The Online Business Due Diligence Checklist: What Buyers Actually Verify

Accepting a Letter of Intent (LOI) from a buyer is often one of the most exciting moments in a founder's journey. What follows, however, is frequently the most stressful: a formal due diligence process in which an acquirer systematically examines every aspect of your business with the explicit goal of identifying risks — and justifying a lower purchase price.

Being prepared for due diligence is not just about protecting your valuation. It is about demonstrating that your business is operationally credible, financially verifiable, and structurally sound — which directly increases buyer confidence and reduces the likelihood of deal collapse.

This guide provides the complete due diligence checklist that sophisticated buyers use across financial, legal, operational, and technical domains.

Why Due Diligence Matters for Sellers

The due diligence phase is where the majority of online business deals fall apart or get re-traded (the buyer reduces the offer price after discovering something materially different from the initial representation). Understanding what buyers look for allows you to:

Identify and fix issues before they are discovered. A problem you disclose proactively is far less damaging than one a buyer finds independently.
Prepare your data room in advance. A well-organised data room signals professionalism and reduces the buyer's perception of risk.
Anticipate re-trade arguments. If you know where your weaknesses are, you can prepare defensible counter-arguments.

Part 1: Financial Due Diligence

Financial verification is the deepest and most time-consuming component. Buyers want to verify that the revenue and profit figures in the initial deal package match independently verifiable records.

Revenue Verification

Trailing 12-month P&L statement (monthly breakdown)
Trailing 36-month P&L statement (annual trend)
Reconciliation between P&L revenue and bank deposits (cash reconciliation)
Payment processor export (Stripe, Paddle, or equivalent) showing individual transaction data
Refund and chargeback rate analysis (last 12 months)
Revenue categorisation (recurring vs non-recurring, by product/pricing tier)

For SaaS Businesses

Active subscriber export (with ARR/MRR per account)
Churn and expansion MRR waterfall (month-by-month bridge)
Net Revenue Retention (NRR) calculation and supporting data
Annual vs monthly billing mix
Outstanding lifetime deal obligations

For Ecommerce Businesses

Amazon Seller Central or Shopify export (last 24–36 months)
Product-level revenue breakdown
COGS and gross margin calculation by SKU
Advertising spend and ROAS (Return on Ad Spend) by channel

Cost Verification

All recurring expense subscriptions (documented with invoices)
Contractor and freelancer payments (with contracts or work order history)
Owner salary and benefits add-back schedule (documented with evidence)
One-time expense add-back schedule (documented with evidence)
Outstanding liabilities or pending invoices

Part 2: Traffic and Analytics Due Diligence

Web Analytics

Google Analytics (or equivalent) read access — typically granted via view-sharing
Month-by-month sessions, users, and page views (last 24–36 months)
Traffic source breakdown (organic, direct, paid, referral, social)
Top-10 keyword rankings and associated traffic volume
Bounce rate, session duration, and engagement metrics

For Content Sites

Ahrefs or Semrush data showing organic traffic trend
Top-performing pages by revenue and traffic
Backlink profile (domain rating, referring domains, anchor text distribution)
Evidence of Google Core Update or Helpful Content System (HCS) impact analysis

For Paid Traffic Businesses

Google Ads, Meta Ads, or TikTok Ads account access
Trailing 12-month ROAS by channel
Customer acquisition cost (CAC) and CAC payback period
Lifetime value (LTV) analysis per acquisition channel

Part 3: Legal Due Diligence

Business Entity and Ownership

Business registration documents (certificate of incorporation, LLC operating agreement)
Shareholder or member structure (all equity holders documented)
Confirmation that the seller has authority to sell the business

Intellectual Property

Trademark registrations (active, pending, or expired)
Domain name ownership (WHOIS verification)
Copyright ownership of all original content
Patent filings (if applicable)
Software codebase ownership (particularly for contract developers)

Contracts and Agreements

Customer contracts (all active client agreements for agency/B2B businesses)
Supplier agreements (especially exclusivity terms)
Affiliate programme terms and conditions
Platform terms of service compliance (Amazon, Google, Meta, Shopify)

Compliance

GDPR / CCPA / UK GDPR compliance documentation
Terms of Service and Privacy Policy (current and comprehensive)
Any prior regulatory actions, investigations, or legal disputes

Part 4: Operational Due Diligence

Team and People

Full team roster (employees and contractors)
Employment contracts and independent contractor agreements
Key employee retention agreements (if applicable)
Evidence of team independence from founder (org chart, reporting structure)

Standard Operating Procedures (SOPs)

Documented SOPs for all recurring processes
Customer support ticket handling process
Content production workflow (for content businesses)
Product ordering and inventory management (for ecommerce/FBA)
Developer deployment and infrastructure management (for SaaS)

Tools and Subscriptions

Full list of all software subscriptions (with login access plan for transfer)
CRM and email marketing platform data (subscriber lists, sequences, segments)
Hosting infrastructure documentation

Part 5: Technical Due Diligence (For SaaS and Tech Businesses)

Codebase Review

Access to source code repository (typically GitHub, with read access under NDA)
Architecture documentation (system design overview)
Deployment process (CI/CD pipeline documentation)
Security review (authentication methods, data encryption, known vulnerabilities)
Technical debt inventory (identified issues, estimated remediation cost)

Infrastructure

Hosting provider, server specifications, and monthly infrastructure cost
Database architecture (schema documentation)
API integration dependencies (third-party services the product relies on)
Uptime and reliability history (last 12 months)
Disaster recovery and backup procedures

How to Prepare Your Data Room

A professional data room is a secure, organised folder structure (typically in Google Drive, Dropbox, or a dedicated platform like Docsend) that contains all diligence materials in an accessible format.

Recommended Data Room Structure:

/Financial
  - P&L Statements (Monthly, 36 months)
  - Bank Statements (12 months)
  - Revenue Reconciliation
  - Add-Back Schedule
/Legal
  - Business Registration
  - Contracts
  - IP Documentation
/Traffic & Analytics
  - Analytics Export
  - SEO Reports
/Operations
  - Team Overview
  - SOP Library
/Technical (if applicable)
  - Architecture Overview
  - Infrastructure Documentation

Frequently Asked Questions

How long does due diligence take?

For online businesses under $500,000 in value, due diligence typically takes 2–4 weeks. For businesses between $500,000 and $5,000,000, expect 4–12 weeks. Complex businesses with extensive code, customer contracts, or international operations can take 3–6 months.

What happens if a buyer discovers something unexpected during diligence?

The buyer has several options: proceed with the original terms, request a price reduction (re-trade), request escrow or indemnification provisions, or terminate the LOI and walk away. Proactive disclosure of known issues before diligence begins is almost always better for the seller's negotiating position.

Can I speed up the due diligence process?

Yes. The single biggest time accelerant is a pre-prepared data room with all materials organised and accessible. Buyers who receive an organised data room at LOI signing complete diligence significantly faster than those who must request documents piecemeal.