MyDealList · Due diligence

The IP & Copyright Due Diligence Playbook: Securing Code, Brand, and Assets

Complete intellectual property due diligence for SaaS acquirers: proprietary vs open-source code audits, GPL contamination scoring, AI-generated code ownership, software clean room evaluation, and trademark, domain, and patent transfer under absolute legal safety.

40 min read

The most expensive mistake in micro-acquisition is not overpaying for MRR—it is closing without verified ownership of the code, brand, and data that generate that MRR. Sellers routinely present revenue dashboards while hiding contractor IP gaps, copyleft license contamination, AI-generated code with unclear authorship, and trademark registrations that never transfer. A disciplined intellectual property due diligence workflow separates acquirers who compound cash flow from buyers who inherit litigation disguised as recurring revenue.

This masterclass is written for acquisition entrepreneurs evaluating SaaS, browser extensions, and digital tools in the $10k–$500k range. You will learn how to run a complete saas copyright audit, score GPL and copyleft contamination risk, evaluate AI-generated code ownership under 2026 legal frameworks, execute a software clean room evaluation when contamination is suspected, and transfer registered trademarks, domains, and patents under absolute legal safety.

Pair this with our legal framework for digital asset purchases, technical due diligence checklist, and micro-SaaS tech stack audit for a complete buy-side operating stack.

Not legal advice. IP law varies by jurisdiction. Engage qualified counsel before signing any APA or accepting IP assignments.

1. The IP Due Diligence Topology: What You Are Actually Buying

Intellectual property in a SaaS acquisition is not a single asset—it is a bundle of overlapping rights that must each be verified, assigned, and recorded independently. Revenue without ownership is a rental agreement the seller can revoke through litigation, platform takedowns, or trademark disputes.

1.1 The six-layer IP ownership model

LayerAssets coveredPrimary risk if unverifiedTransfer instrument
L1: Source code copyrightApplication code, scripts, configs, internal docsContributor claims ownership; buyer cannot enforce or sublicenseCopyright assignment + repo transfer
L2: Third-party licensesnpm/pip/cargo dependencies, SaaS SDKs, fonts, imagesGPL contamination forces source disclosure or rewriteLicense compliance audit + SBOM
L3: Brand & trademarksProduct name, logo, tagline, registered marksSeller launches competing product under same nameTrademark assignment (USPTO recordation if registered)
L4: Domain & digital presenceDomains, social handles, app store listings, DNSTraffic hijack; SEO collapse; customer confusionDomain purchase agreement + WHOIS transfer
L5: Patents & trade secretsUtility patents, provisional filings, proprietary algorithmsPrior art invalidation; competitor patent blockPatent assignment + prior art search
L6: AI-generated worksCopilot/Cursor/ChatGPT-assisted code, AI marketing assetsUnclear authorship; non-assignable output; training data taintAI provenance audit + vendor ToS compliance matrix

Professional acquirers score each layer independently before LOI. A clean L1 (code copyright) with a contaminated L2 (GPL dependency) still fails IP diligence—the product may be commercially unusable without a full rewrite or source disclosure.

1.2 IP Risk Score (IRS): The composite diligence metric

Quantify IP exposure with a weighted composite score. Use this to negotiate price reductions, escrow holdbacks, or walk-away decisions.

IRS = (0.30 × CodeScore) + (0.25 × LicenseScore) + (0.15 × BrandScore) + (0.10 × DomainScore) + (0.10 × PatentScore) + (0.10 × AIScore) Where each sub-score ∈ [0, 5]: 0 = verified clean 5 = critical unmitigated risk Interpretation: IRS ≤ 1.5 → proceed with standard APA IP reps IRS 1.6–2.5 → require IP holdback (10–15% purchase price) IRS 2.6–3.5 → renegotiate price or demand clean-room remediation IRS > 3.5 → walk unless turnaround thesis with legal budget

Example: a $45k micro-SaaS with IRS = 2.8 should trigger a $6,750–$9,000 price reduction or equivalent escrow holdback tied to GPL remediation milestones.

2. Proprietary vs. Open-Source Code: The SaaS Copyright Audit

A saas copyright audit answers one question: does the seller entity own every line of code that generates revenue, and can they prove it in writing? Most micro-SaaS sellers cannot—because they used contractors without work-for-hire agreements, forked open-source projects without tracking license obligations, or integrated AI assistants without documenting authorship.

2.1 The proprietary code verification matrix

Code originOwnership presumptionRequired evidenceRisk if missing
Founder-written (employee)Employer owns (work-for-hire)Employment agreement or founder entity docsLow if solo founder LLC
Contractor / freelancerContractor owns unless assignedSigned IP assignment or work-for-hire clause per contributorCritical—contractor can claim ownership post-close
Open-source fork (permissive)MIT/Apache/BSD: derivative OKLICENSE file + attribution complianceLow if license preserved in NOTICE
Open-source fork (copyleft)GPL/LGPL: derivative may infect productSBOM + linkage analysisCritical—may require source disclosure or rewrite
Purchased codebase / white-labelDepends on purchase agreementOriginal purchase APA + assignment chainMedium—chain of title may be broken
AI-assisted generationUnclear under current law (2026)AI tool ToS + provenance log + human reviewMedium-high—vendor terms may restrict commercial use

2.2 Automated copyright audit toolchain

Run these tools against the seller's repository during the 72-hour IP diligence sprint. Document outputs in your diligence data room.

# Step 1: Generate Software Bill of Materials (SBOM) npx @cyclonedx/cyclonedx-npm --output-file sbom.json # Step 2: License scan all dependencies npx license-checker --summary --excludePrivatePackages # Step 3: Copyleft / GPL detection npx license-checker --onlyAllow "MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC" \ --failOn "GPL;AGPL;LGPL;SSPL;EUPL" # Step 4: Contributor audit (Git history) git shortlog -sne --all | wc -l # contributor count git log --format='%ae' | sort -u # unique author emails # Step 5: FOSSA or Snyk (enterprise-grade) fossa analyze && fossa test

CodeScore derivation from audit outputs

FindingCodeScore penaltyRemediation
Unassigned contractor contributor+2.0 per contributorRetroactive IP assignment or code rewrite
GPL dependency linked to proprietary core+3.0Replace dependency or open-source product
Missing LICENSE file in forked repo+1.0Restore attribution; verify upstream license
Contributor count > 5 without assignment docs+1.5Collect assignments or audit commit scope
All contributors assigned; permissive deps only0.0Proceed

2.3 The contributor chain-of-title audit

Git commit history is not proof of ownership—it is evidence of authorship. For every unique contributor email in the repository, demand one of:

  1. Signed Intellectual Property Assignment Agreement assigning all contributions to the seller entity
  2. Employment or contractor agreement with explicit work-for-hire clause covering software deliverables
  3. Written confirmation the contributor is the founder/principal of the seller entity (solo founder exception)
  4. Evidence the contributor's commits were reverted and do not exist in the production codebase (clean-room rewrite of their sections)
Rule of thumb: if a contributor has >5% of total commit lines and no assignment document, treat the deal as contaminated until cured. Do not accept verbal assurances that “they were just helping out.”

3. GPL Contamination Risk: Scoring, Detection, and Remediation

GNU General Public License (GPL) and Affero GPL (AGPL) dependencies are the silent killer of SaaS acquisitions. If GPL code is linked to your proprietary core (static linking, direct import into closed-source modules, or modification without separation), the entire derivative work may be subject to copyleft obligations—including source code disclosure to customers and competitors.

3.1 GPL contamination severity taxonomy

SeverityPatternCommercial impactTypical fix cost
S0 — NonePermissive licenses only (MIT, Apache, BSD)None$0
S1 — IsolatedGPL tool in dev/build pipeline only; not shipped to productionNegligible$0–$500 (replace build tool)
S2 — BundledGPL library dynamically linked; separate process boundaryLow–medium (legal gray area)$2k–$8k (architectural separation)
S3 — IntegratedGPL code imported into proprietary modules; modified forkHigh—copyleft may infect entire codebase$15k–$60k (rewrite or open-source pivot)
S4 — CoreProduct is a fork of GPL project with proprietary layer on topCritical—product may be unsellable closed-source$30k–$150k+ (full rewrite)

3.2 LicenseScore formula

LicenseScore = baseSeverity + (0.5 × unlicensedDepCount) + (0.3 × copyleftDepCount) Where: baseSeverity = { S0: 0, S1: 0.5, S2: 1.5, S3: 3.5, S4: 5.0 } unlicensedDepCount = dependencies with no LICENSE in package metadata copyleftDepCount = GPL/AGPL/LGPL/SSPL dependencies in production bundle Cap LicenseScore at 5.0.

3.3 AGPL and SaaS: the network-copyleft trap

AGPL extends GPL obligations to network use—if users interact with your SaaS over a network, AGPL-licensed code in your stack may require you to offer source code to those users. This is more dangerous than standard GPL for SaaS because there is no “distribution” defense—network access triggers the license.

  • MongoDB SSPL: server-side public license restricts offering the software as a managed service
  • Elastic License 2.0: restricts providing the software as a hosted service to third parties
  • Commons Clause: adds “no selling” restriction on top of permissive licenses

Scan for these in addition to GPL/AGPL. A single SSPL database driver in a multi-tenant SaaS can invalidate your entire commercial model.

4. Software Clean Room Evaluation: When Contamination Is Suspected

A software clean room evaluation is a structured process to isolate proprietary code from contaminated or third-party code, then rebuild the contaminated portions without access to the original tainted implementation. Use this when IRS LicenseScore ≥ 3.0 or when a prior acquisition left broken chain-of-title.

4.1 Clean room protocol (buy-side execution)

PhaseDurationActivitiesDeliverable
Phase 0: Triage4–8 hoursSBOM + severity classification (S0–S4)Contamination map with affected modules
Phase 1: Isolation1–2 daysQuarantine contaminated modules; document functional specs onlyFunctional spec doc (no source from tainted code)
Phase 2: Clean implementation1–4 weeksIndependent dev reimplements from specs + tests onlyNew module with permissive deps only
Phase 3: Verification2–3 daysDiff analysis; confirm zero line overlap with quarantined codeClean room certification memo
Phase 4: Legal sign-off1–3 daysCounsel reviews protocol adherenceLegal opinion or risk acceptance letter

4.2 Clean room cost estimation formula

CleanRoomCost = (contaminatedLOC × $0.80) + (contaminatedModules × $2,500) + legalReview Typical ranges: S2 isolated module (500 LOC) → $2,400–$5,000 S3 integrated subsystem (3k LOC) → $12,000–$25,000 S4 core rewrite (15k+ LOC) → $50,000–$150,000+ Negotiate: seller funds clean room via escrow holdback or pre-close remediation.

Clean room team separation rules

  1. Spec writers may read contaminated code to document behavior—they never write replacement code
  2. Implementers receive only functional specs and test cases—no access to quarantined source
  3. Reviewers run automated diff tools comparing new code against quarantined modules
  4. Document the protocol in writing before work begins—counsel may require this for clean room defensibility

5. AI-Generated Code Ownership: The 2026 Legal Landscape

By 2026, the majority of micro-SaaS codebases contain AI-assisted commits—Copilot, Cursor, ChatGPT, Claude, or custom fine-tuned models. Ownership of AI-generated code remains unsettled in many jurisdictions. The US Copyright Office has consistently held that purely AI-generated works without sufficient human authorship are not copyrightable—meaning you may acquire code that nobody owns and nobody can enforce.

5.1 AI code ownership risk matrix

Generation patternCopyrightability (US, 2026)Vendor ToS riskAIScore penalty
Human-written with AI autocomplete (<20% AI)Likely copyrightable (human authorship)Low if vendor grants output rights0.0
AI-generated, human-edited (>50% AI)Gray area—depends on edit depthMedium—verify commercial use clause1.0
Fully AI-generated modules (prompt-only)Likely not copyrightableHigh—output may be non-exclusive2.5
AI trained on GPL/copyleft corpusUnknown—potential license taintHigh—training data litigation risk3.0
No AI provenance documentationUnverifiableCritical—cannot assess2.0 (default until proven otherwise)

5.2 AI vendor Terms of Service compliance checklist

For each AI tool used in the codebase, verify these clauses in the vendor Terms of Service effective at the time of generation:

  • Output ownership: does the user own generated code, or does the vendor retain a license?
  • Commercial use: are paid SaaS products explicitly permitted?
  • Assignment rights: can output be assigned to a buyer in an asset purchase?
  • Training opt-out: was the seller's code excluded from vendor training datasets?
  • Indemnification: does the vendor indemnify against third-party IP claims on output?

5.3 AI provenance detection script

# Detect likely AI-generated commit patterns in Git history git log --all --format='%H %s %ae' | while read hash subject email; do # Flag commits with AI tool signatures in message echo "$subject" | grep -iE 'copilot|cursor|chatgpt|claude|ai-generated' \ && echo "AI-flagged: $hash $subject" done # Scan for common AI code markers (heuristic) rg -l 'Generated by (OpenAI|Anthropic|GitHub Copilot)' --type-add 'code:*.{ts,js,py,go}' # Require seller disclosure: AI_Provenance_Log.md listing: # - Tool name + version # - Date range of use # - Approximate % of codebase AI-assisted # - Human review confirmation per module

5.4 APA language for AI-generated works

Include these representations in the APA IP schedule (adapt with counsel):

Seller represents that (a) all AI-assisted code was generated using tools whose Terms of Service permit commercial use and assignment; (b) Seller has documented AI provenance for all modules listed in Exhibit B; (c) no AI-generated module constitutes the sole or primary functional component of the Product without substantial human authorship; (d) Seller indemnifies Buyer against claims arising from AI training data contamination or vendor ToS violations not disclosed in diligence.

6. Trademark, Domain, and Patent Transfer Under Absolute Legal Safety

Code ownership without brand ownership is a trap. The seller can register a competing trademark, reclaim a domain through registrar disputes, or assert patent rights against your continued operation. Transfer each asset class through documented instruments—not verbal promises.

6.1 Registered trademark transfer workflow

StepActionTimelineVerification
1. USPTO searchConfirm registration status, class, and owner match seller entitySame dayTESS/TSDR screenshot in data room
2. Assignment agreementExecute trademark assignment naming registration number + markPre-closeSigned PDF with notarization if required
3. USPTO recordationFile Assignment Recordation via USPTO Trademark Electronic Application System2–4 monthsUSPTO assignment record number
4. Maintenance feesConfirm Section 8/9 filings current; budget renewal costsOngoingUSPTO maintenance history export
5. Common-law marksAssignment in APA exhibit even if unregisteredEffective on closingWritten assignment + brand asset handover

6.2 Domain transfer safety protocol

  1. WHOIS audit: confirm registrant matches seller entity; check for privacy proxy that obscures true owner
  2. Lock removal: seller disables registrar transfer lock 24 hours before auth code release
  3. Auth code transfer: initiate push transfer to buyer-controlled registrar account—never accept “we'll point DNS for you”
  4. DNS verification: confirm buyer controls nameservers before escrow release
  5. Secondary domains: transfer all TLD variants (.com, .io, .co, .app) listed in Schedule A
  6. Email continuity: migrate MX records only after verifying SPF/DKIM/DMARC under buyer control

6.3 Patent diligence for micro-SaaS acquisitions

Patents are rare in sub-$500k SaaS deals but catastrophic when present and defective. Run a lightweight patent audit:

CheckTool / sourcePass criteria
Seller-owned patentsUSPTO PAIR / Google PatentsAssignee matches seller; status active
Freedom to operate (FTO)Patent landscape search (counsel or PatSnap)No blocking patents on core features
Provisional filingsSeller disclosure + USPTO searchConverted or abandoned; no surprise claims
Patent assignmentUSPTO Assignment DatabaseChain of title complete to seller
PatentScore: 0.0 = no patents claimed or found 1.0 = seller owns 1–2 active patents, clean assignment chain 2.5 = provisional filings pending conversion (uncertainty) 3.5 = FTO concern flagged by counsel (not yet litigated) 5.0 = active third-party patent claim against product features

7. The 72-Hour IP Due Diligence Sprint

Execute this sprint between LOI and APA signing. Do not wire funds until every checkbox passes or is explicitly accepted with price adjustment.

7.1 Hour-by-hour execution checklist

WindowTasksOwnerOutput
H0–H4Repo access; SBOM generation; license scan; contributor listTechnical DD leadSBOM.json + LicenseScore draft
H4–H12Collect IP assignment docs; contractor audit; AI provenance logLegal / buyerAssignment folder + gap list
H12–H24USPTO trademark search; WHOIS domain audit; patent landscapeLegal counselBrandScore + DomainScore + PatentScore
H24–H48GPL severity classification; clean room scope if neededEngineering + legalContamination map + remediation budget
H48–H60Compute IRS composite; draft APA IP reps and holdback termsBuyer + counselIRS scorecard + price adjustment memo
H60–H72Final gap remediation or walk-away decision; Schedule A draftBuyerGo / no-go with documented rationale

7.2 IP diligence data room requirements

Seller must provide these documents before APA signing:

  • Complete SBOM with license classification per dependency
  • Signed IP assignment or work-for-hire agreement for every contributor
  • AI provenance log (tools, dates, modules, human review confirmation)
  • Trademark registration certificates or common-law usage evidence
  • Domain registrar account access or auth codes for all domains
  • Patent filings list with status and assignment chain
  • Third-party content licenses (stock images, fonts, embedded media)
  • Prior acquisition APAs if codebase was previously purchased

7.3 Price adjustment formula for IP defects

IP_Adjustment = PurchasePrice × (IRS / 5) × 0.35 + RemediationCost × 1.15 Where: IRS = composite IP Risk Score (0–5) RemediationCost = clean room + legal + contractor assignment costs 1.15 = contingency multiplier for unknown unknowns Example: $60k deal, IRS = 2.4, RemediationCost = $8,000 IP_Adjustment = $60,000 × (2.4/5) × 0.35 + $8,000 × 1.15 = $10,080 + $9,200 = $19,280 Adjusted offer = $60,000 - $19,280 = $40,720 (or equivalent escrow holdback)

8. Post-Close IP Hardening: The First 30 Days

Closing is not the end of IP diligence—it is the beginning of IP defense. Execute these actions in the first 30 days post-acquisition.

8.1 Day 1–7: Immediate lockdown

  1. Confirm buyer entity is GitHub org owner with 2FA enforced
  2. File USPTO trademark assignment recordation (if registered mark)
  3. Verify WHOIS registrant on all domains shows buyer entity
  4. Register copyright with US Copyright Office for core codebase (optional but recommended)
  5. Update privacy policy to reflect new data controller
  6. Notify key customers of ownership change if contractually required

8.2 Day 8–30: Compliance and monitoring

  1. Implement automated license scanning in CI/CD pipeline
  2. Establish AI tool policy for all new development (approved vendors only)
  3. Set Google Alerts for trademark infringement on product name
  4. Archive complete diligence data room for 7-year retention
  5. Schedule annual IP audit on anniversary of close

9. Frequently Asked Questions

Can I skip IP diligence on a $10k side project?

No. A $10k asset with GPL contamination or missing contractor assignments can cost $15k+ to remediate—turning a bargain into a liability. Run the 72-hour sprint on every code-based acquisition regardless of price.

What IRS score should make me walk away?

IRS above 3.5 unless you have engineering capacity for clean room remediation and legal budget for counsel review. Between 2.6 and 3.5, renegotiate aggressively or structure escrow holdbacks tied to remediation milestones.

Does buying the GitHub repo mean I own the code?

No. Repository transfer is a technical action—not a legal assignment. You need a written copyright assignment from the seller entity plus contributor assignments for a defensible ownership chain.

How do I handle AI-generated code in the APA?

Require seller disclosure of AI tools used, verify vendor ToS permit commercial assignment, and include AI-specific reps and indemnification in the IP schedule. See Section 5.4 for template language—adapt with counsel.

Is a clean room always necessary for GPL contamination?

Only for S3 (integrated) and S4 (core) severity. S1 and S2 can often be remediated by replacing the dependency or architectural separation without full clean room protocol. Counsel should classify severity before you commit remediation budget.

Comments from Pro members

Selected feedback from verified Pro subscribers. Timestamps update while you read.

  • Jordan K.

    Switched to Pro mainly for the extra analyses and Reddit/X coverage. This workflow section matches how I screen listings now—saves me hours every week.

    Pro

  • Priya S.

    The cross-marketplace point is huge. I used to miss duplicates across sites. Premium paid for itself after one decent lead I would have skipped.

    Pro

  • Marcus T.

    As a Pro user I appreciate the emphasis on red flags before diligence. If you are still on Free, at least read the checklist twice before you wire funds.

    Pro

  • Elena R.

    I send founders here when they ask how I find sub-$10k deals. The internal link to pricing is honest—you really do need Premium or Pro if you are serious.

    Pro

  • Chris V.

    MyDealList + a simple spreadsheet is my stack for 2026. Dynamic feed + alerts beats refreshing five marketplaces manually. Worth upgrading from Premium to Pro if you scale volume.

    Pro

Leave a Reply

Your email address will not be published.

Live activity

Team in Chicago found a gem with AI