohort-level churn patterns.

How do I assess technical debt risk before acquiring a bootstrapped SaaS company?

Commission an independent technical audit from a third-party engineering firm before signing a purchase agreement. The audit should cover code architecture, test coverage, deployment documentation, third-party dependencies, and security vulnerabilities. Budget $5,000–$15,000 for a credible technical review — it is the most cost-effective insurance against a $300K+ post-acquisition engineering remediation project.

Can I use an SBA loan to acquire a SaaS or software business?

Yes. SaaS businesses are SBA-eligible if they meet standard program requirements including U.S. operations, for-profit status, and size standards. Lenders will scrutinize ARR stability, customer concentration, and whether the business can service debt at the proposed acquisition price. Businesses with more than 30% customer concentration or declining MRR trends will face higher scrutiny and may require additional collateral or seller financing as a condition of approval.

What deal structure is most common in lower middle market SaaS acquisitions?

The most common structures include all-cash at close with a 10–20% holdback tied to customer retention milestones over 12–24 months, or a hybrid structure combining partial seller financing with an earnout based on ARR growth targets over two years. Retention-based holdbacks are especially common when customer concentration is elevated or when the founder holds key relationships, as they align seller incentives with post-acquisition revenue continuity.
