The B-Corp of SaaS
Most SaaS acquisitions fail quietly, disappearing in the fog of complacency.
The product stops getting updates. Support response times stretch from hours to days to weeks. The users who made it worth acquiring in the first place quietly move on. By the time you realise the asset wasn't what it looked like, you're already committed, you've already onboarded, your team has already been trained and adapted to the new system, and it's time to start all over. You could go back out and try to filter through the apps yourself, finding new software that might integrate into your workflow. If you go this route, be sure to read our blog article that outlines what to look for. Or, you could leave the heavy lifting to us.
We've spent the last several months building a structured evaluation framework for every tool that comes through Myriad's pipeline. Before any software earns the Verified by Myriad badge, it goes through five stages, and the Quality Gate is the one that does the real work.
In the spirit of transparency, we want to share with you a part of our process and what can help earn software the coveted Verified by Myriad badge.
First: the non-negotiables
Before we score anything, there are binary checks that end the evaluation immediately if they fail. No partial credit. No "they're working on it." These are the table stakes for any software we'd put our name on.
Legal standing
The company behind the software must be properly registered, actively trading, and not subject to any insolvency proceedings. Simple, yet you'd be surprised how often indie tools are technically owned by dormant or dissolved entities.
Active maintenance
The product must have received updates in the last six months. Software that isn't being maintained isn't just stagnant; it is accumulating security risk with every passing month. As security is a top concern at Myriad, this is a particularly important aspect.
Developer commitment
The person or team behind the product must confirm in writing that they're not actively trying to sell or shut it down. We can't stake our reputation on software that's quietly on its way out, and we don’t want our customers implementing something they won’t be able to use in the long run. SaaS changes can be costly and frustrating for all.
UK data compliance
ICO registration confirmed. A Data Processing Agreement in place. Customer data stored in the UK or EU, or with documented safeguards if not. A current, accurate privacy policy that references UK GDPR specifically, not just generic "GDPR." HTTPS across the board. Every single one of these must pass before we go further.
Commercial terms
The developer must be willing to enter a reseller agreement and publish transparent pricing. No "contact us for pricing." No surprise mid-year rate changes without 30 days' notice. This also helps protect the Myriad marketplace, so customers know they’re getting a great deal and not just another marked-up subscription.
IP and legal clean bill of health
Every line of code, every design asset, every third-party library must be owned or properly licensed. No active litigation. No regulatory investigations. AML and KYC checks completed satisfactorily. And if the product uses AI — automated decision-making, content generation, user profiling — that use must be disclosed to end users and compliant with UK GDPR Article 22.
If any of these fail, the evaluation stops. There is no score to recover from. It simply isn’t safe enough for us to list on our marketplace. We have a minimum standard for software we're willing to distribute to businesses that depend on it, and this first part gets them through the gate.
Then: the scored evaluation
Everything beyond the mandatory gates is scored across six areas, 0 to 2 per criterion. A score of 70% or above is a Pass. 50–69% is a Conditional Pass, with specific improvements required before go-live. Below 50% is a Fail, with an invitation to resubmit after 90 days.
Security
We're looking for data encrypted at rest (AES-256 or equivalent), proper access controls and user permission levels, two-factor authentication available for all accounts, a documented process for responding to security vulnerabilities, and ideally a Cyber Essentials certification or a penetration test from the last 12 months. We also want to see an incident response plan that includes ICO notification within 72 hours in the event of a personal data breach. Not because we expect things to go wrong, but because a developer who has thought about what happens when they do is fundamentally more prepared than the kind of operator who hasn't.
Data privacy beyond the legal minimum
The mandatory gates check what UK law requires. This section checks whether the developer has gone further. Can they respond to Subject Access Requests within 30 days? Can they fully and permanently delete a customer record when requested? Can users export their own data in a standard format? Is there a clear, proportionate data retention policy? Are sub-processors disclosed, including their location and the safeguards in place for any outside the UK or EU?
Technical reliability
A documented uptime SLA of 99.5% or above. A public status page. Daily backups with a tested recovery process. Hosting on a reputable, established provider: AWS, Azure, GCP, or equivalent. And a clear process for communicating significant updates to customers before they roll out. The last one sounds small. It isn't. Surprise changes that break established workflows are one of the most consistent sources of churn in SME software.
Integration and compatibility
For Myriad's target markets, this matters enormously. We look for Xero or QuickBooks integration as a baseline; the vast majority of the SMEs we serve use one of them. Beyond that, we check for a documented API, niche-specific integrations (Healthcode for allied health, CIS-compliant accounting for field services), clean data import capability, and genuine mobile compatibility.
Support and onboarding
This section is the most important one for how Myriad actually operates. We're not a directory; we implement and support the tools we list. That means we need developers who have documentation we can actually use. A help centre or knowledge base. A structured onboarding guide. A named partner contact who isn't a generic support queue. And at minimum one training resource: recorded walkthroughs, a sandbox environment, or a live onboarding session for our team before the first customer goes live.
If we can't confidently implement a product ourselves, we won't list it.
Commercial and marketplace fit
The final scored section is about fit, not just quality. Can the product be demonstrated end-to-end in a 5–10 minute recorded walkthrough, without requiring a sales call? Is it priced in line with market levels for SMEs? Does it speak the language of its target niche, or is it a generic horizontal tool with an industry-specific landing page? Does the developer have real paying customers?
Niche-specific compliance
On top of the scored sections, tools in regulated niches go through additional compliance checks. For allied health, that means health data classified as special category under UK GDPR, a compliant patient consent mechanism, Healthcode integration for private insurance billing, and awareness of CQC registration requirements. For field services, it means Gas Safe and NICEIC certificate management, CIS-compliant accounting integration, and offline capability for engineers working in low-signal environments. For property management, it covers deposit protection scheme integration, EPC tracking, Section 21 and Section 8 notice management, and documented awareness of the Renters' Rights Act.
Every niche has its specifics, and we ensure that our listed SaaS is compliant at every turn.
Why this matters
The Verified by Myriad badge is what differentiates us from the other SaaS marketplaces out there. Our transparency about what the process looks like, and what quality gates these developers have to pass to get listed, helps give our customers assurance that "Verified by Myriad" is a source of quality. We don’t just say the words; we back them up with measurable actions.
We're not trying to be the biggest catalogue. We're trying to be the most trusted one, the source that SMEs can come to knowing that someone has already done the unglamorous work of asking the hard questions, reading the privacy policy, emailing the support team, and checking whether the changelog is actually alive.
"Verified by Myriad" is meant to be the B-Corp certification of SaaS. Not a star rating, not a sponsored placement, but a signal that something has been properly evaluated against a clear, published standard.
We're starting in UK allied health and field service management. They won't be where we stop. The gems are out there. They just need someone willing to do the looking, and Myriad is stepping up.