Situation
Affirma Capital was evaluating three portfolio companies across the consumer goods and professional services sectors. All three had significant Salesforce implementations as core operational infrastructure — CRM, sales operations, service management, and in one case, a custom-built customer portal on Experience Cloud. In each acquisition, the seller represented their Salesforce implementation as “production-ready,” “fully configured,” and “compliant with applicable data protection regulations.”
Affirma Capital’s investment thesis for all three companies depended partially on the operational efficiency that Salesforce was supposed to enable. If those implementations were technically sound, they represented an accelerant for growth. If they carried hidden technical debt, compliance risk, or architectural problems that would require remediation, that changed the post-acquisition cost model and integration timeline materially.
The challenge with Salesforce as an asset in M&A due diligence is that standard financial and legal due diligence does not reach it. Auditors review financials. Lawyers review contracts. Nobody looks at whether the Salesforce org is a liability. The seller controls the narrative. And most sellers have no incentive to surface architectural problems that would reduce their valuation.
Affirma Capital needed an independent technical assessment of all three Salesforce implementations — honest, methodical, and delivered within the deal timeline.
Diagnosis
Company A (Consumer Goods, €180M ARR)
The Salesforce org presented well from the outside: custom-branded UI, clean-looking pipeline reports, what appeared to be a well-configured Sales Cloud. The reality underneath was different. 400+ inactive custom fields cluttered the schema. The org had 12 active Apex triggers, six of which had no error handling — a single bad record could cascade into a full transaction failure. Data quality was poor: 34% of Account records had missing or invalid postal codes, 22% had duplicate email addresses. The organization had been relying on Salesforce for five years without a single data quality initiative.
The integration layer was the most significant finding. The org had 8 active integrations to ERP, e-commerce, and fulfillment systems — all built without API versioning, retry logic, or error monitoring. Three integrations were documented only in the memory of a developer who had left the company. One integration was connecting to an API endpoint that was scheduled for decommissioning by the target vendor in six months. The post-acquisition integration cost to rebuild this layer was estimated at €800K-1.2M.
Company B (Professional Services, €95M ARR)
Company B had a more recent implementation (three years old) with significantly better code quality. The primary finding here was compliance: the org was processing personal data of EU citizens but had not implemented the data retention policies required under GDPR. Records were being retained indefinitely with no automated deletion or anonymization process. The privacy impact assessment had never been completed. The legal and compliance remediation cost was estimated at €200K plus legal fees, with potential GDPR investigation risk if the issue came to light post-acquisition.
Company C (Consumer Services, €62M ARR)
Company C’s Experience Cloud customer portal had been built by a boutique SI that was no longer in business. The portal codebase was entirely undocumented, with 40,000 lines of custom Visualforce and Apex that nobody in the company could maintain. The Experience Cloud license was also misconfigured: the company was using Community licenses for users who required full Salesforce licenses, creating a license compliance issue estimated at €350K in retroactive license fees.
Action
The assessment methodology was designed for M&A timelines: high-signal, fast-to-execute, with findings structured for non-technical decision-makers.
Technical Architecture Review
Each org was audited against a 60-point technical checklist covering: code quality (Apex governor limit usage, test coverage, trigger architecture), configuration hygiene (active vs inactive elements, field utilization, flow complexity), integration architecture (API design, error handling, documentation), and data quality (completeness, consistency, duplication rates).
The review used read-only org access supplemented by metadata export and analysis — no changes to production systems, no access to business data, only metadata and schema-level analysis.
Data Quality Assessment
Data quality was profiled at the field and object level for the entities most critical to business operations: Accounts, Contacts, Opportunities, and Cases. Profiling covered completeness (% of records with populated values for required business fields), consistency (adherence to defined value sets), and uniqueness (duplication rates by key business identifiers).
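The three profiling dimensions described above, shown as an added Python example (it is not the assessment's own tooling). The sample rows are constructed, and the field names, the allowed Industry values and the 5-digit postal format are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample rows, not data from the assessed orgs; field names are assumptions.
RECORDS = [
    {"Id": "001A", "BillingPostalCode": "10115", "Email": "ops@example.com", "Industry": "Retail"},
    {"Id": "001B", "BillingPostalCode": "", "Email": "OPS@example.com ", "Industry": "Retail"},
    {"Id": "001C", "BillingPostalCode": "ABC", "Email": "sales@example.org", "Industry": "retail??"},
    {"Id": "001D", "BillingPostalCode": None, "Email": None, "Industry": "Services"},
    {"Id": "001E", "BillingPostalCode": "80331", "Email": "info@example.net", "Industry": "Services"},
]
ALLOWED_INDUSTRY = {"Retail", "Services"}  # assumed value set
POSTAL_RE = re.compile(r"^\d{5}$")         # assumed 5-digit format for the sample


def _norm(value):
    return (value or "").strip().lower()  # None/blank -> "", case and padding ignored


def completeness(records, field):
    """Share of records where the field is populated (non-blank)."""
    return sum(1 for r in records if _norm(r.get(field))) / len(records)


def validity(records, field, predicate):
    """Share of populated values that satisfy the predicate (consistency check)."""
    populated = [r[field].strip() for r in records if _norm(r.get(field))]
    return sum(1 for v in populated if predicate(v)) / len(populated) if populated else 1.0


def duplicate_rate(records, field):
    """Share of populated records whose normalized key also appears on another record."""
    keys = [_norm(r.get(field)) for r in records if _norm(r.get(field))]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] > 1) / len(keys) if keys else 0.0


def profile(records):
    return {
        "postal_completeness": completeness(records, "BillingPostalCode"),
        "postal_validity": validity(records, "BillingPostalCode", POSTAL_RE.match),
        "industry_consistency": validity(records, "Industry", ALLOWED_INDUSTRY.__contains__),
        "email_duplicate_rate": duplicate_rate(records, "Email"),
    }


if __name__ == "__main__":
    for metric, value in profile(RECORDS).items():
        print(f"{metric}: {value:.0%}")
```

Normalizing before comparing matters for the uniqueness metric: the two `ops@example.com` rows differ only in case and trailing whitespace and would be missed by an exact-match count.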
Compliance Risk Review
For EU and GDPR-relevant implementations, the review included an assessment of data retention configurations, consent management implementation, data subject rights handling (export, deletion), and privacy impact assessment documentation. This was a targeted review against the 12 highest-risk compliance scenarios for Salesforce implementations, not a comprehensive GDPR audit.
Financial Impact Modeling
Each finding was categorized by severity (Critical / High / Medium / Low) and assessed for financial impact: direct remediation cost (what it would cost to fix), operational risk (what ongoing exposure the issue creates), and deal risk (findings that could affect deal completion or valuation). Findings were presented with ranges, not point estimates, to reflect genuine uncertainty in cost modeling.
Result
The assessment identified €4M in combined risk exposure across the three portfolio companies — risks that were entirely absent from the seller documentation and standard due diligence process.
Company A’s integration layer risk (€800K-1.2M remediation) and data quality issues were factored into the acquisition negotiation, resulting in a price adjustment. The post-acquisition integration timeline was extended by six months to account for the remediation work, preventing the buyer from committing to an unrealistic Day 1 target.
Company B’s GDPR compliance gap led to a specific warranty and indemnification clause covering any regulatory actions arising from data retained before the acquisition close.
Company C’s license compliance issue was resolved pre-close, with the seller funding the retroactive license reconciliation as a condition of deal completion.
The assessment was completed in 11 weeks across all three companies, within the deal timeline. Findings were presented as a prioritized remediation roadmap that transitioned directly into the post-acquisition 100-day integration plan — buyers had clear visibility into what needed to be fixed, in what order, and at what cost.
Methodology components: Technical architecture audit (60-point checklist), metadata export and analysis (Salesforce CLI), data quality profiling (Python-based analysis tooling), GDPR compliance assessment framework, financial impact modeling