Technology and SaaS M&A:
Legal Guide for Buyers and Sellers

Employees

US employees working within the scope of their employment are generally covered by the work-made-for-hire doctrine, but the scope of employment is not always clear. An employee who developed key functionality outside of normal working hours, using personal equipment, on a project that predated employment, or that was only later incorporated into the product may have a colorable ownership claim. Standard employment agreements should include an explicit IP assignment clause that covers all work product related to the company's business, regardless of when or where it was created.

In diligence, buyers should confirm that all current and former employees who made material contributions to the codebase have signed agreements containing valid IP assignment language. Agreements signed after the contribution was made are weaker than agreements signed at hiring. California law prohibits employers from assigning certain inventions developed entirely on an employee's own time without using company resources, and similar limitations exist in other states.

Independent Contractors and Freelancers

The work-made-for-hire doctrine does not apply to independent contractors in most circumstances. A contractor who built a module without a written assignment agreement owns the copyright to that code, even if the company paid for it. This is one of the most common IP gaps found in SaaS diligence, because early-stage companies regularly hire freelancers or offshore development firms without securing proper IP assignment.

When a gap is identified, it may be possible to obtain a retroactive assignment from the contractor. Sellers should take this step before going to market and document the remediation in the disclosure schedules. Retroactive assignments are less reliable than contemporaneous ones, but they reduce the risk profile and demonstrate good faith. Buyers should treat material unresolved contractor IP gaps as a pricing or indemnification issue, not an immaterial finding.

Founders

Founder IP assignment is frequently overlooked at company formation, particularly where technical founders begin building the product before the company is formally incorporated. Code written before formation and later incorporated into the product requires a specific assignment from the founder to the company. This should be documented at formation, but many early-stage companies do not address it properly.

Where a co-founder has departed the company, the assignment question becomes more complicated. A departing founder who signed a valid IP assignment at formation transferred ownership before departure. A founder who left without signing an assignment, or whose assignment is ambiguous as to pre-formation contributions, represents a material IP risk that buyers will price accordingly. Sellers should resolve founder IP questions before going to market rather than leaving them for buyers to discover.

Annual Recurring Revenue (ARR)

ARR is the annualized value of subscription revenue that is contracted and expected to continue without additional sales effort. It excludes one-time fees, professional services revenue, and non-recurring charges. Sellers may define ARR differently from how buyers will calculate it, and the purchase agreement should include a specific definition of ARR to prevent disputes.

Buyers verify ARR by reviewing the underlying subscription agreements, billing records, and payment histories for each customer included in the ARR calculation. Contracts that are expired, month-to-month beyond an initial term without a renewal, or subject to active cancellation discussions should be scrutinized. The ARR figure in the information memorandum should match what can be verified from contract documentation.

Net Revenue Retention (NRR)

NRR measures what happens to revenue from a cohort of existing customers over time. It accounts for expansions and upsells (which increase the cohort's revenue) as well as churn and contractions (which reduce it). NRR above 100 percent indicates that the existing customer base is growing on its own; below 100 percent indicates net shrinkage from the existing base.

High NRR is a quality indicator that directly affects valuation multiples. Buyers use NRR to assess the durability of the ARR base and the product's ability to expand within existing accounts. Sellers representing NRR as a metric in deal materials should be prepared to support that figure with customer-level data showing the cohort analysis underlying it.

Gross Revenue Retention (GRR)

GRR measures retention from a customer cohort excluding expansions. It shows only the effect of churn and contraction: the percentage of the original ARR base that remains at the end of the measurement period. GRR can never exceed 100 percent because it does not include upsells. It provides a baseline measure of how well the product retains customers at their existing spend level.

GRR and NRR together tell a more complete story than either metric alone. A business with strong NRR but weak GRR may be growing its customer revenue through upsells while losing a meaningful number of customers, which creates a different risk profile than a business with moderate NRR and strong GRR. Buyers analyze both metrics across multiple time periods to identify trends.

Asset Purchase vs. Stock Purchase

In an asset purchase, the buyer acquires specific assets of the target company. Customer contracts are assets and must be assigned to the buyer for the relationships to continue. Most commercial contracts prohibit assignment without the counterparty's consent. This means an asset purchase of a SaaS business requires either obtaining customer consent to assignment or accepting the risk that customers may refuse consent or terminate.

In a stock purchase, the buyer acquires the shares of the company that holds the customer contracts. The contracting entity does not change, so no assignment of individual contracts occurs. However, many SaaS customer agreements include change-of-control provisions that give the customer certain rights (typically termination or renegotiation rights) if the company's ownership changes. The structure choice must account for what the customer contract portfolio actually says.

Change-of-Control Provisions

Change-of-control clauses in SaaS customer agreements vary widely. Some give the customer a termination right effective immediately upon a change of control; others require notice and provide a cure period; others are limited to situations where the acquirer is a direct competitor of the customer. Reviewing the customer contract portfolio for change-of-control language is a prerequisite to structure selection.

Where material customers have change-of-control rights, buyers and sellers must decide whether to notify those customers pre-close (giving them the option to exercise termination rights before the transaction is consummated) or to close and manage the risk post-close. The choice affects representations about customer relationships and how post-close revenue risk is allocated through earn-outs or escrow provisions.

Standard Form Contracts vs. Enterprise Agreements

Most SaaS businesses have two tiers of customer agreements: standard-form subscription agreements (often click-through terms of service) for smaller customers, and negotiated enterprise agreements for larger customers. The assignment and change-of-control provisions in these two tiers are typically very different.

Standard-form terms generally do not grant change-of-control termination rights and may be silent on assignment. Enterprise agreements frequently include negotiated change-of-control provisions, anti-assignment clauses, and most-favored-nation pricing protections that can constrain the buyer's post-close flexibility. The material enterprise customer agreements should be reviewed individually in diligence, not as a class.

GDPR: Scope and Transfer to Buyer

GDPR applies to any company that processes personal data of individuals in the EU/EEA, regardless of where the company is located. A US SaaS company with European customers, users, or employees is subject to GDPR. Key compliance requirements include: a lawful basis for processing, data subject rights (access, deletion, portability), data breach notification obligations, and data transfer mechanisms for cross-border data flows.

In diligence, buyers should review the target's privacy policy and data processing records, data transfer mechanisms (standard contractual clauses, adequacy decisions), records of any regulatory inquiries or data subject complaints, and whether the company has a GDPR-compliant incident response process. Material compliance failures create regulatory exposure that the buyer assumes post-close.

CCPA/CPRA and State Privacy Laws

The CCPA (as amended by CPRA) imposes rights on California consumers and obligations on businesses that meet threshold criteria. Rights include the right to know, right to delete, right to opt out of sale or sharing, and right to correct. The CPRA added a new regulatory agency (California Privacy Protection Agency) with enforcement authority.

States including Virginia, Colorado, Connecticut, Texas, and others have enacted comprehensive privacy laws modeled in part on GDPR and CCPA. A SaaS business with customers or users across multiple states may be subject to several of these laws simultaneously. Diligence should assess the target's compliance program across the applicable state law landscape, not just California law.

Data Privacy in the Purchase Agreement

The purchase agreement should include specific representations about data privacy compliance: that the company has maintained a privacy policy consistent with its data practices, that it has not experienced unreported data breaches, that it has complied in all material respects with applicable privacy laws, and that it has obtained required consents for its data processing activities.

Buyers should also address the data privacy implications of the acquisition itself. Transferring customer and user data from seller to buyer as part of the acquisition may require a legal basis under GDPR and notifications to data subjects under applicable state law. Legal counsel should analyze these transfer obligations as part of pre-close planning.

SOC 2 Reports

A SOC 2 (System and Organization Controls 2) report is produced by an independent CPA firm and evaluates the service organization's controls against the AICPA Trust Services Criteria. A Type I report assesses the design of controls at a point in time; a Type II report assesses operating effectiveness over a period, typically six to twelve months. Type II is the standard for enterprise customer requirements.

Buyers review SOC 2 Type II reports for: (1) audit period and whether it is current; (2) findings and exceptions noted by the auditor; (3) management responses to findings; and (4) which Trust Services Categories are covered (Security is mandatory; Availability, Confidentiality, Processing Integrity, and Privacy are elective). A SOC 2 report with multiple findings, a stale audit period, or limited scope coverage requires additional diligence into the company's security controls.

ISO 27001 Certification

ISO 27001 is an international standard for information security management systems (ISMS). Certification involves an accredited third-party audit of the company's ISMS against the standard's requirements. Unlike SOC 2, which is US-centric, ISO 27001 is globally recognized and is more commonly required by European enterprise customers.

ISO 27001 certification provides a framework for ongoing security management, including risk assessment, control implementation, monitoring, and continual improvement. Buyers should review the certification scope (which systems and processes are covered), the certification date and renewal status, and any surveillance audit findings.

Penetration Testing and Vulnerability Assessments

Penetration testing involves authorized simulated attacks on the company's systems to identify exploitable vulnerabilities. A well-run security program includes annual penetration tests and remediation of identified findings. Buyers should request the most recent penetration test reports, including the scope of the test, vulnerabilities identified, severity ratings, and remediation status.

Unresolved high-severity findings from penetration tests are a material diligence issue. They represent known vulnerabilities that have not been addressed, creating security risk that transfers with the acquisition. The purchase agreement representations should require disclosure of material security vulnerabilities and any active security incidents.

Stay Bonuses

A stay bonus is a cash payment conditioned on the employee remaining employed through a defined retention period, typically six to eighteen months after closing. The bonus provides a financial incentive to remain through the transition period, which is often when the risk of departure is highest.

Structuring considerations include: the retention period length (short enough to be effective, long enough to cover the critical transition window), the payment schedule (lump sum at end of period vs. installments), what happens on termination without cause during the retention period (typically the employee should receive the full bonus), and the tax treatment and gross-up obligations.

The allocation of stay bonus costs between buyer and seller is negotiated as part of the deal economics. Bonuses funded by the seller as a closing cost reduce net proceeds. Bonuses funded by the buyer post-close represent an operating expense that affects post-close cash flow projections.

Equity Rollovers for Technical Employees

In cases where a technical employee holds equity in the target company (options, restricted stock, or other equity awards), the buyer has the option to cash out those awards at closing (as part of the transaction consideration) or to replace them with equity in the buyer entity through a rollover mechanism.

Equity rollovers create ongoing alignment between technical employees and the acquiring entity's performance. A well-designed rollover converts existing equity value to a new grant with a new vesting schedule tied to post-close performance. Tax treatment of equity rollovers is complex and depends on the structure of the original award, the form of consideration, and elections made at the time of exchange. Employees should receive independent tax advice on rollover decisions, and the buyer should work with tax counsel to structure the exchange properly.

Employment Agreement Terms for Key Technical Staff

For the most critical technical contributors, a stay bonus or equity rollover may be insufficient. New employment agreements that address role definition, compensation, reporting structure, and termination protections may be necessary to achieve the retention that the acquisition requires.

Employment agreements for key technical staff should address: title and reporting, base compensation and bonus target, equity or option grant terms under the new entity's plan, intellectual property assignment obligations (a critical element for technical staff), and the scope of any non-compete and non-solicit restrictions. These agreements should be finalized before close, not left as post-close actions.

What Deferred Revenue Represents

Deferred revenue on a SaaS balance sheet represents subscription payments that customers have made for periods that have not yet been delivered. It is a liability because the company owes the customer ongoing service for the prepaid period. When a company receives an annual subscription payment upfront, it books the full payment as deferred revenue and recognizes it ratably over the twelve-month service period.

At any given balance sheet date, the deferred revenue balance represents the portion of prepaid subscriptions that have not yet been earned. For a SaaS company with mostly annual contracts billed upfront, the deferred revenue balance may be substantial relative to monthly revenue.

The Purchase Price Adjustment Problem

In an asset purchase, the buyer acquires the obligation to deliver the remaining subscription service to customers who have prepaid. The cash for that prepaid service was collected by the seller. If the purchase price does not account for the deferred revenue liability being assumed, the buyer is effectively paying for an asset (the subscription contract) but also inheriting an obligation (to deliver service) for which the seller has already been paid.

How this is handled varies by deal. Some deals reduce the purchase price by the amount of deferred revenue assumed. Others include the deferred revenue balance in the working capital target and settle it through the post-close working capital adjustment. Others address it through a specific line item in the closing balance sheet.

The approach should be clearly defined in the purchase agreement, not left to negotiation after signing. Vague language on deferred revenue treatment is a reliable source of post-closing disputes in SaaS acquisitions.

Working Capital Definition and Deferred Revenue

The working capital mechanism in a SaaS acquisition purchase agreement should explicitly address whether deferred revenue is included as a liability in the working capital calculation and how its fair value (as opposed to its book value) is measured. Tax-related deferred revenue adjustments under purchase accounting can create a difference between the GAAP carrying value and the economic value of the liability being assumed.

Buyers should model the working capital impact of deferred revenue under multiple scenarios before finalizing the working capital target in the purchase agreement. The working capital target should reflect the expected normalized level of deferred revenue in the business, not an artificially inflated balance created by accelerated billing before close.