The Ownix
[Figure: SaaS due diligence checklist with 27 numbered questions grouped into 7 categories: product and tech, financials, customers, legal, operations, growth, seller and handover. Five walk-away items marked in orange.]

Due Diligence Before Buying a SaaS: The 27-Point Checklist

A 27-point SaaS due diligence checklist for indie acquirers: product, financials, customers, legal, ops, growth, and handover. Miss one of the five walk-away items and you buy a liability.

Daniel Schindlower

The Ownix


It is day ten of exclusivity. An ex-product director, three weeks past a signed LOI on a $180,000 analytics micro-SaaS, is on a Thursday-night call with a developer friend who agreed to look at the repo. They expected to talk about framework versions and test coverage. Instead, the developer is pointing at one line in the vendor list: a single third-party API doing the product's actual core work, billed per call, at a rate that — under the seller's own usage numbers — consumes 41% of gross revenue. The seller's P&L listed it as "infrastructure," bundled at 9%. That delta is not rounding. That delta is the business.

The LOI does not collapse that night. It collapses eight days later, after the buyer tries to renegotiate price against the restated margin and the seller walks. What the buyer lost was not the deposit — that came back. What the buyer lost was three months of exclusivity, two retainer invoices for legal and tech advisors, and the next three deals they could not run in parallel. The whole thing could have been caught in the pre-LOI phase with one question, asked in the right order, about where each dollar of revenue actually goes. That is what this checklist is for.

TL;DR. Twenty-seven questions, grouped into seven categories, sequenced into three phases (pre-LOI filter, post-LOI deep-dive, pre-close verification). They cover product, financials, customers, legal, operations, growth, and handover. Five of them are walk-away items — skip those and you are buying a liability, not an asset. Everything else is a price-negotiation lever.

Why 27 points, not 12

The pillar guide on buying a startup in 2026 includes a 12-question due diligence section. That list is the minimum viable filter for any digital asset — enough to stop you from buying a domain with a landing page and calling it a SaaS. This post is what comes next. Twenty-seven points, because once a real SaaS with real users and real recurring revenue is on the table, the failure modes get more specific and more expensive, and twelve questions are no longer enough to catch them.

A checklist is not bureaucracy. It is the difference between operating a SaaS and inheriting a bug. Every item below exists because a real buyer, in a real transaction, learned about it in month two — when the seller had already cashed out. The point of running it before close is not to kill deals. It is to price them correctly and to walk away from the three or four in a hundred that are structurally broken.

A. Product and tech (5 points)

1. What is the stack, and is it the stack you can actually operate?

Ask for the exact versions of framework, database, hosting, payments integration, email provider, and every third-party API that touches user flow or billing. Compare against the default modern SaaS stack (Next.js or equivalent, Postgres, Vercel or a PaaS, Stripe, Resend or Postmark). Exotic choices are not automatic red flags — but they raise the retainer cost of maintaining the product, sometimes by 2–3x, and that cost comes out of your margin.

Walk if: the product depends on a framework or runtime the original developer has already stopped supporting, and no migration path is documented.

2. Where is it hosted, and can the accounts actually be transferred?

Hosting, database, CDN, monitoring, logs, transactional email, domain registrar. Each needs a named account, a named owner, and a documented transfer procedure. Some vendors (Stripe, Google Workspace) treat account transfer as a formal process with compliance checks; others (AWS, Vercel) allow smoother reassignment. Confirm with each vendor directly, not via the seller's assurance.

Walk if: the production database lives under the seller's personal account with no organisation structure, and the vendor does not support non-destructive ownership transfer.

3. Does the commit history tell a believable story?

Pull the full git log. You are looking for months — ideally a year or more — of distributed work: small commits, meaningful messages, bug-fix branches, refactors. A repository with one massive initial commit and sporadic typo fixes on top is either copy-pasted, AI-generated in a weekend, or a clean export that hid the real history. All three are problems you inherit.

Walk if: the commit history is younger than the claimed product age by more than 30%, and the seller cannot produce the original repo.
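One way to run the commit-history check above, as an added example that is not part of the original guide: it parses the output of `git log --numstat --format=@%at`, compares the oldest commit with the claimed product age using the 30% rule, and measures how much of the code arrived in the first commit. The 80% "dump" threshold, the helper names and the sample log are assumptions constructed for illustration.

```python
"""Sanity-check repository history against a seller's claimed product age.

Input is the text printed by:  git log --numstat --format=@%at
"""
from datetime import datetime, timezone

AGE_GAP_WALK = 0.30        # checklist rule: history >30% younger than claimed age
INITIAL_DUMP_SHARE = 0.80  # assumption: first commit with >=80% of all added lines


def ts(year, month, day):
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def parse_numstat_log(text):
    """Return [(author_unix_time, lines_added), ...] in the order git printed them."""
    commits = []
    for line in text.splitlines():
        if line.startswith("@"):
            commits.append([int(line[1:]), 0])
        elif line.strip() and commits:
            added = line.split("\t")[0]
            if added.isdigit():  # binary files show "-" for both counts
                commits[-1][1] += int(added)
    return [tuple(c) for c in commits]


def assess_history(commits, claimed_age_days, as_of):
    """Compare observed history with the claimed age (as_of is a unix time)."""
    if not commits:
        raise ValueError("no commits parsed")
    oldest = min(commits, key=lambda c: c[0])
    history_days = (as_of - oldest[0]) / 86400
    age_gap = max(0.0, (claimed_age_days - history_days) / claimed_age_days)
    total_added = sum(added for _, added in commits) or 1
    initial_share = oldest[1] / total_added
    months = {datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m")
              for t, _ in commits}
    return {
        "history_days": round(history_days),
        "age_gap": round(age_gap, 2),
        "initial_share": round(initial_share, 2),
        "active_months": len(months),
        "age_gap_exceeds_30pct": age_gap > AGE_GAP_WALK,
        "looks_like_dump": initial_share >= INITIAL_DUMP_SHARE,
    }


# Constructed sample (newest first, as git prints it); not a real repository.
AS_OF = ts(2026, 4, 1)
SAMPLE_LOG = "\n".join([
    f"@{ts(2026, 3, 2)}", "", "5\t5\tREADME.md",
    f"@{ts(2026, 1, 15)}", "", "2\t2\tsrc/app.js",
    f"@{ts(2025, 11, 20)}", "", "3\t3\tREADME.md",
    f"@{ts(2025, 10, 6)}", "", "18400\t0\tsrc/app.js", "-\t-\tpublic/logo.png",
])

if __name__ == "__main__":
    report = assess_history(parse_numstat_log(SAMPLE_LOG), 730, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Git author timestamps are written by the committer's machine and can be rewritten, so a clean result is consistent with the claimed age rather than proof of it.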

4. Can a new developer build and deploy it in under one day?

This is the single best test of documentation quality. Hire a developer (hourly, $150–$300, 4 hours is enough) to clone the repo, follow the README, and produce a running local instance plus a staging deploy. If they cannot, you have not bought a product — you have bought a puzzle. This is the point where two-thirds of marketplace listings fail.

Walk if: no environment variable reference exists, or the deploy depends on undocumented manual steps only the seller knows.

5. How old are the dependencies, and how many have open critical CVEs?

Run npm audit, pip-audit, or the equivalent for the stack. A handful of medium-severity warnings is normal. Multiple unpatched critical CVEs on core packages — auth libraries, framework runtime, database drivers — mean the product is one automated scan away from being listed on a public vulnerability board. Patching takes time; budget it into the deal price.

Walk if: the authentication or payment-handling layer has an open critical CVE and the seller has not patched it in 60 days.
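A sketch of how the audit output can be split into walk-away candidates and price levers, added here as an example and not taken from the original guide. It reads an `npm audit --json` report in the npm 7+ layout (`auditReportVersion: 2`) and follows each `via` chain so that an auth or payment package that is critical only through a transitive dependency is still caught. The package names, advisory URLs and the `SENSITIVE` list are constructed placeholders, and the 60-day test still has to be checked by hand against each advisory's publication date.

```python
"""Triage an `npm audit --json` report for the dependency point of the checklist."""
import json

# Assumption: the buyer lists the packages that handle authentication or payments.
SENSITIVE = {"example-auth-lib", "example-payments-sdk"}


def root_advisories(vulns, name, seen=None):
    """Follow 'via' chains down to the advisory objects that make `name` vulnerable."""
    seen = seen if seen is not None else set()
    if name in seen or name not in vulns:
        return []
    seen.add(name)
    found = []
    for via in vulns[name].get("via", []):
        if isinstance(via, dict):      # an advisory filed against this package
            found.append(via)
        else:                          # a string: another vulnerable package
            found.extend(root_advisories(vulns, via, seen))
    return found


def triage(report, sensitive):
    """Split critical findings into walk-away candidates and price levers."""
    vulns = report.get("vulnerabilities", {})
    walk, price = [], []
    for name, entry in sorted(vulns.items()):
        if entry.get("severity") != "critical":
            continue
        urls = sorted({a.get("url", "") for a in root_advisories(vulns, name)
                       if a.get("severity") == "critical"})
        item = {
            "package": name,
            "direct": entry.get("isDirect", False),
            "fix_available": bool(entry.get("fixAvailable")),
            "advisories": urls,
        }
        (walk if name in sensitive else price).append(item)
    return {"walk_candidates": walk, "price_in": price}


# Constructed report: hypothetical packages and placeholder advisory URLs.
SAMPLE_REPORT = json.loads("""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-auth-lib": {
      "name": "example-auth-lib", "severity": "critical", "isDirect": true,
      "via": ["example-jwt-parser"], "effects": [], "fixAvailable": false
    },
    "example-jwt-parser": {
      "name": "example-jwt-parser", "severity": "critical", "isDirect": false,
      "via": [{"name": "example-jwt-parser", "title": "Constructed advisory",
               "url": "https://example.invalid/advisory/0001",
               "severity": "critical", "range": "<2.0.0"}],
      "effects": ["example-auth-lib"], "fixAvailable": false
    },
    "example-image-tool": {
      "name": "example-image-tool", "severity": "critical", "isDirect": true,
      "via": [{"name": "example-image-tool", "title": "Constructed advisory",
               "url": "https://example.invalid/advisory/0002",
               "severity": "critical", "range": "<3.0.0"}],
      "effects": [],
      "fixAvailable": {"name": "example-image-tool", "version": "3.0.0",
                       "isSemVerMajor": true}
    },
    "example-markdown": {
      "name": "example-markdown", "severity": "moderate", "isDirect": true,
      "via": [{"name": "example-markdown", "title": "Constructed advisory",
               "url": "https://example.invalid/advisory/0003",
               "severity": "moderate", "range": "<1.2.0"}],
      "effects": [], "fixAvailable": true
    }
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT, SENSITIVE), indent=2))
```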

B. Financials (4 points)

6. What is the quality of the MRR, not just the number?

Ask for read-only access to Stripe (or whichever billing processor is in use) for the trailing 24 months, plus the full subscription export. MRR quality means three things: the revenue is recurring (not one-off payments re-labeled as subscriptions), it is collected (not invoiced-but-unpaid), and it is not inflated by annual prepayments counted monthly. Compare the processor's own MRR number against the seller's P&L line by line. Per Acquire.com's Biannual Acquisition Multiples Report (January 2026, consulted April 2026), the platform's median SaaS profit multiple closed at 3.9× in both 2024 and 2025 — but that multiple is against real, verified profit, not against whatever the seller typed into a spreadsheet.

Walk if: the seller offers screenshots instead of processor access, or the MRR in Stripe differs from the seller's claim by more than 10%.

7. What does the monthly cohort churn curve actually look like?

A single "3% monthly churn" number is almost always misleading. Ask for cohort retention by signup month, across at least 12 months. What you want to see is a curve that flattens — that is, users who survive the first 90 days tend to stay. What you do not want to see is a constantly-eroding line, because that means the product loses even its loyal users over time. ChartMogul's published benchmarks (consulted April 2026) put median SMB SaaS monthly churn above 4%; numbers materially above that should be priced into the multiple, not hand-waved.

Walk if: cohort data does not exist and the seller cannot reconstruct it from the subscription export.

8. What is CAC, what is payback, and who is paying for it?

Customer acquisition cost is blended cost of marketing and sales divided by new paying customers in the same period. Payback is CAC divided by gross monthly margin per customer. If CAC payback is longer than 18 months on an SMB product, the business is growth-starved — the seller is running it at a steady state but cannot scale it without injecting capital you do not have. If the seller claims zero CAC because acquisition is 100% organic, ask specifically about the content author, the time invested per month, and whether that work stops the day they hand over the keys.

Walk if: the seller cannot name the actual channel mix with percentages, or claims pure virality on a product whose category has none.

9. What is the revenue concentration across the top customers?

Export the full customer list sorted by contribution to MRR. Calculate the share held by the top 1, top 3, and top 10. On a micro-SaaS, a top-3 concentration above 25% is a structural risk — losing one of those contracts moves the valuation by a meaningful percentage. Enterprise deals hide inside a "SaaS" label more often than buyers expect; check contract length, auto-renewal, and notice period for every customer above 5% of MRR.

Walk if: one customer alone represents more than 20% of MRR and is on month-to-month terms.

C. Customers (3 points)

10. How much support does the product actually generate, per week?

Ask for the last 90 days of support tickets — volume, median resolution time, the top five recurring issues. Most buyers discover in month two that "5 hours a week of ops" quietly means "5 hours on a calm week." Recurring issues are also a product-debt signal: if the same three bugs show up weekly, you are buying a backlog, not a stable product. Multiply observed ticket volume by the user count you intend to grow toward, and budget support accordingly.

Walk if: the same critical bug has appeared in tickets for more than 60 days without a fix shipping.

11. Why do customers actually cancel?

Cancellation reasons collected in the cancel flow are gold. If the reason is "too expensive," you have pricing-power upside. If the reason is "missing feature X," you have a clear roadmap input. If the reason is "found a better alternative" — and the alternative keeps appearing — you may be buying a product about to be commoditized. If there is no cancel-reason flow at all, that itself is a finding: the seller did not run the product like an operator.

Walk if: the top cancellation reason is "product doesn't work reliably" at any volume above anecdotal.

12. Is there any qualitative signal that customers actually like it?

NPS, CSAT, product-review sites (G2, Capterra, Product Hunt), unsolicited testimonials, referral traffic share. You are looking for any independent evidence that this product matters to its users. A SaaS with $3,000 MRR and twelve heartfelt testimonials is a different asset than a SaaS with $3,000 MRR and radio silence. The first has defensibility; the second is a treadmill.

Walk if: the product has been on the market for 18+ months with no public review footprint and no in-product NPS of any kind.

D. Legal and ownership (4 points)

13. Is the intellectual property chain clean from first commit to today?

Every line of code needs to be either written by the seller, written by an employee under a work-for-hire clause, written by a contractor who signed an IP assignment, or licensed under a commercial-compatible open source license. Ask for the contractor list, the assignment agreements, and a license audit of dependencies. This is the single most overlooked item in micro-SaaS transactions, and it is the most expensive one to fix retroactively.

Walk if: any contractor who wrote material code cannot be located to sign an assignment, or refuses to.

14. Do all contractor and employee assignments actually cover the work?

Signed NDAs are not IP assignments. An assignment agreement must name the work, assign the rights, and be dated before the work was delivered. If the seller used freelancers from Upwork, Fiverr, or a regional agency, their default marketplace contracts may or may not include assignment — check each one.

Walk if: the lead developer who wrote more than 30% of the code has no assignment agreement on file.

15. Are the trademarks, domains, and brand assets registered and transferable?

The domain must be in the seller's registrar account with no registrar lock preventing transfer. The trademark, if registered, must be in a jurisdiction that matters to you — a US trademark is useful if you plan to sell in the US; it does you nothing in Spain or Mexico. Logos, fonts, and photography must be owned or licensed for commercial use, with the license transferable.

Walk if: the primary domain is in a third party's name (a former contractor, a lapsed partner, the seller's ex-spouse — all real cases).

16. Where does customer data live, and does that match where your customers are?

GDPR, CCPA, LGPD, and equivalents make data residency a material term, not a paperwork detail. If the product serves EU customers and the database lives in a US-only region, you are inheriting a compliance gap that costs real money to fix. Ask for the privacy policy, the DPA with each subprocessor, and the actual geographic region of every data store.

Walk if: the product processes EU personal data and has no DPA with its hosting provider, or has no privacy policy at all.

E. Operations (4 points)

17. Does a written runbook exist for every recurring operational task?

User onboarding, refund processing, plan changes, failed-payment recovery, subscription cancellation, incident response, weekly metrics review. A runbook is a step-by-step document that a new operator can follow without asking the seller. If no runbook exists, the seller is the runbook — and the seller is leaving in 30 days. Expect to build these yourself post-close, and budget 40–80 hours of documented transition time with the seller.

Walk if: the seller cannot produce a single written runbook and characterises operations as "I just know how to do it."

18. What is the complete vendor list, with monthly cost per line item?

Hosting, database, CDN, monitoring, logs, email, payments, analytics, error tracking, customer support tool, AI/ML APIs, anything else. Every vendor, every monthly bill, every contract term. Total it against the seller's P&L "infrastructure" line. Mismatches between the vendor list and the P&L are the single most common source of restated unit economics — like the scene that opens this post.

Walk if: any single vendor line exceeds 15% of gross revenue and is not disclosed as a material cost in the P&L.

19. Are there SLAs to customers, and can you actually meet them?

If the product sells to B2B with written SLAs (uptime commitments, response-time guarantees, data-export rights), read every one. SLAs do not vanish because the company changed hands — they transfer. A 99.9% uptime SLA on single-region infrastructure with no failover is a liability you have not seen until the first outage.

Walk if: any SLA exists that the current infrastructure cannot demonstrably meet, with no plan to close the gap.

20. Has a backup and restore drill actually been run, end to end?

Daily backups existing in a dashboard is not the same as verified restore. Ask the seller to demonstrate a restore from yesterday's backup to a staging environment, live, with you watching. If they cannot or will not, the backups are theoretical and the disaster-recovery story is fiction. This is a 90-minute test that catches a five-figure problem.

Walk if: no restore has ever been tested, and the seller refuses to run one before close.

F. Growth channels (4 points)

21. Where does traffic actually come from, month by month?

Ask for 24 months of traffic source breakdown from the analytics platform — not a screenshot, a read-only login. Organic search, direct, referral, paid, social, email. What you want to see is diversification and stability. What is dangerous is a single source above 70%, because that source is one algorithm change or one account suspension away from zero.

Walk if: more than 70% of signups come from a single channel that the buyer cannot directly influence.

22. If SEO is the moat, is the moat real?

Pull the top 50 ranking keywords, their positions, their search volumes, and the pages that rank for them. Check backlink profile and domain authority in a tool like Ahrefs or Semrush. An SEO moat is real when multiple high-volume keywords rank on page one, backed by earned backlinks from non-spammy domains, and the ranking pages are genuine content that a human wrote. An SEO moat is fake when rankings depend on a single programmatic page, a purchased link network, or keyword stuffing that Google will eventually demote.

Walk if: the backlink profile is dominated by obvious PBN sources, or traffic is concentrated in keywords already showing downward trend lines.

23. If paid acquisition is a channel, is attribution actually tracked?

"We spend $4,000 a month on ads and it works" is not attribution. Ask for the ad platform account access, conversion events, and CAC per channel over the last 12 months. Without proper attribution, the seller cannot prove that the $4,000 is working — and neither will you, post-close, when you are spending it.

Walk if: paid spend exceeds $1,000/month and conversion tracking is not set up, or is set up wrong.

24. What content assets come with the product, and who wrote them?

Blog posts, landing pages, email sequences, onboarding flows, help docs, social accounts, YouTube videos, podcast appearances. Each is an asset. Each has an author. Each needs a license or assignment if it was not written by the seller personally. Ghostwritten content is fine; unlicensed ghostwritten content is a lawsuit waiting to happen.

Walk if: more than 30% of the content corpus was produced by a contractor with no assignment on file.

G. Seller and handover (3 points)

25. Why is the seller actually selling?

The stated reason and the real reason are often different. Common legitimate reasons: portfolio rotation (building the next thing), bandwidth constraints from multiple products, lifestyle mismatch, a founder who is honestly tired. Common concerning reasons: an impending competitor launch the seller knows about, a key customer threatening to leave, a dependency that is about to become expensive. Triangulate by asking the seller directly, then checking the public record, then asking a current customer under the seller's permission.

Walk if: the stated reason contradicts what the numbers show, or the seller refuses to let you talk to a single customer before close.

26. What does the training period actually include, and for how long?

"Post-sale support" in a marketplace listing usually means two hours of Zoom. Define in writing: hours per week, duration in weeks, channels (Slack, email, call), response-time expectation, scope of questions covered, and what happens if something breaks in month two. Shorter than 30 days is almost always insufficient for a non-technical buyer picking up a real product.

Walk if: the seller's offered transition is under two weeks and they refuse to extend at any price.

27. What does the non-compete actually cover, and is it enforceable?

The non-compete should name the product category, the geography, and the duration. A worldwide 5-year non-compete is probably unenforceable and will be struck by any court. An 18–24 month non-compete in the specific vertical is defensible and genuinely protective. Equally important: a non-solicit clause covering the customer list and any employees or contractors.

Walk if: the seller refuses any non-compete at all, or has already registered domains in the same category.

How to sequence the 27 points

[Figure: Three-phase sequencing of the 27 SaaS due diligence points: pre-LOI filter with 8 questions in one week, post-LOI deep-dive with 16 questions over 2–3 weeks, pre-close verification with 3 questions in 72 hours.]

Running all 27 in parallel is a way to burn 40 hours on a deal that was never going to close. Sequence them instead.

Phase 1 — Pre-LOI filter (points 1, 3, 6, 9, 13, 18, 21, 25). These are the eight questions you can answer from public information, a 60-minute seller call, and a limited data-room look. If any of them comes back wrong, you save the three weeks of exclusivity. This is the cheapest failure mode you have.

Phase 2 — Post-LOI deep-dive (points 2, 4, 5, 7, 8, 10, 11, 12, 14, 15, 16, 17, 19, 22, 23, 24). These require full data-room access, paid advisor time, and concrete tests (the one-day deploy, the cohort export, the vendor confirmation calls). Budget 2–3 weeks. This is where you either reconfirm the price or renegotiate it against what the data actually says.

Phase 3 — Pre-close verification (points 20, 26, 27). The restore drill, the written training scope, the non-compete language. These are done in the last week before signing. They are cheap to run but expensive to skip — they are the items that matter in month two, not month one.

A deal that passes Phase 1 but dies in Phase 2 was a $500 loss in legal time and a week of calendar. A deal that passes Phase 3 is ready to close.

Where this breaks down on marketplaces

[Figure: Split panel comparing who answers the operations questions in a SaaS acquisition: on a marketplace, 5 of 27 points (runbooks, vendor costs, SLAs, backup drill, training scope) stay unanswered for the buyer; with The Ownix handover, those 5 are pre-answered at close while the buyer still runs the other 22.]

On Flippa and Acquire.com, the buyer runs this checklist alone. There is no standard handover. There is no one to guarantee that runbooks exist, that the training period is real, or that the restore drill will be demonstrated before close. The seller's motivation, by definition, is to move on. The buyer's motivation is to avoid month-two surprises. Those two motivations are not aligned, and the checklist exists precisely because of that gap.

The Ownix works differently because the starting premise is different. Every product in the portfolio ships with pre-built runbooks, a documented vendor list with monthly costs, SLAs calibrated to the infrastructure actually provisioned, and a 30-day operator support window — so points 17–20 (Operations) and 26 (the training period) on the list are pre-answered at delivery, not negotiated deal-by-deal. That does not make the other 22 points irrelevant: product quality, growth channels, legal chain, trademark registrations still matter, and we expect buyers to ask. It does mean the five most operationally fragile items are not where the friction is. That is a deliberate choice about what kind of transaction this is.

Printable appendix: the 27 questions

A. Product and tech

  1. What is the stack, and is it the stack you can actually operate?
  2. Where is it hosted, and can the accounts actually be transferred?
  3. Does the commit history tell a believable story?
  4. Can a new developer build and deploy it in under one day?
  5. How old are the dependencies, and how many have open critical CVEs?

B. Financials

  6. What is the quality of the MRR, not just the number?
  7. What does the monthly cohort churn curve actually look like?
  8. What is CAC, what is payback, and who is paying for it?
  9. What is the revenue concentration across the top customers?

C. Customers

  10. How much support does the product actually generate, per week?
  11. Why do customers actually cancel?
  12. Is there any qualitative signal that customers actually like it?

D. Legal and ownership

  13. Is the intellectual property chain clean from first commit to today?
  14. Do all contractor and employee assignments actually cover the work?
  15. Are the trademarks, domains, and brand assets registered and transferable?
  16. Where does customer data live, and does that match where your customers are?

E. Operations

  17. Does a written runbook exist for every recurring operational task?
  18. What is the complete vendor list, with monthly cost per line item?
  19. Are there SLAs to customers, and can you actually meet them?
  20. Has a backup and restore drill actually been run, end to end?

F. Growth channels

  21. Where does traffic actually come from, month by month?
  22. If SEO is the moat, is the moat real?
  23. If paid acquisition is a channel, is attribution actually tracked?
  24. What content assets come with the product, and who wrote them?

G. Seller and handover

  25. Why is the seller actually selling?
  26. What does the training period actually include, and for how long?
  27. What does the non-compete actually cover, and is it enforceable?

Conclusion

Due diligence is not defensive. It is pricing. Every question on the list either confirms the seller's narrative, reveals a lever to renegotiate, or uncovers the reason to walk. The five walk-away items — one per category among the most structural — protect you from the deals that look right on the surface and are broken underneath. The remaining 22 are how you arrive at a number that reflects the asset you are actually buying, not the pitch.

If you are running this list against a marketplace listing, run it alone and run it in sequence. If you want a starting point where the most operationally fragile items are already built in — runbooks, vendor clarity, training period, warranty — see the current startup catalog, review the direct purchase and territorial licensing models, or compare pricing by model.

Buying a SaaS well is not about finding the perfect asset. It is about pricing what you are buying accurately and refusing to close on what is structurally broken. Twenty-seven questions are the cheapest way to do both.


Sources cited:

  • Acquire.com, Biannual Acquisition Multiples Report (January 2026, consulted April 2026) — SaaS profit multiples.
  • Flippa, Online Business M&A Insights 2025 Recap & 2026 Outlook (December 2025, consulted April 2026) — marketplace data referenced via the pillar guide.
  • ChartMogul, published SaaS retention and churn benchmarks (consulted April 2026) — median SMB monthly churn reference.
