2026-05-16 · 7 min read

Vibe-coded acquisition diligence checklist (2026)

If you built your app with Lovable / Cursor / Bolt / Replit and you're heading into a fundraise or acquisition, the diligence questions are different from what they were two years ago. The Wix-Base44 deal in 2025 introduced "AI code provenance" as a standard line item. JP Morgan's founder guide makes it explicit. Here's what's on the checklist and how to be ready.

Why this changed

Three things shifted in 2024–2025 that brought AI provenance into the diligence room:

  1. USCO Part 2 AI Report (January 2025) — made it explicit that pure AI-generated material isn't copyrightable. Acquirers now ask whether they're buying copyrightable assets or not.
  2. Wix-Base44 acquisition (April 2025, ~$80M) — first widely-reported deal where AI code provenance materially extended diligence. Set the template.
  3. Doe v. GitHub developments — even though the case keeps narrowing, it's made every acquirer's lawyer aware that AI-generated code may carry inherited license obligations.

JP Morgan's 2025 "Vibe Coding founder guide" lists three specific diligence items: code provenance, license compliance, and accessibility/privacy compliance. Those three areas are now standard line items in the IP section of a stock or asset purchase agreement.

Related: Does GitHub Copilot own your code? (the underlying copyright question)

The 8-point checklist

What sophisticated acquirers and growth-stage VCs are actually asking, in roughly the order they ask:

1. What percentage of your codebase was AI-generated?

Acquirers want a number, even an approximate one. Examples: "~80% of the initial scaffold was Lovable; ~30% of the current codebase is AI-modified." Honesty matters here — they'll find out from the commit pattern. The number doesn't kill deals; an inability to answer it does.

2. Do you have prompt logs for major AI-assisted modules?

Used as evidence of human creative direction. If you have logs from Cursor, Lovable, Bolt, or Copilot showing iterative refinement, that supports a copyright claim. If you can't produce any logs, the question becomes whether anything in the codebase is copyrightable at all.

3. Have you scanned your bundle for copyleft contamination?

Specifically AGPL (see the dedicated article), whose network-use clause means the source-release obligation triggers even for a SaaS app that is never distributed, but also GPL and LGPL. Two passes answer the question: a dependency license scan over node_modules and the lockfile, which catches declared licenses, and a bundle scan that fingerprints the built output against a copyleft corpus, which catches code an AI tool reproduced inline without a package boundary. Acquirers' counsel may require the scan as part of adversarial (red-team) diligence.

Related: What happens if your AI-built app uses AGPL code

4. Have you registered copyright on key modules?

Not required, but strengthens the IP position. The USCO permits copyright registration on the human-authored portions of mixed AI/human works. For a few hundred dollars per module, it's cheap insurance for an acquisition-bound codebase.

5. Are you compliant with ADA / WCAG 2.2 AA?

Increasingly a diligence item even for B2B SaaS. The acquirer doesn't want to inherit 3,000+ customer accounts that are each exposed to an ADA claim. Standard ask: "Have you been audited? Do you have a remediation plan?" An axe-core scan with a remediation timeline is usually sufficient evidence, with one caveat: automated scanners only catch the subset of WCAG failures that are machine-detectable, so pair the scan with a manual keyboard and screen-reader pass over the signup, checkout and settings flows before calling the app compliant.

Related: How many ADA website lawsuits happen each year

6. Are you compliant with GDPR / CCPA on consent and data handling?

Especially: any tracking pixel that fires before consent is a discoverable liability, because it shows up in the first network requests of a fresh browser session before anyone touches the consent banner, which is exactly how a reviewer checks it. Data Processing Agreements (DPAs) with vendors, a complete record of processing activities (ROPA), and an actual cookie consent flow that defaults to no tracking are the documentation acquirers want.

Related: Is GDPR consent required for analytics?

7. Are there exposed secrets, API keys, or PII in your client bundle?

A bundle scan with secret-detection rules catches this. Run the rules over the built output (dist/, .next/static) rather than the source tree, because the build is what actually ships, and remember that framework conventions such as Vite's VITE_* and Next.js's NEXT_PUBLIC_* prefixes inline any so-named variable into the bundle by design, so a service key given one of those prefixes leaks without any bug in your code. If anything's exposed, the remediation timeline (rotate, move to server, prevent regression) matters more than the historical exposure itself; treat every exposed key as compromised and rotate it whether or not you see abuse.
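As an added example (not code from the article or from any of the tools it names), a Node script that applies secret-detection rules to a built bundle: fixed-prefix rules for well-known credential formats, a decode of any JWT's `role` claim (Supabase's legacy JWT key format is assumed here, where "anon" is public and "service_role" is not), and an entropy catch-all with an allowlist for keys that are public by design. The sample bundle and every key value in it are constructed.

```javascript
// Added example (not the article's or any vendor's tooling): scan a built
// client bundle for credentials that should never reach a browser.
// SAMPLE_BUNDLE is a constructed stand-in for minified Vite output, where
// every VITE_* variable has been inlined verbatim at build time.

const RULES = [
  { id: "aws-access-key-id", severity: "high", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "github-pat", severity: "high", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "stripe-secret-key", severity: "high", re: /\bsk_live_[0-9A-Za-z]{24,}\b/g },
  { id: "private-key-block", severity: "critical",
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  // JWTs stay "review" until the payload says which role they carry.
  { id: "jwt", severity: "review",
    re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
];

// Values that are public by design and must not be reported as leaks.
const PUBLIC_PREFIXES = ["pk_live_", "pk_test_"];

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumption: Supabase-style keys are JWTs whose payload carries a `role`
// claim; "anon" is meant for browsers, "service_role" bypasses row-level security.
function jwtRole(token) {
  try {
    const payload = Buffer.from(token.split(".")[1], "base64url").toString("utf8");
    return JSON.parse(payload).role ?? null;
  } catch {
    return null;
  }
}

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

function scanBundle(text) {
  const findings = [];
  const seen = new Set();

  for (const rule of RULES) {
    for (const m of text.matchAll(rule.re)) {
      const value = m[0];
      if (seen.has(value)) continue;
      seen.add(value);
      let { severity } = rule;
      let note = "";
      if (rule.id === "jwt") {
        const role = jwtRole(value);
        if (role === "service_role") { severity = "critical"; note = "service_role JWT shipped to client"; }
        else if (role === "anon") { severity = "info"; note = "anon key, public by design"; }
      }
      findings.push({ rule: rule.id, severity, line: lineOf(text, m.index), note, sample: value.slice(0, 12) + "..." });
    }
  }

  // Catch-all for credentials with no known prefix: quoted, long, high entropy.
  const generic = /["'`]([A-Za-z0-9+/=_\-]{24,})["'`]/g;
  for (const m of text.matchAll(generic)) {
    const value = m[1];
    if (seen.has(value) || PUBLIC_PREFIXES.some((p) => value.startsWith(p))) continue;
    if (shannonEntropy(value) < 4.0) continue;
    seen.add(value);
    findings.push({ rule: "high-entropy-string", severity: "review", line: lineOf(text, m.index), note: "", sample: value.slice(0, 12) + "..." });
  }
  return findings;
}

// Constructed sample bundle. Only the GitHub token and the service_role JWT
// are real leaks; the Stripe publishable key and the analytics ID are fine.
const SAMPLE_BUNDLE = [
  'const STRIPE_PK="pk_live_51Hconstructedpublishablekey00";',
  'const SUPABASE_URL="https://example.supabase.co";',
  'const SUPABASE_KEY="eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.constructedsignaturevalue";',
  'fetch("https://api.github.com/user",{headers:{Authorization:"token ghp_0123456789abcdefghijklmnopqrstuvwxyz"}});',
  'const ANALYTICS_ID="G-CONSTRUCTED1";',
].join("\n");

console.table(scanBundle(SAMPLE_BUNDLE));
if (process.argv[2]) console.table(scanBundle(require("fs").readFileSync(process.argv[2], "utf8")));
```

Run it as `node bundle-secrets.js dist/assets/index.js` on real output. The JWT decode is the part worth copying: pattern-only scanners flag every Supabase anon key (noise) or none (miss), while reading the role claim separates the public key from the one that bypasses row-level security.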

8. Are your third-party AI tool licenses in good standing?

Cursor, Lovable, Bolt, Replit licenses — usually per-seat or usage-based. Have you been paying? Have any commits come from contractors who weren't licensed? Worth confirming before diligence reveals it.

Documentation acquirers want to see

If you can pre-build a data room with these documents, diligence goes from 6–10 weeks to 2–4 weeks:

  • AI Tooling Disclosure — a 1-page memo describing what AI tools you used, when, and for what.
  • License Compliance Report — output of a license scan (npm + bundle fingerprint).
  • Accessibility Audit — most recent axe-core or Comply Code scan with findings + remediation status.
  • Privacy Compliance Memo — DPAs in place, consent flow description, data processing addendum, sub-processor list.
  • Secret Audit Report — confirmation that no production secrets are exposed in the client bundle.
  • Copyright Registrations — USCO certificates for any registered modules.
  • Contributor Agreements — IP assignment from any contractor or employee who touched the code.
  • Prompt Logs (Sample) — even a small sample is reassuring; full logs are gold.

Red flags that kill deals (or discount them)

  1. 100% AI-generated codebase with no human iteration and no prompt logs. Buyer may treat the codebase as having near-zero IP value.
  2. AGPL contamination with no remediation plan. The buyer is left choosing between releasing source for the combined work, ripping the code out after close, or walking; without a plan in hand, the usual outcome is a price cut or a deal break.
  3. Active ADA demand letter or pending GDPR complaint. Buyer escrows funds for resolution, or walks.
  4. Production secrets in the client bundle that have been there for months. Implies a broader operational hygiene problem, and every such key has to be treated as already compromised and rotated, since the bundle has been downloadable by anyone for the whole period.
  5. Open-source contributors who never signed IP assignment agreements. Creates ambiguity about who owns derivatives of their contributions.

Wix-Base44 specifically

Public reporting indicates the deal closed at ~$80M with extended IP diligence focused on code provenance. The deal didn't break — it took longer than a typical SaaS acquisition of that size. The lesson: AI provenance issues don't always kill deals, but they routinely add weeks and may discount valuation.

If you're 6 months from raising or selling

Start the checklist now. Bundle scan + ADA audit + GDPR review take about a week of work between an attorney and a developer. Cleaning up exposed secrets and replacing AGPL contamination takes longer. Filing copyright registrations on key modules takes ~3 months from USCO. Getting prompt logs together, if you've been deleting them, is impossible — but starting to save them now is still worthwhile.

The diligence delta between a prepared founder and an unprepared one isn't subtle. Two otherwise-equivalent deals can vary by months in close time and 10–20% in price based on how the IP and compliance story holds up. None of this is legal advice — for a specific transaction, talk to an M&A attorney early.

Common questions.

How much does an AI-tooling diligence add to a deal?

Industry pattern in 2025–2026: an additional 2–6 weeks of diligence time for AI-heavy codebases. For deals under $5M, sometimes the extra cost is absorbed into normal IP review. For deals above $20M, AI provenance is usually a separate work-stream with its own counsel.

Should I register copyright on every file?

No — that's overkill and expensive. Register copyright on the most strategically important modules: your core proprietary algorithms, your distinctive UI patterns, your specialized data structures. For most companies that's 3–8 registrations totaling a few thousand dollars in filing fees.

Do investors actually care about this at seed stage?

Most don't, yet — seed investors care more about the product and traction than the IP. But Series A+ investors increasingly do, and they ask retroactively. If you're going to take seed money and then raise A, prepping the diligence now is much easier than trying to reconstruct it later.

What if I never plan to sell or raise?

Then most of this is moot. The legal exposures (ADA, GDPR, copyleft) still exist regardless, but you can deprioritize the documentation work. Just stay aware that fundraising and acquisition can move from "never" to "in 6 months" faster than you'd think.
