Buyer Guide

The due diligence checklist.

Most acquisition mistakes happen because someone skipped a step here. This checklist covers every area that matters — financials, customers, code, legal, traffic, and operations.

Use this before making any offer. The time you spend on diligence now is orders of magnitude cheaper than discovering problems after close.

Financial verification

Confirm MRR against Stripe, Paddle, or whichever payment processor is used — not spreadsheets alone
Verify trailing 12-month ARR and identify any revenue that is non-recurring
Request monthly MRR breakdown for the past 24 months to identify trends
Confirm churn rate calculation method and verify against raw customer data
Review any outstanding refunds, chargebacks, or disputed payments
Confirm net revenue retention (NRR) — ideally above 100%
Understand payment terms: monthly vs annual, any large prepayments
Review all operating expenses: hosting, tools, contractors, subscriptions
Confirm profit margin and identify any costs that will change post-acquisition
Request bank statements or payout records for the past 6–12 months

Customer analysis

Total active customer count — and how it is defined (trial vs paid)
Customer concentration: share of revenue from top 1, 3, and 10 customers
Customer contract lengths: month-to-month vs annual vs multi-year
Customer segments: B2B vs B2C, industry breakdown, geography
Churn cohort analysis: early cohorts vs recent cohorts — are things improving?
Identify any enterprise customers with custom contracts or SLAs
Review customer support ticket volume and resolution time
Net Promoter Score or CSAT data if available
Understand key customer relationships and which ones are founder-dependent

Technical review

Review code repository — access granted, not just described
Assess codebase documentation quality and inline comments
Identify any significant technical debt or unresolved architectural issues
Review test coverage — automated tests reduce post-acquisition risk
Understand deployment pipeline: CI/CD setup, how often deployments happen
Review infrastructure: cloud provider, architecture, estimated monthly costs
Identify any single points of failure in the technical stack
Confirm all third-party API dependencies and their reliability / cost
Review security practices: authentication, data encryption, vulnerability history
Confirm codebase ownership — no former contributors with IP claims

Traffic and marketing

Verify organic traffic via Google Search Console access — not just Analytics
Identify traffic sources and concentration risk (SEO vs paid vs referral vs direct)
Review backlink profile for any thin or low-quality links that could create SEO risk
Understand paid acquisition: CAC, ROAS, and whether campaigns are profitable
Review any affiliate or partnership programs and their terms
Confirm domain ownership and registration expiry
Review social media presence and community assets being transferred
Understand content assets: blog, documentation, SEO pages — who owns them

Legal and contracts

Confirm business entity structure and what exactly is being transferred
Review all customer contracts for transferability clauses
Identify any non-compete or non-solicitation obligations on the seller
Confirm trademark and domain ownership — no third-party claims
Review software licenses used in the product — open source compliance
Check for any outstanding litigation, regulatory action, or disputes
Review contractor and employee agreements — IP assignment clauses
Confirm GDPR / CCPA compliance posture and data processing practices
Review Terms of Service and Privacy Policy for any unusual provisions
Confirm there are no undisclosed revenue sharing or equity agreements

Operational continuity

Document all tools, subscriptions, and accounts required to run the business
Identify which accounts are tied to the seller's personal identity or email
Understand the support process: who handles it, how, and how long it takes
Map all integrations: payment processors, email providers, analytics, APIs
Identify any contracts with vendors that must be renegotiated post-acquisition
Understand onboarding process for new customers — is it documented?
Review any outstanding feature requests or committed roadmap items
Confirm hosting and infrastructure can be transferred or access granted

Hard red flags

Any of these alone is enough to pause and investigate further. Multiple red flags in the same deal should make you walk away.

Seller refuses to provide payment processor access for revenue verification
MRR figures do not reconcile with bank statement payouts
Churn is reported as an annual figure only — hiding higher monthly rates
Revenue is heavily concentrated in 1–2 customers with no written contracts
Codebase access is delayed or given only after signing — not before
Seller cannot explain revenue trend changes month-to-month
Any undisclosed revenue sharing, equity, or prior acquisition offers
Google Search Console shows traffic drop in the 60–90 days before listing
Open support tickets that have been unresolved for weeks without explanation

What we verify on listed businesses

Every listing on StackFlippers goes through a pre-publication review. We verify key metrics, review traffic data, and reject submissions that do not meet our threshold for accuracy and quality.

That said, we are not auditors. We verify what is verifiable and flag what is not. Buyers should treat our verification as a first filter — not a substitute for their own due diligence.

If something in a listing does not add up or you want access to deeper data before making an offer, contact us directly. We can facilitate NDA-protected conversations and structured data room access for serious buyers.

Browse verified listings

Every listing on StackFlippers has been reviewed before going live. Start with a business you believe in — then run the checklist.