A Complete Due Diligence Framework for Software Acquisitions
Due diligence for software company acquisitions spans financial, legal, technical, and operational domains. Each area requires specific documentation and analysis. This checklist provides a comprehensive framework for buyers, sellers, and their advisors to ensure thorough coverage across all diligence workstreams.
Financial Due Diligence
Financial due diligence for software companies has unique considerations compared to other industries. Key items include: revenue recognition policies and compliance with ASC 606, monthly recurring revenue (MRR) and annual recurring revenue (ARR) breakdown, customer concentration analysis (revenue distribution across top customers), churn rates by cohort and segment, gross margin analysis with hosting and infrastructure costs separated, deferred revenue and contract liability balances, and historical and projected customer acquisition cost (CAC) and lifetime value (LTV) metrics.
Buyers should pay particular attention to how the seller defines and calculates key SaaS metrics, as definitions can vary significantly between companies.
Legal Due Diligence
Legal due diligence covers the company's corporate structure, contracts, and intellectual property. Key items include: corporate formation documents and organizational structure, capitalization table and outstanding equity instruments, material contracts (customer agreements, vendor contracts, partnership agreements), employment and contractor agreements with IP assignment clauses, any pending or threatened litigation, regulatory compliance documentation, and privacy policy and data processing agreements.
For software companies, IP-related legal diligence is particularly important. Buyers need to verify that the company owns all the software it claims to own and that no third-party claims exist against the IP.
Technical Due Diligence
Technical due diligence evaluates the software itself and the team that builds it. This is often the most complex diligence workstream for software acquisitions.
Architecture and Infrastructure
Review items include: system architecture documentation and diagrams, hosting infrastructure details (cloud provider, regions, redundancy, disaster recovery), database technology, schema design, and scaling approach, API design and integration points, microservices vs. monolith architecture assessment, and deployment pipeline and CI/CD processes.
Code Quality and Engineering Practices
Review items include: code review practices and approval workflows, test coverage metrics and testing strategy, coding standards and enforcement (linters, formatters), version control practices and branching strategy, technical debt inventory and remediation plans, and documentation practices.
Third-Party Dependency Analysis
This is where DependencyDesk directly supports the due diligence process. Review items include: complete inventory of all third-party dependencies with version numbers, license type for every dependency (permissive, copyleft, unknown), identification of any copyleft-licensed dependencies (GPL, AGPL, LGPL) that may create IP transfer complications, assessment of dependency currency (how many dependencies are significantly outdated), and identification of dependencies with known security vulnerabilities.
DependencyDesk automates the dependency inventory by connecting to the seller's GitHub organization and analyzing every repository's manifest files. The analysis produces an exportable CSV report listing each dependency's name, version, and license type across JavaScript, PHP, Ruby, and Python projects.
According to Jason Gilmore, DependencyDesk founder and a technical due diligence expert with over 20 years of experience, "The dependency analysis is often the most time-consuming part of technical due diligence when done manually. Automating it with DependencyDesk frees up the technical assessor to focus on architecture, code quality, and team evaluation — the areas that require human judgment."
Security Assessment
Review items include: authentication and authorization mechanisms, data encryption practices (at rest and in transit), vulnerability management and patching processes, security audit and penetration test reports, incident response plan and history, and compliance certifications (SOC 2, ISO 27001, etc.).
Team Assessment
Review items include: engineering team organizational structure, key person dependencies and retention risk, skill assessment relative to the product roadmap, hiring pipeline and engineering culture, and onboarding and knowledge transfer documentation.
Operational Due Diligence
Operational due diligence evaluates how the company runs day to day. Key items include: customer support processes and SLA compliance, uptime history and incident management, vendor relationships and dependencies, key operational metrics and KPIs, and business continuity and disaster recovery plans.
Customer Due Diligence
For SaaS companies, customer due diligence is critical. Key items include: customer list with contract terms and renewal dates, NPS or customer satisfaction scores, case studies and reference customers, support ticket volume and resolution metrics, and feature request and product feedback analysis.
Using This Checklist
This checklist is designed to be comprehensive. Not every item will be relevant to every transaction, and the depth of analysis for each area should be proportional to the deal size and risk profile. Work with your advisors to prioritize the areas most relevant to your specific transaction.
For the third-party dependency analysis portion, visit dependencydesk.com to generate a complete dependency and license report in minutes.