Technical Due Diligence
What buyers check
before they write the check
Most SaaS acquisitions fail technical review.
Here's what acquirers actually evaluate — and how to pass.
The due diligence checklist
Every technical buyer evaluates these six areas. Weakness in any one can kill a deal.
Code Architecture
Clear separation of concerns. Consistent conventions. No spaghetti. Buyers want code their team can maintain from day one.
Test Coverage & CI
Automated test suite that runs in CI. Not just unit tests — integration tests that prove the app works. Green builds on every commit.
Security Posture
Dependency scanning, static analysis, no hardcoded secrets. Auth that follows framework conventions, not a custom implementation.
Deployment & Infra
Reproducible deploys. Not "SSH in and run commands." Buyers want to see infrastructure as code and zero-downtime deployment.
Documentation
README that explains how to run the app. Architecture decisions recorded. The next developer can get productive in hours, not weeks.
Portability
Can you move off the current hosting? Are you locked into a platform? Buyers discount heavily for vendor dependencies they can't escape.
Red flags that kill deals
These are the findings that make acquirers walk away — or slash their offer by 50%.
"Works on my machine" deployment
No deploy scripts. No CI/CD pipeline. Deployment is a manual process that lives in one person's head. Acquirers see this as operational risk they'll have to fix themselves.
No tests, or tests that don't run
A test suite that's been disabled, skipped, or never existed. Buyers can't verify the app works as expected, and they can't refactor safely after acquisition.
Hardcoded secrets, no security scanning
API keys in source code. No dependency auditing. No static analysis. This isn't just a red flag — it's a liability that can tank the entire deal.
Platform lock-in
Can't migrate without rewriting. Deep dependencies on a specific PaaS, proprietary APIs, or serverless functions that only run on one platform.
No documentation for the next developer
No README. No architecture notes. No onboarding path. If the original developer disappears, the codebase becomes an archaeology project.
Tangled architecture
No clear separation of concerns. Business logic in views. Database queries in controllers. Everything coupled to everything else. The cost to maintain grows exponentially.
How Omaship addresses each checkpoint
Every due diligence item mapped to a specific, verifiable feature.
| What buyers check | What Omaship provides |
|---|---|
| Code architecture |
Rails 8 conventions. Models, controllers, services in expected locations. CLAUDE.md documents every architectural decision. ast-grep rules enforce patterns automatically.
|
| Test coverage & CI | GitHub Actions CI pipeline from day one. Minitest integration tests included. Every push runs the full suite — tests, linting, security scanning. |
| Security posture |
Brakeman static analysis and bundler-audit run in CI. Rails 8 native authentication (no Devise). Secrets managed through Rails credentials, never committed to source.
|
| Deployment & infra | Kamal 2 with zero-downtime deploys to any VPS. Infrastructure as code — the entire deploy config is in the repo. No manual server setup. |
| Documentation |
CLAUDE.md with project context. README with setup instructions. Architecture follows Rails conventions — the framework is the documentation.
|
| Portability | Self-hosted on any Linux VPS. No Vercel, no Heroku, no proprietary runtime. SQLite or Postgres — your choice. You own the code and the infrastructure. |
Want the full technical breakdown?
Our exit-ready architecture guide covers the complete technical foundation — from database design to deployment pipelines.
Read the architecture guideBuild for the exit from day one
Join the waitlist. Ship clean code. Pass due diligence.
No credit card. We’ll email a confirmation link.
Exit-ready architecture. From the first commit.