
SaaS Company Due Diligence: The 50 Questions Investors Always Ask

Don't let your deal die in diligence. The comprehensive 50-question checklist for SaaS founders and PE sponsors covering revenue quality, technical debt, and legal risks. 2026 Benchmarks included.

Figure 01: A structured checklist of SaaS due diligence questions on a digital tablet, surrounded by financial charts and analytics dashboards.
By Justin Leader
Industry: B2B SaaS
Function: Corporate Development

The Era of the "Trust Me" Deal Is Dead

If you raised capital between 2020 and 2021, you might remember due diligence as a formality—a two-week sprint where investors glanced at your ARR growth, high-fived your CTO, and wired the funds. Those days are gone. In 2026, due diligence is an autopsy performed on a living patient.

Today, roughly 47% of M&A deals fail during due diligence. They don’t fail because the product is bad; they fail because the documentation of the business contradicts the narrative of the business. Investors have moved from checking boxes to hunting for "valuation killers"—hidden technical debt, shaky revenue recognition, and customer concentration risks that don’t show up in a pitch deck.

For founders like you ("Scaling Sarah"), this shift is terrifying. You’ve spent years building a product, not a data room. But for Private Equity buyers ("Portfolio Paul"), this rigor is non-negotiable. They aren’t betting on potential anymore; they are buying predictability. If your answers to their questions are "I’ll get back to you" or "It’s complicated," you aren’t just losing trust—you are actively compressing your multiple.

The following guide isn’t just a list; it’s the exact interrogation script used by top-tier PE firms and strategic acquirers in 2026. We have broken it down into the five "Kill Zones" where deals go to die. If you can answer these 50 questions with data, you won’t just close; you’ll close at a premium.

The 50-Question Interrogation Script

Kill Zone 1: Commercial & Revenue Quality

Investors don’t trust your ARR. They want to know the quality of that revenue. Is it growing because you’re good, or because you’re burning cash?

  • 1. What is your Net Revenue Retention (NRR) by cohort for the last 3 years? (Benchmark: >104% median, >120% top decile).
  • 2. What is your Gross Revenue Retention (GRR)? (If <90%, your bucket is leaking).
  • 3. What is your exact CAC Payback Period on a gross margin basis, not revenue basis?
  • 4. Do you have any single customer representing >10% of ARR? (See: The Math Behind Concentration Risk).
  • 5. What is your Logo Churn vs. Revenue Churn rate?
  • 6. How much of your ARR is actually one-time professional services disguised as subscription?
  • 7. What is the bridge between your bookings and your recognized revenue (ASC 606 compliance)?
  • 8. What is your win rate against your top 3 named competitors?
  • 9. What is the average discount given at the end of the quarter vs. beginning?
  • 10. How many customers are currently "dark" (no logins in 30 days) but counted as active ARR?

Kill Zone 2: Technical Debt & Product Architecture

This is where the "black box" discount happens. If your code is a mess, your valuation drops by millions to pay for the rewrite.

  • 11. What percentage of engineering time is spent on maintenance/bugs vs. new features? (Benchmark: >30% on bugs is a red flag).
  • 12. Do you have an automated Bill of Materials (BOM) for all open-source components?
  • 13. Have you conducted a third-party Black Duck or Synopsys scan for license compliance?
  • 14. What is your code coverage percentage for automated testing?
  • 15. Are there any single points of failure in your architecture (e.g., one legacy server named "Gandalf")?
  • 16. Can you demonstrate a disaster recovery plan that was actually tested in the last 12 months?
  • 17. Do you strictly enforce Multi-Factor Authentication (MFA) across all internal systems?
  • 18. Is your platform multi-tenant, or are you hosting "fake cloud" single instances for big clients?
  • 19. What is your documented uptime vs. your SLA penalties paid out?
  • 20. When was your last penetration test, and have all "Critical" and "High" issues been remediated?

Kill Zone 3: Financial Rigor & Unit Economics

Your EBITDA is likely a lie—or at least, highly "adjusted." Buyers will strip away your add-backs to find the true cash generation.

  • 21. What is your Rule of 40 score (Growth % + Profit Margin %) today?
  • 22. Can you provide a bridge of your EBITDA add-backs with justification for each?
  • 23. What is your Days Sales Outstanding (DSO) trend? (Rising DSO = unhappy customers).
  • 24. Have you capitalized software development costs? If so, show the methodology.
  • 25. What is your burn multiple? (Net New ARR / Cash Burned).
  • 26. Are your unit economics calculated on Blended CAC or Fully Loaded CAC?
  • 27. What is the variance between your forecasted budget and actuals for the last 8 quarters?
  • 28. Do you have a "Switch" clause in your debt covenants?
  • 29. What is the detailed breakdown of your COGS (hosting vs. support vs. implementation)?
  • 30. Are sales commissions expensed immediately or amortized over the contract life?

Kill Zone 4: Legal & IP Hygiene

The deal dies instantly if you don’t own what you’re selling.

  • 31. Do 100% of current and former employees/contractors have signed IP assignment agreements?
  • 32. Are there any "change of control" provisions in your top 20 customer contracts?
  • 33. Have you ever utilized GPL-licensed code in your proprietary software?
  • 34. Are you fully compliant with GDPR, CCPA, and industry-specific regs (HIPAA, SOC 2)?
  • 35. Is there any threatened or pending litigation?
  • 36. Do you have clean title to all domains and trademarks?
  • 37. Are there any non-competes preventing you from entering specific markets?
  • 38. Have you collected sales tax (nexus) in all required jurisdictions? (A massive hidden liability).
  • 39. Are your data privacy policies consistent with your actual data handling practices?
  • 40. Do you have adequate Cyber Insurance and E&O coverage?

Kill Zone 5: Talent & Culture

Investors buy systems, but they bet on people. They need to know who leaves when the check clears.

  • 41. What is your unwanted attrition rate by department?
  • 42. Who are the "Key Persons" without whom the business stops functioning?
  • 43. Is there a "Founder Extraction" plan in place, or is the CEO still doing sales demos?
  • 44. What is your eNPS (Employee Net Promoter Score)?
  • 45. Are sales quotas attained by >70% of reps, or is revenue carried by two "hero" sellers?
  • 46. Do you have a documented org chart vs. the actual "shadow" hierarchy?
  • 47. What are the change-in-control bonuses or golden parachutes triggered by this deal?
  • 48. How diverse is your leadership team compared to industry benchmarks?
  • 49. Are there any undocumented side letters with employees regarding equity?
  • 50. If the founders leave tomorrow, does the product roadmap freeze?

Figure: Graph showing the correlation between NRR (Net Revenue Retention) and Valuation Multiples in 2026.

Surviving the Inquisition: Your Action Plan

Looking at this list of 50 questions, most founders feel a mix of exhaustion and panic. That is the point. Due diligence is designed to expose weakness. The only way to survive it is to simulate it before the buyer does.

1. Build Your Data Room Now (Not Later)

Do not wait for a Letter of Intent (LOI) to start organizing. A reactive data room screams "high risk." Create a structured Perpetual Data Room that is updated monthly. When an investor asks for "Question 17 (MFA policy)," you shouldn't be drafting a policy; you should be sending a link to a folder titled "2.1 Security Protocols."

2. The "Mock Diligence" Exercise

Six months before you plan to exit, hire a third party (or an operational consultant) to run a "Mock Diligence" on your firm. Give them this list of 50 questions. Let them tear your answers apart. It is better to find out you have a $500k sales tax liability from a friendly consultant than from a PE firm’s shark-like auditor who will use it to shave $2M off your purchase price.

3. The Narrative Bridge

Data without context is dangerous. For every "red flag" answer (e.g., "Our NRR dipped to 98% last year"), you need a narrative bridge. "Yes, NRR dipped because we intentionally churned unprofitable legacy clients to improve gross margins, and NRR is now tracking 106% for Q1." You must control the story, or the data will tell a worse one for you.

Conclusion: Precision Pays

In 2026, the valuation spread between a "clean" asset and a "messy" asset is massive—often 2x-3x on the revenue multiple. The difference isn't usually the product; it's the preparation. By mastering these 50 questions, you aren't just ticking boxes. You are signaling that you are an Operator, not just a Founder. And Operators get paid.
