SaaS Due Diligence Checklist 2025 — 47 Items to Verify Before You Buy

The exact 47-point checklist we use to verify $2M+ SaaS deals. Covers financial verification, red flags that kill deals, Trust Score methodology, and risk flags from 326+ real transactions.

counterx-team

SaaS Due Diligence Checklist 2025: 47 Points to Verify Before Buying

Missing one red flag can cost you 30% of the deal value. This is the exact due diligence checklist we've refined after analyzing 326+ SaaS transactions on CounterX. Whether you're acquiring a micro-SaaS or a $2M+ business, these verification steps separate successful buyers from those who inherit hidden problems.

Due diligence is the most critical phase of any SaaS acquisition. It's where you verify everything the seller claims, identify potential risks, and ensure you're making an informed decision. This comprehensive guide walks you through the complete due diligence process, based on CounterX's 8-pillar verification system and real-world experience from 326+ transactions.

Table of Contents

  1. What is SaaS Due Diligence?
  2. The 8 Verification Pillars
  3. Financial Verification
  4. Operational Due Diligence
  5. Technical Due Diligence
  6. Legal and Compliance
  7. Risk Assessment
  8. Trust Score Explained
  9. Due Diligence Checklist
  10. Common Red Flags

What is SaaS Due Diligence?

Due diligence is the process of verifying all claims about a SaaS business before acquisition. It's your opportunity to:

  • Verify revenue and financials
  • Assess operational health
  • Identify risks and liabilities
  • Validate technology and infrastructure
  • Understand customer base and retention
  • Check legal compliance

Why Due Diligence Matters

Without proper due diligence:

  • 40% of SaaS acquisitions fail to meet expectations
  • Hidden liabilities can cost 20-30% of purchase price
  • Operational surprises delay integration
  • Customer churn increases post-acquisition

With thorough due diligence:

  • Better negotiation position
  • Accurate valuation
  • Smooth transition
  • Reduced post-acquisition risks

The 8 Verification Pillars

CounterX's Due Diligence API uses 8 verification pillars to calculate a Trust Score (0-100). Each pillar is weighted based on its importance:

Pillar 1: Identity (15% weight)

Verifies: Owner identity, business registration, legitimacy

Key Checks:

  • Business entity registration
  • Owner identity verification (KYC)
  • Business licenses and permits
  • Historical ownership records

Why It Matters: Confirms you're dealing with legitimate sellers who own the asset.

Pillar 2: Asset (20% weight)

Verifies: Asset existence, domain ownership, platform access

Key Checks:

  • Domain ownership and expiration
  • SaaS platform access and control
  • Asset history and age
  • Technology stack verification

Why It Matters: Ensures the asset actually exists and you'll have full control post-acquisition.

Pillar 3: Financial (25% weight)

Verifies: Revenue, MRR, financial data accuracy

Key Checks:

  • Revenue verification (bank statements, payment processor)
  • MRR calculation and trends
  • Expense verification
  • Financial statement accuracy
  • Revenue source breakdown

Why It Matters: Financial accuracy directly impacts valuation. This is the most critical pillar.

Pillar 4: Traffic (15% weight)

Verifies: Website traffic, analytics, traffic sources

Key Checks:

  • Google Analytics verification
  • Traffic volume and trends
  • Traffic source analysis
  • Conversion rates
  • SEO health

Why It Matters: Validates marketing claims and growth potential.

Pillar 5: Legal (10% weight)

Verifies: Compliance, contracts, legal structure

Key Checks:

  • Terms of Service and Privacy Policy
  • Customer contracts
  • Employment agreements
  • IP ownership
  • Compliance (GDPR, CCPA, etc.)

Why It Matters: Legal issues can create significant liabilities.

Pillar 6: Reputation (10% weight)

Verifies: Online reputation, reviews, brand health

Key Checks:

  • Online reviews and ratings
  • Social media presence
  • Brand mentions
  • Customer satisfaction
  • Historical reputation

Why It Matters: Reputation affects retention and growth potential.

Pillar 7: Operational (3% weight)

Verifies: Operational continuity, infrastructure, processes

Key Checks:

  • Hosting and infrastructure
  • Backup and disaster recovery
  • Operational processes
  • Team structure
  • Knowledge transfer plans

Why It Matters: Ensures smooth transition and operational continuity.

Pillar 8: Fraud (2% weight)

Verifies: Fraud signals, manipulation detection

Key Checks:

  • Revenue manipulation signs
  • Fake reviews or traffic
  • Suspicious patterns
  • Anomaly detection

Why It Matters: Identifies potential fraud before it's too late.

Financial Verification

Financial due diligence is the most critical aspect of SaaS acquisition. Here's what to verify:

Revenue Verification

1. Payment Processor Data

  • Connect directly to Stripe, PayPal, or whichever payment processor the business uses
  • Verify all transactions
  • Check for refunds and chargebacks
  • Validate revenue trends

What to Look For:

  • ✅ Consistent revenue growth
  • ✅ Low refund rate (<2%)
  • ✅ Diverse customer base
  • ❌ Revenue spikes (possible manipulation)
  • ❌ High refund rate (>5%)
  • ❌ Single customer dependency (>30%)

2. Bank Statements

  • Review 12-24 months of bank statements
  • Match deposits to reported revenue
  • Verify expense claims
  • Check for unusual transactions

Red Flags:

  • Deposits don't match reported revenue
  • Large unexplained withdrawals
  • Irregular payment patterns

3. MRR Calculation

  • Verify MRR calculation method
  • Check monthly trends
  • Validate churn calculations
  • Confirm expansion revenue

MRR Components to Verify:

  • New MRR (new customers)
  • Expansion MRR (upgrades)
  • Contraction MRR (downgrades)
  • Churned MRR (lost customers)
  • Net New MRR = New + Expansion - Contraction - Churn

Churn Analysis

Monthly Churn Rate:

  • Formula: Churned Customers / Starting Customers
  • Industry Average: 5-7% monthly
  • Good: <5% monthly
  • Red Flag: >10% monthly

Revenue Churn vs. Customer Churn:

  • Revenue churn includes downgrades
  • Lower revenue churn is better; expansion revenue from existing customers can offset downgrades and cancellations

Cohort Analysis:

  • Review customer retention by cohort
  • Identify trends in retention
  • Check for declining retention (red flag)

CAC and LTV Analysis

Customer Acquisition Cost (CAC):

  • Total marketing spend / New customers
  • Verify marketing spend claims
  • Check CAC trends (increasing = bad)

Lifetime Value (LTV):

  • Average Revenue Per User (ARPU) × Average Lifetime
  • Average Lifetime = 1 / Churn Rate

LTV:CAC Ratio:

  • Healthy: 3:1 or higher
  • Good: 2-3:1
  • Red Flag: <2:1

Profitability Analysis

Gross Margin:

  • Revenue - Cost of Goods Sold (COGS)
  • SaaS Target: 75%+ gross margin
  • COGS includes: Hosting, payment processing, customer support (sometimes)

Operating Margin:

  • Gross Profit - Operating Expenses
  • Operating Expenses: Marketing, salaries, software tools
  • Negative operating margin can be OK if growing fast

Free Cash Flow:

  • Operating Cash Flow - Capital Expenditures
  • Positive FCF = sustainable
  • Negative FCF = requires funding (check runway)

Operational Due Diligence

Technology Stack Review

Infrastructure:

  • Hosting provider and costs
  • Scalability limitations
  • Security measures
  • Backup and disaster recovery

Code Quality:

  • Code review (if possible)
  • Technical debt assessment
  • Documentation quality
  • Testing coverage

Dependencies:

  • Third-party service dependencies
  • API integrations
  • Platform dependencies (AWS, Google Cloud)
  • Single points of failure

Customer Base Analysis

Customer Segmentation:

  • Enterprise vs. SMB
  • Geographic distribution
  • Industry verticals
  • Plan distribution

Customer Concentration Risk:

  • Single customer >30% revenue = High risk
  • Top 10 customers >50% revenue = Medium risk
  • Diversified customer base = Low risk

Customer Health:

  • Usage metrics
  • Support ticket volume
  • Feature adoption
  • Expansion potential

Team and Operations

Team Structure:

  • Who's essential vs. replaceable?
  • Will key team members stay?
  • Knowledge documentation
  • Operational processes

Key Person Risk:

  • Dependency on founder/creator
  • Technical knowledge concentration
  • Customer relationships

Process Documentation:

  • Standard Operating Procedures (SOPs)
  • Onboarding processes
  • Support processes
  • Marketing processes

Technical Due Diligence

Code and Architecture

Code Review:

  • Code quality and maintainability
  • Architecture scalability
  • Security vulnerabilities
  • Technical debt

If Code Access is Limited:

  • Request architecture diagrams
  • Review technology stack
  • Check security certifications
  • Assess scalability claims

Infrastructure

Hosting and Costs:

  • Current hosting costs
  • Scalability costs
  • Infrastructure limitations
  • Migration complexity

Security:

  • Security audits
  • Penetration testing
  • Compliance certifications
  • Data protection measures

Integrations and APIs

Third-Party Integrations:

  • List all integrations
  • Dependency on each
  • Costs and contracts
  • Alternatives available

API Health:

  • API documentation
  • Rate limits
  • Versioning strategy
  • Deprecation risks

Legal and Compliance

Intellectual Property

IP Ownership:

  • Code ownership verification
  • Trademark and brand assets
  • Patent portfolio (if any)
  • Content ownership (blog posts, guides)

Licenses:

  • Software licenses (open source compliance)
  • Third-party licenses
  • Content licenses
  • API licenses

Contracts and Agreements

Customer Contracts:

  • Terms of Service
  • Service Level Agreements (SLAs)
  • Pricing contracts
  • Enterprise agreements

Vendor Contracts:

  • Hosting agreements
  • Software licenses
  • Service agreements
  • Contract terms and renewals

Compliance

Data Protection:

  • GDPR compliance (if EU customers)
  • CCPA compliance (if CA customers)
  • Privacy policy accuracy
  • Data processing agreements

Industry Compliance:

  • SOC 2 (if applicable)
  • HIPAA (if healthcare)
  • PCI-DSS (if payment processing)
  • Industry-specific regulations

Risk Assessment

Risk Flags System

CounterX identifies 30+ standardized risk flags across 4 severity levels:

CRITICAL Risk Flags

  • Revenue manipulation detected
  • Fake traffic or subscribers
  • Legal issues (lawsuits, violations)
  • Single customer dependency (>50%)

HIGH Risk Flags

  • High churn (>10% monthly)
  • Declining revenue trend
  • Platform dependency risk
  • Poor financial controls

MEDIUM Risk Flags

  • Customer concentration (30-50%)
  • Limited documentation
  • Technical debt concerns
  • Key person dependency

LOW Risk Flags

  • Minor compliance gaps
  • Documentation needs improvement
  • Process optimization opportunities

Common Risk Patterns

Revenue Risks:

  • Revenue spikes before sale (possible manipulation)
  • High refund rate (quality issues)
  • Single customer dependency (concentration risk)
  • Declining MRR trends (churn problem)

Operational Risks:

  • Platform dependency (Twitter, YouTube, etc.)
  • Technical debt (will require investment)
  • Key person dependency (founder essential)
  • Poor documentation (knowledge transfer risk)

Legal Risks:

  • Pending lawsuits
  • Compliance violations
  • IP disputes
  • Contract issues

Trust Score Explained

How Trust Score is Calculated

Trust Score (0-100) is calculated from the 8 verification pillars:

Formula: Trust Score = Σ (Pillar Score × Pillar Weight)

Pillar Weights:

  • Financial: 25%
  • Asset: 20%
  • Identity: 15%
  • Traffic: 15%
  • Legal: 10%
  • Reputation: 10%
  • Operational: 3%
  • Fraud: 2%

Trust Score Ranges

90-100: Excellent

  • Very low risk
  • All pillars verified
  • Strong financials
  • Smooth acquisition likely

75-89: Good

  • Low to medium risk
  • Minor issues identified
  • Generally safe acquisition
  • Some items need attention

60-74: Fair

  • Medium risk
  • Some concerns
  • Requires careful review
  • May need adjustments to deal

Below 60: Poor

  • High risk
  • Significant concerns
  • Recommend avoiding or major deal adjustments
  • Extensive due diligence needed
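Added example, not CounterX's implementation: the weighted sum above computed in Python with the listed pillar weights and score ranges, refusing to score a target with any pillar missing (an unscored pillar must not silently count as zero risk or inflate the total). The lowercase pillar keys, the sample scores, and the `weakest_pillars` triage helper are constructed for this example.

```python
# Pillar weights exactly as listed above; they sum to 100%.
PILLAR_WEIGHTS = {
    "financial": 0.25, "asset": 0.20, "identity": 0.15, "traffic": 0.15,
    "legal": 0.10, "reputation": 0.10, "operational": 0.03, "fraud": 0.02,
}

def trust_score(pillar_scores: dict) -> float:
    """Trust Score = sum(Pillar Score x Pillar Weight), each score 0-100.
    Every pillar must be present and in range before anything is summed."""
    missing = set(PILLAR_WEIGHTS) - set(pillar_scores)
    if missing:
        raise ValueError(f"unscored pillars: {sorted(missing)}")
    for name, s in pillar_scores.items():
        if not 0 <= s <= 100:
            raise ValueError(f"{name} score {s} is outside 0-100")
    return sum(pillar_scores[p] * w for p, w in PILLAR_WEIGHTS.items())

def score_band(score: float) -> str:
    """Map a Trust Score onto the ranges defined above."""
    if score >= 90:
        return "Excellent"
    if score >= 75:
        return "Good"
    if score >= 60:
        return "Fair"
    return "Poor"

def weakest_pillars(pillar_scores: dict, n: int = 3) -> list:
    """Pillars costing the most points, i.e. (100 - score) x weight, largest
    first. A constructed triage aid; the checklist only defines the score."""
    loss = {p: (100 - pillar_scores[p]) * w for p, w in PILLAR_WEIGHTS.items()}
    return sorted(loss, key=loss.get, reverse=True)[:n]

# Constructed sample: verified identity and asset, but weak financials.
SAMPLE = {"financial": 55, "asset": 95, "identity": 100, "traffic": 70,
          "legal": 80, "reputation": 85, "operational": 60, "fraud": 90}

if __name__ == "__main__":
    score = trust_score(SAMPLE)
    print(f"Trust Score {score:.1f} ({score_band(score)})")
    print("Largest point losses:", weakest_pillars(SAMPLE))
```

Note how a 55 on the Financial pillar alone costs more points than every other pillar combined, which is the weighting's way of saying that financial accuracy is the most critical check.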

Confidence Levels

VERY_HIGH:

  • All evidence provided and verified
  • Multiple verification sources
  • Low uncertainty

HIGH:

  • Most evidence provided
  • Verification sources available
  • Some minor gaps

MEDIUM:

  • Partial evidence provided
  • Limited verification
  • Some uncertainty

LOW:

  • Little evidence provided
  • Difficult to verify
  • High uncertainty

Due Diligence Checklist

Financial Checklist

  • [ ] 12-24 months of bank statements
  • [ ] Payment processor data (Stripe, PayPal)
  • [ ] Monthly P&L statements
  • [ ] MRR calculation and trends
  • [ ] Churn analysis by cohort
  • [ ] CAC calculation and trends
  • [ ] LTV calculation
  • [ ] Customer lifetime analysis
  • [ ] Revenue source breakdown
  • [ ] Expense verification
  • [ ] Tax returns (if available)
  • [ ] Financial projections

Operational Checklist

  • [ ] Customer list and segmentation
  • [ ] Customer contracts and agreements
  • [ ] Support ticket volume and trends
  • [ ] Feature usage analytics
  • [ ] Technology stack documentation
  • [ ] Infrastructure costs
  • [ ] Team structure and roles
  • [ ] Key person identification
  • [ ] Process documentation
  • [ ] Knowledge transfer plan

Technical Checklist

  • [ ] Code access (if possible)
  • [ ] Architecture documentation
  • [ ] Technology stack review
  • [ ] Security audit results
  • [ ] Backup and disaster recovery
  • [ ] Hosting and infrastructure costs
  • [ ] Integration list and dependencies
  • [ ] API documentation
  • [ ] Scalability assessment
  • [ ] Technical debt evaluation

Legal Checklist

  • [ ] Business entity documents
  • [ ] Terms of Service
  • [ ] Privacy Policy
  • [ ] Customer contracts
  • [ ] Vendor contracts
  • [ ] Employment agreements
  • [ ] IP ownership verification
  • [ ] Trademark and brand assets
  • [ ] Compliance certifications
  • [ ] Legal dispute history

Reputation Checklist

  • [ ] Online reviews (G2, Capterra, etc.)
  • [ ] Social media presence
  • [ ] Brand mentions and sentiment
  • [ ] Customer testimonials
  • [ ] Case studies
  • [ ] Press coverage
  • [ ] Industry recognition

Common Red Flags

Financial Red Flags

  1. Revenue Doesn't Match Bank Deposits

    • Possible revenue inflation
    • Verify all revenue sources
  2. High Refund Rate (>5%)

    • Product quality issues
    • Customer satisfaction problems
  3. Single Customer Dependency (>30%)

    • High risk if customer leaves
    • Negotiate retention agreements
  4. Declining MRR Trend

    • Churn problem
    • Market issues
    • Product problems
  5. Revenue Spikes Before Sale

    • Possible manipulation
    • Investigate spike causes

Operational Red Flags

  1. Poor Documentation

    • Knowledge transfer risk
    • Operational continuity concerns
  2. Key Person Dependency

    • Founder/creator essential
    • Transition risk
  3. Platform Dependency

    • YouTube, Twitter, etc.
    • Platform policy changes risk
  4. Technical Debt

    • Will require investment
    • Scalability concerns
  5. High Churn (>10% monthly)

    • Retention problems
    • Product-market fit issues

Legal Red Flags

  1. Pending Lawsuits

    • Legal liability risk
    • Potential financial impact
  2. Compliance Violations

    • GDPR, CCPA violations
    • Regulatory risk
  3. IP Disputes

    • Ownership uncertainty
    • Legal risk
  4. Unfavorable Contracts

    • Long-term vendor lock-in
    • Unfavorable terms

Using CounterX Due Diligence API

Automated Verification

CounterX's Due Diligence API automates the verification process:

Benefits:

  • ✅ Fast verification (<5 minutes)
  • ✅ Standardized process
  • ✅ Trust Score calculation
  • ✅ Risk flag identification
  • ✅ Complete audit trail

How It Works:

  1. Submit asset information
  2. Upload evidence (bank statements, analytics, etc.)
  3. API verifies across 8 pillars
  4. Receive Trust Score and risk flags
  5. Access complete verification report

Integration Example

// Start due diligence for the asset. Replace YOUR_API_KEY with a key loaded
// from a secret store or environment variable; never commit it to source.
const startResponse = await fetch(
  'https://api.counterx.com/v1/due-diligence/start',
  {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ assetId: 'asset_123' })
  }
);
if (!startResponse.ok) {
  throw new Error(`due-diligence start failed: HTTP ${startResponse.status}`);
}

// Get the Trust Score. The response object and the destructured score field
// need distinct names; using `trustScore` for both is a redeclaration error.
const scoreResponse = await fetch(
  'https://api.counterx.com/v1/due-diligence/trust-score/asset_123',
  { headers: { 'Authorization': 'Bearer YOUR_API_KEY' } }
);
if (!scoreResponse.ok) {
  throw new Error(`trust-score lookup failed: HTTP ${scoreResponse.status}`);
}

const { trustScore, confidenceLevel, riskFlags } = await scoreResponse.json();

Best Practices

1. Start Early

Begin due diligence as soon as you identify a potential acquisition. Early verification helps:

  • Identify deal-breakers quickly
  • Negotiate from position of knowledge
  • Avoid wasted time

2. Verify, Don't Trust

Assume nothing. Verify everything:

  • Revenue claims
  • Customer counts
  • Traffic numbers
  • Growth claims

3. Use Multiple Sources

Cross-reference information:

  • Bank statements + Payment processor
  • Analytics + Server logs
  • Contracts + Customer interviews

4. Focus on What Matters

Prioritize:

  1. Financial accuracy (most critical)
  2. Operational health
  3. Legal compliance
  4. Technical assessment

5. Document Everything

Keep detailed records:

  • All communications
  • Verification results
  • Identified risks
  • Deal adjustments

Conclusion

Thorough due diligence is essential for successful SaaS acquisitions. The 8-pillar verification system provides a comprehensive framework, but remember:

  1. Financial verification is critical - Revenue accuracy directly impacts value
  2. Engagement matters more than size - Quality over quantity
  3. Risk flags are guides - Investigate thoroughly
  4. Trust Score is a tool - Use it with context
  5. Due diligence never ends - Continue monitoring post-acquisition

Use our Due Diligence API to automate verification, or follow this guide for manual due diligence. For personalized help, consider using CounterX's platform where all listings include automated due diligence verification.
