Online business due diligence checklist
Work through traffic, revenue, contract, and technical checks before you commit to buying an online business. Each task has an optional note field for a figure, a source, or a concern to follow up on — check items off as you complete them, then export the whole checklist (with your notes) to a branded PDF or a CSV to share with a co-investor or advisor.
Frequently asked questions
What's the single most common thing buyers miss in due diligence?
Revenue reconciliation against actual processor statements. Sellers sometimes report revenue from a dashboard or spreadsheet summary that doesn't match what actually settled in Stripe or PayPal once refunds, chargebacks, and processor fees are accounted for. The second most common miss is traffic concentration risk — a business that looks healthy on trailing 12-month traffic but is quietly losing 20-30% of its organic traffic month over month due to an algorithm update.
How far back should I look at traffic and revenue trends?
At least 24 months where available, so you can see a full year-over-year comparison rather than just a trailing-12-month snapshot that can hide a declining trend. For businesses with strong seasonality (e.g. ecommerce around holidays), 24-36 months lets you confirm the seasonal pattern is consistent and not the result of a one-off promotional spike being presented as normal performance.
What does 'key person risk' mean in an acquisition and why does it matter?
Key person risk is the extent to which the business depends on the seller personally — their relationships with suppliers, their personal brand driving traffic, or undocumented processes only they know. It matters because a business that scores well on every financial metric can still fail post-acquisition if critical relationships or knowledge don't survive the handover; this is exactly what a structured transition period and documentation requirement in the purchase agreement is meant to protect against.
Share this tool
Related checklists
- Acquisitions Post-acquisition 90-day checklist → A 90-day handover checklist for after you buy an online business — covering infrastructure transfer, access, SEO continuity, and monitoring. Check items off, add notes, then export your progress to PDF or CSV.
- Security GDPR compliance checklist → A GDPR compliance checklist covering privacy notices, consent, vendor agreements, and data subject rights. Check items off, add notes, then export your progress to PDF or CSV.
- SaaS Monthly SaaS health review checklist → A monthly review checklist covering MRR movement, cohort churn, customer sentiment, and unit economics for a SaaS business. Check items off, add notes, then export your progress to PDF or CSV.
- Security Security audit checklist → A security audit checklist covering authentication, application security, and infrastructure monitoring for an online business. Check items off, add notes, then export your progress to PDF or CSV.