SaaS Due Diligence Checklist
The structured evaluation that prevents a 12-month commitment you regret by month three.
Vendor viability assessment
Before evaluating features, assess whether the vendor is viable: How long have they been in business? How many employees do they have in product and engineering? Are they backed by funding or profitable, and if funded, when was the last round? Are there public signals of team stability — leadership changes, layoffs, Glassdoor patterns? A tool that solves your problem today but whose vendor is in distress will become your problem in 12 months.
Data security and compliance
Request the vendor's SOC 2 Type II report. Confirm whether they hold certifications required by your industry: HIPAA for healthcare data, PCI DSS for payment data, ISO 27001 for international operations. Ask for the full subprocessor list and evaluate whether any create compliance concerns. Confirm data residency: where your data is stored and whether it can be restricted to specific geographies. These questions must be answered before a contract is signed, not after.
Contract and commercial terms
Read the following contract sections before signing and evaluate each: auto-renewal terms and notice windows, price increase provisions, data retention after termination, liability caps and indemnification, acceptable use policy, and governing law and arbitration clause. For anything above 5,000 dollars annually, have an attorney review the contract. For anything above 25,000 dollars annually, negotiate at least the price increase provision, the termination notice window, and the data portability clause.
Reference checks and community validation
Request references from companies that match your profile and actually speak to them. Ask specifically: what went wrong and how was it handled? Beyond vendor-provided references, search relevant communities for authentic user experiences — industry Slacks, LinkedIn groups, review aggregators. Look for patterns across multiple sources. A single negative review is a data point; a pattern of the same complaint across many sources is a signal.
Technical integration validation
Before signing, confirm that the integrations you need exist, are bidirectional if required, and are maintained by the vendor rather than by a third-party connector service. Test the API during the trial period. Confirm rate limits at your expected usage volume. Evaluate the webhook reliability if you depend on event-driven data. A tool whose API you have not touched before signing is a tool whose integration cost you have not assessed.
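Two of the checks above (rate limits at your expected volume, webhook reliability) can be scored from trial-period observations rather than judged by feel. The harness below is an added example, not part of the checklist or any vendor's tooling; it assumes the API answers HTTP 429 once its per-minute limit is hit and that API events and webhook deliveries both carry an event id, and the sample data is constructed.

```python
# Added example, not from the checklist or any vendor: turns trial-period
# observations into two pass/fail checks from the section above.
# Assumptions (constructed): the API answers 429 once its per-minute limit is
# hit, and every API event and every webhook delivery carries an event id.
from collections import Counter
from dataclasses import dataclass


@dataclass
class RateLimitCheck:
    observed_per_minute: int   # successes before the first 429 in a one-minute burst
    expected_per_minute: int   # your projected usage at full rollout
    headroom: float            # observed / expected; below 1.0 means you will be throttled

    def sufficient(self) -> bool:
        return self.headroom >= 1.0


def assess_rate_limit(burst_statuses: list[int], expected_per_minute: int) -> RateLimitCheck:
    """burst_statuses: HTTP status codes, in order, from one minute of trial requests."""
    observed = 0
    for status in burst_statuses:
        if status == 429:          # limit reached: stop counting
            break
        if 200 <= status < 300:
            observed += 1
    return RateLimitCheck(observed, expected_per_minute, observed / expected_per_minute)


@dataclass
class WebhookCheck:
    missing: list[str]          # events the API lists but no webhook delivered
    duplicated: dict[str, int]  # event id -> delivery count, for ids delivered more than once
    delivery_rate: float        # share of emitted events delivered at least once

    def reliable(self, threshold: float = 0.999) -> bool:
        return self.delivery_rate >= threshold


def assess_webhooks(emitted_ids: list[str], delivered_ids: list[str]) -> WebhookCheck:
    """Compare events listed by the vendor's API with deliveries your endpoint logged."""
    counts = Counter(delivered_ids)
    missing = [e for e in emitted_ids if e not in counts]
    duplicated = {e: n for e, n in counts.items() if n > 1}
    rate = 1 - len(missing) / len(emitted_ids) if emitted_ids else 0.0
    return WebhookCheck(missing, duplicated, rate)


if __name__ == "__main__":
    # Constructed sample data standing in for a real trial log.
    burst = [200] * 120 + [429] * 30
    print(assess_rate_limit(burst, expected_per_minute=200).sufficient())  # → False
    emitted = [f"evt_{i}" for i in range(10)]
    delivered = ["evt_0", "evt_1", "evt_1", "evt_2", "evt_3", "evt_5", "evt_6", "evt_7", "evt_8", "evt_9"]
    print(assess_webhooks(emitted, delivered).missing)  # → ['evt_4']
```

Run the burst against the trial tenant, feed the recorded status codes and the two id lists in, and a failed check is a concrete item to raise with the vendor before signing.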