Software Acquisition Agreement: Due Diligence for Multi-Million Dollar Deals

Private equity buyers and strategic acquirers don’t lose money on software deals because the code “doesn’t work.” They lose money because what they thought they were buying—clean IP ownership, enforceable licenses, recurring revenue, scalable infrastructure, and compliant data practices—turns out to be partially owned, over-licensed, under-secured, or contractually constrained.

A well-structured software acquisition agreement (often drafted as a software asset purchase agreement or software rights purchase) is the mechanism that turns diligence findings into enforceable protections. This guide is written from the buyer’s perspective and provides a practical due diligence roadmap for multi-million dollar software acquisitions, including the key contract terms that should be shaped by the diligence results.

Along the way, we’ll naturally cover the search terms many acquirers use when sourcing documents and frameworks—like software acquisition agreement template, buying software company contract, software asset purchase agreement, and due diligence software acquisition—but with the nuance needed for real transactions.

---

Asset Purchase vs. Stock Purchase: Why It Matters for Software Buyers

Many buyers prefer a software asset purchase agreement when acquiring software assets (IP, code, customer contracts, domains, data, and related rights) rather than buying the company’s stock. The asset structure can help:

• Avoid unknown liabilities (to a degree—some liabilities can follow assets depending on jurisdiction and contract terms)
• Exclude non-core assets and problematic obligations
• Require clean IP assignment and targeted consents

However, asset deals can be harder operationally. You may need:

• Third-party consent to assign customer agreements, licenses, leases, and cloud contracts
• Confirmed IP assignments from employees/contractors
• Transition services to keep the product running

This is why due diligence software acquisition is not just a checklist—it’s the basis for structuring closing conditions, price adjustments, indemnities, and post-close obligations.

---

The Buyer’s Due Diligence Playbook (Multi-Million Dollar Edition)

1) Corporate, Authority, and Chain of Title (Start Here)

Before debating revenue quality or scalability, confirm the seller can legally sell what they claim.

Buyer checklist:

• Entity formation documents; good standing certificates
• Board/member approvals and any required third-party approvals
• Cap table (even in an asset deal, liens and claims matter)
• Subsidiaries or JV arrangements affecting IP ownership
• UCC filings, liens, security interests, and releases required at closing

Red flags:

• IP held by founders personally
• Prior investors with security interests in IP
• Unreleased liens on “general intangibles” (often includes software IP)

Deal impact:

• Closing deliverable: lien releases, payoff letters
• Specific rep: seller has good and marketable title, free of encumbrances

---

2) IP Ownership: The Core of the Software Rights Purchase

In a software rights purchase, you’re not buying “a product.” You’re buying exclusive legal rights to exploit, modify, sublicense, and commercialize software and related IP.

Buyer checklist:

• Comprehensive schedule of IP: source code, object code, repositories, domains, trademarks, patents, trade secrets, documentation, APIs, SDKs
• Invention assignment agreements for all employees
• Work-made-for-hire and assignment agreements for all contractors (critical)
• Prior assignments, transfers, and inbound IP licenses
• Any university, accelerator, or prior employer claims

Red flags:

• Missing contractor IP assignments (common and expensive)
• Side projects co-mingled into production code
• “Borrowed” code from prior employers
• No formal policy for IP creation and repository access

Deal impact:

• Special indemnity for IP ownership gaps
• Closing condition: execution of missing assignments
• Escrow/holdback tied to curing title defects

---

3) Open Source Compliance (Where “Free” Can Become Very Expensive)

Open source isn’t inherently risky. Unmanaged open source is.

Buyer checklist:

• Software Bill of Materials (SBOM) or open source inventory
• License types used (MIT/Apache/BSD vs. copyleft like GPL/AGPL)
• Open source scanning reports (e.g., Black Duck, Snyk, FOSSA)
• Internal policies for introducing and modifying OSS
• Use of AGPL components in networked SaaS (a frequent surprise)

Red flags:

• GPL/AGPL in core proprietary modules without compliance controls
• No attribution notices or license documentation
• Developers copying snippets from unknown sources

Deal impact:

• Rep/warranty: OSS usage is disclosed and compliant
• Covenant: remediate high-risk dependencies pre-close
• Indemnity carveout for specific OSS violations (buyer-friendly)

---

4) Customer Contracts and Revenue Quality (Assignment, Change of Control, and Churn)

Even if you’re buying assets, revenue often depends on contracts that may not be assignable without consent.

Buyer checklist:

• Top customer contracts (by ARR/TCV), amendments, and SOWs
• Renewal terms, termination rights, and service level commitments
• Change-of-control or anti-assignment clauses
• Most favored nation (MFN) clauses and pricing locks
• Support, uptime, credits, and refund obligations
• Any “perpetual” licenses, source code escrow triggers, or bespoke terms

Red flags:

• “Termination for convenience” rights on key accounts
• Uncapped service credits or penalties
• Heavy reliance on a single channel partner with termination rights
• Informal renewals or missing signatures

Deal impact:

• Closing condition: obtain consents for “Required Contracts”
• Purchase price adjustment tied to post-close churn
• Transitional services to ensure SLAs are maintained

---

5) Licensing Model and Third-Party Dependencies (Cloud, Data, and Tooling)

The product may run on infrastructure or use data/services the seller can’t legally transfer.

Buyer checklist:

• Cloud hosting agreements (AWS, Azure, GCP), reserved instances, credits
• Tooling: CI/CD, monitoring, analytics, support desk, CRM
• Third-party SDK/API terms (maps, payments, messaging, AI services)
• Data provider contracts and usage restrictions
• Restrictions on assignment and continued use post-close

Red flags:

• Non-transferable cloud credits priced into margins
• API terms that prohibit certain use cases or redistribution
• Vendor agreements tied to founder personal accounts

Deal impact:

• TSA (Transition Services Agreement) if contracts can’t transfer immediately
• Specific covenant to migrate accounts and credentials securely
• Warranty: no violation of third-party terms

---

6) Data Privacy and Security (Regulatory Risk + Contract Risk)

Data compliance failures can quickly become purchase price impairments—especially for SaaS with enterprise customers.

Buyer checklist:

• Privacy policy and internal data processing practices
• DPIAs, RoPAs (GDPR records), consent management
• DPA templates used with customers and subprocessors
• Incident response plan; breach history and notices
• Security posture: SOC 2 reports, ISO 27001 (if any), pen tests, vulnerability management
• Encryption, access controls, key management, and audit logging

Red flags:

• No signed DPAs with key customers
• Misalignment between privacy policy and actual practice
• Unreported security incidents or weak logging
• Over-collection of sensitive data (especially in regulated industries)

Deal impact:

• Rep: compliance with privacy laws and customer DPAs
• Indemnity: known incidents or specific compliance gaps
• Pre-close remediation plan as a condition or covenant

---

7) Product and Engineering Diligence (Code Quality, Scalability, and Maintainability)

Legal diligence should be informed by technical diligence. If the software can’t be maintained, your “rights” won’t generate returns.

Buyer checklist:

• Repository review: commit history, branching strategy, access rights
• Architecture diagrams; dependency map; critical services
• Test coverage, build reproducibility, release cycle
• Technical debt log; backlog health
• Key-person risk: who knows what, and documentation quality
• Roadmap feasibility and resourcing assumptions

Red flags:

• Single engineer as the only admin for production
• No disaster recovery plan or backup testing
• Manual deployments or undocumented infrastructure
• Licensing risk in embedded third-party libraries

Deal impact:

• TSA scope includes engineering support and knowledge transfer
• Holdback tied to deliverables: documentation, runbooks, admin access transfer

---

8) Litigation, Claims, and IP Infringement Exposure

Buyer checklist:

• Threatened or pending litigation
• Cease-and-desist letters, DMCA notices, customer disputes
• Claims of infringement, misappropriation, or breach of license
• Employment disputes that could implicate IP ownership

Red flags:

• Competitor claims of copied functionality or trade secrets
• Former employees asserting ownership
• Customer disputes over performance, security, or uptime

Deal impact:

• Specific indemnities and escrow for known claims
• Exclusion of certain liabilities (or separate settlement pre-close)

---

9) Employment, Contractors, and Incentives (Who Built It and Who Will Stay?)

In software deals, people create the value. Even in a pure asset purchase, you need continuity.

Buyer checklist:

• Employee/contractor roster, roles, and employment terms
• Non-compete/non-solicit enforceability (varies by jurisdiction)
• Equity incentives and acceleration that may trigger
• Bonus plans tied to closing or post-close performance
• Immigration/visa issues for key technical staff

Red flags:

• Misclassified contractors
• No confidentiality agreements
• Key engineers planning to leave post-close

Deal impact:

• TSA and consulting agreements with key founders/engineers
• Condition: key employee offers accepted (where appropriate)
• Non-solicit and confidentiality reaffirmations

---

Essential Terms in a Buyer-Friendly Software Acquisition Agreement

Diligence findings should map directly into the agreement. If your draft reads like a generic software acquisition agreement template, it likely won’t protect a multi-million dollar investment.

1) Purchased Assets and Excluded Assets (Be Precise)

Define exactly what is being purchased: code, IP registrations, domains, customer contracts, documentation, data sets (if transferable), support materials, and goodwill. Attach schedules and make them comprehensive.

2) Assumed vs. Excluded Liabilities

Buyers usually aim to assume only explicitly listed liabilities (e.g., ongoing customer support obligations under assigned contracts). Everything else should remain excluded—subject to legal limits.

3) Representations and Warranties That Matter in Software Deals

Common buyer-critical reps include:

• IP ownership and non-infringement
• OSS compliance
• Authority and enforceability
• Customer contract status (no defaults, disputes disclosed)
• Privacy/security compliance and breach disclosure
• Financial and operational disclosures relevant to the asset

For larger deals, consider representation & warranty insurance (RWI), but note: insurers often scrutinize IP and security heavily and may exclude known issues.

4) Covenants (Pre-Closing and Post-Closing)

Covenants operationalize the transition:

• Maintain normal course operations
• No new high-risk OSS introduction
• No changes to key customer terms without consent
• Deliver migration plans, credentials transfer, and documentation

5) Conditions to Closing (Tie to Real Risks)

Examples:

• Receipt of required contract consents
• Delivery of lien releases
• Execution of missing IP assignments
• No material adverse effect (carefully defined for SaaS)

6) Indemnities, Caps, Baskets, and Escrows (Allocate Risk)

In software rights purchases, buyers often negotiate:

• Escrow/holdback for IP, security, and contract assignment risks
• Longer survival periods for IP and compliance reps
• Special indemnities for known issues uncovered in diligence

7) Transition Services and Source Code/Infrastructure Handover

A TSA can be critical for:

• Continued hosting and DevOps support
• Customer support and bug fixes
• Knowledge transfer and training
• Migration of accounts from seller-owned credentials

8) Post-Closing Support, Non-Solicit, and Confidentiality

Even after acquiring the software assets, you want to reduce erosion:

• Non-solicit of customers and employees (where enforceable)
• Confidentiality obligations that survive
• Cooperation on audits, customer notices, and compliance updates

---

Practical Due Diligence Workflow for PE and Acquirers

If you’re running parallel legal + technical diligence, the process below keeps the deal moving while preserving leverage:

1. Kickoff with a diligence request list tailored to software (IP/OSS/security/customer contracts).
2. Do a “top 10 risks” review in week one (assignment barriers, IP gaps, security posture).
3. Quantify remediation: cost, timeline, and operational disruption.
4. Convert issues into deal terms: closing conditions, special indemnities, escrows, TSAs.
5. Re-check right before signing/closing: no new key contract changes, no new vulnerabilities, clean title deliverables ready.

This is where many “buying software company contract” discussions stall: the buyer sees risk, but the agreement doesn’t clearly convert risk into enforceable remedies. Your objective is alignment.

---

Conclusion: Diligence Is Only Valuable If the Agreement Captures It

For multi-million dollar acquisitions, software diligence must go beyond surface-level checklists. The value of the deal lives in enforceable ownership, transferable contracts, compliant licensing, and reliable operations—and the software asset purchase agreement is where those findings become real buyer protections.

If you’re moving quickly and want to generate a strong first draft (and then customize it based on diligence), consider using an AI-assisted approach to accelerate iteration. You can explore Contractable, an AI-powered contract generator, at https://www.contractable.ai.

---

Other Questions Buyers Ask (Continue Learning)

• What’s the difference between a software asset purchase agreement and an IP assignment agreement?
• Which representations and warranties are most important in a software acquisition agreement template for buyers?
• How do anti-assignment clauses affect SaaS customer contract transfers in asset deals?
• What open source licenses (GPL/AGPL) create the biggest risk in commercial software acquisitions?
• How should escrow and holdback amounts be sized for IP and cybersecurity risk?
• What should be included in a Transition Services Agreement for a software rights purchase?
• Can customer data be transferred in a software acquisition, and what consents are required?
• How does RWI (rep and warranty insurance) treat software IP and security findings?
• What technical diligence items most often change valuation in due diligence software acquisition reviews?
• How do you handle founder-owned code repositories, cloud accounts, and credentials pre-close?