Technical Discovery Questions for ETA Searchers

A practical guide for identifying technical risks during initial conversations with acquisition targets

Introduction

As a searcher evaluating acquisition opportunities, you don’t need to be a technical expert—but you do need to ask the right questions to identify when technical expertise is required. This guide provides straightforward questions to ask during your initial discovery phase, along with guidance on what answers should trigger deeper investigation.

Important Note: Not all businesses have custom software. Many successful businesses operate using:

  • Off-the-shelf software packages
  • SaaS platforms and subscriptions
  • Websites built on standard platforms (WordPress, Shopify, etc.)
  • Vendor-built or customized solutions

This guide covers questions relevant to all technology scenarios, from simple websites to complex custom applications. Skip sections that don’t apply to your target business, but don’t assume technology is “simple” without asking the right questions.

How to Use This Guide:

  • Ask these questions during management presentations and initial due diligence
  • Listen for vague answers, hesitation, or lack of documentation
  • Note any red flags that suggest you should bring in technical due diligence support
  • Focus on understanding risks that could affect your ability to operate and grow the business post-acquisition

1. Technology & Product Questions

Q1: “What technology or software does your business depend on to operate and deliver value to customers?”

What You’re Looking For:

  • Complete inventory of critical technology assets
  • Understanding of custom vs. off-the-shelf solutions
  • Mission-critical systems that could halt operations if unavailable

Red Flags Requiring Expert Assessment:

  • ⚠️ Unclear or incomplete understanding of technology dependencies
  • ⚠️ Critical systems owned or controlled by departing owner personally
  • ⚠️ Reliance on discontinued or sunset products
  • ⚠️ “It’s all handled by [one vendor/person] – I don’t really know the details”

Green Flags:

  • Clear inventory of all software and systems
  • Documented technology architecture
  • Mix of standard, well-supported solutions
  • Owner can explain how each system contributes to business operations

Q2: “Do you use any custom-built software, or is everything off-the-shelf/SaaS?”

What You’re Looking For:

  • Extent of custom development vs. standard solutions
  • Technical complexity and support requirements
  • Knowledge transfer needs

If Using Custom Software:

  • Proceed with questions Q3-Q5 below
  • Pay special attention to knowledge concentration and documentation

If Using Only Off-the-Shelf/SaaS:

  • Skip to infrastructure questions (Section 2)
  • Focus on vendor relationships (Q22-Q23)
  • Understand customization and integration complexity

Red Flags Requiring Expert Assessment:

  • ⚠️ Custom software with no documentation or maintainers
  • ⚠️ Heavy customization of off-the-shelf products creating vendor lock-in
  • ⚠️ Mix of custom and off-the-shelf with poor integration

Green Flags:

  • Clear understanding of what’s custom vs. standard
  • Appropriate choice (custom vs. off-the-shelf) for business needs
  • Standard solutions for non-differentiating functions

Q3: “For any custom software: Can you walk me through your technology stack? What programming languages, frameworks, and platforms do you use?”

Note: Skip this if no custom software is used.

What You’re Looking For:

  • Risk of obsolete or dying technologies that will be difficult to maintain or find developers for
  • Excessive complexity for the business size
  • Dependencies on niche or proprietary technologies

Red Flags Requiring Expert Assessment:

  • ⚠️ “We built everything in a custom framework that only [one person] really understands”
  • ⚠️ Technologies that are 10+ years old with no active community
  • ⚠️ “The original developer used some obscure language/framework”
  • ⚠️ Inability to clearly explain the technology choices

Green Flags:

  • Modern, widely-adopted technologies (Python, JavaScript, Java, C#, etc.)
  • Clear rationale for technology choices aligned with business needs
  • Technologies with active communities and available talent

Q4: “For any custom software: Do you use version control (like Git) for your code? Can you show me your repository?”

Note: Skip this if no custom software is used.

What You’re Looking For:

  • Basic software development hygiene
  • Risk of lost code or inability to track changes
  • Knowledge concentration with individual developers

Red Flags Requiring Expert Assessment:

  • ⚠️ “We don’t use version control” or “Code is on [developer’s] laptop”
  • ⚠️ Sporadic or inconsistent usage
  • ⚠️ No commit history or very limited history
  • ⚠️ Single developer making 95%+ of commits

Green Flags:

  • Consistent use of Git or similar version control
  • Multiple team members contributing
  • Clear branching and release patterns, but this is less important when there are one or two developers

Q5: “For any custom software: How do you test your software before releasing it to customers?”

Note: Skip this if no custom software is used.

What You’re Looking For:

  • Quality assurance processes that prevent customer-facing bugs
  • Risk of releasing defective software
  • Testing maturity and automation level

Red Flags Requiring Expert Assessment:

  • ⚠️ “We just test it manually” or “Our customers test it for us”
  • ⚠️ No automated testing whatsoever
  • ⚠️ “We don’t really have time for testing”
  • ⚠️ Frequent production issues or customer complaints about quality

Green Flags:

  • Automated test suites that run before releases
  • Clear QA process with documented test cases
  • Low rate of customer-reported bugs
  • Unittest coverage on cirical code.

Q6: “For any custom software: What open-source libraries or third-party components do you use? How do you keep them updated?”

Note: This question is less relevant for pure SaaS solutions (vendor manages updates), but critical for custom software.

What You’re Looking For:

  • Security vulnerabilities from outdated dependencies
  • License compliance risks
  • Maintenance burden from technical debt

Red Flags Requiring Expert Assessment:

  • ⚠️ “We don’t really track that” or “They’re probably pretty old”
  • ⚠️ No process for updating dependencies
  • ⚠️ Using libraries that are multiple major versions behind
  • ⚠️ Uncertain about licenses (especially GPL/copyleft in proprietary products)

Green Flags:

  • Regular dependency updates (at least quarterly)
  • Documented list of third-party components
  • Security scanning tools in place
  • Clear understanding of license obligations

Q7: “Does anyone in your business use AI tools (ChatGPT, Claude, Copilot, etc.) in their work? How are you managing prompts and outputs?”

What You’re Looking For:

  • AI usage awareness and governance
  • Data leakage risks through AI tools
  • Intellectual property protection
  • Prompt management and institutional knowledge

Red Flags Requiring Expert Assessment:

  • ⚠️ Uncontrolled AI usage with no policies or awareness
  • ⚠️ Employees entering customer data, proprietary code, or confidential information into public AI tools
  • ⚠️ No prompt preservation or knowledge management strategy
  • ⚠️ Using AI for critical decisions without human oversight
  • ⚠️ No consideration of AI-related IP ownership issues
  • ⚠️ Training AI models on customer data without consent

Green Flags:

  • Clear AI usage policy and employee training
  • Approved AI tools with appropriate data protections (enterprise agreements)
  • Prompt library or knowledge management system for valuable prompts
  • Human review required for AI-generated content/code
  • Clear guidelines on what data can/cannot be shared with AI tools
  • Understanding of AI output licensing and IP considerations
  • Regular audits of AI tool usage

Q8: “Have you ever had a security breach or data leak? How did you respond?”

Note: This applies to all businesses regardless of whether they use custom or off-the-shelf software.

What You’re Looking For:

  • Past security incidents and response quality
  • Security posture and awareness
  • Potential liability from inadequate security

Red Flags Requiring Expert Assessment:

  • ⚠️ Yes, and inadequate response or remediation
  • ⚠️ Defensive or evasive answers
  • ⚠️ No security measures in place at all
  • ⚠️ Storing sensitive data (PII, payment info, health data) without proper controls

Green Flags:

  • No breaches, or well-handled incident with thorough remediation
  • Regular security assessments
  • Clear security practices (encryption, access controls, etc.)
  • Security awareness training for team

2. Websites, Domains & Digital Assets

Q9: “What websites does the business own and operate? How are they hosted and maintained?”

What You’re Looking For:

  • Complete inventory of web properties
  • Technical ownership and control
  • Maintenance responsibilities and dependencies

Red Flags Requiring Expert Assessment:

  • ⚠️ Website “owned” by marketing agency or external vendor
  • ⚠️ No access to website admin/hosting accounts
  • ⚠️ Critical business website on shared hosting with poor uptime
  • ⚠️ Outdated platform (e.g., WordPress not updated in 2+ years)
  • ⚠️ Don’t know who maintains or can update the website

Green Flags:

  • Clear ownership and access to all website assets
  • Documented hosting arrangements
  • Regular updates and maintenance
  • Professional hosting appropriate for business criticality

Q10: “Who owns the domain names? Where are they registered? When do they expire?”

What You’re Looking For:

  • Legal ownership of critical domains
  • Risk of losing domain names during transition
  • Renewal and registration management

Red Flags Requiring Expert Assessment:

  • ⚠️ Domains registered in departing owner’s personal name
  • ⚠️ Domains registered with former employee or vendor accounts
  • ⚠️ Domains expiring soon with unclear renewal process
  • ⚠️ Can’t access domain registrar account
  • ⚠️ Using questionable or unreliable domain registrar
  • ⚠️ Missing important domain variations (competitors could acquire)

Green Flags:

  • Domains registered in business name or transferable to new owner
  • Clear registrar account access
  • Auto-renewal enabled with valid payment method
  • Domains secured for multiple years
  • Defensive domain registrations in place (.com, .net, common misspellings)

Q11: “Is your website custom-built, or does it use a platform like WordPress, Shopify, Wix, or Squarespace?”

What You’re Looking For:

  • Platform dependencies and limitations
  • Ease of maintenance and updates
  • Vendor lock-in risks

Red Flags Requiring Expert Assessment:

  • ⚠️ Proprietary platform with expensive licensing
  • ⚠️ Platform being discontinued or merged
  • ⚠️ Heavy customization making updates impossible
  • ⚠️ No one knows how to update or modify the website
  • ⚠️ Platform choice severely limiting business capabilities

Green Flags:

  • Standard, well-supported platform
  • Ability to export data and migrate if needed
  • Active community and plugin/extension ecosystem
  • Platform capabilities aligned with business needs
  • Clear documentation of customizations

Q12: “Who has access to update your website? What happens if they’re unavailable?”

What You’re Looking For:

  • Knowledge concentration risk
  • Operational continuity
  • Access control and security

Red Flags Requiring Expert Assessment:

  • ⚠️ Only one person (owner or external vendor) can make changes
  • ⚠️ No documented access credentials
  • ⚠️ Former employees still have administrative access
  • ⚠️ Unclear or lost passwords/access
  • ⚠️ Website changes take weeks due to vendor dependencies

Green Flags:

  • Multiple people with appropriate access levels
  • Documented credentials in secure location
  • Regular access reviews and cleanup
  • Reasonable turnaround time for updates
  • Emergency access procedures documented

Q13: “Have you had any vendor or agency build custom features, integrations, or plugins for your website or other systems?”

What You’re Looking For:

  • Vendor-built customizations creating dependencies
  • IP ownership of custom work
  • Documentation and supportability of custom integrations

Red Flags Requiring Expert Assessment:

  • ⚠️ Critical custom features built by vendor with no documentation
  • ⚠️ Vendor owns the code/IP for customizations
  • ⚠️ Custom integrations breaking regularly
  • ⚠️ Dependent on expensive agency retainer for basic updates
  • ⚠️ No source code or only compiled/obfuscated versions
  • ⚠️ Vendor out of business or no longer supporting the customization

Green Flags:

  • Clear IP ownership agreements giving business rights to custom work
  • Source code and documentation provided for customizations
  • Standard, well-documented integration approaches
  • Ability to switch vendors without losing functionality
  • Custom work built using standard practices (not proprietary)

Q14: “What’s your website hosting arrangement? What’s included in your hosting plan?”

What You’re Looking For:

  • Hosting costs and scalability
  • Infrastructure adequacy
  • Vendor relationships and transferability

Red Flags Requiring Expert Assessment:

  • ⚠️ Hosting bundled with agency services (can’t separate)
  • ⚠️ Severely undersized hosting for current traffic
  • ⚠️ No backups or disaster recovery
  • ⚠️ Hosting contract non-transferable or tied to owner personally
  • ⚠️ Frequent downtime or performance issues
  • ⚠️ Hosting in owner’s personal account

Green Flags:

  • Professional hosting appropriate for business size
  • Clear hosting costs and contract terms
  • Regular automated backups
  • Scalability headroom for growth
  • Standard hosting arrangement easy to transfer
  • Good uptime history (99%+ uptime)

3. Infrastructure & Operations Questions

Q15: “Where is your application hosted? How does your infrastructure work?”

Note: This applies to custom applications. For SaaS-only businesses, focus on vendor relationships instead.

What You’re Looking For:

  • Scalability limitations
  • Infrastructure complexity and costs
  • Vendor lock-in risks

Red Flags Requiring Expert Assessment:

  • ⚠️ “It runs on a single server in [person’s] basement/office”
  • ⚠️ No redundancy or backup systems
  • ⚠️ Extremely complex infrastructure for business size
  • ⚠️ “Only [one person] knows how to manage the servers”

Green Flags:

  • Cloud-based infrastructure (AWS, Azure, Google Cloud)
  • Clear understanding of infrastructure costs
  • Documented infrastructure setup
  • Scalable architecture

Q16: “How often do you deploy new code to production? What’s your deployment process?”

Note: This applies primarily to businesses with custom software development.

What You’re Looking For:

  • Development velocity and deployment risk
  • Process maturity
  • Operational excellence

Red Flags Requiring Expert Assessment:

  • ⚠️ Deployments require all-night manual work
  • ⚠️ Frequent deployment failures or need to rollback
  • ⚠️ Can only deploy when specific person is available
  • ⚠️ No deployment process or documentation

Green Flags:

  • Regular, predictable deployments (weekly, bi-weekly, or on-demand)
  • Automated deployment processes
  • Low failure rate
  • Documented rollback procedures

Q17: “What happens if your main server or service goes down? Do you have a disaster recovery plan?”

Note: This applies to all businesses—whether custom software, hosted applications, or SaaS dependencies.

What You’re Looking For:

  • Business continuity risk
  • Data loss potential
  • Operational resilience

Red Flags Requiring Expert Assessment:

  • ⚠️ “We’d be completely down until we fix it”
  • ⚠️ No backups or untested backups
  • ⚠️ No disaster recovery plan
  • ⚠️ Single points of failure with no redundancy

Green Flags:

  • Documented disaster recovery plan
  • Regular backup testing
  • Redundant systems
  • Clear recovery time objectives

Q18: “How do you monitor your systems? How do you know if something is wrong?”

What You’re Looking For:

  • Operational visibility
  • Proactive vs. reactive problem management
  • Mean time to detect/resolve issues

Red Flags Requiring Expert Assessment:

  • ⚠️ “Customers tell us when things break”
  • ⚠️ No monitoring or alerting systems
  • ⚠️ Frequent unplanned outages
  • ⚠️ No visibility into system health

Green Flags:

  • Monitoring and alerting systems in place
  • Dashboards showing system health
  • Proactive issue detection
  • Low customer-reported outages

4. Team & Knowledge Questions

Q19: “Who on your team has deep technical knowledge of your systems? What would happen if they left?”

Note: This applies to all businesses, whether they have custom software, manage SaaS platforms, or rely on vendors.

What You’re Looking For:

  • Key person dependencies (critical for ETA)
  • Knowledge concentration risk
  • Bus factor (minimum number of team members that can be lost before project fails)

Red Flags Requiring Expert Assessment:

  • ⚠️ “Really just [one person] knows how it all works”
  • ⚠️ Original developer left and no one fully understands the code
  • ⚠️ Owner is the only technical person
  • ⚠️ No knowledge transfer plan

Green Flags:

  • Knowledge distributed across multiple team members
  • Documentation supports knowledge transfer
  • Team can operate independently
  • Clear succession plan for technical roles

Q20: “How long does it typically take for a new team member to become productive with your systems?”

Note: Adjust this based on whether they have custom software (new developer) or use off-the-shelf solutions (new operator/admin).

What You’re Looking For:

  • Code quality and documentation
  • Onboarding process maturity
  • Hidden complexity

Red Flags Requiring Expert Assessment:

  • ⚠️ “Six months or more”
  • ⚠️ “We’ve never successfully onboarded anyone”
  • ⚠️ No onboarding documentation
  • ⚠️ Extreme complexity for the business size

Green Flags:

  • 2-4 weeks to first meaningful contribution
  • Documented onboarding process
  • Clear codebase structure
  • Good code documentation

Q21: “What’s your team structure? Who’s full-time vs. contractor? Where are they located?”

What You’re Looking For:

  • Team stability and retention risk
  • Transition complexity
  • Reliance on specific individuals or vendors

Red Flags Requiring Expert Assessment:

  • ⚠️ Heavy reliance on offshore contractors with no documentation
  • ⚠️ Critical functions entirely outsourced
  • ⚠️ High team turnover
  • ⚠️ No employment/IP agreements with contractors

Green Flags:

  • Stable core team
  • Clear roles and responsibilities
  • Strong employment agreements with IP assignment
  • Balanced contractor/employee mix

5. Documentation & Process Questions

Q22: “Can you show me your technical documentation? System diagrams? Operating procedures?”

Note: Adjust expectations based on business type—custom software needs architecture docs, SaaS-based businesses need operational runbooks.

What You’re Looking For:

  • Knowledge transfer readiness (critical for ETA)
  • Technical debt and complexity
  • Operational readiness for new owner

Red Flags Requiring Expert Assessment:

  • ⚠️ Little to no documentation exists
  • ⚠️ “It’s all in [person’s] head”
  • ⚠️ Documentation severely outdated (2+ years old)
  • ⚠️ No architectural diagrams or system overview

Green Flags:

  • Up-to-date technical documentation
  • Clear architecture diagrams
  • Documented APIs and integrations
  • Runbooks for common operations

Q23: “How do you manage your development process? Sprints? Kanban? Something else?”

Note: For businesses without active development, ask about operational processes and project management instead.

What You’re Looking For:

  • Process maturity
  • Predictability of delivery
  • Team efficiency

Red Flags Requiring Expert Assessment:

  • ⚠️ No process—completely ad hoc
  • ⚠️ Chaotic, unpredictable delivery
  • ⚠️ No project management or tracking
  • ⚠️ Excessive process overhead for team size

Green Flags:

  • Appropriate process for team size
  • Consistent delivery rhythm
  • Clear prioritization framework
  • Reasonable meeting/overhead time

6. Product & Customer Questions

Q24: “How do you track product usage and customer behavior? What analytics do you have?”

What You’re Looking For:

  • Data-driven decision making capability
  • Product intelligence for growth
  • Understanding of customer value

Red Flags Requiring Expert Assessment:

  • ⚠️ “We don’t really track that”
  • ⚠️ No analytics implementation
  • ⚠️ Decisions based purely on intuition
  • ⚠️ Unknown customer usage patterns or feature adoption

Green Flags:

  • Analytics tools implemented (Google Analytics, Mixpanel, etc.)
  • Regular review of metrics
  • Data-informed product decisions
  • Clear understanding of customer behavior

Q25: “What’s your bug backlog like? How many open issues? What’s the trend?”

Note: For non-software products, ask about quality issues, customer complaints, or service problems instead.

What You’re Looking For:

  • Product quality and technical debt
  • Development capacity
  • Customer satisfaction risk

Red Flags Requiring Expert Assessment:

  • ⚠️ Hundreds or thousands of open bugs
  • ⚠️ Bug backlog growing faster than resolution
  • ⚠️ No bug tracking system%$
  • ⚠️ Increasing customer complaints about quality

Green Flags:

  • Manageable bug backlog (< 50 for small teams)
  • Declining or stable bug trends
  • Clear prioritization of bugs
  • Fast resolution of critical issues

Q26: “How do you handle customer support? What’s the relationship between support and technical teams?”

What You’re Looking For:

  • Support burden on engineering team
  • Product quality indicators
  • Operational efficiency

Red Flags Requiring Expert Assessment:

  • ⚠️ Engineering team spends >50% time on support
  • ⚠️ Constant firefighting mode
  • ⚠️ No distinction between support and development
  • ⚠️ Escalating support tickets

Green Flags:

  • Clear support processes and tools
  • Escalation path from support to engineering
  • Low engineering time on support
  • Decreasing support volume per customer

7. Scalability & Growth Questions

Q27: “What would need to change technically if your customer base doubled? Tripled? 10x’d?”

What You’re Looking For:

  • Scalability constraints (critical for ETA growth plans)
  • Infrastructure investment needs
  • Technical limitations on growth

Red Flags Requiring Expert Assessment:

  • ⚠️ “We’d need to completely rebuild everything”
  • ⚠️ “Should be fine”
  • ⚠️ Major infrastructure investment required for modest growth
  • ⚠️ Manual processes that don’t scale
  • ⚠️ Unclear or uncertain about scaling requirements

Green Flags:

  • Clear understanding of scalability limits
  • Architecture supports 3-5x growth without major changes
  • Incremental scaling costs
  • Load testing or capacity planning done

Q28: “What are the biggest technical constraints on your roadmap? What can’t you do today that customers want?”

What You’re Looking For:

  • Technical debt impact on innovation
  • Competitive risk from limitations
  • Investment needs for growth

Red Flags Requiring Expert Assessment:

  • ⚠️ Fundamental architectural limitations blocking key features
  • ⚠️ Years of technical debt preventing innovation
  • ⚠️ Losing customers due to technical limitations
  • ⚠️ Major rebuild required for competitive parity

Green Flags:

  • Minor or manageable technical constraints
  • Clear roadmap for addressing limitations
  • Technical capabilities aligned with market needs
  • Competitive feature parity

8. Compliance & Legal Questions

Q29: “What regulatory requirements apply to your business and technology? How do you ensure compliance?”

What You’re Looking For:

  • Regulatory risk and compliance obligations
  • Industry-specific requirements (HIPAA, PCI-DSS, SOC 2, etc.)
  • Liability exposure

Red Flags Requiring Expert Assessment:

  • ⚠️ Handling sensitive data without proper compliance (healthcare, financial, etc.)
  • ⚠️ No compliance program for regulated industry
  • ⚠️ Past compliance violations or warnings
  • ⚠️ Unclear about applicable regulations

Green Flags:

  • Clear understanding of compliance requirements
  • Regular compliance audits
  • Documented compliance procedures
  • Current with all regulatory obligations

Q30: “If you handle health data: Are you HIPAA compliant? What safeguards do you have in place?”

Note: Skip this if the business doesn’t handle protected health information (PHI).

What You’re Looking For:

  • HIPAA compliance requirements and current status
  • Business Associate Agreements (BAAs) with vendors
  • Technical and administrative safeguards
  • Potential liability from non-compliance

Red Flags Requiring Expert Assessment:

  • ⚠️ Handling PHI without HIPAA compliance program
  • ⚠️ No Business Associate Agreements with vendors handling PHI
  • ⚠️ Storing PHI without encryption
  • ⚠️ No access controls or audit logs for PHI access
  • ⚠️ Past HIPAA violations or complaints
  • ⚠️ Staff not trained on HIPAA requirements
  • ⚠️ No incident response plan for PHI breaches

Green Flags:

  • Documented HIPAA compliance program
  • Current BAAs with all relevant vendors
  • PHI encrypted at rest and in transit
  • Regular HIPAA training for staff
  • Access controls and audit logging in place
  • Regular risk assessments completed
  • Incident response plan tested

Q31: “If you serve EU customers or handle EU resident data: How do you comply with GDPR?”

Note: Skip this if the business has no EU customers or data subjects.

What You’re Looking For:

  • GDPR compliance requirements and current status
  • Data processing agreements and documentation
  • Privacy controls and data subject rights
  • Cross-border data transfer mechanisms

Red Flags Requiring Expert Assessment:

  • ⚠️ Processing EU personal data without legal basis
  • ⚠️ No privacy policy or severely outdated policy
  • ⚠️ Cannot fulfill data subject requests (access, deletion, portability)
  • ⚠️ Transferring data outside EU without valid mechanism (SCCs, adequacy decision)
  • ⚠️ No Data Protection Officer when required
  • ⚠️ No data processing agreements with vendors
  • ⚠️ Marketing without proper consent mechanisms
  • ⚠️ Past GDPR complaints or investigations

Green Flags:

  • Clear legal basis for all data processing
  • Updated privacy policy compliant with GDPR
  • Process for handling data subject requests
  • Valid data transfer mechanisms (Standard Contractual Clauses, etc.)
  • Data processing agreements with vendors
  • Consent management system for marketing
  • Regular GDPR compliance reviews
  • Appointed DPO if required

Q32: “If you serve California customers: Are you CPRA/CCPA compliant?”

Note: Skip this if the business doesn’t meet CPRA/CCPA thresholds or serve California residents.

What You’re Looking For:

  • CPRA/CCPA compliance status
  • Consumer rights implementation
  • Data sale/sharing disclosures
  • Service provider agreements

Red Flags Requiring Expert Assessment:

  • ⚠️ Meeting CPRA thresholds but no compliance program
  • ⚠️ No “Do Not Sell or Share My Personal Information” link
  • ⚠️ Cannot honor consumer rights requests (know, delete, correct, opt-out)
  • ⚠️ Selling/sharing consumer data without disclosures
  • ⚠️ No service provider agreements limiting data use
  • ⚠️ No process for verifiable consumer requests
  • ⚠️ Missing required privacy policy disclosures

Green Flags:

  • Compliance program if thresholds met
  • Clear privacy disclosures and opt-out mechanisms
  • Process for consumer rights requests
  • Service provider agreements in place
  • Regular compliance reviews
  • Consumer request verification process
  • Updated privacy policy with CPRA disclosures

Q33: “If you use AI/automated decision-making serving EU customers: Are you aware of the EU AI Act requirements?”

Note: Skip this if no AI usage or no EU customers. The EU AI Act phases in from 2025-2027.

What You’re Looking For:

  • Awareness of EU AI Act requirements
  • AI system risk classification
  • Documentation and transparency obligations
  • Prohibited AI practices

Red Flags Requiring Expert Assessment:

  • ⚠️ Using high-risk AI systems (credit scoring, employment, law enforcement, critical infrastructure) without awareness of requirements
  • ⚠️ AI systems using prohibited practices (social scoring, manipulation, etc.)
  • ⚠️ No technical documentation for AI systems
  • ⚠️ Deploying AI without human oversight for high-risk applications
  • ⚠️ No risk management system for AI
  • ⚠️ Training AI on data without proper rights
  • ⚠️ No transparency about AI use to customers

Green Flags:

  • AI systems classified by risk level
  • Technical documentation for AI systems
  • Human oversight for high-risk AI
  • Transparency notices to users about AI
  • Risk management procedures
  • Regular AI system monitoring
  • Clear data governance for AI training
  • Awareness of compliance timeline

Q34: “If you’re a financial services business or critical vendor in EU: Are you aware of DORA requirements?”

Note: Skip this unless the business is a financial entity or ICT service provider to financial entities in the EU.

What You’re Looking For:

  • Awareness of Digital Operational Resilience Act
  • ICT risk management framework
  • Incident reporting capabilities
  • Third-party risk management

Red Flags Requiring Expert Assessment:

  • ⚠️ In scope for DORA but unaware of requirements
  • ⚠️ No ICT risk management framework
  • ⚠️ No incident detection and response procedures
  • ⚠️ No third-party ICT service provider oversight
  • ⚠️ No digital operational resilience testing
  • ⚠️ Cannot report ICT incidents within required timeframes
  • ⚠️ No business continuity plans for ICT disruptions

Green Flags:

  • Awareness of DORA requirements and timeline
  • ICT risk management framework in place
  • Incident detection, reporting, and response procedures
  • Third-party vendor risk management program
  • Regular resilience testing (including for critical vendors)
  • Business continuity and disaster recovery plans
  • Documentation of ICT systems and dependencies

Q35: “Does your business require any facility security certifications or clearances?”

Note: This applies to businesses handling classified information, government contracts, or sensitive facilities.

What You’re Looking For:

  • Required security clearances and facility certifications
  • Compliance with facility security requirements
  • Transferability of certifications and clearances
  • Ongoing compliance obligations

Red Flags Requiring Expert Assessment:

  • ⚠️ Facility Security Clearance (FCL) or personnel clearances tied to departing owner
  • ⚠️ Pending security violations or investigations
  • ⚠️ Unable to sponsor new cleared personnel
  • ⚠️ SCIF or secure facility requirements not transferable
  • ⚠️ Non-compliance with NISPOM or other security requirements
  • ⚠️ Loss of clearance would terminate major contracts
  • ⚠️ No backup cleared personnel for critical roles

Green Flags:

  • Transferable facility clearances
  • Multiple cleared personnel (not just owner)
  • Clean security record
  • Documented security procedures
  • Regular security audits passed
  • Clear understanding of ongoing requirements
  • Succession plan for maintaining clearances

Q36: “Who owns the IP for your software and digital assets? Are there any licensing issues I should know about?”

What You’re Looking For:

  • IP ownership clarity (deal-breaker risk)
  • License compliance issues
  • Contractor IP assignment

Red Flags Requiring Expert Assessment:

  • ⚠️ Unclear IP ownership
  • ⚠️ No IP assignment agreements with contractors
  • ⚠️ Using GPL or other copyleft licenses in proprietary products
  • ⚠️ Disputed ownership or potential claims

Green Flags:

  • Clear IP ownership documentation
  • All employees and contractors have IP assignment agreements
  • License compliance documented
  • No known IP disputes

9. Integration & Dependencies Questions

Q37: “What third-party services or vendors are critical to your operations? What happens if they go away?”

What You’re Looking For:

  • Vendor lock-in and dependency risk
  • Contract transferability
  • Operational continuity risk

Red Flags Requiring Expert Assessment:

  • ⚠️ Deep dependency on single vendor with no alternatives
  • ⚠️ Critical vendor relationships owned by seller personally
  • ⚠️ Vendor services being discontinued
  • ⚠️ Expensive vendor contracts with no exit strategy

Green Flags:

  • Diversified vendor relationships
  • Alternative vendors available
  • Contracts transferable to new owner
  • Vendor relationships documented

Q38: “How does your product integrate with customers’ other systems? How complex are these integrations?”

What You’re Looking For:

  • Integration maintenance burden
  • Customer switching costs (retention indicator)
  • Technical support requirements

Red Flags Requiring Expert Assessment:

  • ⚠️ Every customer has custom integration requiring ongoing support
  • ⚠️ Fragile integrations that break frequently
  • ⚠️ No standardized integration approach
  • ⚠️ Integration work consuming majority of development time

Green Flags:

  • Standardized integration methods (APIs, webhooks)
  • Self-service integration capabilities
  • Documented integration guides
  • Low integration support burden

10. Costs & Financial Questions

Q39: “What are your technology costs? How do they scale with revenue or users?”

What You’re Looking For:

  • Technology cost structure and trends
  • Unit economics
  • Hidden costs or liabilities

Red Flags Requiring Expert Assessment:

  • ⚠️ Technology costs growing faster than revenue
  • ⚠️ Expensive legacy systems with high maintenance costs
  • ⚠️ Unclear cost structure or tracking
  • ⚠️ Upcoming major expenses (license renewals, infrastructure upgrades)

Green Flags:

  • Clear technology cost breakdown
  • Costs scale linearly or sublinearly with growth
  • Regular cost optimization efforts
  • Predictable cost structure

11. Transition & Ownership Questions

Q40: “What’s your role in the day-to-day technical operations? What would I need to learn to operate the business?”

What You’re Looking For:

  • Owner dependency (critical for ETA)
  • Knowledge transfer requirements
  • Operational complexity for new owner

Red Flags Requiring Expert Assessment:

  • ⚠️ Owner deeply involved in daily technical operations
  • ⚠️ Complex technical systems requiring deep expertise
  • ⚠️ No one else can perform critical technical functions
  • ⚠️ Mismatch between acquirer capabilities and technical requirements

Green Flags:

  • Owner has hands-off or strategic role
  • Team operates independently
  • Good documentation supports learning
  • Technical complexity appropriate for acquirer’s background

When to Bring in Technical Due Diligence Expertise

You should seriously consider engaging a technical due diligence advisor if you encounter:

Critical Red Flags (Engage Before LOI)

  • Multiple red flags across different categories
  • Unclear IP ownership, domain ownership, or licensing issues
  • Critical security vulnerabilities or compliance gaps (HIPAA, GDPR, CPRA, etc.)
  • Owner is the sole technical person with no transition plan
  • Technology requires complete rebuild to operate or scale
  • No documentation and owner unwilling/unable to provide knowledge transfer
  • Critical digital assets (websites, domains) controlled by third parties
  • Vendor or agency “owns” essential business systems
  • Key integrations built by vendors who retain IP rights
  • Unmanaged AI usage with customer/proprietary data in public tools
  • Regulatory compliance issues (EU AI Act, DORA for financial services)
  • Security clearances or facility certifications tied to departing owner

High-Value Situations (Engage During Confirmatory DD)

  • Large portion of business value depends on technology or digital presence
  • Significant post-acquisition technical investment required
  • Complex technical architecture, large codebase, or extensive customizations
  • Regulated industry requiring compliance verification
  • Integration or carve-out from larger organization
  • Your technical background doesn’t match the technology complexity
  • Heavy reliance on SaaS platforms with complex integrations
  • E-commerce or online business where website IS the business

Resource Limitations (Consider Engagement)

  • Limited technical background on your team
  • Want objective assessment of technical quality and vendor relationships
  • Need help quantifying technical debt and remediation costs
  • Planning significant technical transformation post-acquisition
  • Want to identify quick wins and growth opportunities
  • Need to negotiate with vendors or assess contract terms
  • Evaluating platform migration or technology modernization options

Using These Questions Effectively

During Initial Conversations:

  • Ask these questions conversationally, not as an interrogation
  • Listen for confidence vs. uncertainty in responses
  • Note where seller needs to “get back to you” (indicates gaps)
  • Look for patterns across multiple red flags

Documenting Responses:

  • Take detailed notes on answers (record the call, or use a transcription tool)
  • Request supporting documentation
  • Ask follow-up questions when answers are vague
  • Track red flags to discuss with technical advisor

After Discovery:

  • Review your notes and identify red flag patterns
  • Consider the red flags in context of the overall deal
  • Determine if technical DD expertise is needed
  • Plan follow-up questions for next conversation

Conclusion

These questions help you identify technical risks early, before significant time and money is invested in due diligence. Not every red flag is a deal-breaker—many can be mitigated with proper planning, resources, and expert guidance.

Remember: These questions apply across a wide spectrum of businesses:

  • High-tech software companies with custom development teams
  • Service businesses using SaaS platforms and standard tools
  • E-commerce operations on platforms like Shopify or WooCommerce
  • Content businesses with WordPress or similar CMS platforms
  • Any business that depends on technology to operate and serve customers

The goal is not to become a technical expert yourself, but to recognize when you need one. A skilled technical due diligence advisor can help you:

  • Verify and quantify the risks you’ve identified
  • Uncover issues that only deep technical analysis would reveal
  • Estimate remediation costs for deal valuation
  • Create a post-acquisition technical roadmap
  • Ensure you’re operationally ready for Day 1
  • Assess vendor relationships and negotiate better terms
  • Identify quick wins and optimization opportunities

Remember: Every business has technical issues and dependencies. The question is whether they’re manageable within your context and whether the opportunity justifies the investment in addressing them.

System Sense Advisory helps ETA searchers and lower/mid-market M&A facilitators navigate technical due diligence. We provide expert assessment of technology assets to inform deal decisions and post-acquisition planning. Contact us to discuss how we can support your acquisition process.