Sylvia Parrish, Chief Business Columnist

June 30, 2026 · 14 min read

Why we hired a mergers and acquisitions attorney for a SaaS buyout

The deal was supposed to close in forty-five days. It took four months — and roughly $180,000 in legal fees nobody budgeted for — because nobody thought to audit the open-source dependencies buried three layers deep in the target's codebase.


I've watched boards wave through six-figure retainer agreements like they're stamping expense reports, then balk at hiring specialized legal counsel for a deal worth fifteen times the company's ARR. The logic, if you can call it that, goes something like: "We have a general counsel. We have a finance team. How hard can software M&A be?" The answer, as anyone who's survived one can tell you, is: hard enough to lose your shirt if you guess wrong on IP ownership, revenue recognition, or a single badly worded earn-out clause.

Let me walk you through what we learned — and what every acquirer in the SaaS space should know before signing a letter of intent.

The Hidden Risks of SaaS Intellectual Property: Beyond the Code

Here's the thing about software companies: the product looks clean from the outside. Shiny dashboard, recurring revenue, happy customers. Underneath? A labyrinth of third-party libraries, API integrations, and open-source components that may or may not comply with their own licensing terms.

In our case, the target had built its core platform on top of several GPL-licensed libraries. For the uninitiated, GPL — the GNU General Public License — carries what the industry calls a "copyleft" obligation: if you incorporate GPL-licensed code into your product, you may be required to release your own source code under the same terms. That's not a theoretical inconvenience. For a proprietary SaaS company whose competitive moat is the code, being forced to disclose it is existential.

An M&A attorney specializing in software transactions doesn't just "check the boxes" on IP. They commission a line-by-line audit of the dependency tree — every open-source package, every license variant, every attribution requirement. They're looking for contamination risk: code that was contributed by former employees without proper assignment agreements, libraries pulled from GitHub without verifying license compatibility, or proprietary modules that got accidentally mingled with copyleft components. The audit typically involves automated scanning tools like Black Duck or FOSSology layered on top of manual legal review, because automated tools catch known license headers but miss nuanced cases — like permissively licensed code that was forked from a GPL project and never properly sanitized.

What makes this particularly treacherous in SaaS is the pace of development. Engineering teams ship fast. They pull in dependencies without flagging them for legal review. A library added by a junior developer two years ago to solve a niche problem can sit dormant in the dependency graph, silently contaminating the entire codebase with license obligations nobody realized existed.
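To make the "three layers deep" point concrete, here is an added example (not code from the column or from any scanning tool it names): a breadth-first walk over a constructed dependency manifest that reports every non-permissive licence reachable from the product, together with the path that pulls it in. Package names, versions and licences are invented; licence strings follow SPDX identifiers, and the categories are a simplification a lawyer would refine.

```python
"""Added example, not part of the column: flag copyleft or unlabelled
licences anywhere in a dependency graph and show how each one got there.
All package names and licences below are constructed for illustration."""
from collections import deque

# Strong copyleft obligations can attach to the whole work; weak copyleft
# is usually confined to the library itself; unknown needs human review.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Constructed manifest: package -> (declared licence, direct dependencies).
# The GPL library sits three levels below the product, as in the column.
MANIFEST = {
    "acme-platform": ("Proprietary", ["web-core", "report-gen", "auth-kit"]),
    "web-core": ("MIT", ["http-util"]),
    "http-util": ("Apache-2.0", ["fast-compress"]),
    "fast-compress": ("GPL-3.0-only", []),
    "report-gen": ("BSD-3-Clause", ["pdf-lib"]),
    "pdf-lib": ("LGPL-2.1-only", []),
    "auth-kit": ("UNKNOWN", []),  # no licence header: manual review needed
}


def classify(license_id):
    """Map an SPDX-style licence id to a coarse risk category."""
    if license_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def audit(manifest, root):
    """Walk the graph from root. Return {package: (category, depth, path)}
    for every dependency that is not permissively licensed; the path shows
    which direct dependency dragged the problem in."""
    findings = {}
    seen = {root}                      # guards against dependency cycles
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        lic, deps = manifest.get(pkg, ("UNKNOWN", []))  # missing = unknown
        if pkg != root and classify(lic) != "permissive":
            findings[pkg] = (classify(lic), len(path) - 1, " > ".join(path))
        for dep in deps:
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings


if __name__ == "__main__":
    for pkg, (cat, depth, path) in audit(MANIFEST, "acme-platform").items():
        print(f"{cat:16} depth={depth}  {path}")
```

The walk only sees declared metadata, which is the column's point: a permissively labelled fork of GPL code would pass this check and still needs the manual review the audit layers on top.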

A SaaS company's intellectual property isn't just what it wrote — it's every library, framework, and API it borrowed along the way. Miss one, and you're buying a time bomb with a recurring revenue sticker on it.

This is where the due diligence period — typically thirty to ninety days for SaaS deals — earns its keep. Rush it, and you're gambling that nothing catastrophic is hiding in the dependency graph. I've seen acquirers who treated IP diligence as a formality discover, post-close, that a key integration was built on an API with a revocable license. The vendor pulled access six months later. Revenue cratered. Board meetings got very uncomfortable.

The other dimension people overlook is employee IP assignment. In many jurisdictions, code written by employees on company time automatically belongs to the employer. But what about contractors? What about that founding engineer who built the core authentication module before the company even incorporated, while still freelancing? If the assignment agreements aren't airtight — or worse, if they don't exist — you're buying a company that may not legally own the thing it sells.

If IP diligence is the part of the deal that protects you from catastrophic downside, the earn-out structure is where ambition meets the spreadsheet — and where most acquirers get outmaneuvered.

An earn-out, for those who haven't had the pleasure, is a provision in the purchase agreement where a portion of the sale price is contingent on the target hitting specific performance metrics after the acquisition closes. In SaaS, those metrics almost always involve ARR — Annual Recurring Revenue — or NRR, Net Revenue Retention. Sounds straightforward. It's anything but.

The friction comes from definitions. What counts as "revenue"? Is it bookings, recognized revenue under ASC 606, or something else entirely? Does churn from inherited enterprise contracts factor in? What about revenue from customers acquired through channel partners who take a thirty percent cut? What about customers on month-to-month contracts versus those locked into multi-year agreements — do they carry equal weight in the earn-out calculation? Every one of those questions is a negotiation, and every one of them can swing the earn-out payment by seven figures.

There's also the question of who controls the levers post-close. If the acquiring entity starts redirecting the target's sales team, shifting pricing strategy, or consolidating product lines — all normal post-acquisition behavior — they may be inadvertently sabotaging the very metrics the earn-out depends on. The seller's founders, who are now (in theory) motivated to hit those targets, watch their potential payout evaporate because of decisions they had no say in. That breeds litigation. Every time.

Earn-outs aren't incentives. They're compressed negotiations disguised as forward-looking optimism — and the side with better definitions wins.

Our mergers and acquisitions attorney caught something our finance team missed: the target was recognizing revenue from multi-year contracts on a straight-line basis, while our internal standard was to recognize it ratably based on delivery milestones. The difference in Year One alone was a $1.2 million gap in reported ARR. Had we built the earn-out on their accounting treatment, we'd have overpaid — and we wouldn't have discovered the discrepancy until the first post-close audit.

The fix wasn't just technical. Our counsel restructured the earn-out with clearly defined accounting methodology tied to our internal standards, included provisions for independent audit rights during the earn-out period, and — critically — added a "buyer protection" clause that prevented the seller from claiming earn-out shortfall if our own operational changes materially impacted the metrics. That single clause, which took roughly four hours of negotiation, saved us from what would have been a seven-figure arbitration.

This is precisely the kind of structural misalignment that turns a "synergistic acquisition" into a board-level headache. The attorney's job isn't to be a killjoy. It's to ensure that both sides are measuring success with the same ruler.

Data Privacy Liabilities: The GDPR and CCPA Audit Process

Let's talk about the liability nobody wants to discuss at the deal table: user data.

Every SaaS company is, at its core, a data company. The product processes it, stores it, and — if the marketing team has been doing its job — monetizes it. But that data carries legal obligations that can transfer to the acquirer like a contagion.

GDPR and CCPA compliance isn't a checkbox exercise; it's a structural question about how the target collected, processed, and stored personal data. Our attorney's team demanded copies of every Data Processing Agreement — DPAs — in place with customers and subprocessors. They audited consent records for the entire user base. They reviewed the target's privacy policy for accuracy and compliance, cross-referencing it against actual data flows. They mapped where personal data resided geographically, which cloud providers hosted it, and whether any transfers crossed jurisdictions in ways that violated adequacy requirements or lacked proper Standard Contractual Clauses.

What they found was instructive. The EU-based user records the team reviewed had consent documentation that was either incomplete, outdated, or noncompliant with current GDPR standards. Common problems included consent language that was too vague to meet the "freely given, specific, informed, and unambiguous" standard the regulation requires, records that predated the target's most recent privacy policy update, and in some cases, no documented evidence of consent at all — just an email address in a database with no audit trail showing how or when it was collected.

Under the GDPR's penalty framework — up to 4% of global annual revenue for serious infringements — that exposure represented a material liability we couldn't ignore. And the regulatory climate has only intensified: enforcement actions have escalated noticeably through 2023 and 2024, with authorities in Ireland, France, and Germany issuing multi-million-euro fines for violations that would have drawn warnings five years ago.

On the CCPA side, the picture was similarly concerning. California's enforcement framework has matured since its initial rollout, and the California Privacy Protection Agency has signaled a willingness to pursue companies that treat compliance as aspirational rather than operational. For a SaaS company processing data from California residents — and which one doesn't? — the cost of non-compliance isn't hypothetical.

The seller's response was predictable: "We've never had a complaint." That's not a compliance strategy. That's luck running on fumes.

We restructured the deal to include a specific indemnification clause for data privacy liabilities, with a holdback amount sufficient to cover remediation costs and potential fines. The holdback was tiered — released in tranches over eighteen months as the remediation milestones were hit and verified. Without counsel who understood the regulatory landscape at that granular level, we'd have either walked away from a viable deal or, worse, signed without understanding the exposure.

Protecting Continuity: Managing Change of Control Clauses in Vendor Contracts

There's a provision hiding in nearly every enterprise SaaS contract that can detonate a deal, and most acquirers don't think to look for it until it's too late: the Change of Control clause.

These clauses give customers — and sometimes vendors — the right to terminate their agreement if the company is acquired. On paper, they exist to protect the counterparty from being forced into a relationship with an unknown entity. In practice, they're a leverage point that can vaporize recurring revenue the day after closing.

Our attorney's team reviewed every contract above $50,000 in annual value. Out of roughly 200 enterprise agreements, 34 contained Change of Control provisions with immediate termination rights. Another 21 had modified versions requiring notice within 30 or 60 days of the acquisition. Combined, those contracts represented approximately 18% of the target's ARR.

Think about that for a moment. Nearly a fifth of the revenue we were pricing into the deal was, legally speaking, optional for the customers generating it.

The downstream effects are even worse than the raw numbers suggest. When a marquee customer exercises a Change of Control termination, it doesn't just remove their revenue from the ledger — it sends a signal to the rest of the customer base. Enterprise procurement teams talk to each other. A single high-profile departure during the integration window can trigger a cascade of renewal negotiations where every customer suddenly wants better pricing, shorter terms, or additional contractual protections.

The strategy became twofold. First, we negotiated a specific reps and warranties package from the seller confirming that all material contracts had been disclosed and that no counterparty had signaled intent to terminate. That package included a survival period and an indemnification basket tied specifically to revenue loss from Change of Control exercises — so if a customer did walk, we had contractual recourse against the seller for the misrepresentation.

Second, we built a customer retention plan — executive-level outreach to the top accounts, service-level guarantees, contractual extensions — to execute between signing and closing. The attorney structured these as "pre-closing covenants" in the purchase agreement, obligating the seller to cooperate with our retention efforts and prohibiting them from making any unilateral commitments to customers that could complicate the transition.

The contracts you don't read before closing are the ones that read you after.

Without the attorney flagging those provisions and quantifying the risk, we'd have valued the company on ARR that could have evaporated within weeks. That's not a rounding error. That's the difference between a profitable acquisition and a write-down.

There's also a subtlety worth noting: Change of Control provisions don't just exist in customer contracts. They appear in vendor agreements too — the target's hosting provider, its payment processor, its key API partners. If any of those relationships carry a Change of Control clause, the acquirer might find itself scrambling to renegotiate critical infrastructure agreements while simultaneously trying to integrate the product and retain customers. Our counsel mapped these vendor dependencies as part of the diligence process, flagged the ones with termination risk, and ensured we had contingency plans in place before we signed.

I'll be blunt about the cost, because everyone dances around it and it helps nobody.

M&A legal fees for SaaS transactions typically run between 0.5% and 2% of the total deal value, depending on complexity, jurisdictional scope, and the number of moving parts — IP audits, regulatory reviews, multi-entity structures, international data considerations. On a $50 million acquisition, that's $250,000 to $1 million in legal costs. It's real money. It's also a fraction of what it costs to get it wrong.

SaaS valuations in the current market sit in a wide band — anywhere from 5x to 15x ARR depending on growth trajectory, churn rates, gross margins, and market positioning. At those multiples, even a modest misalignment in the purchase agreement — an earn-out miscalculation, an undisclosed IP claim, a privacy fine — can swing the deal's economics by several multiples of the legal spend.

Here's how I frame it internally, every time someone proposes cutting the legal budget on a deal:

Cost Component | Typical Range | What It Prevents
--- | --- | ---
IP due diligence audit | $50K–$150K | Open-source license violations, code ownership disputes
Earn-out structure negotiation | $30K–$80K | Revenue recognition misalignment, post-close payment disputes
Data privacy compliance review | $40K–$120K | GDPR/CCPA fines, consent remediation costs
Contract review (Change of Control, vendor agreements) | $20K–$60K | Customer churn, vendor termination, revenue leakage
Total legal investment | $140K–$410K | Deals that don't crater twelve months post-close

The numbers aren't trivial. But compare them against the average cost of a post-acquisition dispute — litigation, indemnification claims, regulatory penalties, restructured earn-outs — and the math becomes uncomfortably simple.

There's also a structure worth understanding if you're doing repeated deals. Many specialized M&A firms offer blended fee arrangements — a flat fee for the diligence phase, hourly billing for negotiation, and success-based components tied to deal completion. That alignment matters. If your attorney has skin in the closing outcome, they're incentivized to be efficient without cutting corners. If they're purely hourly, the incentive structure runs the other direction. Our counsel worked on a modified flat-fee structure with milestone-based billing, which gave us cost predictability without sacrificing the depth of review.

I've sat in rooms where general counsels argued they could handle software M&A internally. Some can. Most can't — not because they're incompetent, but because the specificity of SaaS transactions demands a practitioner who has seen the failure modes before. Open-source license contamination, GDPR enforcement patterns, the nuances of ASC 606 applied to subscription revenue — these aren't generalist questions. They're specialist terrain.

Our attorney didn't just review documents. They anticipated problems we hadn't considered, structured protections we didn't know existed, and, frankly, kept us from overpaying for a company whose surface metrics looked better than its underlying risk profile. That's not overhead. That's the core infrastructure of a deal that actually works.

The SaaS acquisition market rewards speed and punishes due diligence shortcuts. Every week a deal drags on, the competitive dynamics shift, the team at the target company starts wondering about their option pools, and the board gets antsy. I understand the pressure. I feel it too.

But I've also seen what happens when speed wins and rigor loses. It's ugly, it's expensive, and it's almost always preventable.

If you're buying a software company and you're debating whether to bring in specialized M&A counsel, stop debating. The question isn't whether you can afford the attorney. The question is whether you can afford what happens without one — whether you're tracking the right trends to even evaluate the opportunity in the first place.

The deal that closes without surprises isn't lucky. It's lawyered.

Sylvia Parrish