Technology Due Diligence: Don't Inherit a Tech Nightmare

"The technology works fine" — Famous last words before inheriting an IT disaster.

Most buyers focus on financial and operational due diligence and completely ignore technology. Then six months after closing, they discover:
- Critical software licenses they don't own
- Outdated systems that need expensive upgrades
- Security vulnerabilities waiting to be exploited
- No documentation or passwords for key systems

Technology due diligence isn't optional anymore. Here's your complete guide.

## Why Technology Due Diligence Matters

### The Hidden Costs:

**Case 1: The License Problem**
- Business used pirated Microsoft Office
- Post-purchase audit discovered violation
- Cost to fix: $25,000 in license fees + potential fines

**Case 2: The Security Breach**
- Outdated servers with known vulnerabilities
- Hacked 3 months after acquisition
- Ransom demand: $50,000
- Recovery cost: $100,000+
- Customer data compromised

**Case 3: The System Failure**
- Critical point-of-sale system running on Windows XP
- System crashed, couldn't be fixed (too old)
- Emergency replacement: $40,000
- 3 days of lost revenue: $15,000

**These aren't rare edge cases. They happen every day.**

## Technology Due Diligence Checklist

### 1. Software Inventory & Licenses

**Document ALL software used:**

**Critical Questions:**
- What software does the business depend on daily?
- Who owns the licenses—business or seller personally?
- Are licenses transferable to new owner?
- Are all licenses legal and properly paid?
- What are the renewal costs?

**Common Software to Check:**
✅ Accounting software (QuickBooks, Sage, Xero)
✅ Customer relationship management (CRM)
✅ Point-of-sale systems
✅ Inventory management
✅ Email systems
✅ Microsoft Office / Google Workspace
✅ Industry-specific software
✅ Website content management
✅ E-commerce platforms
✅ Payroll software

**Red Flags:**
❌ Seller won't provide license documentation
❌ Software registered to seller's personal email
❌ Using very old software versions
❌ "Cracked" or pirated software
❌ Software subscriptions auto-renewed on seller's credit card

**Action Items:**
1. Get list of all software with license numbers
2. Verify license ownership and transferability
3. Calculate annual software costs
4. Check for upcoming renewals or required upgrades
5. Verify business can continue operating post-transfer

### 2. Hardware Assessment

**Inventory all hardware:**

**Equipment to Document:**
- Desktop computers (age, specs, condition)
- Laptops (age, specs, condition)
- Servers (physical or cloud)
- Network equipment (routers, switches, WiFi)
- Point-of-sale terminals
- Printers, scanners, copiers
- Security cameras
- Phone system
- Tablets or mobile devices

**For Each Device, Document:**
- Age and condition
- Specifications
- Remaining useful life
- Replacement cost
- Whether it's owned, leased, or financed

**Red Flags:**
❌ Equipment over 5 years old
❌ Running unsupported operating systems (Windows 7, XP)
❌ Equipment showing signs of failure
❌ No backup equipment
❌ Mix of incompatible systems

**Calculate Replacement Costs:**
List equipment that needs immediate replacement or upgrade, and total the cost. This should reduce your purchase price or be disclosed upfront.

**Example:**
- 5 computers running Windows 7: $5,000 replacement
- Failing server: $8,000 replacement
- Outdated phone system: $3,000 upgrade
- **Total immediate tech capital needed: $16,000**

### 3. Website & Online Presence

**Critical Questions:**
- Who owns the domain name? (Check WHOIS records)
- When does domain registration expire?
- Who owns the website hosting account?
- Can you access the hosting control panel?
- Is the website design proprietary or custom?
- Who developed the website?
- Are there ongoing development contracts?

**E-Commerce Sites (Additional Questions):**
- What platform is used? (Shopify, WooCommerce, custom)
- Who owns the store account?
- Can payment processing be transferred?
- Are there plugins/extensions that need licenses?
- What's the monthly hosting/platform cost?

**Social Media:**
- Which platforms does business use?
- Who owns the accounts? (business or seller personally)
- Can login credentials be transferred?
- How many followers on each platform?
- Are there scheduled posts or campaigns?

**Red Flags:**
❌ Domain registered to seller's personal name
❌ Can't access website backend
❌ Website developer no longer available
❌ No documentation of how website works
❌ Social media accounts in seller's personal name
❌ Website hasn't been updated in years

**Action Items:**
1. Verify domain ownership and transfer process
2. Get website hosting login credentials
3. Document website maintenance requirements
4. Test website functionality thoroughly
5. Review website analytics (traffic, conversions)
6. Transfer social media account ownership

### 4. Data & Backup Systems

**Critical Questions:**
- Where is business data stored?
- Is there a backup system?
- When was the last backup tested?
- Where are backups stored?
- Can you recover from backup if needed?
- How long would recovery take?

**Types of Data to Verify:**
- Customer database
- Financial records
- Inventory data
- Vendor information
- Employee records
- Contracts and documents
- Email history

**Backup System Requirements:**
✅ Automated daily backups
✅ Backups stored off-site or in cloud
✅ Regular backup testing
✅ Documented recovery procedures
✅ Retention of at least 30 days of backups

**Red Flags:**
❌ No backup system
❌ Backups never tested
❌ Only one backup copy
❌ Backups stored on-site only
❌ Manual backup process (often forgotten)
❌ No documentation of recovery process

**Disaster Scenarios to Prepare For:**
- Fire destroys office → Can you rebuild from backups?
- Ransomware encrypts all data → Can you restore?
- Employee accidentally deletes critical data → Can you recover?
- Server crashes → How fast can you be operational again?

### 5. Cybersecurity Assessment

**Even small businesses are targets:**

**Security Checklist:**

**Passwords:**
✅ Strong passwords used
✅ Different passwords for each system
✅ Password manager in place
✅ Two-factor authentication enabled
✅ Employee password policies

**Antivirus/Anti-malware:**
✅ Commercial antivirus on all computers
✅ Definitions up to date
✅ Scans running regularly
✅ Email filtering in place

**Network Security:**
✅ Firewall properly configured
✅ WiFi network secured
✅ Guest WiFi separate from business network
✅ VPN for remote access
✅ Regular security updates applied

**Access Controls:**
✅ Limited user privileges (not everyone is admin)
✅ Former employee access revoked
✅ Vendor access properly managed
✅ Physical security for servers/equipment

**Compliance:**
✅ PCI compliance (if accepting credit cards)
✅ GDPR compliance (if serving EU customers)
✅ Industry-specific compliance (HIPAA, etc.)
✅ Privacy policy in place and followed

**Red Flags:**
❌ No antivirus or outdated definitions
❌ Everyone has admin access
❌ Passwords written on sticky notes
❌ No security policies
❌ Previous employees still have system access
❌ No data encryption
❌ Open WiFi network

**Cost of a Security Breach:**
- Average small business breach: $50,000-$200,000
- Lost productivity during recovery
- Reputation damage
- Potential lawsuits
- Regulatory fines

### 6. Vendor & Support Contracts

**Document all tech vendors:**

**Key Vendors to Identify:**
- IT support/managed services provider
- Website developer
- Software developers/consultants
- Internet service provider
- Phone service provider
- Cloud services (hosting, storage, etc.)
- Security system provider

**For Each Vendor, Document:**
- Service provided
- Contract terms and length
- Monthly/annual cost
- Notice period for cancellation
- Quality of service
- Contact information
- Whether service is essential

**Questions to Ask:**
- Are there contracts that transfer with the business?
- Are any vendors overcharging or underperforming?
- Are there better alternatives?
- Can you manage in-house vs. outsourcing?
- What happens if vendor goes out of business?

**Red Flags:**
❌ Long-term contracts you can't escape
❌ Seller's brother/friend providing expensive services
❌ No documentation of services provided
❌ Vendor has admin access to critical systems
❌ No service level agreements (SLAs)

### 7. Phone & Communication Systems

**Phone System:**
- Traditional landlines vs. VoIP
- Who owns the phone numbers?
- Can numbers be transferred/ported?
- Contract terms and costs
- Hardware condition
- Is system adequate for business needs?

**Business Phone Numbers:**
- Document ALL business phone numbers
- Check if they're transferable
- Verify ownership
- Plan for transition period

**Critical:** If customers have the phone number memorized or it's on marketing materials, make sure you can keep it!

### 8. Custom Software & Development

**If business uses custom-built software:**

**Critical Questions:**
- Who developed it?
- Who owns the source code?
- Is source code available and documented?
- Can it be maintained/modified?
- Are there licensing issues?
- What happens if developer disappears?

**Intellectual Property:**
- Get source code placed in escrow
- Verify business owns the code (not the developer)
- Ensure documentation exists
- Have another developer review code quality
- Assess long-term viability

**Red Flags:**
❌ Developer owns the code, not the business
❌ No source code available
❌ No documentation
❌ Built on obsolete technology
❌ Only one person knows how it works

### 9. IT Documentation

**Essential Documentation:**

**What Should Exist:**
✅ Network diagram
✅ List of all software and licenses
✅ Hardware inventory
✅ Password list (securely stored)
✅ Vendor contact list
✅ Backup procedures
✅ Disaster recovery plan
✅ Employee onboarding/offboarding procedures
✅ Common troubleshooting procedures

**If Documentation Doesn't Exist:**
This is a RED FLAG. Either:
- Seller needs to create it before closing
- You factor in time/cost to create it
- Price is reduced accordingly

**Create Your Own Documentation During Due Diligence:**
Even if seller provides some documentation, verify and expand it during your evaluation period.

## The Technology Transition Plan

### Pre-Closing (30-60 Days Before):

**Week 1-2:**
1. Complete technology inventory
2. Identify critical systems
3. Document all logins/passwords
4. Meet with key IT vendors
5. Assess cybersecurity posture

**Week 3-4:**
1. Verify software licenses are transferable
2. Confirm domain/website ownership transfer process
3. Review all IT contracts
4. Plan for any immediate upgrades needed
5. Budget for technology improvements

**Week 5-6:**
1. Transfer domain registrations
2. Transfer website hosting
3. Setup new business email addresses
4. Transfer social media accounts
5. Finalize IT support arrangements

### Closing Day:

✅ Transfer all account passwords
✅ Transfer domain registrations
✅ Transfer software licenses
✅ Transfer phone numbers
✅ Update credit cards on file for subscriptions
✅ Change locks on server room (if applicable)

### Post-Closing (First 30 Days):

**Immediate (Days 1-7):**
1. Change ALL passwords
2. Revoke former owner's system access
3. Verify backups are working
4. Test critical systems thoroughly
5. Setup your business email

**Week 2-3:**
1. Review and update security settings
2. Install any necessary software updates
3. Assess technology improvement priorities
4. Interview IT support vendors if needed
5. Document any issues discovered

**Week 4:**
1. Create/update technology roadmap
2. Budget for necessary improvements
3. Implement quick security wins
4. Train employees on any new systems
5. Establish regular maintenance schedule

## Budget for Technology Upgrades

**Typical Post-Purchase Technology Costs:**

**Immediate (First 30 days):**
- Replace outdated computers: $3,000-$10,000
- Upgrade software licenses: $1,000-$5,000
- Improve cybersecurity: $2,000-$5,000
- Website improvements: $1,000-$10,000
- Total: $7,000-$30,000

**First Year:**
- Complete technology refresh: $10,000-$50,000+
- Depends heavily on business size and current state

**Negotiate Technology Costs:**
If you discover significant technology issues during due diligence, negotiate:
- Price reduction equal to replacement costs
- Seller must upgrade before closing
- Escrowed funds to cover necessary upgrades
- Extended transition support from seller

## When to Walk Away

**Technology red flags that should scare you:**

❌ **Running illegal software** → Legal liability
❌ **No data backups** → One disaster away from business failure
❌ **Seller owns critical software** → Can't operate without seller
❌ **Major security vulnerabilities** → Expensive to fix, high risk
❌ **Technology costs significantly understated** → Hidden costs
❌ **Custom software with no source code** → Stuck with unsupportable system
❌ **Can't transfer critical systems** → Business can't continue

## The Bottom Line

**Technology is critical infrastructure:**

✅ Inventory all hardware and software
✅ Verify ownership and transferability
✅ Assess cybersecurity posture
✅ Document everything
✅ Budget for necessary upgrades
✅ Plan the transition carefully

**Remember:**
- Technology issues aren't obvious like financials
- Hidden technology costs can destroy your economics
- Post-purchase surprises are expensive
- Prevention (due diligence) is cheaper than cure

**Don't assume "the technology works fine."**

Verify it yourself or hire someone who can. The cost of technology due diligence ($2,000-$10,000) is tiny compared to the cost of inheriting a technology disaster ($50,000-$200,000+).

Want a complete technology assessment checklist? Our Legal & Compliance Checklist includes a comprehensive technology due diligence section.