Technical Due Diligence Checklist — UK SaaS
Area
Key Questions
Red Flags
How ClickMasters Assesses
Codebase quality
Test coverage? Linting? TypeScript? CI/CD?
< 40% test coverage, no CI/CD, no TypeScript on JS codebase
Code review (GitHub/GitLab access), static analysis (SonarQube scan)
Architecture
Monolith or microservices? Scalable? Over-engineered?
50+ microservices for 5-person team, no clear service boundaries
Architecture review call with engineering team + diagram review
Technical debt
Quantified? Known issues list? EOL dependencies?
EOL frameworks (Magento 1, PHP 5, jQuery 1.x), no upgrade path
Dependency scan (npm audit, pip-audit), CVE check, EOL component list
UK GDPR compliance
ICO registration? DPAs? DSAR process? Breach history?
No ICO registration, no DPAs with processors, undisclosed breach history
GDPR gap assessment, ICO register check, DPA review
Security certifications
Cyber Essentials? ISO 27001? Pen test history?
No Cyber Essentials, last pen test > 2 years ago, unresolved critical findings
Certificate verification, pen test report review, CVSS scoring
FCA/NHS/GDS compliance
FCA authorised? NHS DTAC? GDS assessed?
Undisclosed FCA enforcement, expired DTAC, pending GDS assessment failure
FCA register check, DTAC certificate status, GDS assessment review
Infrastructure
Cloud costs? Scaling evidence? Single points of failure?
100% AWS Lambda with no ECS fallback, all data on single RDS, no DR
AWS Cost Explorer review, architecture diagram, DR test evidence
Key person dependency
Bus factor > 1? Documentation? Tribal knowledge?
One developer who wrote 70%+ of code with no documentation
Git blame analysis, documentation review, team interview
UK GDPR Due Diligence — Deal-Critical Checks
UK GDPR acquisition risk: if a data breach occurred pre-acquisition but is reported post-acquisition, the acquiring company is liable for the ICO fine. Contractual protection: price reduction, escrow, or warranty & indemnity insurance covering GDPR breaches.
Regulated UK SaaS — FCA, NHS, GDS Specific Checks
Regulated Sector
Key DD Checks
Deal-Critical Issues
Remediation Cost
FCA-regulated FinTech
FCA register status, enforcement history, SYSC controls, Consumer Duty compliance
Undisclosed enforcement action, expired FCA authorisation
£25,000–£200,000+ if FCA remediation required
NHS HealthTech (DTAC)
DTAC certificate status (expiry, domains passed), DCB0129 clinical safety file, MHRA registration
Expired DTAC, missing DCB0129 file, unregistered SaMD
£15,000–£60,000 DTAC re-assessment plus remediation
GovTech (GDS)
Beta/Live assessment status, PSBAR accessibility compliance, GOV.UK Service Manual adherence
Assessment failure pending, PSBAR accessibility statement non-compliant
£10,000–£40,000 accessibility remediation
NHS supplier (not DTAC)
DSP Toolkit submission status, Data Security and Protection standards
Overdue DSP Toolkit submission, critical standards not met
£5,000–£20,000 DSP Toolkit remediation