The SaaS Due Diligence Checklist (2026)
Buying a SaaS business looks clean on the surface — predictable subscriptions, software margins, no inventory — and that's exactly why diligence matters. The recurring-revenue story is easy to dress up, and the things that quietly destroy value (silent churn, a single key developer, revenue recognized before it's earned) don't show up in a headline ARR number.
This is a practical SaaS due diligence checklist: what to verify before you close, and the SaaS-specific red flags that should make you slow down. It builds on the general M&A due diligence checklist with the items that are unique to software.
What makes SaaS diligence different
A SaaS business lives or dies on the durability of its revenue, not just the size of it. Two companies with identical ARR can be worth wildly different multiples depending on who's paying, how long they stay, and how much it costs to keep them. So SaaS diligence is mostly about pressure-testing the recurring-revenue claim from every angle.
1. Recurring revenue quality
The number sellers lead with is ARR or MRR. Verify what's actually inside it:
- Committed vs. implied ARR — is it contracted recurring revenue, or an annualized run-rate that includes one-time and services revenue dressed up as recurring? Strip out setup fees, professional services, and usage spikes.
- Revenue by plan and cohort — concentration in a few large accounts is as dangerous in SaaS as in any business. Any single customer over ~10-15% of ARR is a flag.
- Billing reality — reconcile the ARR schedule against the payment processor (Stripe, etc.) and the bank. Optimistic ARR that the bank statements don't support is the most common SaaS overstatement.
2. Churn and retention — read it honestly
This is where SaaS deals are really won or lost:
- Gross revenue churn and logo (customer) churn — monthly and annual. Rising churn under a flat ARR headline means the business is filling a leaky bucket with sales spend.
- Net revenue retention (NRR) — expansion minus contraction and churn within the existing base. Above 100% is healthy; below ~90% is a structural problem.
- Cohort retention curves — pull retention by signup cohort. A curve that flattens means a sticky product; one that keeps declining means you're buying a treadmill.
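The ARR and retention checks in sections 1 and 2 are easy to state and easy to get wrong on a spreadsheet, so here is a small worked version of them. This is an added example, not code from the original checklist or from Deal OS; the customer names, MRR figures, processor payouts and one-time items are constructed, and the function names and the 15% concentration threshold are my own choices. It takes per-customer MRR at the start and end of a 12-month window, computes gross revenue churn, logo churn and NRR over the existing base only, flags concentration, and compares the seller's claimed ARR against contracted run-rate and against the cash that actually reached the bank.

```python
"""Retention and ARR-reconciliation checks over constructed subscription data.

Added example; not part of the original checklist. All figures below are
constructed for illustration.
"""
from __future__ import annotations

# Constructed MRR (USD) per customer at the start and end of a 12-month window.
# A customer present in START but missing from END has churned; new logos
# appear only in END and are excluded from the retention maths.
MRR_START = {"acme": 800, "bolt": 500, "cairn": 2000, "delta": 400, "echo": 300, "fern": 600}
MRR_END = {"acme": 1100, "bolt": 350, "cairn": 2000, "echo": 300, "fern": 600, "gale": 700}

# Constructed net processor payouts (USD) that landed in the bank, one per month.
PROCESSOR_PAYOUTS = [4500, 4550, 4600, 4650, 4700, 4750, 4800, 4850, 4900, 4950, 5000, 5050]

# Constructed one-time items the seller folded into the "ARR" schedule.
ONE_TIME_IN_SCHEDULE = {"setup_fees": 2400, "professional_services": 6000}

# Constructed headline ARR from the seller's deck.
CLAIMED_ARR = 69_000


def retention_metrics(start: dict[str, float], end: dict[str, float]) -> dict[str, float]:
    """Gross revenue churn, logo churn and NRR measured on the starting base only."""
    start_mrr = sum(start.values())
    churned = sum(v for c, v in start.items() if c not in end)
    contraction = sum(start[c] - end[c] for c in start if c in end and end[c] < start[c])
    expansion = sum(end[c] - start[c] for c in start if c in end and end[c] > start[c])
    lost_logos = sum(1 for c in start if c not in end)
    return {
        "gross_revenue_churn": (churned + contraction) / start_mrr,
        "logo_churn": lost_logos / len(start),
        # NRR: what the inherited base does on its own, before any new sales.
        "nrr": (start_mrr - churned - contraction + expansion) / start_mrr,
    }


def concentration_flags(mrr: dict[str, float], threshold: float = 0.15) -> list[str]:
    """Customers above `threshold` share of total MRR (the checklist's ~10-15% line)."""
    total = sum(mrr.values())
    return sorted(c for c, v in mrr.items() if v / total > threshold)


def reconcile_arr(claimed_arr: float, end_mrr: dict[str, float],
                  payouts: list[float], one_time: dict[str, float]) -> dict[str, float]:
    """Put the seller's ARR next to contracted run-rate and trailing cash."""
    committed_arr = 12 * sum(end_mrr.values())
    one_time_total = sum(one_time.values())
    cash_12m = sum(payouts)
    return {
        "claimed_arr": claimed_arr,
        "committed_arr": committed_arr,
        "one_time_in_claim": one_time_total,
        "claimed_minus_one_time": claimed_arr - one_time_total,
        "trailing_12m_cash": cash_12m,
        # Trailing cash lags run-rate in a growing business; a gap larger than
        # growth plus the one-time items explain is the number to ask about.
        "claim_vs_cash_gap": claimed_arr - cash_12m,
    }


def arr_flags(figures: dict[str, float], metrics: dict[str, float]) -> list[str]:
    """Turn the figures into the plain-language flags a reviewer would raise."""
    flags = []
    if figures["one_time_in_claim"] > 0:
        flags.append("one-time revenue inside the ARR schedule")
    if figures["claimed_arr"] > figures["committed_arr"]:
        flags.append("claimed ARR exceeds contracted run-rate")
    if metrics["nrr"] < 0.90:
        flags.append("NRR below ~90%")
    return flags


if __name__ == "__main__":
    metrics = retention_metrics(MRR_START, MRR_END)
    figures = reconcile_arr(CLAIMED_ARR, MRR_END, PROCESSOR_PAYOUTS, ONE_TIME_IN_SCHEDULE)
    for k, v in {**metrics, **figures}.items():
        print(f"{k:24s} {v:,.3f}" if isinstance(v, float) else f"{k:24s} {v:,}")
    print("concentration:", concentration_flags(MRR_END))
    print("flags:", arr_flags(figures, metrics))
```

On the constructed data NRR comes out at about 94.6%, so it clears the ~90% line, but the claimed ARR carries 8,400 of one-time revenue and sits above the contracted run-rate, which is exactly the "ARR the bank doesn't support" pattern the checklist warns about. Run it on a real export by replacing the two MRR dictionaries with start- and end-of-period snapshots from the billing system and the payouts list with the processor's payout report.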
3. Unit economics
- CAC and CAC payback period — how much it costs to acquire a customer and how many months of revenue to earn it back. Payback over ~18-24 months is a concern.
- LTV:CAC ratio — directionally, you want comfortably above 3:1, but treat any LTV built on optimistic churn assumptions with suspicion.
- Gross margin — true software gross margin after hosting/infrastructure, third-party APIs, and customer-success cost. "80% margins" often shrink once real cost of revenue is allocated.
4. Revenue recognition and financials
- Revenue recognition policy (ASC 606) — annual prepaid contracts must be recognized over the term, not booked upfront. Aggressive recognition inflates current earnings.
- Deferred revenue — understand the deferred-revenue balance you're inheriting; it's a delivery obligation, not cash you get to keep.
- Quality of earnings basics — normalize EBITDA, scrutinize owner add-backs, and reconcile statements to tax returns, exactly as in any acquisition.
5. Product, code, and IP
- Code and IP ownership — confirm the company actually owns its code. Contractor-written code without a proper assignment, or unresolved open-source license obligations, can be a serious problem.
- Technical debt and architecture — get an honest read (ideally a technical reviewer) on how maintainable the codebase is and what a rewrite risk looks like.
- Key-person dependency — if one developer holds the whole system in their head, that's a single point of failure. What happens if they leave at close?
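The open-source obligation check above is one the technical reviewer can start mechanically from a dependency inventory. The following is an added example, not code from the original checklist or from any tool it names; the inventory is a constructed SBOM-style list with invented package names, and the bucket names and SPDX prefix lists are my own. It sorts each dependency's declared license into strong copyleft, weak copyleft, permissive, unknown or needs-review, and separately pulls out AGPL packages, because the AGPL's network-use clause can reach code a SaaS business only serves and never ships.

```python
"""Triage open-source license obligations in a dependency inventory.

Added example; not part of the original checklist. The inventory is a
constructed SBOM-style list; package names, versions and licenses are invented.
"""
from __future__ import annotations

# Constructed inventory, roughly the shape of an SBOM or a license-report export.
INVENTORY = [
    {"name": "webframework", "version": "4.2.0", "license": "BSD-3-Clause"},
    {"name": "pdf-render", "version": "1.9.3", "license": "AGPL-3.0-only"},
    {"name": "dbdriver", "version": "2.1.0", "license": "LGPL-2.1-or-later"},
    {"name": "charting", "version": "0.8.1", "license": "MIT"},
    {"name": "legacy-utils", "version": "0.1.0", "license": "UNKNOWN"},
    {"name": "crypto-helper", "version": "3.0.0", "license": "Apache-2.0"},
    {"name": "odd-lib", "version": "1.0.0", "license": "Custom-Commercial"},
]

# SPDX identifier prefixes. Weak copyleft is tested before strong so that
# "LGPL-" is never mistaken for a GPL family match.
WEAK_COPYLEFT = ("LGPL-", "MPL-", "EPL-")
STRONG_COPYLEFT = ("GPL-", "AGPL-")
PERMISSIVE = ("MIT", "BSD-", "Apache-", "ISC")


def classify(license_id: str) -> str:
    """Map a declared license string to a diligence bucket."""
    lic = license_id.strip()
    if not lic or lic.upper() in {"UNKNOWN", "NOASSERTION"}:
        return "unknown"
    if lic.startswith(WEAK_COPYLEFT):
        return "weak-copyleft"
    if lic.startswith(STRONG_COPYLEFT):
        return "strong-copyleft"
    if lic.startswith(PERMISSIVE):
        return "permissive"
    return "review"  # anything unrecognised goes to a human


def license_findings(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Group dependencies by bucket, keeping name, version and declared license."""
    findings: dict[str, list[str]] = {
        "strong-copyleft": [], "weak-copyleft": [], "permissive": [], "unknown": [], "review": [],
    }
    for dep in inventory:
        findings[classify(dep["license"])].append(
            f"{dep['name']}@{dep['version']} ({dep['license']})"
        )
    return findings


def network_copyleft(inventory: list[dict[str, str]]) -> list[str]:
    """AGPL packages: the first ones to chase in a SaaS deal, since the
    network-use clause applies even when the code is only hosted."""
    return [d["name"] for d in inventory if d["license"].strip().startswith("AGPL-")]


if __name__ == "__main__":
    for bucket, deps in license_findings(INVENTORY).items():
        if deps:
            print(f"{bucket}:")
            for dep in deps:
                print(f"  {dep}")
    print("network copyleft (AGPL):", network_copyleft(INVENTORY))
```

The output is a triage list, not a legal conclusion: declared licenses in manifests are often wrong or missing, so the "unknown" and "review" buckets need a source check, and a strong-copyleft hit needs counsel to decide whether the way the component is linked and served actually triggers an obligation. Feed it a real SBOM by replacing the inventory list with the parsed export.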
6. Security, data, and compliance
- Security posture — SOC 2, penetration test history, and any past breaches or incidents.
- Data protection — GDPR/CCPA handling, data-processing agreements, and where customer data lives.
- Third-party dependencies — critical APIs, infrastructure providers, and what happens to pricing or access if a key vendor changes terms.
7. Contracts and commercial
- Customer contracts and ToS — auto-renewal terms, change-of-control clauses, and any non-standard commitments to large customers.
- Sales pipeline — is growth coming from a repeatable motion or a few heroic deals?
- Pricing power — has the company ever raised prices without churn spiking?
SaaS-specific red flags
- ARR that the payment processor and bank statements don't support.
- Net revenue retention below ~90%, or churn rising while ARR looks flat.
- Revenue recognized upfront on annual contracts.
- Code owned by contractors with no assignment, or heavy unresolved open-source obligations.
- A single developer or founder who is the only person who understands the system.
- Growth that depends entirely on rising ad spend rather than retention or expansion.
Where the time goes — and how to compress it
Most SaaS diligence is reading and reconciling: subscription and billing exports, cohort data, the cap table, customer contracts, security docs, and a data room full of PDFs — cross-checking each claim against the underlying document. It's slow and detail-heavy, and a single missed clause in a key customer contract can change the deal.
This is the part you can systematize. Deal OS reads the documents in a deal workspace and produces source-cited diligence briefs and findings — every claim quoted from your own documents and verified before you see it — plus risk, contradiction, and missing-information audits across the data room. It doesn't replace your judgment, your technical reviewer, or your QoE provider; it gets you to the questions that matter faster. See how we approach diligence automation for the document-heavy review specifically.
Frequently asked questions
What is the most important metric in SaaS due diligence? Net revenue retention (NRR), backed by honest churn data. It tells you whether the existing customer base grows or shrinks on its own before any new sales. NRR comfortably above 100% signals a sticky product; below ~90% is a structural problem no amount of new-sales spend fixes cheaply.
How do you verify ARR when buying a SaaS company? Reconcile the seller's ARR schedule against the payment processor (e.g., Stripe) and the bank deposits, strip out one-time and services revenue, and separate committed contracted ARR from an annualized run-rate. ARR the bank statements don't support is the most common SaaS overstatement.
What are the biggest red flags in a SaaS acquisition? Churn rising under a flat ARR headline, net revenue retention below ~90%, revenue recognized upfront on annual contracts, code owned by contractors without assignment, and a single developer who is the only person who understands the system.
Can AI help with SaaS due diligence? Yes, for the document-heavy parts. Tools like Deal OS read the contracts, financials, and data-room documents and produce source-cited findings and contradiction audits, so you reach the real questions faster. It supports your diligence; it doesn't replace your own verification, technical review, or professional advisors.
Review your next SaaS deal with less grind
If reconciling the billing data and reading the contracts is eating your nights, book a 15-minute walkthrough of how Deal OS turns a workspace of documents into cited diligence findings.