Blog

Legal Due Diligence for Tech Companies | Lawyerly

Written by Patricia Tinn | Jun 2, 2026 1:40:11 PM

By the time legal due diligence starts, the deal has usually moved from interest to intent. An investor leans in, or a buyer starts to ask serious questions. The company has already sold the opportunity: the product, the traction, the market and the growth story. Then the focus shifts. The conversation moves from what the business could become to how carefully it has been built.

Legal due diligence is the moment a tech company gets looked at carefully from the outside. An investor or buyer has decided they are interested, and the conversation has moved beyond what the business could become and into how it has actually been built. The questions become more specific, and they often reach back into decisions made months or years earlier.

That is what makes diligence feel different. The product, traction and market opportunity may already have been made. What gets tested next is the foundation underneath them: who created the first version of the product, whether early contractors were properly signed up, whether the cap table holds together, whether the contracts behind the revenue are as solid as the revenue itself.

Most founders can answer the big questions, but the harder part is finding the proof. It is often buried in emails, unfinished paperwork, or informal decisions that made sense at the time but were never properly recorded.

The companies that handle diligence well are not always the ones with no gaps. They are the ones that know where they stand, have records that hang together, and can answer questions without scrambling.

Why diligence is more than a box-ticking exercise

Investors are looking for confidence

Legal due diligence is often spoken about as if it is a simple checklist. In practice, investors are looking for more than a folder of documents. They want confidence that the company has been built with care, and these documents help tell that story. They show whether the company owns its product, whether the ownership structure is clear, whether key contracts support the commercial story, and whether the records have kept pace with the business as it has grown.

Diligence is about risk, but it is also about trust.

A missing document does not always create a serious problem, but repeated gaps can make investors look more closely. For example, if the IP records are unclear, they may start asking more questions about contractors. If the cap table does not tie up neatly, they may wonder how carefully early investment was managed.

Buyers look at value and risk together

For buyers, diligence is closely tied to valuation. A buyer is trying to understand what it is acquiring and whether anything could reduce the value of the business after completion. In a tech company, that value often sits in the product, the customer relationships, the technical know-how and the team that keeps everything moving.

If there are gaps around ownership, customer contracts or data protection, those points may affect the price, the deal structure or the warranties a buyer asks for. The buyer may still want the business, but it will want to understand the risk before it commits. Clean records do not guarantee a deal, but they make it easier for a buyer to trust what they are buying.

1. Show that the company owns its product

Intellectual property (IP) ownership is usually one of the first areas reviewed in a tech company. The question is simple: does the business own, or have the right to use, the product it is selling?

That often means looking back at how the product was built, especially in the early days when the company may have been moving quickly and relying on informal arrangements. A founder may have built the first version before the company existed, or a contractor may have developed an important feature before a proper agreement was signed.

The business should be able to show how the product was created and how ownership moved into the company. That usually means signed founder IP assignments, employment contracts with clear IP clauses, and contractor agreements that properly assign work to the company.

Where third-party technology is used, the licence terms should be understood. For AI companies, the ownership position may need more explanation, especially where model providers, training data, customer data use and output terms are involved.

There is also a newer point worth watching. If developers have used AI coding assistants such as GitHub Copilot or Claude Code, diligence may ask how those tools were used and whether the company understands the licence position on code produced with them.

2. Keep the cap table easy to explain

A cap table tells reviewers who owns the company and what has been promised. It should be easy to read and consistent with the company's records. If it does not match Companies House filings, option records or investment documents, diligence becomes slower and more difficult.

A messy cap table builds through early decisions that felt practical at the time: an informal promise of advisor equity, a small investment accepted on unusual terms, options discussed without the paperwork being completed, or convertible instruments that were not properly tracked. By the time the company is being reviewed, those small gaps can make the ownership position harder to explain.

Future dilution matters too. Investors and buyers will also want to understand what happens next, looking at the option pool, outstanding convertible instruments, investor rights and any approvals needed before a round or sale can complete.

The company should be able to answer three questions without difficulty: who owns the company, what has been promised, and what changes when the next round or sale completes.

The company should be able to answer three questions without difficulty: who owns the company, what has been promised, and what changes when the next round or sale completes

3. Make sure customer contracts support the revenue

Diligence looks at revenue, as well as the contracts behind that revenue. A growing SaaS or AI company may have strong customer traction, but the terms behind those relationships shape how secure that revenue really is. If customers can leave easily, liability sits too broadly with the company, or key contracts contain restrictions on assignment or change of control, the value of that revenue may look less reliable than the top-line figures suggest.

Founders should know which customer contracts matter most. For a funding round, that may mean the customers showing traction, repeatability and market demand. For an exit, it may mean the contracts representing the largest part of the company's value.

Those contracts should be signed, complete and easy to find. The company should also understand any terms that could affect the deal, particularly around termination, liability, data protection, IP, exclusivity, renewal and assignment. The commercial position should not have to be pieced together while a buyer or investor is waiting for answers.

4. Match the data story to the documents

Data protection is now a standard part of tech diligence under UK GDPR. Reviewers will want to understand how personal data moves through the business and whether the company's documents reflect what the product actually does.

The questions may start with privacy notices and Data Processing Agreements (DPA), but they lead back to the same practical point: does the company understand its own data position? 

This is where inconsistencies can create concern. If the privacy notice says one thing, the customer contract says another, and the product works differently in practice, the gap becomes harder to explain.

If the company processes personal data for customers, the DPA position matters. Reviewers may look at whether customer DPAs are in place, whether sub-processors are listed properly, whether international transfers have been considered, and whether the company has a process for handling data subject requests or breaches.

If customer data touches model providers, testing processes or AI outputs, the company should be able to explain that clearly. If customers have been told their data is not used for training, the documents and product setup need to back that up.

5. Be ready to explain and control AI

AI companies should expect more detailed diligence. Reviewers will want to understand what the AI system does, what it relies on and how the company manages the risks around it. Common questions cover model providers, customer data, output review, training data and how the product is described to customers.

They are assessing more than the technology itself — whether the company can explain and control how it is used. That matters because AI risk can affect customer trust, regulatory exposure, contract terms and valuation.

Good AI governance comes down to records. An AI register, approved tool list, model provider terms, data-use records and customer-facing AI terms can all help show that the business has thought about how AI is being used. For higher-risk use cases, the company may also need a more careful assessment of human review, data protection and customer reliance.

If the company can explain what the system does, what it depends on and how risk is managed, diligence becomes much easier.

6. Know what is in the codebase

Open source software is part of how most tech companies build. It helps teams move quickly and avoid rebuilding standard components from scratch. During diligence, the question is whether the company knows what is in the codebase and what licence terms apply.

Some licences are easy to manage. Others can create restrictions depending on how the software is used, modified or made available. For SaaS companies, copyleft licences such as AGPL deserve particular care because they can create obligations even where the software is only accessed over a network.

Reviewers may ask whether the company has an open source policy, whether it keeps a software bill of materials, and whether any higher-risk licences have been reviewed. These issues matter because they can affect how the product can be used, distributed or commercialised. If a restrictive licence surfaces late in the process, a buyer may ask for remediation, extra warranties or a price adjustment.

The stronger position is to know what is in the codebase before diligence starts, rather than discovering it at the same time as a buyer.

7. Keep people records aligned with the business

Reviewers will also look at the team behind the company. They want to know that employees have proper contracts, that IP created by the team belongs to the company, and that key people are tied into the business in a way that supports continuity.

Option grants, consultant arrangements, contractor status, disputes and settlement agreements may all be reviewed. Closer attention is usually paid to anyone central to the product, sales pipeline or leadership team.

Contractor status is a particular area to watch. Many startups rely on contractors early on, and that can work well, provided the legal setup matches how the relationship operates in practice. If a contractor has been working like an employee for a long time, using company systems and operating as part of the internal team, diligence may raise employment status or tax risk.

Long-term or highly integrated contractors should be reviewed before the process starts, especially where their work is central to the product.

8. Make tax positions clean and explainable

Tax records should be clean and explainable

Tax diligence looks at whether the company's tax position is clean, understandable and properly supported. Reviewers may examine corporation tax, VAT, payroll taxes, EMI and any overseas tax exposure. They are looking for unpaid liabilities, uncertain positions or issues that could create future cost.

For tech companies, R&D tax relief claims now receive particular attention. HMRC has tightened its approach to R&D claims in recent years, and claims that may previously have passed without much challenge are being looked at more carefully by HMRC and diligence reviewers. If the company has claimed R&D relief, it should be able to explain the basis of the claim and produce the technical and financial records that support it.

EMI sits at the intersection of hiring, equity and tax. If options have been promised or granted, diligence may review whether the scheme was set up properly, whether valuations were obtained, whether grants were documented and whether HMRC notifications were completed on time. A well-managed EMI scheme supports the company's hiring and retention story. A poorly managed one creates tax questions and employee expectation issues at exactly the moment the company is trying to close a deal.

The practical takeaway

A clean legal foundation cannot be built in the weeks before a deal. It is the result of small decisions made long before diligence starts: assigning intellectual property properly when a contractor is hired, documenting an option grant when it is promised, updating the DPA when the product changes, and keeping the cap table tied to the underlying records.

The companies that come through diligence smoothly are rarely the ones with no gaps. They are the ones that have built good habits over time, know where the remaining gaps are, and have answers ready for the questions they know are coming. For tech and AI founders, that mindset is worth adopting long before any deal is on the table. By the time diligence begins, the work that matters most has usually already been done.