MyDealList · Due diligence
The IP & Copyright Due Diligence Playbook: Securing Code, Brand, and Assets
Complete intellectual property due diligence for SaaS acquirers: proprietary vs open-source code audits, GPL contamination scoring, AI-generated code ownership, software clean room evaluation, and trademark, domain, and patent transfer under absolute legal safety.
The most expensive mistake in micro-acquisition is not overpaying for MRR—it is closing without verified ownership of the code, brand, and data that generate that MRR. Sellers routinely present revenue dashboards while hiding contractor IP gaps, copyleft license contamination, AI-generated code with unclear authorship, and trademark registrations that never transfer. A disciplined intellectual property due diligence workflow separates acquirers who compound cash flow from buyers who inherit litigation disguised as recurring revenue.
This masterclass is written for acquisition entrepreneurs evaluating SaaS, browser extensions, and digital tools in the $10k–$500k range. You will learn how to run a complete saas copyright audit, score GPL and copyleft contamination risk, evaluate AI-generated code ownership under 2026 legal frameworks, execute a software clean room evaluation when contamination is suspected, and transfer registered trademarks, domains, and patents under absolute legal safety.
Pair this with our legal framework for digital asset purchases, technical due diligence checklist, and micro-SaaS tech stack audit for a complete buy-side operating stack.
Not legal advice. IP law varies by jurisdiction. Engage qualified counsel before signing any APA or accepting IP assignments.
1. The IP Due Diligence Topology: What You Are Actually Buying
Intellectual property in a SaaS acquisition is not a single asset—it is a bundle of overlapping rights that must each be verified, assigned, and recorded independently. Revenue without ownership is a rental agreement the seller can revoke through litigation, platform takedowns, or trademark disputes.
1.1 The six-layer IP ownership model
| Layer | Assets covered | Primary risk if unverified | Transfer instrument |
|---|---|---|---|
| L1: Source code copyright | Application code, scripts, configs, internal docs | Contributor claims ownership; buyer cannot enforce or sublicense | Copyright assignment + repo transfer |
| L2: Third-party licenses | npm/pip/cargo dependencies, SaaS SDKs, fonts, images | GPL contamination forces source disclosure or rewrite | License compliance audit + SBOM |
| L3: Brand & trademarks | Product name, logo, tagline, registered marks | Seller launches competing product under same name | Trademark assignment (USPTO recordation if registered) |
| L4: Domain & digital presence | Domains, social handles, app store listings, DNS | Traffic hijack; SEO collapse; customer confusion | Domain purchase agreement + WHOIS transfer |
| L5: Patents & trade secrets | Utility patents, provisional filings, proprietary algorithms | Prior art invalidation; competitor patent block | Patent assignment + prior art search |
| L6: AI-generated works | Copilot/Cursor/ChatGPT-assisted code, AI marketing assets | Unclear authorship; non-assignable output; training data taint | AI provenance audit + vendor ToS compliance matrix |
Professional acquirers score each layer independently before LOI. A clean L1 (code copyright) with a contaminated L2 (GPL dependency) still fails IP diligence—the product may be commercially unusable without a full rewrite or source disclosure.
1.2 IP Risk Score (IRS): The composite diligence metric
Quantify IP exposure with a weighted composite score. Use this to negotiate price reductions, escrow holdbacks, or walk-away decisions.
Example: a $45k micro-SaaS with IRS = 2.8 should trigger a $6,750–$9,000 price reduction or equivalent escrow holdback tied to GPL remediation milestones.
2. Proprietary vs. Open-Source Code: The SaaS Copyright Audit
A saas copyright audit answers one question: does the seller entity own every line of code that generates revenue, and can they prove it in writing? Most micro-SaaS sellers cannot—because they used contractors without work-for-hire agreements, forked open-source projects without tracking license obligations, or integrated AI assistants without documenting authorship.
2.1 The proprietary code verification matrix
| Code origin | Ownership presumption | Required evidence | Risk if missing |
|---|---|---|---|
| Founder-written (employee) | Employer owns (work-for-hire) | Employment agreement or founder entity docs | Low if solo founder LLC |
| Contractor / freelancer | Contractor owns unless assigned | Signed IP assignment or work-for-hire clause per contributor | Critical—contractor can claim ownership post-close |
| Open-source fork (permissive) | MIT/Apache/BSD: derivative OK | LICENSE file + attribution compliance | Low if license preserved in NOTICE |
| Open-source fork (copyleft) | GPL/LGPL: derivative may infect product | SBOM + linkage analysis | Critical—may require source disclosure or rewrite |
| Purchased codebase / white-label | Depends on purchase agreement | Original purchase APA + assignment chain | Medium—chain of title may be broken |
| AI-assisted generation | Unclear under current law (2026) | AI tool ToS + provenance log + human review | Medium-high—vendor terms may restrict commercial use |
2.2 Automated copyright audit toolchain
Run these tools against the seller's repository during the 72-hour IP diligence sprint. Document outputs in your diligence data room.
CodeScore derivation from audit outputs
| Finding | CodeScore penalty | Remediation |
|---|---|---|
| Unassigned contractor contributor | +2.0 per contributor | Retroactive IP assignment or code rewrite |
| GPL dependency linked to proprietary core | +3.0 | Replace dependency or open-source product |
| Missing LICENSE file in forked repo | +1.0 | Restore attribution; verify upstream license |
| Contributor count > 5 without assignment docs | +1.5 | Collect assignments or audit commit scope |
| All contributors assigned; permissive deps only | 0.0 | Proceed |
2.3 The contributor chain-of-title audit
Git commit history is not proof of ownership—it is evidence of authorship. For every unique contributor email in the repository, demand one of:
- Signed Intellectual Property Assignment Agreement assigning all contributions to the seller entity
- Employment or contractor agreement with explicit work-for-hire clause covering software deliverables
- Written confirmation the contributor is the founder/principal of the seller entity (solo founder exception)
- Evidence the contributor's commits were reverted and do not exist in the production codebase (clean-room rewrite of their sections)
Rule of thumb: if a contributor has >5% of total commit lines and no assignment document, treat the deal as contaminated until cured. Do not accept verbal assurances that “they were just helping out.”
3. GPL Contamination Risk: Scoring, Detection, and Remediation
GNU General Public License (GPL) and Affero GPL (AGPL) dependencies are the silent killer of SaaS acquisitions. If GPL code is linked to your proprietary core (static linking, direct import into closed-source modules, or modification without separation), the entire derivative work may be subject to copyleft obligations—including source code disclosure to customers and competitors.
3.1 GPL contamination severity taxonomy
| Severity | Pattern | Commercial impact | Typical fix cost |
|---|---|---|---|
| S0 — None | Permissive licenses only (MIT, Apache, BSD) | None | $0 |
| S1 — Isolated | GPL tool in dev/build pipeline only; not shipped to production | Negligible | $0–$500 (replace build tool) |
| S2 — Bundled | GPL library dynamically linked; separate process boundary | Low–medium (legal gray area) | $2k–$8k (architectural separation) |
| S3 — Integrated | GPL code imported into proprietary modules; modified fork | High—copyleft may infect entire codebase | $15k–$60k (rewrite or open-source pivot) |
| S4 — Core | Product is a fork of GPL project with proprietary layer on top | Critical—product may be unsellable closed-source | $30k–$150k+ (full rewrite) |
3.2 LicenseScore formula
3.3 AGPL and SaaS: the network-copyleft trap
AGPL extends GPL obligations to network use—if users interact with your SaaS over a network, AGPL-licensed code in your stack may require you to offer source code to those users. This is more dangerous than standard GPL for SaaS because there is no “distribution” defense—network access triggers the license.
- MongoDB SSPL: server-side public license restricts offering the software as a managed service
- Elastic License 2.0: restricts providing the software as a hosted service to third parties
- Commons Clause: adds “no selling” restriction on top of permissive licenses
Scan for these in addition to GPL/AGPL. A single SSPL database driver in a multi-tenant SaaS can invalidate your entire commercial model.
4. Software Clean Room Evaluation: When Contamination Is Suspected
A software clean room evaluation is a structured process to isolate proprietary code from contaminated or third-party code, then rebuild the contaminated portions without access to the original tainted implementation. Use this when IRS LicenseScore ≥ 3.0 or when a prior acquisition left broken chain-of-title.
4.1 Clean room protocol (buy-side execution)
| Phase | Duration | Activities | Deliverable |
|---|---|---|---|
| Phase 0: Triage | 4–8 hours | SBOM + severity classification (S0–S4) | Contamination map with affected modules |
| Phase 1: Isolation | 1–2 days | Quarantine contaminated modules; document functional specs only | Functional spec doc (no source from tainted code) |
| Phase 2: Clean implementation | 1–4 weeks | Independent dev reimplements from specs + tests only | New module with permissive deps only |
| Phase 3: Verification | 2–3 days | Diff analysis; confirm zero line overlap with quarantined code | Clean room certification memo |
| Phase 4: Legal sign-off | 1–3 days | Counsel reviews protocol adherence | Legal opinion or risk acceptance letter |
4.2 Clean room cost estimation formula
Clean room team separation rules
- Spec writers may read contaminated code to document behavior—they never write replacement code
- Implementers receive only functional specs and test cases—no access to quarantined source
- Reviewers run automated diff tools comparing new code against quarantined modules
- Document the protocol in writing before work begins—counsel may require this for clean room defensibility
5. AI-Generated Code Ownership: The 2026 Legal Landscape
By 2026, the majority of micro-SaaS codebases contain AI-assisted commits—Copilot, Cursor, ChatGPT, Claude, or custom fine-tuned models. Ownership of AI-generated code remains unsettled in many jurisdictions. The US Copyright Office has consistently held that purely AI-generated works without sufficient human authorship are not copyrightable—meaning you may acquire code that nobody owns and nobody can enforce.
5.1 AI code ownership risk matrix
| Generation pattern | Copyrightability (US, 2026) | Vendor ToS risk | AIScore penalty |
|---|---|---|---|
| Human-written with AI autocomplete (<20% AI) | Likely copyrightable (human authorship) | Low if vendor grants output rights | 0.0 |
| AI-generated, human-edited (>50% AI) | Gray area—depends on edit depth | Medium—verify commercial use clause | 1.0 |
| Fully AI-generated modules (prompt-only) | Likely not copyrightable | High—output may be non-exclusive | 2.5 |
| AI trained on GPL/copyleft corpus | Unknown—potential license taint | High—training data litigation risk | 3.0 |
| No AI provenance documentation | Unverifiable | Critical—cannot assess | 2.0 (default until proven otherwise) |
5.2 AI vendor Terms of Service compliance checklist
For each AI tool used in the codebase, verify these clauses in the vendor Terms of Service effective at the time of generation:
- Output ownership: does the user own generated code, or does the vendor retain a license?
- Commercial use: are paid SaaS products explicitly permitted?
- Assignment rights: can output be assigned to a buyer in an asset purchase?
- Training opt-out: was the seller's code excluded from vendor training datasets?
- Indemnification: does the vendor indemnify against third-party IP claims on output?
5.3 AI provenance detection script
5.4 APA language for AI-generated works
Include these representations in the APA IP schedule (adapt with counsel):
Seller represents that (a) all AI-assisted code was generated using tools whose Terms of Service permit commercial use and assignment; (b) Seller has documented AI provenance for all modules listed in Exhibit B; (c) no AI-generated module constitutes the sole or primary functional component of the Product without substantial human authorship; (d) Seller indemnifies Buyer against claims arising from AI training data contamination or vendor ToS violations not disclosed in diligence.
6. Trademark, Domain, and Patent Transfer Under Absolute Legal Safety
Code ownership without brand ownership is a trap. The seller can register a competing trademark, reclaim a domain through registrar disputes, or assert patent rights against your continued operation. Transfer each asset class through documented instruments—not verbal promises.
6.1 Registered trademark transfer workflow
| Step | Action | Timeline | Verification |
|---|---|---|---|
| 1. USPTO search | Confirm registration status, class, and owner match seller entity | Same day | TESS/TSDR screenshot in data room |
| 2. Assignment agreement | Execute trademark assignment naming registration number + mark | Pre-close | Signed PDF with notarization if required |
| 3. USPTO recordation | File Assignment Recordation via USPTO Trademark Electronic Application System | 2–4 months | USPTO assignment record number |
| 4. Maintenance fees | Confirm Section 8/9 filings current; budget renewal costs | Ongoing | USPTO maintenance history export |
| 5. Common-law marks | Assignment in APA exhibit even if unregistered | Effective on closing | Written assignment + brand asset handover |
6.2 Domain transfer safety protocol
- WHOIS audit: confirm registrant matches seller entity; check for privacy proxy that obscures true owner
- Lock removal: seller disables registrar transfer lock 24 hours before auth code release
- Auth code transfer: initiate push transfer to buyer-controlled registrar account—never accept “we'll point DNS for you”
- DNS verification: confirm buyer controls nameservers before escrow release
- Secondary domains: transfer all TLD variants (.com, .io, .co, .app) listed in Schedule A
- Email continuity: migrate MX records only after verifying SPF/DKIM/DMARC under buyer control
6.3 Patent diligence for micro-SaaS acquisitions
Patents are rare in sub-$500k SaaS deals but catastrophic when present and defective. Run a lightweight patent audit:
| Check | Tool / source | Pass criteria |
|---|---|---|
| Seller-owned patents | USPTO PAIR / Google Patents | Assignee matches seller; status active |
| Freedom to operate (FTO) | Patent landscape search (counsel or PatSnap) | No blocking patents on core features |
| Provisional filings | Seller disclosure + USPTO search | Converted or abandoned; no surprise claims |
| Patent assignment | USPTO Assignment Database | Chain of title complete to seller |
7. The 72-Hour IP Due Diligence Sprint
Execute this sprint between LOI and APA signing. Do not wire funds until every checkbox passes or is explicitly accepted with price adjustment.
7.1 Hour-by-hour execution checklist
| Window | Tasks | Owner | Output |
|---|---|---|---|
| H0–H4 | Repo access; SBOM generation; license scan; contributor list | Technical DD lead | SBOM.json + LicenseScore draft |
| H4–H12 | Collect IP assignment docs; contractor audit; AI provenance log | Legal / buyer | Assignment folder + gap list |
| H12–H24 | USPTO trademark search; WHOIS domain audit; patent landscape | Legal counsel | BrandScore + DomainScore + PatentScore |
| H24–H48 | GPL severity classification; clean room scope if needed | Engineering + legal | Contamination map + remediation budget |
| H48–H60 | Compute IRS composite; draft APA IP reps and holdback terms | Buyer + counsel | IRS scorecard + price adjustment memo |
| H60–H72 | Final gap remediation or walk-away decision; Schedule A draft | Buyer | Go / no-go with documented rationale |
7.2 IP diligence data room requirements
Seller must provide these documents before APA signing:
- Complete SBOM with license classification per dependency
- Signed IP assignment or work-for-hire agreement for every contributor
- AI provenance log (tools, dates, modules, human review confirmation)
- Trademark registration certificates or common-law usage evidence
- Domain registrar account access or auth codes for all domains
- Patent filings list with status and assignment chain
- Third-party content licenses (stock images, fonts, embedded media)
- Prior acquisition APAs if codebase was previously purchased
7.3 Price adjustment formula for IP defects
8. Post-Close IP Hardening: The First 30 Days
Closing is not the end of IP diligence—it is the beginning of IP defense. Execute these actions in the first 30 days post-acquisition.
8.1 Day 1–7: Immediate lockdown
- Confirm buyer entity is GitHub org owner with 2FA enforced
- File USPTO trademark assignment recordation (if registered mark)
- Verify WHOIS registrant on all domains shows buyer entity
- Register copyright with US Copyright Office for core codebase (optional but recommended)
- Update privacy policy to reflect new data controller
- Notify key customers of ownership change if contractually required
8.2 Day 8–30: Compliance and monitoring
- Implement automated license scanning in CI/CD pipeline
- Establish AI tool policy for all new development (approved vendors only)
- Set Google Alerts for trademark infringement on product name
- Archive complete diligence data room for 7-year retention
- Schedule annual IP audit on anniversary of close
9. Frequently Asked Questions
Can I skip IP diligence on a $10k side project?
No. A $10k asset with GPL contamination or missing contractor assignments can cost $15k+ to remediate—turning a bargain into a liability. Run the 72-hour sprint on every code-based acquisition regardless of price.
What IRS score should make me walk away?
IRS above 3.5 unless you have engineering capacity for clean room remediation and legal budget for counsel review. Between 2.6 and 3.5, renegotiate aggressively or structure escrow holdbacks tied to remediation milestones.
Does buying the GitHub repo mean I own the code?
No. Repository transfer is a technical action—not a legal assignment. You need a written copyright assignment from the seller entity plus contributor assignments for a defensible ownership chain.
How do I handle AI-generated code in the APA?
Require seller disclosure of AI tools used, verify vendor ToS permit commercial assignment, and include AI-specific reps and indemnification in the IP schedule. See Section 5.4 for template language—adapt with counsel.
Is a clean room always necessary for GPL contamination?
Only for S3 (integrated) and S4 (core) severity. S1 and S2 can often be remediated by replacing the dependency or architectural separation without full clean room protocol. Counsel should classify severity before you commit remediation budget.
Comments from Pro members
Selected feedback from verified Pro subscribers. Timestamps update while you read.
- Jordan K.…
Switched to Pro mainly for the extra analyses and Reddit/X coverage. This workflow section matches how I screen listings now—saves me hours every week.
Pro
- Priya S.…
The cross-marketplace point is huge. I used to miss duplicates across sites. Premium paid for itself after one decent lead I would have skipped.
Pro
- Marcus T.…
As a Pro user I appreciate the emphasis on red flags before diligence. If you are still on Free, at least read the checklist twice before you wire funds.
Pro
- Elena R.…
I send founders here when they ask how I find sub-$10k deals. The internal link to pricing is honest—you really do need Premium or Pro if you are serious.
Pro
- Chris V.…
MyDealList + a simple spreadsheet is my stack for 2026. Dynamic feed + alerts beats refreshing five marketplaces manually. Worth upgrading from Premium to Pro if you scale volume.
Pro
Leave a Reply
Your email address will not be published.