The Ultimate SaaS Due Diligence Checklist (2026 Edition)

We've compiled everything we check in a Premium report into a single checklist. Whether you do due diligence yourself or use a service, this ensures nothing gets missed.

Financial (15 points). Verify MRR against payment processor. Calculate true monthly churn (monthly cohort only). Analyze revenue concentration (top 10 customers). Check net revenue retention. Review refund and dispute history. Verify LTV/CAC ratio. Analyze expansion revenue sources. Check for seasonal patterns (12 months minimum). Verify pricing tier distribution. Check payment processor fee impact on margins. Review outstanding annual prepayments and their renewal dates. Cross-reference Stripe payouts with bank deposits. Check for pending refunds or disputes. Analyze gross margin after infrastructure costs. Verify MRR growth trend over 6+ months.

Technical (15 points). Review overall architecture and project structure. Audit dependencies for vulnerabilities (npm audit, safety check). Check test coverage percentage and critical path coverage. Review deployment process and infrastructure. Assess framework and language currency. Check for hardcoded secrets or credentials. Review error handling and logging. Assess database design and query performance. Check for single points of failure. Review API rate limits and external dependencies. Verify backup and disaster recovery procedures. Assess mobile responsiveness. Check page load performance. Review authentication and authorization implementation. Assess documentation quality.

Traffic and acquisition (15 points). Verify total traffic trend (12 months). Analyze traffic source distribution. Check organic keyword rankings and trends. Assess domain authority and backlink quality. Review conversion funnel (visit to signup to paid). Check for bot traffic or artificial inflation. Analyze geographic distribution. Review paid acquisition costs and ROI. Check referral partner stability. Assess content marketing effectiveness. Review social media presence and engagement. Check email list size and engagement rates. Analyze seasonal traffic patterns. Verify claimed traffic against third-party estimates. Review Google Search Console for penalties.

Legal (15 points). Verify IP ownership for all contributors. Run open source license compliance scan. Review Terms of Service completeness. Audit privacy policy against actual practices. Check GDPR compliance (if EU users). Check CCPA compliance (if California users). Review data processing agreements with subprocessors. Verify cookie consent implementation. Check for pending legal issues or disputes. Review trademark status. Verify domain ownership and expiration. Check for non-compete agreements affecting the seller. Review any existing customer contracts. Assess regulatory compliance for the specific vertical. Verify insurance coverage (if applicable).

Download this checklist as a PDF from our Resources page, or let AcquiCheck handle it all in a comprehensive report.