⚠️ Sample Report. All company names, financials, and findings are fictional and for illustrative purposes only.
⚡ PlausityOS · Due Diligence Report

Meridian Cloud Services, Inc.

Project Meridian — Buy-Side Due Diligence
Overall Risk: 6.8 (Elevated)
Documents Analyzed: 247
Time to Completion: 4.2 hrs
Total Findings: 31
By Severity: 2 Critical, 8 High, 15 Med, 6 Low
📁 Enterprise Value $195M
📊 EV / EBITDA 8.2×
🏢 Sector B2B SaaS · Cloud Infrastructure
📍 HQ Austin, TX
📅 Report Date March 14, 2026
🔬 Workstreams 7 / 7 Complete

Deal is executable with appropriate risk mitigation

PlausityOS analyzed 247 documents across 7 workstreams in 4.2 hours. Overall risk scores 6.8/10 (Elevated), driven primarily by critical cybersecurity findings and elevated financial quality-of-earnings concerns. The deal is broadly executable at the proposed $195M enterprise value, but value protection mechanisms are warranted before close.

The most material risks are concentrated in two workstreams: Cybersecurity (8.1) — an expired SOC 2 Type II certification with unresolved API vulnerabilities creates active enterprise customer retention risk — and Financial (7.4) — management's adjusted EBITDA includes $2.3M in addbacks that do not meet standard QoE criteria. These issues are remediable but require deal structuring to allocate risk appropriately.

Commercial fundamentals are solid: ARR of $29.1M growing 22% YoY with strong logo retention, though net revenue retention has compressed from 112% to 104% over 24 months and warrants monitoring. The technology stack carries meaningful modernization debt ($3–5M), which is manageable within a 24-month post-close roadmap.

☑ Recommended Deal Mechanics

  • $15M escrow holdback for 18 months to cover FalconTech IP litigation ($15M claim; no insurance confirmed).
  • Condition close on completion of SOC 2 Type II renewal audit OR $8M price reduction with 90-day post-close milestone.
  • Retention packages for top 5 engineers (est. $2.1M total) tied to 24-month vesting; 3 are unprotected today.
  • Working capital peg at $6.4M (company currently pegs at $4.8M); adjust purchase price accordingly.
  • Enhanced reps & warranties insurance covering cybersecurity and IP representations for 3-year tail.

📊 Commercial Due Diligence
Market position, revenue quality, customer analysis
Risk: 5.2 (Moderate)
🗂 Docs reviewed: 38 / 38
Findings: 4 (1 Critical, 1 High, 2 Med)
Customer Concentration — Top 3 Logos = 47% of ARR
Critical
AWS (19% of ARR), NovaTech Corp (16%), and Praxis Financial (12%) represent 47% of total ARR. The AWS contract — the largest single relationship — expires March 2027 with no automatic renewal clause and includes a change-of-control notification right. A churn event on any two of these logos would reduce revenue by ~$13.8M.
NRR Compression: 112% → 104% Over 24 Months
High
Net Revenue Retention has declined consistently from 112% (Q1 2024) to 104% (Q4 2025), indicating a slowdown in expansion revenue relative to churn. Expansion revenue from upsells declined $1.2M YoY while gross churn remained flat at 8%. The downgrade trend is driven by SMB customers reducing seats post-COVID headcount normalization.
TAM Saturation in Core SMB Segment; Enterprise Push Requires GTM Investment
Medium
Third-party market data indicates Meridian has achieved ~14% penetration in its primary SMB segment (companies 50–500 employees using AWS). The enterprise segment (>500 employees) represents 3× the TAM but requires a dedicated enterprise sales motion, customer success expansion, and SOC 2 / compliance certification — none of which are currently in place.
Competitive Pressure from AWS-Native Tooling
Medium
AWS launched a competing cloud cost optimization suite (AWS Cost Hub) in November 2025 with overlapping functionality. Initial market feedback suggests AWS Cost Hub will be included in existing AWS contracts at no additional cost, which could commoditize part of Meridian's core value proposition for AWS-centric customers.

💰 Financial Due Diligence
Quality of earnings, working capital, accounting review
Risk: 7.4 (High)
🗂 Docs reviewed: 61 / 61
Findings: 4 (1 Critical, 2 High, 1 Med)
$2.3M EBITDA Addback Dispute — Management Adjusted EBITDA Overstated
Critical
Management presents Adjusted EBITDA of $23.8M (9.3× EV/EBITDA at proposed price). Our quality-of-earnings analysis identifies $2.3M in addbacks that do not meet standard QoE criteria: (1) $1.1M in "one-time" recruiting costs that have recurred for 3 consecutive years; (2) $0.8M in capitalized software development costs that should be expensed under ASC 350-40; (3) $0.4M in accelerated vendor payments reclassified as non-recurring. Adjusted EBITDA on a QoE basis is $21.5M, implying a purchase price multiple of 9.1×.
Deferred Revenue Haircut Risk — $8.2M at Risk on Change of Control
High
Meridian carries $14.7M in deferred revenue on the balance sheet, representing prepaid annual and multi-year contracts. Review of 23 customer contracts identified that $8.2M relates to agreements containing change-of-control provisions that allow customers to request pro-rata refunds within 90 days of a qualifying transaction. Historical churn on such events at comparable companies is 15–30%.
Working Capital Requirements 30% Above Industry Norms; $4.1M Seasonal Swing
High
Meridian's working capital cycle is longer than peers due to quarterly invoicing on annual contracts. NWC averaged $6.4M over the trailing 12 months but swings from a low of $4.3M (Q3) to $8.4M (Q1) due to enterprise renewal timing. Management's proposed working capital peg of $4.8M is below the normalized average and would result in a $1.6M true-up to buyer at close.
Two Quarters of Net Cash Burn Masked by Delayed Vendor Payments
Medium
Q2 and Q3 2024 showed negative operating cash flow of $0.9M and $1.2M respectively, obscured on the cash flow statement by $3.1M in deferred vendor payments (AP days stretched from 38 to 71). This pattern normalized in Q4 2024 when delayed payments were made, resulting in a one-time $3.1M cash outflow. No evidence this behavior will recur, but it indicates prior cash management pressure.

🔧 Technology Due Diligence
Architecture, tech debt, scalability, engineering team
Risk: 5.8 (Moderate)
🗂 Docs reviewed: 31 / 31
Findings: 5 (2 High, 2 Med, 1 Low)
Legacy Monolith Architecture — $3–5M Re-Architecture Investment Required
High
Approximately 40% of the core codebase was written before 2020 and operates as a monolithic Rails application. The architecture creates horizontal scaling bottlenecks above 500 concurrent enterprise users and limits feature development velocity (average sprint velocity is 60% of what comparable teams achieve on modern microservices architectures). External engineering assessment estimates $3–5M and 18–24 months to complete migration.
3 of 5 Senior Engineers at Post-Close Flight Risk — No LTIPs in Place
High
Five engineers are classified as "senior" by Meridian. Three of them — responsible for the core data ingestion pipeline and API layer — have no long-term incentive agreements (LTIPs, equity refresh, or retention bonuses) that would create post-close retention incentives. Reference checks indicate at least two have received recruiter outreach from AWS and Snowflake in the past 6 months.
No Tested Disaster Recovery Plan in 18+ Months
Medium
Meridian's DR plan was last tested in August 2024. The documented RTO/RPO targets (4 hours / 1 hour) have not been validated against current production architecture. The most recent AWS architecture change (addition of RDS Aurora in April 2025) was not incorporated into the DR runbook.
AWS Single-Region Architecture Creates 99.7% SLA Exposure
Medium
All production infrastructure runs in a single AWS region (us-east-1). Two enterprise contracts include 99.9% uptime SLAs with financial penalties for breaches. A single-region deployment cannot reliably meet 99.9% SLA commitments, particularly given three AWS us-east-1 partial outages in 2024 that each caused 45–90 minute Meridian service degradation.
Dependency on 2 Deprecated Open-Source Libraries
Low
Two production dependencies (node-aws-sdk v2.x, deprecated Nov 2023; and redis-py v3.x, deprecated Dec 2024) are past end-of-life and no longer receive security patches. Both have known CVEs with low exploitability scores (<5.0 CVSS). Migration to current versions is straightforward but has not been prioritized.

🛡️ Cybersecurity Due Diligence
SOC 2, vulnerabilities, access controls, vendor security
Risk: 8.1 (Critical)
🗂 Docs reviewed: 29 / 29
Findings: 4 (2 Critical, 2 High)
SOC 2 Type II Certification Expired June 2025 — 3 Enterprise Customers Have Audit Rights
Critical
Meridian's SOC 2 Type II report expired June 30, 2025. The renewal audit, originally scheduled for Q3 2025, has been delayed by 9 months due to internal control deficiencies identified by the auditor (Deloitte) in a pre-audit assessment. Three enterprise customers — representing $14.2M ARR — have audit rights in their agreements that allow them to request evidence of SOC 2 compliance within 30 days of request. One customer (ProximaSoft) has already invoked this right and is awaiting a response.
2 Unresolved High-Severity Vulnerabilities in API Authentication Layer (2023 Pen Test)
Critical
The 2023 penetration test (conducted by Bishop Fox) identified 2 high-severity vulnerabilities in the API authentication layer: (1) JWT token validation bypass allowing privilege escalation under specific timing conditions (CVSS 8.1); (2) Inadequate rate limiting on the authentication endpoint enabling credential stuffing attacks. Both were marked as "accepted risk" in the remediation tracker with no completion date. No follow-up pen test has been conducted.
No MFA Enforced for 12 Privileged Admin Accounts
High
Twelve accounts with administrative access to production systems (AWS console, database admin, CI/CD pipelines) do not have mandatory MFA enforcement. The MFA policy was updated in January 2025 but grandfathered existing admin accounts pending a "migration sprint" that has not been scheduled. This represents a significant credential compromise risk, particularly given the 2024 industry-wide uptick in cloud admin credential attacks.
8 Third-Party Vendors with Persistent Production Access — Undocumented
High
Eight third-party vendor accounts have persistent (non-time-limited) access to production systems, including two vendors whose contracts expired in 2024. None of these access grants are documented in the vendor risk register. This creates supply chain attack exposure and potential compliance issues under Meridian's own security policy and customer contractual obligations.

🧾 Tax Due Diligence
State nexus, R&D credits, transfer pricing, tax attributes
Risk: 4.3 (Low)
🗂 Docs reviewed: 22 / 22
Findings: 4 (2 Med, 2 Low)
Sales Tax Nexus Exposure — 5 Unregistered States, Est. $280K–$420K Liability
Medium
Meridian has operations (employees or significant customer revenue) in 14 states but is registered for sales tax in only 9. Post-Wayfair economic nexus thresholds have been exceeded in California, New York, Illinois, Washington, and Massachusetts without corresponding sales tax registration. Estimated exposure based on SaaS tax applicability and state statute of limitations is $280K–$420K.
R&D Tax Credit Documentation Incomplete — $1.1M Potential Recapture Risk
Medium
Meridian claimed $1.1M in R&D tax credits for FY2022–2023. Documentation supporting the qualified research expense (QRE) calculations (contemporaneous employee time records, project tracking) is incomplete for 35% of claimed expenses. An IRS examination could result in partial or full recapture of these credits plus interest and penalties (~$220K–$440K additional exposure).
Transfer Pricing Documentation for Canadian Subsidiary Requires Update
Low
Meridian's Canadian subsidiary (Meridian Cloud Canada, Inc.) has intercompany service agreements that have not been updated since 2021. The current documentation may not support the intercompany pricing under 2025 OECD guidelines, particularly given the subsidiary's expansion of engineering headcount from 4 to 11 employees. CRA audit risk is low given the subsidiary's relatively small size (~$2.1M in intercompany transactions).
Delaware Franchise Tax — Gross Assets Method May Reduce Tax Liability
Low
Meridian currently uses the authorized shares method for Delaware franchise tax, resulting in annual taxes of ~$200K. Under the gross assets alternative calculation method, estimated taxes would be approximately $45K–$65K annually — a $135K–$155K annual savings. This is a tax optimization opportunity, not a risk.

🌱 ESG Due Diligence
Environmental, social, governance, reporting standards
Risk: 3.9 (Low)
🗂 Docs reviewed: 22 / 22
Findings: 4 (2 Med, 2 Low)
No Formal Emissions Tracking — 4 Enterprise Customers Have Scope 3 Reporting Requirements
Medium
Meridian has no formal GHG emissions tracking program. Four enterprise customers — part of SEC-registered companies or EU-domiciled entities subject to CSRD — have contractual requirements for vendor Scope 3 emissions data (Meridian would be a Scope 3 Category 1 supplier). Inability to provide emissions data within 12 months could trigger contract review rights under two of these agreements.
Board Lacks Gender Diversity — 1 Woman of 7 Board Members
Medium
Meridian's board consists of 6 men and 1 woman (14% female). California AB 979 requires at least 2 women on boards of public companies headquartered in California; while Meridian is private, LP-level ESG reporting requirements at two of the firm's LPs require portfolio companies to demonstrate gender diversity progress. No board diversity targets or recruiting pipeline is documented.
No Documented Supplier Code of Conduct
Low
Meridian does not have a formal supplier code of conduct. Given that 3 enterprise customers include supplier ESG requirements in their procurement policies, this absence could become a contract renewal issue in the next procurement cycle. The company has 34 active vendor relationships.
Carbon Offset Program Referenced in Marketing Not Yet Formalized
Low
Meridian's website and sales materials state the company is "committed to carbon neutrality by 2028." No formal carbon offset program, verified carbon credits, or roadmap exists to support this claim. Two enterprise customers in regulated industries have flagged this discrepancy as a potential greenwashing concern.