Safeguarding software IP in a software due diligence: Effective strategies for sell- and buy-side

Written by Egon Wuchner | Jul 8, 2025 2:02:17 PM

Part 1 of the blog series on ‘Software due diligence: the key to successful M&A deals’ dealt with the influence of company size and organisation on the implementation and focus of software due diligence.

Here in Part 2, we take a detailed look at the protection of software IP and suitable strategies.

External expertise protects sensitive software IP

To protect the intellectual property rights of software during an M&A transaction, a specialised external service provider is usually hired to conduct software due diligence (SW DD). This approach has proven successful, ensuring that neither the investor nor any other unauthorised parties gain direct or indirect access to the source code or underlying data sources.

A legally binding non-disclosure agreement (NDA) between the seller, the investor, and the analysis service provider ensures that confidentiality is maintained during and after the SW DD process. The analysis service provider — such as Cape of Good Code — prepares a report based on this access to information, enabling the investor to assess the software without disclosing the IP.

Advantages for the buy-side: protection from liability risks

This approach protects the target's IP and offers investors legal security. Should the transaction fail, the investor can prove that they never had access to the IP, which is an important form of protection against possible recourse claims.

Technical measures to safeguard the software IP

Technical IP protection begins with the execution of the analysis, which is carried out exclusively on seller-side computers — typically via virtual machines (VMs) that are specifically provided for this purpose. Access to these VMs is secured in various ways, for example:

  • Virtual Private Networks (VPNs) for encrypted connections;
  • IP whitelisting, which grants access only to certain IP addresses.

A copy or minimal export of the required data is usually provided on the VMs. For tools like DETANGLE from Cape of Good Code, it is sufficient to export selected data records from a bug tracker and clone a code repository. Only the necessary metadata, such as the ticket ID, title, type, and any hierarchies, is extracted.
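As an added illustration of the "minimal export" described above (example code written for this post, not DETANGLE or any Cape of Good Code tooling), the following Python script projects a constructed bug-tracker export down to the metadata fields the text names, checks that the retained hierarchy does not point at withheld tickets, and records a hash of exactly what was handed over. The field names and the ticket records are assumptions.

```python
import hashlib
import json

# Allowlist of ticket fields that may leave the seller's environment.
# Assumption: these names mirror "ticket ID, title, type, and any hierarchies".
EXPORT_FIELDS = ("id", "title", "type", "parent_id")

# Constructed bug-tracker export. "description", "comments" and "assignee"
# are the kind of free text and personal data that must not be exported.
RAW_TICKETS = [
    {"id": "PROJ-1", "title": "Login fails on SSO", "type": "Bug",
     "parent_id": None, "description": "Stack trace with internal hostnames ...",
     "comments": ["Alice: reproduced on prod-db-03"], "assignee": "alice@example.com"},
    {"id": "PROJ-2", "title": "Rate limiter", "type": "Epic", "parent_id": None,
     "description": "Design notes", "comments": [], "assignee": "bob@example.com"},
    {"id": "PROJ-3", "title": "Token bucket impl", "type": "Story",
     "parent_id": "PROJ-2", "description": "...", "comments": [], "assignee": None},
]


def minimal_export(tickets):
    """Keep only allowlisted fields; anything not listed is dropped, never copied."""
    return [{field: t.get(field) for field in EXPORT_FIELDS} for t in tickets]


def hierarchy_is_closed(exported):
    """Every parent reference must resolve inside the export, otherwise the
    recipient can infer the existence of tickets that were deliberately withheld."""
    ids = {t["id"] for t in exported}
    return all(t["parent_id"] is None or t["parent_id"] in ids for t in exported)


def leaked_fields(exported):
    """Pre-hand-over check: any field outside the allowlist is a leak."""
    return sorted({k for t in exported for k in t if k not in EXPORT_FIELDS})


def export_manifest(exported):
    """Canonical JSON plus SHA-256, so seller and consultant can later agree on
    exactly which data set changed hands (useful if the deal falls through)."""
    canonical = json.dumps(exported, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return {"records": len(exported), "sha256": digest}


if __name__ == "__main__":
    data = minimal_export(RAW_TICKETS)
    assert not leaked_fields(data) and hierarchy_is_closed(data)
    print(json.dumps(data, indent=2))
    print(export_manifest(data))
```

The allowlist is the important design choice: a denylist of "sensitive" fields silently passes through any field the tracker adds later, whereas an allowlist only ever exports what was explicitly agreed.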

In some cases, direct read access is necessary, for instance to analyse data from DevOps tools. The aim is to draw conclusions about the quality of technical processes, such as test coverage or code reviews.

When access to source code is not permitted: alternatives to the classic software scan

Some vendors prohibit access to source code or repositories out of concern for IP rights. Nevertheless, they must provide sufficient information about the software to enable investors to make a substantiated risk assessment.

In such cases, Cape of Good Code offers special tools that sellers can use to:

  • make the source code (in code repositories) unidentifiable;
  • export quality metrics from code scanners applied by the seller.
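As an added example of what "making the source code unidentifiable" can mean in practice (written for this post; it is not Cape of Good Code's tool and does not show how DETANGLE works), the following Python script pseudonymizes a constructed source file with a keyed hash while leaving keywords, operators and indentation intact, and then shows that simple structural metrics survive the transformation. The sample file, the secret and the metric definitions are all assumptions.

```python
import builtins
import hashlib
import hmac
import io
import keyword
import tokenize

# Constructed secret held by the seller; without it the pseudonyms cannot be
# mapped back to the original names.
SELLER_SECRET = b"constructed-seller-secret-do-not-reuse"

# Language keywords and builtins keep their names so that control flow and
# call structure remain analysable.
_PRESERVED = set(keyword.kwlist) | set(dir(builtins))

# Constructed sample: a small, deliberately revealing source file.
SAMPLE_SOURCE = '''\
# Pricing rules for AcmeCorp customers (constructed sample)
import math

class CustomerAccount:
    """Tracks a customer's credit limit."""
    def __init__(self, name, credit_limit):
        self.name = name
        self.credit_limit = credit_limit

    def can_order(self, amount):
        if amount <= 0:
            return False
        elif amount > self.credit_limit:
            return False
        return math.isfinite(amount)
'''


def pseudonym(name, secret=SELLER_SECRET):
    """Deterministic, keyed replacement: same name -> same token within one export."""
    digest = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return "id_" + digest[:10]


def anonymize_python(source, secret=SELLER_SECRET):
    """Replace identifiers, string literals and comments; keep keywords,
    operators, indentation and line structure."""
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        ttype, tstr = tok.type, tok.string
        if ttype == tokenize.NAME and tstr not in _PRESERVED:
            tstr = pseudonym(tstr, secret)
        elif ttype == tokenize.STRING:
            tstr = '"..."'          # literal text is the most likely IP leak
        elif ttype == tokenize.COMMENT:
            tstr = "#"
        out.append((ttype, tstr))
    # Two-tuple mode lets untokenize regenerate spacing from the token stream.
    return tokenize.untokenize(out)


BRANCH_KEYWORDS = {"if", "elif", "for", "while", "except", "and", "or"}


def structural_metrics(source):
    """The kind of counts a code-quality analysis still obtains from anonymized code."""
    counts = {"functions": 0, "classes": 0, "branches": 0}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        if tok.string == "def":
            counts["functions"] += 1
        elif tok.string == "class":
            counts["classes"] += 1
        elif tok.string in BRANCH_KEYWORDS:
            counts["branches"] += 1
    return counts


if __name__ == "__main__":
    anonymized = anonymize_python(SAMPLE_SOURCE)
    print(anonymized)
    print(structural_metrics(SAMPLE_SOURCE), structural_metrics(anonymized))
```

The output still parses but is not executable: imports and library calls are renamed along with everything else, which is the point. The recipient can measure size, nesting and branching, but cannot read the business logic, and comments and string literals, which usually carry the most recognisable IP, are gone entirely. A production tool has to do the same for every language in the repository and should keep the mapping under the seller's control only.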

Based on this information, experienced consultants can assess software quality and development processes despite limited data. More in-depth technical issues, such as architecture or technical debt, are clarified in Q&A sessions with the target company. The validity of this information should be guaranteed in the purchase contract.

Security and compliance: Open source analysis is executed by the sell-side

To minimise legal risks in the area of open source, the target is asked to use proven analysis tools to identify potential security or licensing issues relating to open source dependencies. The results of these scans are made available to the software analysis consultant and will be reported in the final Due Diligence report.

Meaningful analyses despite anonymized source code

Even if the code has been made unreadable, the DETANGLE tool from Cape of Good Code allows well-founded statements to be made about

  • Architecture quality and modularity, including extensibility and cloud capabilities,
  • Code quality, for example through metrics on code complexity or hidden errors,
  • Technical debt, its status and impact (in terms of maintenance effort) on the further development of the software.

This demonstrates that reliable analyses are possible even without direct access to the source code, provided the right tools and experts are involved.

Trend in the USA: even more rigid protection of Software IP

An increasing number of US vendors are rejecting the use of analysis tools with direct access to their source code. One possible reason for this is that it is much easier to obtain a software patent in the USA than in other countries. Therefore, IP protection is highly prioritized prior to a patent being granted. Nevertheless, experienced consultants and the indirect use of such tools can provide information relevant to decision-making on the status and risks of the target's software without disclosing its IP.
