Technology M&A in the Era of Disruptive Innovation

In the era of brisk technological evolution, where intangible property drives valuation, mergers and acquisitions (M&A) in the technology sector are a central tool for companies seeking to remain competitive. Throughout previous years, M&A transactions have exceeded traditional growth strategies and have also become a powerful way for companies to acquire innovation and stay ahead of the curve.

Navigating M&A in the technology sector requires a sharp focus on legal and strategic elements unique to disruptive industries, especially where code, data, and know-how are more valuable than factories or physical products. This text explores the key legal considerations, due diligence processes, and strategic insights involved in technology M&A, with a particular focus on protecting and maximizing the value of intangible assets.

1. Intangible Assets as the MVP (Most Valuable Part) of an M&A

Intangible assets have become the core drivers of a company’s value, marking a significant shift from the traditional reliance on physical assets like property and equipment. For example, when Google acquired DeepMind, the real value it gained included algorithms and know-how. Similarly, Facebook’s acquisition of WhatsApp was driven by user base and messaging IP, not by any physical infrastructure.

As a result of this shift in the valuation metrics, today we have innovation, scalability, and digital presence outweighing physical infrastructure, and most tech companies derive their value from intangible property, such as:

• intellectual property (IP),
• artificial intelligence (AI) models and training data,
• proprietary software,
• data,
• trade secrets,
• brand reputation.

Core business models of technology companies are usually built on scalable digital solutions, meaning that their competitive edge lies in technology innovation and other non-material capital, which can generate exponential returns while incurring relatively low expenses. Such a fact makes ownership, protection, and strategic acquisition of such assets a key priority in the M&A transactions.

From the legal point of view, in the context of an M&A transaction, this requires:

• airtight IP assignment chains
• extensive protection of know-how
• careful consideration of IP licensing and related restrictions, including the implications of embedding third-party code in the product, as well as ownership and transferability of AI models and datasets involved in the transaction. Thorough risk assessments and regulatory compliance checks for transactions involving AI companies, especially in light of the emerging regulation on AI.

2. Due Diligence in Tech M&As – Key Understandings

In traditional corporate transactions, due diligence usually focuses on financial data, commercial contracts and regulatory compliance. However, when it comes to M&A in the field of technology, tech and IP due diligence calls for greater attention. This is even more true where AI is involved, as the complexity, legal uncertainty, and potential value of AI-based assets demand a far more rigorous and refined audit.

When targeting a company that was built around technology or intellectual property, several issues must be particularly addressed as part of the due diligence process:

• Ownership over IP: It is crucial to ensure that all IP is officially owned and assignable by the company. For this purpose, it is needed to examine who developed the software, employees or contractors, and ensure that contracts with such providers are suitable for IP assignment. Additionally, it must be checked if the copyrights, patents, and trademarks of the company are registered.

 In the context of AI, ownership of model architectures, training data, and weights must also be confirmed, especially where third-party data sets or pre-trained models have been used.

• Open-source compliance: First, any open-source incorporated in the software must be fully disclosed. If the codebase of the company contains restrictive open-source licenses such as GPL or AGPL, such a fact must be flagged. Such copyleft licenses usually include additional obligations for the users of the license, so there is a possibility that the company has triggered some obligations and violated the terms of the license, which may expose the company (and transaction) to liability.

With AI, it is essential to check if open-source components were used during the development of the AI model or training. Such data may be subject to similar licensing terms and compliance risks, which must be thoroughly evaluated to ensure the transaction aligns with the legal requirements.

• Cybersecurity risks: Keeping in mind that AI models rely on large datasets and complex software, they are particularly vulnerable to data breaches, performance issues, and cyber incidents. For that reason, the due diligence process should include a thorough review of the target’s internal policies, employees’ training, and third-party agreements related to AI security. Regardless of whether the AI is proprietary or outsourced, the company must have appropriate software, systems, and data protection measures in place.

• Software Escrow Agreements: If the target depends on some external software, analysis of the software escrow agreements must be included in the due diligence procedure, as this type of contract is one of the most common risk mitigation mechanisms. While this is typical for companies using third-party software for their crucial business operations, it is not as often with those companies that are developing their own product.

Companies relying on third-party AI platforms should particularly be reviewed in terms of service stability and continuity, dependency issues, and access to source code and retraining data in case the AI platform provider becomes unavailable or suspends support.

Additional considerations when AI is in play

When a company using AI is subject to due diligence, the first step is to detect all kinds of AI technologies that are being used, the purpose of their use, and the value such technologies add to the business.

The approach to the due diligence process depends on several facts:

• whether the company has built its own AI models,
• whether such models are only used internally or are being commercialized,
• whether the company relies on AI-generated output from third parties,
• whether it provides data that helps train someone else’s AI.

Each of these aspects leads to specific legal and business concerns calling for thorough review.

3. Data Transfer Risks

Data protection and privacy laws, on both the national and international level, impose strict rules on personal data transfers. As cross-border M&A transactions inevitably require the international transfer of data, it is necessary to ensure that all personal data involved in the transaction is lawfully collected, safely stored, and transferable.

In that regard, some of the key questions to be raised are:

• Was all the personal data collected under adequate legal grounds?
• Are there any restrictions regarding data transfer?
• Will the acquiring company be able to use data for new purposes (for example, marketing), or will it need new consent from data subjects?
• Has the target suffered any data breaches, and have they been properly remedied?

The rise of AI adds another layer of complexity to personal data protection in M&A. In case the target company uses personal data for AI model training, it is essential to assess if the data was lawfully obtained and whether data subjects were adequately informed about its use in automated decision-making or profiling. Regulatory frameworks such as the GDPR, when applied to AI systems, impose specific obligations on the use of AI involving personal data, including transparency, purpose limitation, and fairness. Proper application of these principles must be carefully reviewed during the due diligence.

Concerning the risks data breaches may impose on the M&A transaction, there is a well-known cautionary tale from the industry. In 2017, during Verizon’s acquisition of Yahoo, previously undisclosed large-scale data breaches came to light during the due diligence process. As a matter of fact, the discovered cybersecurity incident within Yahoo was one of the largest in history, and it resulted in a significant decrease in Yahoo’s valuation – the final purchase price was reduced by $350 million.

Although the final acquisition price was immensely high, this example highlights how insufficient transparency may lead to questioning the trustworthiness of the target and eventually materially affect the terms of the deal.

4. Securing Intangible Assets in the Target Company

The true value of technology companies often lies in assets that are not visible on a balance sheet, such as the source code, trade secrets, proprietary algorithms, datasets, and internal know-how. During the M&A transaction, the proper steps must be taken to ensure that such intangible assets are identified, owned, and protected.

a) Identification of IP

The first step towards securing intellectual property is mapping such assets – the ones that are the core of the target’s competitive advantage. Besides the source code and software architecture, for AI companies, these assets usually comprise:

• proprietary algorithms,
• machine learning models,
• model training data,
• customer interaction datasets.

In addition, other integral parts of the company’s intellectual property portfolio include trademarks and other brand assets, trade secrets, and other know-how.

Each asset should be properly documented and assessed not only to identify its commercial value but also to detect its legal ownership, protection status, and any third-party limitations.

b) IP ownership

One of the most common mistakes among software and AI companies is the failure to ensure that all IP is legally owned by the company. This can be done by raising several crucial questions:

• Has the company validly obtained all the IP rights for its proprietary algorithms, machine learning models, and training data from all current and former employees, founders, and independent contractors?
• Did the company register its copyrights, trademarks, patents, and domains, especially in regard to the AI technologies it develops?
• Does the company have valid, transferable licenses for any third-party software it is using, particularly in the case of AI frameworks or datasets?

If the company is factually not the owner of its IP or if it does not have the necessary licenses in place, that may cause high risks of IP disputes, eventually jeopardizing the deal.

c) Protection of IP

Finally, owning IP is not sufficient, since any IP may lose its value if it is not appropriately secured. The most common safeguards that protect IP include:

• Non-Disclosure Agreements with employees, vendors, and partners to safeguard source code, proprietary AI models and algorithms,
• Internal trade secret protection policies and procedures to prevent leakage of sensitive AI-related data or methodologies,
• Technical measures for the protection of sensitive data, especially in AI systems using personal data or confidential information, as well as for data breaches in case they occur.

Taking into account the unique nature of AI technologies, it is also crucial to implement continuous oversight and security practices to ensure that AI models and datasets are protected and not exposed to unauthorized third parties.

5. Tailoring Share Purchase Agreement

The Share Purchase Agreement (SPA) is not only a document transferring ownership – it represents the legal foundation of the deal. In acquisitions that include technology companies, the SPA must address unique factors and risks associated with the respective industry. In practice, this means that clauses that are standard in every M&A often need to be extended or adjusted to adapt to the tech-related requirements.

Basically, the same topics that were thoroughly analyzed during the due diligence procedure need to be further incorporated into the SPA:

• IP warranties: As previously mentioned, the main risks in any tech M&A include intellectual property infringements or disputes arising out of such breaches. With that in mind, the target must provide a warranty that all core IP is lawfully owned or licensed, and that there are no pending or threatened claims of IP rights violations.

• Retention of employees and incentive plan: In cases where the target owns proprietary software that was developed by a skilled internal team, retaining key developers, engineers, or leadership may be fundamental to the value of the deal. SPA should cover the main conditions regarding the key personnel, including retention bonuses and option acceleration.

• Open-source disclosure: Since the use of open-source software may significantly affect further development and the value of IP, it is critical to disclose it in the due diligence procedure. Consequently, the SPA should include clear warranties confirming that all open-source components used in the target’s software have been fully disclosed, as well as indemnities for the breach of such warranties, aimed at the protection of the buyer against any losses resulting from undisclosed or improperly licensed open-source code. The SPA should also explicitly state that no additional open-source code, beyond what has been disclosed, is embedded in the product.

• Data protection representations: Bearing in mind the significance and value of personal data, the SPA must include representations that any such data has been lawfully collected, kept, and processed in line with relevant privacy laws.

6. Post-Acquisition Integration

Although closing the deal may seem like a final stage in the M&A process, operational integration after the transaction completion is what actually determines long-term value. The post-acquisition period is especially challenging in a tech environment, bearing in mind that success is conditioned upon several factors.

a) Tech stack compatibility. Since technology is the core trigger of acquisition, the main task of technical teams of both the acquired and target is to merge their practices and enable their seamless performance, despite the ownership change. Mismatching of architectures or systems may cause significant integration delays, accompanied by high unexpected costs.

b) Data migration. The significance of data compliance can never be stressed enough, not even after the closing of the deal. Transfer of personal data, including customer data, must be in alignment with both privacy regulations and signed agreements. Change of jurisdiction or legal grounds for data processing may raise the need to obtain new consent from customers, which must be taken into account and properly handled.

c) Brand and product strategy. Usually, immediately after the transaction is complete, the new brand goes into the market. However, it is up to the parties to decide whether the rebranding of the existing target will be done or if an entirely new brand is established. Once the desired direction is determined, it will influence customer relationships, product roadmap, as well as marketing strategy.

d) Talent retention and aligning company culture. As people are one of the most valuable resources of any company, the integration of two teams and the timely establishment of a new corporate culture are of immense importance, besides the corporate and technical aspects of the transaction. The integration plan should therefore include a plan for the new team organization and clear role allocation to ensure a smooth transition and incentivize key employees to maintain the same level of dedication.

e) Security assessment. More often than not, post-transaction audits reveal vulnerabilities in code, infrastructure, or access controls. For that reason, integration should include a full review of cybersecurity procedures and mechanisms, especially when sensitive data or IP is involved.

Salesforce’s acquisition of Slack in 2021 is a great example of a thoughtful integration process, including a gradual alignment of platforms and branding, while maintaining Slack’s user experience and brand identity. Due to such a strategic approach, the product’s (Slack) value was successfully preserved while integrating it into Salesforce’s broader suite.

Mergers and acquisitions in the tech sector offer tremendous potential – they can accelerate innovation, open up new markets, and create long-term competitive advantages. However, these processes also carry unique and often complex risks, particularly in relation to IP, data, and retention of the key team members. Another example of such a success story was the acquisition of Wonder Dynamics by Autodesk in 2024, during which the Zunic Law team represented and advised Wonder Dynamics, a company specializing in AI-driven visual effects solutions.