SaaS Due Diligence: What Investors Check and How to Prepare

Key Takeaways

Due diligence consists of four categories: commercial (customer references, competitive position), financial (model audit, cash flow reconciliation), legal (IP, contracts, cap table), and technical (architecture, security, scalability). Typical due diligence lasts 4-6 weeks and kills deals if founders misrepresent traction, legal issues surface, or technology proves weak. Prepare thoroughly and manage the process actively.

What Due Diligence Is and Why It Matters

Due diligence is the investor's investigation of your company. After you receive a term sheet, the investor conducts thorough checks on four fronts: commercial (are your claims about traction accurate), financial (are your metrics defensible), legal (are there any contractual risks), and technical (can your product scale). Due diligence lasts 4-6 weeks for Series A and 6-8 weeks for Series B. During this period, your deal is not closed. Investors have discovered red flags that killed deals in the past; they use due diligence to confirm your narrative is accurate.

Poor due diligence outcomes: undisclosed customer concentration (top three customers represent 50%+ of revenue, suggesting fragile business), misrepresented churn (you claimed 5% monthly churn but actual cohort data shows 12%), legal issues (IP not properly assigned, employment agreements missing), or technical debt (product is poorly architected and does not scale). Any of these can cause investors to kill the deal or significantly revise terms downward.

Commercial Due Diligence: Customer and Competitive Verification

Investors conduct customer reference calls with 3-5 of your customers. They ask: how long have you used this product, why did you purchase it, what value do you derive, would you recommend it, and what is your likelihood of continued usage? Investors are testing whether you misrepresented the value proposition or customer satisfaction. A customer saying "it solves the problem but we are evaluating alternatives" is a red flag. A customer saying "this is mission-critical and we could not operate without it" is validating. Prepare your reference customers. Brief them beforehand on the types of questions investors will ask. Do not script the conversation but ensure they understand the key selling points.

Investors also analyse your sales motion: how long is the sales cycle, how much does your product cost, who are your buyers, how many competitors are you losing deals to, and why. If you claim a 30-day sales cycle and your internal data shows 90 days, investors will catch this and lose confidence in your forecasting. If you have a weak win rate against direct competitors (you win 30% of deals against Competitor X), investors will question your value proposition. Be honest about competitive position and customer acquisition patterns. Investors expect variation; they do not expect perfect outcomes.

Financial Due Diligence: Model Audit and Metrics Verification

Investors hire a financial consultant to audit your financial model and verify key metrics. They obtain your bank statements and reconcile revenue reported in your model to revenue actually deposited. They verify your ARR calculation is accurate (annual contract value times number of active customers at month-end). They confirm your churn calculation is correct by reviewing customer cohort data. They validate your CAC by dividing total sales and marketing spend by new customers acquired. If your model claims 150% ARR growth but reconciliation shows 80% growth, the deal is at risk. If your claimed CAC of £2,000 is actually £5,000 when calculated correctly, investors will drop out.

Investors will challenge margin assumptions. Your model might claim 75% gross margins, but if your cloud infrastructure costs are rising with customer usage, actual margins may be 65%. If you have variable support costs that scale with customer count, margins decline further. Prepare your financial model to show realistic margins including all infrastructure and direct support costs. Avoid disguising COGS as operating expense to make margins appear better. Investors see through this and it destroys credibility.

Legal Due Diligence: IP, Contracts, and Cap Table Review

Investors hire a law firm to review your IP ownership, material contracts, and cap table. IP review confirms that all code, designs, and algorithms created by founders and employees are properly assigned to the company (through employee agreements) and not licensed from third parties without appropriate rights. Missing IP assignments are a major deal killer. If a key employee claims to retain rights to a critical piece of software, you cannot represent to investors that you own the IP. Assignment is fixable (get the employee to sign an assignment retroactively) but discovering this in due diligence creates doubt about what else is wrong.

Contract review examines your customer agreements, supplier contracts, and employment agreements. Investors look for material risks: non-standard payment terms (customer wants 120-day payment but you need cash flow), concentration risk (one customer represents 30%+ of revenue), or termination rights that allow customers to exit if your product fails to meet minimum performance standards. These are not necessarily deal killers but they must be disclosed and understood before closing.

Cap table review verifies that all shares, options, and warrant conversions are properly recorded. Investors want to confirm the fully diluted capitalisation and that no hidden stakeholders exist. A founder who failed to register a co-founder's shares or who issued options outside the option pool creates uncertainty about who owns what. These issues are fixable but time-consuming and create legal costs that push close dates.

Technical Due Diligence: Architecture, Security, and Scalability

Investors hire a technical consultant (for larger rounds) or conduct informal technical review (for smaller rounds) to assess whether your product is architecturally sound, secure, and scalable. They ask: how is your product built, what are your dependencies on third-party services, how do you handle data security, what is your uptime track record, and can you scale to 10x your current customer base? A product built on legacy technology or with significant technical debt may be a concern. A product with poor security practices or frequent security incidents is a red flag. A product with unacceptable uptime (95% instead of 99.9%) for a mission-critical use case is a deal killer.

Technical due diligence typically includes a code review of your core systems, review of your infrastructure and deployment process, and assessment of your monitoring and alerting. Investors want to understand if you have a professional engineering foundation or if you have hacked together a product that is fragile. This is especially important for B2B SaaS where downtime has direct customer impact.

Managing the Due Diligence Process: Timeline and Momentum

Due diligence typically begins two weeks after you receive a term sheet. Create a due diligence timeline that allocates tasks and deadlines. You are responsible for providing documents, customer references, and being available for investor questions. Do not let investor requests linger unanswered. If they ask for a document, provide it within 48 hours. If they ask for customer reference contacts, provide them within 24 hours. Slow responses create the perception that you are hiding something or are disorganised.

Assign someone on your team to manage the due diligence process. This person should track all investor requests, maintain a document checklist, and ensure nothing falls through the cracks. Investor diligence teams will request documents repeatedly if they do not receive clear acknowledgement that the request was received. Centralising all communication prevents the chaos of investors asking multiple team members for the same document.

Red Flags That Kill Deals in Due Diligence

Major red flags: customer concentration (top customer is more than 20% of revenue), undisclosed legal issues (litigation, IP disputes, regulatory issues), material misrepresentation of metrics, significant technical debt or poor code quality, high employee turnover without documented reasons, undisclosed related-party transactions, or customer acquisition cost that is materially higher than claimed. Any of these can cause investors to walk away or significantly revise valuation downward. Address red flags before due diligence if possible. If they surface during diligence, be transparent about them and explain your mitigation plan.

Related Reading

For preparing your financial model and metrics, see SaaS Pre-Raise Preparation: The Complete Checklist. For understanding cap table and legal structure, read SaaS Cap Table Dilution: How to Calculate and Model Ownership. For term sheet negotiation after due diligence, explore Term Sheet to Close: The Legal Process and Timeline.

Key Takeaways

  • Due diligence consists of four categories: commercial, financial, legal, and technical
  • Typical due diligence lasts 4-6 weeks and can kill deals if red flags surface
  • Commercial due diligence includes customer reference calls and competitive positioning verification
  • Financial due diligence reconciles your model to bank statements and verifies all key metrics
  • Legal due diligence checks IP assignment, material contracts, and cap table accuracy
  • Technical due diligence assesses architecture, security, and scalability of your product
  • Manage the process actively: respond to requests quickly and assign one owner to coordinate

Yanni Papoutski

VP Finance & Strategy. Author of Raise Ready. Has supported fundraising across multiple rounds backed by Creandum, Profounders, B2Ventures, and Boost Capital. Experience spanning UK, US, and Dubai markets.
