The Interrogation, Not the Verification
If you think due diligence is simply a verification of the numbers in your pitch deck, you have already lost valuation. In 2026, due diligence is an interrogation of your business’s soul. It is a stress test designed to break your revenue model, expose your technical debt, and prove that your company cannot survive without you.
The statistics are unforgiving: 50% of SaaS deals fall apart during due diligence. Of those that survive, nearly half suffer a "retrade" (a reduction in purchase price) after the buyer uncovers operational risks that weren't visible in the CIM. Why? Because buyers today aren't just looking for growth; they are looking for durability.
As an operator who has sat on both sides of the table, I can tell you that the questions have changed. Financial buyers don't just ask about your growth rate; they ask about the quality of that growth. They don't just check if your code works; they check if it will require a total rewrite to scale past $50M ARR. Below is the diagnostic framework we use—the 50 questions that determine whether you get a 10x multiple or a polite "no thanks."
Part 1: Commercial & Revenue Quality (The "Real" Growth)
Investors scrutinize not just how much you sell, but how efficiently you sell it and how well you keep it. In 2026, Net Revenue Retention (NRR) < 100% is a deal-killer, and premium multiples (7x-10x ARR) are reserved for those above 120%.
The Retention & Unit Economics Probe
- 1. What is your NRR and Gross Revenue Retention (GRR) by cohort for the last 36 months? (If GRR is below 85%, your "growth" is just replacing a leaky bucket).
- 2. What is your CAC Payback Period on a gross margin basis? (Benchmark: <12 months is premium; >18 months is a red flag).
- 3. What is the "Logo Churn" vs. "Revenue Churn" disparity? (Are you losing small customers to save big ones, or vice versa?)
- 4. How much of your NRR expansion is price increases vs. seat expansion vs. cross-sell? (Price increases are finite; cross-sell proves platform value).
- 5. What is the LTV:CAC ratio by customer segment (SMB, Mid-Market, Enterprise)?
- 6. Do you track "Phantom Revenue" in your pipeline? (See: The Phantom Revenue Problem).
The Contract & Concentration Risk
- 7. What percentage of ARR is up for renewal in the next 120 days?
- 8. Do you have any customer concentration >10% of ARR? (If yes, expect a structured earnout).
- 9. Are there "Change of Control" clauses in your top 20 contracts? (Can customers walk away if you sell?)
- 10. What percentage of contracts are on non-standard terms or have side letters?
- 11. How much service revenue is disguised as ARR? (Implementation fees amortized over the deal do not count as recurring revenue).
- 12. What is your "Time to Value" (TTV) for new customers? (Slow onboarding = high early churn risk).
Part 2: Technical Health & Product (The Engine)
In 2026, technical due diligence is no longer a cursory architectural review. With the rise of AI and the complexity of modern stacks, buyers hire specialized firms to audit your code. They are looking for the "Grand Rewrite"—the hidden $5M expense they’ll inherit post-close. If your technical debt estimate is zero, you are lying.
Architecture & Scalability
- 13. What is your "Technical Debt Ratio" (remediation time / new feature time)?
- 14. Can the platform scale to 10x current transaction volume without a database re-architecture?
- 15. What are your single points of failure in the infrastructure?
- 16. How reliant is the product on "Hero Code" written by one person who left 2 years ago?
- 17. What is your Open Source Software (OSS) exposure and license compliance status? (A GPL violation can kill a deal instantly).
- 18. Do you have a documented AI strategy, or are you just "wrapping" OpenAI? (Defensibility is the key question here).
Security & Compliance
- 19. Have you completed a SOC 2 Type II audit? (Not "in progress," but completed).
- 20. When was your last third-party penetration test, and have all critical vulnerabilities been remediated?
- 21. Do you store PII/PHI, and are you fully GDPR/CCPA/HIPAA compliant?
- 22. What are your Disaster Recovery (DR) RTO (Recovery Time Objective) and RPO (Recovery Point Objective), and when were they last tested?
- 23. Have you had any security incidents in the last 3 years? (Disclose early; hiding it is fraud).
- 24. Are your developers working in production environments? (A massive governance red flag).
Part 3: Operational Reality (The Machine)
This is where "Scaling Sarah" usually gets stuck. Buyers don't buy founder heroics; they buy systems. If the business runs on your intuition, it’s not transferable.
Founder Dependency & Team
- 25. If the CEO and CTO go on vacation for 30 days, what breaks?
- 26. Is the sales process "Founder-Led" or "Playbook-Led"? (See: Founder Extraction Checklist).
- 27. What is your employee Net Promoter Score (eNPS) and regrettable attrition rate?
- 28. How much "Tribal Knowledge" exists solely in Slack DMs vs. documented SOPs?
- 29. Are your sales quotas based on historical data or top-down revenue goals?
- 30. What is the ramp time for a new sales rep to full productivity?
Part 4: Financial Integrity (The Truth)
Financial due diligence (FDD) is where the "Quality of Earnings" (QofE) report tears apart your EBITDA. The goal of the buyer is to find "add-backs" they can reject to lower the purchase price.
- 31. Are your financials audited, reviewed, or merely compiled?
- 32. Can you bridge the gap between Reported EBITDA and Adjusted EBITDA with evidence? (See: Why EBITDA Adjustments Get Rejected).
- 33. Are you recognizing revenue in accordance with ASC 606? (This is the #1 reason for post-LOI revenue restatements).
- 34. Do you have sales tax nexus liability in states where you sell but don't collect? (A massive hidden liability in SaaS).
- 35. What is the accuracy of your sales forecast vs. actuals for the last 8 quarters?
- 36. How do you capitalize software development costs? (Aggressive capitalization inflates EBITDA artificially).
- 37. What are your "One-Time" expenses, and will they actually disappear post-close?
Part 5: Legal & IP (The Shield)
Finally, the lawyers will look for reasons to sue you later. This phase is tedious but dangerous.
- 38. Do all employees and contractors have signed IP Assignment Agreements?
- 39. Are there any threatened or pending litigation matters?
- 40. Do you own all domains, trademarks, and social handles?
- 41. Are there "Change of Control" payments or bonuses triggered by this deal?
- 42. Have you complied with all open-source attribution requirements?
- 43. Are there any restrictive covenants in your employment agreements?
- 44. What is the status of your cap table? Are all options properly issued and 409A valued?
- 45. Do you have cyber insurance, and has a claim ever been filed?
- 46. Are there any "Most Favored Nation" (MFN) clauses in customer contracts?
- 47. Have you used any prohibited data (e.g., scraped data) to train your AI models?
- 48. Are there any liens on your IP or assets?
- 49. Is your data privacy policy up to date with current legislation (CPRA, etc.)?
- 50. Can you produce a "Data Room" with all of this information in 48 hours?
The Operator’s Take
You do not pass due diligence by answering these questions perfectly. You pass by knowing the answers are ugly and fixing them before the buyer asks. If your churn is high, fix the onboarding process now. If your code is messy, commission your own audit now. The difference between a 4x multiple and an 8x multiple is often just the ability to prove that your problems are solved, not hidden.