SaaS Acquisition Due Diligence Checklist (2026): Red Flags From 615 Real Deals
The short version: a SaaS acquisition due diligence checklist is the set of checks you run to confirm a SaaS business is actually worth what the listing says. It breaks into seven areas — revenue quality, financials, the customer base, churn and retention, the tech stack, legal and IP, and founder dependency. The job is simple to state and hard to do: replace every claim in the listing with primary evidence (Stripe exports, bank statements, contracts, analytics) before money moves.
What makes this guide different from the dozen other checklists online is the data behind it. We analyzed 615 real SaaS-for-sale listings from acquire.com inside BigIdeasDB's SellSide DB and ran every one through an AI risk model. The patterns are blunt: 0% of those listings disclosed a churn figure, the median listing that disclosed any customers at all had just 5 paying customers, and 36% disclosed no customer count whatsoever. The red flags below are not theoretical. They are the ones that actually show up in the deals you will look at.
If you are still deciding whether to buy at all, start with buying vs. building a SaaS in 2026, then learn how to find SaaS acquisition targets worth running through this checklist.
Table of Contents
- What the data from 615 real listings tells you
- The 7-part SaaS acquisition due diligence checklist
- Part 1: Revenue quality and durability
- Part 2: Financial verification
- Part 3: Customer base and concentration
- Part 4: Churn and retention
- Part 5: Product, tech, and platform risk
- Part 6: Legal, IP, and compliance
- Part 7: Founder dependency and operations
- The red-flag table: what shows up in real deals
- How to price the risk you find
- Frequently Asked Questions
Want the risk signals pre-computed for every listing? SellSide by BigIdeasDB tracks 615+ real acquire.com deals with AI-generated buyer theses, red flags, and an acquisition-attractiveness score on each one — so you walk into diligence already knowing where to dig.
What the Data From 615 Real Listings Tells You
Before the checklist, calibrate your expectations. Here is what the typical SaaS for sale actually looks like, drawn from the 615 anonymized acquire.com listings in our SellSide DB. None of this is survey data or opinion — it is the aggregate of real deals on the market.
- Most listings are small. The median trailing twelve-month revenue is roughly $118,000, and the median listing that disclosed a customer count had just 5 paying customers. You are usually buying a micro-SaaS, not an enterprise.
- Churn is a black box. Across all 615 listings, 0% published a churn or retention figure in their structured data. The single most important indicator of SaaS revenue quality is the one sellers almost never volunteer.
- Customer data is thin. Only 64% disclosed a customer count at all; 36% left it blank. When the customer base is small or hidden, concentration risk is high by default.
- Pricing is optimistic. The median asking profit multiple is about 3.4x, with most small deals clustering between 2x and 4x. Sellers anchor high; you discount for risk.
- The market skews early. By growth stage, 56% of listings are tagged "growth," 29% "early traction," and only 13% "mature." Early-traction businesses carry the most unproven revenue.
- Not all of it is real SaaS. By business model, 67% are subscription, but 12% are services, 5% marketplaces, and 4% one-time sales — businesses often listed as "SaaS" that do not have recurring software economics.
- Quality is middling on average. Our AI scores acquisition attractiveness 0–10. The median is 6; only 12.5% score 8 or above, while 31% score 5 or below. Most listings are "fine, with caveats" — which is exactly why diligence matters.
The takeaway: assume the listing is a sales document, not an audited report. Your checklist exists to close the gap between the headline and the truth. For the full pricing picture, pair this with our guide to SaaS valuation multiples in 2026.
The 7-Part SaaS Acquisition Due Diligence Checklist
Work these seven areas in order. Earlier parts (revenue, financials, churn) are the cheapest to verify and the most likely to kill a deal, so front-load them before you spend on lawyers and technical reviews.
Part 1: Revenue Quality and Durability
Headline MRR is the most-faked number in any listing. Your job is to rebuild it from raw data and ask whether it will still be there in 12 months. Verify each of these:
- Reconcile MRR from the source. Get read-only or screen-shared exports from Stripe, Paddle, or Chargebee and rebuild MRR yourself. Do not accept a spreadsheet the seller typed.
- Separate recurring from one-time. With 4% of the market being one-time sales and 12% services, confirm the "MRR" is actually recurring subscriptions, not setup fees or consulting billed monthly.
- Strip out non-arm's-length revenue. Remove the seller's own test accounts, friends-and-family comps, and any single customer who happens to be the founder's other company.
- Check refund and chargeback rates. High refunds hidden under gross revenue inflate the headline. Net of refunds is the number that matters.
- Map the MRR trend. Is recurring revenue growing, flat, or declining month over month for the trailing 12? Flat or declining is not disqualifying, but it changes the multiple.
"Lack of resources to properly scale up." — acquire.com listing
Reasons-for-selling like the one above are common and benign — but they also tell you the business may be under-invested, which shows up in the revenue trend. Read the seller's stated reason against what the numbers actually do.
Part 2: Financial Verification
About 30% of the listings we scored carry a thin- or negative-profitability flag. Revenue is not profit, and a business that bleeds cash at scale is a liability, not an asset. Confirm:
- Trailing 12–24 months of P&L, reconciled against business bank statements — not just a dashboard screenshot.
- True margins. Add back the seller's own under-counted costs: their unpaid labor, contractor invoices paid personally, and infrastructure billed to a personal card.
- Hosting and API costs as a % of revenue. AI-heavy products especially can have model/inference costs that quietly eat the margin.
- Outstanding liabilities — annual plans paid upfront (deferred revenue you must deliver), unpaid invoices, and any debt.
- Owner add-backs sanity check. Sellers inflate SDE with aggressive add-backs. Question every one.
Part 3: Customer Base and Concentration
This is where the data is most alarming. With a median of 5 disclosed paying customers and 36% disclosing none, concentration risk is the default state, not the exception. We flagged roughly 11% of listings for explicit revenue concentration and 64% for a small or undisclosed customer base.
- Get the customer count and the revenue distribution. If the top 1–2 customers are more than ~25% of MRR, losing one materially changes the business.
- Check contract terms and renewal dates. Are big customers on month-to-month plans (easy to churn) or annual contracts? When do they renew, and is a renewal at risk?
- Confirm transferability. Do any contracts have change-of-control or assignment clauses that let customers walk when ownership changes?
- Talk to customers if possible. Even 2–3 reference calls reveal whether the product is loved or merely tolerated.
Part 4: Churn and Retention
Here is the most important finding in the entire dataset: not one of the 615 listings published a churn figure in its structured data. Churn is the truest measure of SaaS revenue quality, and it is precisely the number sellers omit. We flagged 31% of listings specifically for missing churn or retention data. Treat "no churn data" as a yellow flag you must clear before closing.
- Reconstruct churn from the payment processor. If the seller won't give you a number, compute it: cancellations and failed-payment lapses divided by active subscriptions, monthly.
- Build a cohort retention curve. Group customers by signup month and watch how each cohort decays. A flattening curve is healthy; a curve that goes to zero in a few months is a treadmill.
- Separate logo churn from revenue churn. Net revenue retention above 100% (expansion outpacing churn) is the gold standard; you almost never see it in micro-SaaS, so anything near 100% is strong.
- Watch for annual-plan masking. Annual plans hide churn for 11 months. A business that looks sticky may simply not have hit its renewal cliff yet.
Part 5: Product, Tech, and Platform Risk
We flagged roughly 8% of listings for tech or platform dependency — and that share is rising as no-code and single-API products proliferate. A business that lives entirely on one platform's rules can be killed by a policy change.
- Map every external dependency. Which APIs, platforms, and third-party tools does the product require? What happens if one changes pricing or terms? (Think: a wrapper on a single LLM API, or a Shopify-app-store-only distribution.)
- Review code ownership and quality. Is the codebase documented, or is it tribal knowledge in the founder's head? Undocumented code is a key-person risk in disguise.
- Check security and data handling. Past incidents, exposed secrets, and compliance posture (GDPR, CCPA, SOC 2 if relevant).
- Confirm the infrastructure transfers. Domains, hosting, repos, DNS, and all service accounts must move cleanly to you at close.
Part 6: Legal, IP, and Compliance
The cheapest way to lose a deal post-close is to discover you don't actually own what you bought. Verify ownership before money moves.
- IP assignment. Every contractor and employee who touched the code must have signed an IP assignment. Unassigned contractor work is one of the most common silent landmines.
- Trademarks and the brand. Confirm the name, domain, and any trademarks are owned and transferable.
- Open-source license compliance. Copyleft licenses (GPL) in a commercial product can create obligations you inherit.
- Customer and vendor contracts. Check assignment clauses, auto-renewals, and any unusual liabilities.
- Pending disputes. Refund chargebacks, threatened lawsuits, or platform bans.
Part 7: Founder Dependency and Operations
We flagged roughly 22% of listings — better than 1 in 5 — for founder or key-person dependency. If the business only works because the founder personally answers support, runs the sales, and is the only one who understands the code, you are not buying a business; you are buying a job that quits the day they leave.
- Quantify the owner's weekly hours and what they actually do. Sales? Support? Engineering? All three?
- Check for documented processes / SOPs. Can the business be run from the documentation, or only from the founder's memory?
- Negotiate a transition period. 30–90 days of seller support, in writing, is standard and protects you.
- Assess marketing channel concentration. If 100% of signups come from one SEO page or one founder's personal audience, that channel may not transfer to you.
To see how our AI weighs these signals into a single buyer thesis, read the help doc on reading the AI buyer thesis.
The same engine behind these numbers powers BigIdeasDB — 1M+ real user complaints turned into validated demand signals. Use it to pressure-test whether the SaaS you're buying solves a problem people actually keep paying for.
The Red-Flag Table: What Shows Up in Real Deals
We ran an AI risk model over all 615 listings and tagged the recurring risk signals. Below is how often each red flag appears, what it means, and how to clear it. Percentages are the share of the 615 listings carrying that signal.
| Red flag | Frequency | Why it matters / how to clear it |
|---|---|---|
| Small or undisclosed customer base | ~64% | Median disclosed base is just 5 customers. Get the count and the revenue distribution; assume concentration until proven otherwise. |
| No churn / retention data disclosed | ~31% flagged (0% disclosed a figure) | Churn is the truest revenue-quality signal. Reconstruct it from the payment processor and build a cohort curve. |
| Thin or negative profitability | ~30% | Revenue is not profit. Reconcile P&L to bank statements and add back the seller's hidden costs. |
| Founder / key-person dependency | ~22% | If it only runs because of the founder, it's a job, not an asset. Require SOPs and a 30–90 day transition. |
| Aggressive asking price / multiple | ~15% | Median ask is ~3.4x profit. Benchmark against category multiples and discount for every unverified claim. |
| Service revenue dressed as SaaS | ~14% | 12% of listings are services, not subscription. Confirm the revenue is recurring software, not billable hours. |
| Revenue concentration | ~11% | One customer leaving shouldn't sink the business. Map the top customers as a % of MRR. |
| Tech / platform dependency | ~8% | A single-API or single-platform product can be killed by a policy change. Map every external dependency. |
One flag is rarely fatal. The deals that go wrong are the ones where three or four stack: a tiny undisclosed customer base and no churn data and founder dependency and an aggressive ask. That combination is your signal to renegotiate hard or walk.
How to Price the Risk You Find
Due diligence isn't pass/fail — it's a pricing exercise. Start from a fair multiple for the category, then adjust:
- Anchor to the category. The median ask is ~3.4x profit, but multiples vary widely by niche — see our profit multiples by SaaS category breakdown.
- Discount each cleared-but-weak signal. High churn, concentration, founder dependency, and platform risk each justify shaving the multiple — or restructuring the deal with an earnout.
- Use structure to share risk. Earnouts, holdbacks, and seller financing let you tie part of the price to the business actually performing post-close.
- Compare your marketplace options. Where you buy changes the diligence burden — see SellSide vs. Acquire.com vs. Flippa.
If you want the listing-level data and AI scoring that this article is built on, that lives in SellSide. And if you decide a particular deal isn't worth it, head back to the BigIdeasDB homepage to find your next target.
Frequently Asked Questions
What is a SaaS acquisition due diligence checklist?
A SaaS acquisition due diligence checklist is the structured set of verification steps a buyer runs before purchasing a SaaS business. It covers revenue quality (MRR durability, churn, customer concentration), financials (profit, margins, refunds), the customer base, the tech stack and platform dependencies, legal and IP ownership, and operational or founder dependency. The goal is to confirm the seller's claims with primary evidence — bank statements, Stripe exports, analytics, and contracts — rather than the headline numbers in the listing.
What are the biggest red flags when buying a SaaS?
Across 615 real acquire.com listings in BigIdeasDB's SellSide DB, the most common red flags are: no churn or retention data disclosed (0% of listings published a churn figure), a tiny or undisclosed customer base (the median listing that disclosed customers had just 5 paying customers, and 36% disclosed none), founder or key-person dependency (flagged on roughly 1 in 5 listings), thin or negative profitability (about 30%), and revenue that is really services or one-time work dressed up as recurring SaaS (about 1 in 7). Any of these alone is survivable; two or more stacked together is when buyers should slow down.
How do you verify SaaS revenue before buying?
Never trust the listing's headline MRR. Ask for read-only access or screen-shared exports from the payment processor (Stripe, Paddle, or Chargebee), then reconcile that against business bank statements for the trailing 12 months. Separate one-time payments from genuine recurring subscriptions, strip out the seller's own test accounts and friends-and-family comps, and rebuild MRR yourself from the raw subscription data. Then pull a cohort retention curve to see whether revenue actually sticks — a clean MRR number with hidden 8% monthly churn is worth far less than it looks.
What revenue multiple should you pay for a small SaaS in 2026?
Among the 615 SellSide listings, the median asking profit multiple is about 3.4x annual profit, with most small bootstrapped SaaS deals clustering between 2x and 4x profit. Asking multiples skew high — sellers price optimistically — so the multiple you actually pay should adjust down for every unverified claim and every red flag: undisclosed churn, customer concentration, founder dependency, or platform risk each justify a discount. Recurring, low-churn, multi-channel businesses command the top of the range; service-heavy or single-customer businesses sit well below it. See our SaaS valuation multiples guide for the full picture.
How long does SaaS acquisition due diligence take?
For a small bootstrapped SaaS (under ~$500K), expect 2 to 4 weeks of focused diligence after the letter of intent: a few days reconciling financials and revenue, a few days on customer and churn analysis, a few days on the tech and security review, and the rest on legal, IP, and contract checks. Larger or more complex deals run 4 to 6 weeks or longer. The single biggest time sink is chasing data the seller did not prepare — which is itself a signal about how the business was run.