you found a saas you want to buy. the metrics look good. the seller seems legit.
but how do you know it is actually what they say it is?
this is the complete due diligence checklist for saas acquisitions. use it to avoid the deals that look good on paper but fall apart in reality.
phase 1: financial verification
this is where most bad deals get exposed.
revenue verification
| what to check | red flag if... |
|---|---|
| mrr matches stripe data | numbers are "approximate" |
| revenue trend (12 months) | recent spike before listing |
| refund rate | above 5% consistently |
| chargeback rate | above 1% |
| revenue concentration | top 3 customers > 30% |
critical: ask for live stripe access or stripe-verified metrics. screenshots can be faked.
on vaulto, all listings with the verified badge have metrics pulled directly from stripe's api. no screenshots, no spreadsheets, no trust issues.
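the revenue red flags from the table above can be computed directly from a per-charge export instead of being read off a seller's summary. this is an added example, not code from vaulto or stripe: the csv column names and the sample rows are constructed, and measuring refund rate by amount and chargeback rate by charge count is an assumption.

```python
import csv
import io
from collections import defaultdict

# thresholds from the red-flag table above
MAX_REFUND_RATE = 0.05      # refund rate above 5%
MAX_CHARGEBACK_RATE = 0.01  # chargeback rate above 1%
MAX_TOP3_SHARE = 0.30       # top 3 customers > 30% of revenue

# constructed sample export (not real data); column names are assumptions
SAMPLE_CSV = """customer,amount,refunded,disputed
acme,400,0,no
acme,400,0,no
globex,300,0,no
initech,200,200,no
umbrella,100,0,yes
hooli,100,0,no
stark,100,0,no
wayne,100,0,no
wonka,100,0,no
soylent,100,0,no
"""

def revenue_red_flags(csv_text):
    """return (metrics, flags) computed from a per-charge export."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("export contains no charges")
    gross = sum(float(r["amount"]) for r in rows)
    refunded = sum(float(r["refunded"]) for r in rows)
    disputes = sum(r["disputed"].strip().lower() == "yes" for r in rows)
    net_by_customer = defaultdict(float)
    for r in rows:  # net revenue per customer, after refunds
        net_by_customer[r["customer"]] += float(r["amount"]) - float(r["refunded"])
    net = sum(net_by_customer.values())
    top3 = sum(sorted(net_by_customer.values(), reverse=True)[:3])
    metrics = {
        "refund_rate": refunded / gross if gross else 0.0,  # by amount
        "chargeback_rate": disputes / len(rows),            # by charge count
        "top3_share": top3 / net if net > 0 else 0.0,
    }
    limits = {"refund_rate": MAX_REFUND_RATE,
              "chargeback_rate": MAX_CHARGEBACK_RATE,
              "top3_share": MAX_TOP3_SHARE}
    flags = [name for name, limit in limits.items() if metrics[name] > limit]
    return metrics, flags

if __name__ == "__main__":
    metrics, flags = revenue_red_flags(SAMPLE_CSV)
    for name, value in metrics.items():
        print(f"{name}: {value:.1%}{'  <-- red flag' if name in flags else ''}")
```

run it against an export you pulled yourself from live access, not a file the seller prepared, so the inputs are as trustworthy as the math.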
expense verification
| what to check | red flag if... |
|---|---|
| hosting costs | unusually low for traffic |
| third-party services | hidden recurring costs |
| contractor payments | undisclosed ongoing work |
| marketing spend | required to maintain revenue |
ask for: 12 months of bank statements or accounting exports. compare against claimed profits.
profit margins
calculate the actual profit margin:
(revenue - all expenses) / revenue = margin
healthy micro-saas margins are typically 60-80%. below 50% means there is less profit than the topline suggests.
phase 2: customer health
revenue is a lagging indicator. customer health tells you where the business is going.
churn analysis
| metric | healthy | concerning |
|---|---|---|
| monthly logo churn | < 3% | > 5% |
| monthly revenue churn | < 2% | > 4% |
| net revenue retention | > 100% | < 90% |
ask for: cohort analysis showing retention over time. a business with 3% monthly churn loses 30% of customers per year.
customer concentration
if the top 3 customers represent more than 30% of revenue, you are buying customer risk, not a business.
ask for: revenue breakdown by customer (anonymized is fine at this stage).
customer feedback
| what to check | how to verify |
|---|---|
| support ticket volume | ask for helpdesk export |
| common complaints | read recent tickets |
| feature requests | shows product direction |
| nps or csat scores | if they track it |
phase 3: technical assessment
you are buying code. make sure it is not a liability.
codebase quality
| what to check | red flag if... |
|---|---|
| test coverage | no tests at all |
| documentation | none exists |
| last commit date | months ago |
| dependency versions | years out of date |
| security practices | no auth best practices |
ask for: read-only repo access or a code walkthrough call.
infrastructure
| what to check | red flag if... |
|---|---|
| hosting provider | unusual or custom setup |
| deployment process | manual and undocumented |
| monitoring | no error tracking |
| backups | no backup strategy |
| scaling | will break at 2x traffic |
technical debt
every codebase has debt. the question is how much.
ask: "what would you fix if you had time?" — honest sellers will tell you.
phase 4: legal and compliance
boring but critical.
asset ownership
| asset | what to verify |
|---|---|
| domain | owned outright, not expiring |
| codebase | no third-party claims |
| trademarks | registered or registrable |
| customer data | gdpr/privacy compliant |
existing obligations
| what to check | red flag if... |
|---|---|
| customer contracts | long-term commitments |
| vendor contracts | expensive to exit |
| employee/contractor agreements | ongoing obligations |
| pending legal issues | any active disputes |
phase 5: operational assessment
can you actually run this business?
owner dependency
| question | what to look for |
|---|---|
| hours per week | < 10 is ideal, > 20 is a job |
| key relationships | customers tied to founder |
| specialized knowledge | undocumented expertise |
| support complexity | requires deep product knowledge |
transition plan
| what to get | why it matters |
|---|---|
| documentation | how things work |
| recorded walkthroughs | visual reference |
| introduction to key vendors | relationship transfer |
| agreed transition period | typically 30-90 days |
the due diligence timeline
| phase | duration | outcome |
|---|---|---|
| initial review | 1-2 days | decide to proceed or not |
| financial deep dive | 3-5 days | verify the numbers |
| technical review | 2-3 days | assess the code |
| customer analysis | 2-3 days | understand retention |
| legal review | 2-3 days | check ownership |
| final questions | 1-2 days | clear remaining concerns |
total: 2-3 weeks for a thorough review.
questions to ask the seller
these reveal more than any document:
- why are you selling?
- what would you do differently if starting over?
- what is the biggest risk to this business?
- which customers are most likely to churn?
- what is the hardest part of running this?
- how did you acquire your last 10 customers?
- what is blocking growth right now?
honest answers build trust. evasive answers are a red flag.
deal structure protection
even after due diligence, protect yourself with deal structure:
escrow
hold 10-20% of payment in escrow for 30-90 days. releases after successful transition.
earnout
tie part of payment to post-acquisition performance. aligns seller incentives.
representations and warranties
seller guarantees that what they said is true. creates recourse if it is not.
the vaulto advantage
on vaulto, due diligence is faster because:
- verified metrics: mrr, arr, churn pulled directly from stripe
- nda-protected deal rooms: documents organized by category
- structured q&a: questions and answers in one place
- activity tracking: see what documents were shared
you still need to do the work. but verified data means less time verifying basics and more time on what matters.