Most legal due diligence items are the same in each M&A transaction, regardless of the industry the target company operates. The same applies to share purchase agreements (SPA): large parts of an SPA look the same in each M&A transaction.

But there are several focus points that are specific to M&A transactions involving SaaS target companies that shall be highlighted in the following (under German law):

SaaS Specific Legal DD Focus Items

There are four items that are a specific focus of legal due diligence regarding SaaS companies:

  1. Customer contracts and standardization,
  2. Exclusive ownership in source code,
  3. Freelancers and
  4. Data protection.

Let’s deep dive into those four focus items.

1. Customer contracts and standardization

The value drivers in SaaS transactions are recurring revenue and profitability and both result from customer contracts. Usually, SaaS companies work with quotations and purchase orders and apply the general terms and conditions of the SaaS company. If all customer contracts are concluded, applying the SaaS company’s general terms and conditions, the due diligence of the customer contracts is easy: only customer-specific terms like prices, fixed term and renewal terms, or customer-specific customizations need to be specifically reviewed.

The less customer contracts are standardized, the more cumbersome the due diligence becomes. For example, if a SaaS company has mainly large corporation customers and they insist on using their general framework agreement with statements of work and service level agreements, each customer agreement has to be reviewed individually, which takes longer and leads to a more complex risk assessment. Therefore, standardizing customer agreements using the SaaS company’s general terms and conditions facilitates the due diligence review and a straightforward M&A transaction process.

2. Exclusive ownership of source code

Except for IP, SaaS companies usually don’t have any valuable assets. But the IP is an extremely important asset. The key factor for IP is that it’s actually owned by the SaaS company and that such ownership is exclusive.

Basically, there are three sources who usually contribute to software source code (i) the founders / managing directors, (ii) employees, and (iii) freelancers / outsourced service providers.

Under German law, the rights in software created by employees automatically transfer to their employer regardless of whether there is a rights transfer clause or not, Sec. 69b of the German Copyright Act.

But this provision does not apply to managing directors and freelancers or outsourced service providers. Therefore, the rights in software source code created by them only transfer to the SaaS company if this is agreed upon. Therefore, it is paramount for SaaS companies to include valid and extensive rights transfer clauses in their contracts with managing directors, freelancers, and service providers.

3. Freelancers

SaaS companies often work extensively with freelancers. They are used for different functions, quite often for software development and DevOps, but also for service, sales, or other functions.

The main legal and tax risk in working with freelancers is whether or not they are actually employees. This differs from jurisdiction to jurisdiction. In Germany, the German State Pension Fund (Rentenversicherung Bund) has set up a catalog of criteria that are determinative for deciding whether a freelancer is an actual freelancer. What’s decisive is not primarily what is written in the freelancer contract, but the actual situation.

The consequences of fake freelancers being actually employees are far-reaching: Firstly, employees are entitled to termination protection under German law according to the German Termination Protection Act and freelancers are not.

Secondly, the tax regime is different for employees and freelancers. Freelancers charge VAT (unless a VAT exemption applies), pay their own taxes, and are not subject to social security. Employees are paid a salary, the employer has to withhold wage tax and employees are subject to social security, i.e. the employer and the employee each pay their part of the contribution to the health insurance, unemployment insurance, and pension insurance.

In case a freelancer was actually an employee, taxes and social security have to be retroactively paid and late payment charges apply.

Therefore, the legal due diligence on SaaS companies usually focuses on the status and treatment of freelancers and the SPA almost always contains tax and social security indemnity provisions, by which the seller(s) have to economically bear tax and social security payments incurring until the closing date of the transaction.

4. Data Protection

The level of detail of a data protection compliance review in the course of due diligence varies depending on the intensity of the processing of personal data by the SaaS company. In easy cases, SaaS companies do not process personal data beyond standard processing steps such as names of contact persons at customers or suppliers in a CRM or employee data.

But there are other cases where the SaaS company not only provides software, by which customers themselves process personal data but where the SaaS company has access to and processes personal data of its customers as well.

While standard data protection compliance due diligence is limited to certain areas such as whether an internal or external data protection officer has been appointed, whether there is a directory of data processing measures, which technical and operational measures are applied to protect personal data or whether there have been data protection violations and/or investigations by public authorities.

But if the business model of a SaaS company involves more extensive processing of personal data, the data protection compliance due diligence requires more detail and will usually comprise a review of the business model, the type of personal data processed, consent mechanisms, external reviews of data protection compliance, etc.

SaaS Specific SPA Focus Items

In SaaS M&A transactions, clauses in the SPA that are specific to SaaS transactions vary from transaction to transaction. However, the SaaS-specific clauses most often seen are

1. ARR or MRR based earn-out clauses,

2. Consideration of virtual shares in the purchase price and

3. SaaS-specific warranties and indemnities.

1. ARR or MRR-based earn-out clauses

Sometimes buyer and seller agree only on a fixed purchase price. But in many transactions, next to a fixed purchase price, a variable purchase price (so-called “earn-out”) is agreed upon.

Whereas earn-outs are most often profit (EBIT or EBITDA) based in M&A transactions, in SaaS transactions they are often (but not always) based on annual recurring revenue (ARR) or monthly recurring revenue (MRR).

This is because the cost structure at SaaS companies often changes after an acquisition. For example, synergies may be generated, costs may rise or fall due to an increase or decrease of development work or overhead functions may be centralized.

ARR or MRR-based earn-out clauses are relatively straightforward, but “recurring” revenue must be accurately defined. Usually, it includes only recurring licensing, service, and maintenance revenue from software licensing, service, and subscription agreements, but excludes one-time revenues generated through e.g. set-up and installation or development. Furthermore, revenues from non-collectible invoices are usually excluded.

2. Consideration of virtual shares

Quite often, SaaS companies grant virtual shares to their employees and members of management and sometimes further persons (e.g. advisors or advisory board members). Payments on such virtual shares are usually owed by the SaaS company upon the closing of the transaction. If the virtual shares are granted to employees, payments on such virtual shares are subject to wage tax withholding and potentially social security contributions.

The way often followed to deal with virtual shares is to deduct the amount payable (including wage tax to be withheld) and potential social security contributions as financial debt in the equity value purchase price calculation, leading to an iteration calculation. Other ways of settling virtual share programs are possible and the ideal way depends on how the virtual share program is structured.

SaaS-specific warranties and indemnities

The warranties and indemnities specific to SaaS transactions usually mirror the focus items in the due diligence. Most SaaS SPAs contain extensive warranties on IP ownership, exclusive rights in the source code, the absence of open source code leading to copyleft effects or source code disclosure obligations, source code escrow arrangements, IT security, and data protection compliance.

Furthermore, a tax indemnity provision in a SaaS SPA will usually comprise indemnification not only for taxes payable but also social security contributions payable by the company. At least regarding wage tax and social security contributions, such indemnification obligation must comprise the entire period until the closing of the transaction, even if the economic effective date differs from such date.


M&A involving SaaS companies is no rocket science. But in order to facilitate a smooth M&A process, founders of SaaS companies should envisage the due diligence already from day one of their company and standardize their customer agreements, implement proper rights transfer clauses in the managing director service agreements and freelancer agreements, and work with external freelancers only on such basis that they are actually freelancers and not employees.

Also, proper documentation should be kept available on a constant basis in order to avoid a lengthy process to prepare due diligence when an M&A transaction actually materializes.