Case study
€4M in Regulatory Risk Identified Before the Ink Dried
Independent technical assessment identifying €4M exposure across portfolio companies
The problem
Affirma Capital was evaluating three portfolio companies where Salesforce sat at the centre of operations. Standard financial and legal due diligence does not reach the org. Sellers represented their implementations as production-ready and compliant. The investment thesis depended on operational efficiency that nobody on the buyer side had verified.
What I did
An independent technical assessment audited each org against a 60-point checklist covering code quality, integration architecture, data quality, and GDPR compliance. Every finding was sized in remediation cost and operational risk. The output was a prioritised roadmap that fed directly into the post-acquisition 100-day plan.
At a glance
- Client
- Affirma Capital
- Sector
- Financial · PE
- Engagement
- 3 months
- My role
- Independent Technical Assessor, Due Diligence Lead
- Salesforce clouds
- Sales Cloud · Service Cloud · Marketing Cloud
- Outcome
- €4M risk exposure surfaced
Before / After
- Seller-controlled narrative on Salesforce health, no independent verification.
- Three orgs presented as production-ready, configured, and compliant.
- Post-acquisition integration timelines built on best-case assumptions.
- GDPR retention, license compliance, and integration debt entirely absent from deal documentation.
- No remediation cost line in the financial model.
- Independent read of each org, evidenced against a 60-point checklist.
- Findings categorised by severity, sized in euros, presented to non-technical decision-makers.
- Price adjustment, indemnification clause, and pre-close seller-funded remediation on the table.
- Post-acquisition integration timeline extended by six months on Company A, with realistic milestones.
- Prioritised remediation roadmap handed to the 100-day integration team on close.
Situation
Affirma Capital was evaluating three portfolio companies across the consumer goods and professional services sectors. Each target carried a significant Salesforce implementation as core operational infrastructure: CRM, sales operations, service management, and in one case a custom-built customer portal on Experience Cloud. Sellers in all three deals presented the implementations as production-ready, fully configured, and compliant with applicable data protection regulations.
The investment thesis on each company depended partly on the operational efficiency that Salesforce was supposed to enable. If the implementations were technically sound, they were an accelerant for growth. If they carried hidden technical debt, compliance risk, or architectural problems that would require remediation, the post-acquisition cost model and integration timeline shifted materially.
The structural issue is that Salesforce as an asset in M&A due diligence sits in a blind spot. Standard financial and legal review does not reach it. Auditors read financials, lawyers read contracts, and nobody assesses whether the org is a liability. The seller controls the narrative. Sellers have no incentive to surface problems that would reduce their valuation.
Challenge
Three portfolio companies, three different Salesforce profiles, all needed reading inside the deal timeline.
Company A, consumer goods, €180M ARR. The org presented well from the outside: custom-branded UI, clean-looking pipeline reports, what appeared to be a well-configured Sales Cloud. The reality underneath was different. Over 400 inactive custom fields cluttered the schema. The org ran 12 active Apex triggers, six of them with no error handling, meaning a single malformed record could cascade into a full transaction failure. Data quality was poor: 34 percent of Account records had missing or invalid postal codes, 22 percent had duplicate email addresses. Five years of Salesforce use, zero data quality initiatives.
Company B, professional services, €95M ARR. A more recent implementation with significantly better code quality. The primary finding was compliance. The org processed personal data of EU citizens but had not implemented the data retention policies required under GDPR. Records were being kept indefinitely with no automated deletion or anonymisation. The privacy impact assessment had never been completed. Remediation cost was estimated at €200K plus legal fees, with regulatory enquiry risk if the gap came to light post-close.
Company C, consumer services, €62M ARR. The Experience Cloud customer portal had been built by a boutique SI that was no longer in business. The codebase was entirely undocumented: 40,000 lines of custom Visualforce and Apex that nobody in the company could maintain. The Experience Cloud licensing was misconfigured, with Community licenses assigned to users who required full Salesforce licenses, creating a retroactive license compliance issue estimated at €350K.
Action
The assessment methodology was built for M&A timelines: high-signal, fast to execute, with findings structured for non-technical decision-makers.
Technical architecture review
A 60-point checklist covered Apex governor usage and test coverage, configuration hygiene (active vs inactive elements, field utilisation, flow complexity), integration architecture (API design, error handling, documentation), and data quality (completeness, consistency, duplication). Read-only org access plus metadata export and analysis. No changes to production systems, no access to business data.
Data quality profiling
Field-level and object-level profiling on the entities that drive operations: Accounts, Contacts, Opportunities, Cases. Completeness, consistency against defined value sets, and uniqueness by key business identifiers. Python-based analysis tooling produced repeatable results across the three orgs.
Compliance risk review
Targeted assessment against the 12 highest-risk GDPR scenarios for Salesforce implementations: data retention configuration, consent management, data subject rights handling, and privacy impact assessment documentation. Calibrated to surface deal-relevant exposure, not produce a comprehensive GDPR audit.
Every finding was categorised by severity (Critical / High / Medium / Low) and sized in three dimensions: direct remediation cost, ongoing operational risk, and deal risk (findings that could affect deal completion or valuation). Findings were presented as ranges, not point estimates, because honesty about uncertainty matters more in investment decisions than the false precision of a single number.
Brief delivered to the investment committee on Company AThe integration layer is not production-ready. Rebuilding it post-acquisition costs 800K to 1.2M euros and adds six months to the integration timeline. That is not a remediation. That is a price negotiation.
Result
The assessment surfaced €4M in combined risk exposure across the three portfolio companies, risks that were entirely absent from seller documentation and from the standard due diligence process.
Company A’s integration layer risk and data quality issues were factored into the acquisition negotiation, producing a price adjustment. The post-acquisition integration timeline was extended by six months, preventing the buyer from committing to a Day 1 target that was structurally impossible. Company B’s GDPR compliance gap led to a specific warranty and indemnification clause covering any regulatory action arising from data retained before close. Company C’s license compliance issue was resolved pre-close, with the seller funding the retroactive license reconciliation as a condition of deal completion.
The assessments were delivered in 11 weeks across all three companies, inside the deal timeline. Findings were structured as a prioritised remediation roadmap that transitioned directly into the post-acquisition 100-day integration plan. The buyer teams went into Day 1 knowing what needed fixing, in what order, and at what cost.
Reflection
This pattern works when Salesforce is core operational infrastructure on the target, not a peripheral system. The cost of independent assessment is small relative to the deal; the cost of inheriting a hidden integration debt, a GDPR gap, or a license compliance issue is not. It works less well when Salesforce is barely used or running a vanilla Sales Cloud instance with no integrations, where the upside on findings is bounded.
Worth doing earlier: starting the read in parallel with legal due diligence, not after. The Salesforce findings often inform clauses the lawyers need to draft. Sequencing them in series adds two weeks to the deal timeline that nobody has.
The pattern that does not transfer: trying to compress this into a one-day org health checkup. The 60-point methodology covers the surfaces where M&A-relevant risk hides. Skipping integration architecture or compliance to save time produces findings that look credible and miss the money.
Glossary
- Salesforce due diligence
- An independent technical assessment of a target company's Salesforce implementation conducted during M&A. Covers code quality, configuration hygiene, integration architecture, data quality, and compliance. Distinct from financial or legal due diligence, which do not reach the org.
- Governor limits
- Platform-enforced runtime limits on Apex execution (CPU time, heap size, SOQL rows, DML statements). When an integration or trigger runs close to a limit in one org, it can exceed it under another's data volume, causing silent failures or transaction rollbacks.
- Apex trigger without error handling
- A code element that fires on record changes but has no try/catch protection. One malformed record can cascade into a full transaction failure, blocking unrelated updates. Common in older orgs that were built feature-first without operational discipline.
- GDPR data retention policy
- A configured rule that automatically deletes or anonymises personal data after a defined period. Required for EU citizen data. Salesforce supports retention via scheduled batch jobs or platform features. Absence of a policy creates regulatory exposure that can surface during audit or breach.
Frequently asked
- Financial due diligence reads the books. Legal due diligence reads the contracts. Neither team has the skills to assess whether a Salesforce org is an asset or a liability. The result is a structural blind spot in M&A: a target's core operational platform gets evaluated by whoever the seller chooses to describe it, and the buyer inherits whatever was hidden. Independent technical assessment closes that gap, but only if it happens before the deal closes, not after.
- Each engagement ran as a separate read-only access window. No production changes, no access to business data, only metadata and schema-level analysis via Salesforce CLI. Findings were delivered to a single named contact at Affirma Capital, with sealed annexes per portfolio company. Sellers were not told an independent assessment was underway. This is standard practice for PE-side Salesforce due diligence.
- Full org health takes 8 to 12 weeks per org. M&A timelines do not allow that. The 60-point assessment is calibrated to surface the findings that materially affect deal economics, not to produce a complete remediation backlog. It covers integration architecture (where most hidden cost lives), GDPR and license compliance (where regulatory exposure lives), and the top data quality and code patterns that predict post-acquisition pain. A full health audit can follow on the winning deal post-close.
- Steering committees and investment committees do not act on red, amber, green. They act on numbers tied to the deal model. A finding sized at 800K to 1.2M euros becomes a price adjustment conversation. The same finding labelled red becomes a debate about colour. Sizing in money also forces honesty about uncertainty: ranges, not point estimates, with the assumptions exposed.
- Yes, and the checklist gets longer. Agentforce assessment adds prompt-template governance, agent action scope, and the data foundation the agents reason against. Data Cloud assessment adds identity resolution quality, calculated insights coverage, and activation latency to the relevant clouds. The principle does not change: independent technical assessment, sized in money, delivered in the deal timeline. The list of attack surfaces grows.
Book the call
We'll know in 30 minutes
whether I can help.
No slides. No pitch deck. Bring the architecture diagram or describe the problem in your own words. I'll tell you whether I'm the right fit and what the next step costs — before you've finished your coffee.
- Replies within 24 hours, always
- If I'm not the right fit, I'll point you at someone who is
- No follow-up emails unless you ask