Due Diligence for Acquiring a SaaS Business

Validate recurring revenue, uncover technical risk, and structure smart deals when buying bootstrapped software companies with $1M–$5M in ARR.

Acquiring a SaaS business requires moving beyond headline MRR to validate true retention, code quality, and founder dependency. This guide walks buyers through three structured phases covering financial verification, technical assessment, and commercial risk — the areas where SaaS deals most commonly break down or get repriced.

SaaS/Software Due Diligence Phases

Phase 1: Financial & Revenue Verification

Confirm the quality and durability of recurring revenue by stress-testing MRR schedules, churn cohorts, and revenue recognition policies before advancing the deal.

Cohort-Level Churn & Retention Analysis (critical)

Request monthly cohort data segmented by customer size and contract vintage. Net revenue retention below 90% is a red flag requiring deal structure adjustments or price reduction.

Revenue Recognition & Deferred Revenue Schedule (critical)

Reconcile GAAP versus cash accounting. Identify prepaid annual contracts recorded as deferred revenue that inflate cash flow but don't represent earned recurring income.

Customer Concentration Review (important)

Map ARR by customer. Any single customer exceeding 15% of total ARR warrants holdback provisions or earnout triggers tied to that customer's retention post-close.

Phase 2: Technical & Infrastructure Assessment

Assess the codebase, hosting dependencies, and third-party integrations to quantify post-acquisition engineering investment and identify existential platform risks.

Codebase Quality & Technical Debt Audit (critical)

Engage a third-party engineer to assess code documentation, version control, test coverage, and deployment pipelines. Undocumented legacy code significantly increases post-acquisition operating costs.

Third-Party Dependency & API Risk Review (important)

Catalog reliance on AWS, Stripe, Twilio, or other vendors. Evaluate contract terms, pricing exposure, and what happens if a critical API is deprecated or repriced.

Security, Uptime, and Compliance Verification (important)

Review historical uptime logs, penetration test results, SOC 2 status, and data handling practices. Identify any GDPR, HIPAA, or industry-specific compliance gaps requiring remediation.

Phase 3: Commercial & Operational Risk

Evaluate contract terms, founder dependency, and sales process documentation to determine whether the business can operate and grow independently under new ownership.

Customer Contract & Auto-Renewal Audit (critical)

Review all subscription agreements for cancellation clauses, auto-renewal terms, SLA obligations, and change-of-control provisions that could allow customers to exit at acquisition.

Key Person & Founder Dependency Assessment (critical)

Interview team members and document which sales, support, and product functions rely solely on the founder. Request SOPs for every founder-led process before closing.

Sales Pipeline & CAC Verification (important)

Validate the inbound and outbound pipeline, customer acquisition cost, and payback period. Founder-driven sales with no documented playbook significantly increase transition risk and churn.

SaaS/Software-Specific Due Diligence Items

  • Verify MRR reconciles to bank deposits by cross-referencing Stripe or payment processor reports against the MRR schedule provided in the CIM.
  • Confirm all intellectual property — including code, trademarks, and domain assets — is assigned to the legal entity being acquired, not held personally by the founder.
  • Assess AI displacement risk by mapping core product features against emerging AI-native tools that could replicate functionality and erode the competitive moat within 24 months.
  • Request NPS scores, login frequency data, and feature adoption metrics to build a customer health baseline and identify accounts at elevated churn risk post-acquisition.
  • Evaluate whether the product roadmap is documented and prioritized independently of the founder, and whether a technical lead or contractor can execute development post-transition.

Frequently Asked Questions

What churn rate is acceptable when acquiring a SaaS business?

Annual gross churn below 10% is the target for lower middle market SaaS acquisitions. Above 15% signals weak product-market fit and should trigger price reductions or retention-based earnout structures.

How do buyers typically structure SaaS acquisitions to manage retention risk?

Common structures include 10–20% holdbacks tied to 12-month customer retention milestones, seller notes contingent on ARR maintenance, and earnouts paying 25–40% of consideration based on ARR growth targets.

Should I hire a technical expert during SaaS due diligence?

Yes. Engaging an independent software engineer to audit code quality, test coverage, and infrastructure is essential. Technical debt discovered post-close can cost hundreds of thousands in remediation and delay product development.

How are SaaS businesses in the $1M–$5M ARR range typically valued?

Lower middle market SaaS businesses trade at 3.5x–6x ARR depending on net revenue retention, growth rate, gross margins, and founder dependency. Clean financials and documented processes command the higher end of the range.
