Japan M&A for Technology and Software Companies: IP Due Diligence, APPI Data Compliance, and Software Sector FEFTA Screening

What Foreign Buyers Miss When Acquiring Japanese Software, SaaS, and Technology Targets


Why Technology M&A in Japan Requires a Different Lens

Acquiring a Japanese software or SaaS company is structurally different from acquiring a manufacturer or retailer. The value drivers are intangible: source code, customer data, proprietary algorithms, and engineering talent. Each of those drivers carries a distinct regulatory risk profile that a standard financial or legal due diligence process does not adequately surface.

Foreign buyers who apply a conventional Japan M&A checklist to a technology target routinely discover, post-signing, that key IP has unclear ownership, that customer data cannot legally be shared across the due diligence data room without additional legal steps, and that the target's core product may trigger prior-notification obligations under the Foreign Exchange and Foreign Trade Act, "FEFTA" (外為法).


IP Due Diligence for Japan Technology Targets

Patent Ownership and Contractor-Developed IP

Japan's Patent Act (特許法) vests patent rights in the inventor by default. For inventions made in the course of employment, Patent Act Article 35 (特許法第35条) permits employers to claim ownership through a prior agreement or employment policy, provided the policy is reasonable and the employee receives separate compensation for any assignment. Many Japan SMEs and early-stage technology companies have not put those agreements in place systematically.

The risk for buyers is compounded when the target has used contractors or freelance developers. Unlike salaried employees, contractors do not transfer IP to the client entity unless the contract explicitly provides for assignment. In practice, a substantial proportion of Japan technology startups have core features developed by contractors under agreements that are silent on IP ownership. A patent or code base that the seller presents as fully owned by the target entity may, on closer inspection, be partly or fully owned by individual developers who left the company years earlier.

Due diligence should include a complete inventory of contractor agreements, development SoWs, and any IP assignment confirmations.

NDA coverage is a related concern. Unregistered know-how, technical processes, and product roadmap documentation are protected under the Unfair Competition Prevention Act (不正競争防止法) as trade secrets (営業秘密) only if the information is managed with reasonable confidentiality protocols. If the target cannot demonstrate that it has NDAs with its employees, contractors, and business partners, and that it has implemented access controls appropriate to the sensitivity of the information, that know-how is legally unprotected regardless of its commercial value.

Software Copyright: Japan's Framework

Japan protects software copyright under the Copyright Act (著作権法), which treats software as a copyrighted literary work. For works created by employees in the course of employment, Copyright Act Article 15 (著作権法第15条) recognizes a "work for hire" doctrine that vests copyright in the employing entity under certain conditions. Independent contractor work does not qualify as "work for hire" under that provision, so contractor-developed code requires an explicit assignment.

Buyers should request a copyright chain-of-title review covering all material source code components, including documentation of who created each component and under what contractual arrangement.

Open-Source Software License Audit

The critical risk for acquirers is GPL (GNU General Public License) contamination. Software licensed under GPL version 2 or version 3 requires that any derivative work incorporating the GPL-licensed code also be distributed under GPL terms, which effectively mandates disclosure of the source code of the combined work. If the target's proprietary product incorporates GPL-licensed code without a commercial exception license, the buyer may be acquiring a product that is legally obligated to be distributed as open source.

MIT and Apache 2.0 licenses are permissive: they impose attribution requirements but do not restrict the licensing terms of derivative works. A target whose OSS dependencies are predominantly MIT or Apache 2.0 licensed carries substantially lower contamination risk.

An OSS audit should produce a complete bill of materials for each code component, its license, and the legal analysis of whether the usage is compliant.

Software License Continuity: Share Deal vs. Asset Deal

In a share deal, the contracting entity (the target KK) does not change. Its existing vendor agreements remain in effect because the legal counterparty is unchanged. Cloud hosting, enterprise licenses, and API agreements continue without interruption. Notification to vendors may still be required under specific change-of-control clauses, but re-negotiation is generally not triggered automatically.

In an asset deal, vendor agreements do not transfer automatically; they require assignment, which is subject to vendor consent. Major cloud providers and enterprise software vendors vary in how they handle assignment requests. For a SaaS target with material AWS or Azure spend, the asset deal scenario requires pre-closing engagement with each key vendor to confirm transfer terms.

Trade Secret Protocols

The Unfair Competition Prevention Act (不正競争防止法) protects trade secrets (営業秘密) if three conditions are met: the information is managed as secret (秘密管理性), it has utility value (有用性), and it is not publicly known (非公知性). Many early-stage Japan technology companies have not met the secrecy management requirement in practice.

Due diligence should review whether the target has formal document classification policies, access controls on code repositories and internal systems, confidentiality obligations in employment and contractor agreements, and departure protocols that include reminders of post-employment confidentiality obligations.


APPI Data Compliance in the M&A Data Room

Scope of APPI

The Act on the Protection of Personal Information, "APPI" (個人情報保護法), applies to any business that handles personal information (個人情報): information that can identify a specific individual. For a Japanese SaaS or consumer technology company, this covers customer account records, user behavioral data, employee records, and any analytics or targeting data linked or linkable to individuals.

The target's database is typically one of the most commercially significant assets in a tech M&A deal. It is also the asset that carries the most complex data compliance requirements during the deal process itself.

Cross-Border Data Sharing in the Due Diligence Process

When the target's data room contains personal information and a foreign buyer (or its advisors located outside Japan) accesses that data, the act of sharing constitutes provision of personal information to a third party located in a foreign country (外国にある第三者への提供) under APPI Article 28 (個人情報保護法第28条). The provision is lawful only if one of three conditions is satisfied:

(a) Data subject consent: The target obtains prior consent from each individual whose data is being shared, specifically disclosing that the data will be transferred to a foreign recipient. For a SaaS company with tens of thousands of users, obtaining per-user consent before opening the data room is operationally impractical in most timelines.

(b) Adequacy recognition: The destination country is recognized by the Personal Information Protection Commission, "PPC" (個人情報保護委員会) as having an equivalent level of data protection. As of the current date, only the EU/EEA and the UK hold adequacy recognition under APPI. Data rooms accessible to buyers or advisors in the United States, Singapore, China, or most other jurisdictions do not benefit from this exemption.

(c) Data transfer agreement between the target and the buyer: The target enters into a binding agreement with the foreign buyer that imposes APPI-equivalent data protection obligations on the receiving party.

A data room containing live personal data, shared with a US or Asian buyer at the early diligence stage, is likely non-compliant with APPI without a prior transfer agreement or per-subject consent.

Practical Data Room Design for Tech Targets

A well-structured data room for a Japanese technology target at the pre-exclusivity stage should contain:

  • Aggregated, anonymized statistics about data volumes, user counts, geographic distribution, and data categories rather than actual personal records
  • Data architecture diagrams and data flow maps that describe how personal data is collected, stored, and processed
  • A data compliance summary: APPI privacy policies, data subject rights procedures, breach notification history, and PPC correspondence
  • Samples or screen captures of UI that handle personal data, without underlying records

At the exclusivity stage, with a narrowed buyer group and a data transfer agreement in place, access to pseudonymized (仮名化) datasets for technical due diligence may be appropriate.

Post-Closing APPI Obligations

If the buyer intends to change how the target processes personal data, APPI may impose additional requirements. A change in the purpose of use of personal data requires notification to data subjects when the new purpose is outside the scope reasonably expected from the original collection purpose. Re-consent from the affected individuals may be legally required rather than merely prudent when integrating the target's customer database into a group-wide data platform.


FEFTA Screening for Technology Sector Acquisitions

The Designated Sector Question in Software

FEFTA Article 26 (外為法第26条) requires foreign investors to file a prior notification before acquiring shares in a Japanese company operating in a designated sector. The designated sector list includes, among others, security-related software, IT infrastructure systems, telecommunications infrastructure, and technology with potential national security applications.

For a conventional consumer SaaS or e-commerce software company, the FEFTA exposure is typically low. However, the population of Japanese technology companies that may fall within the designated sector is broader than it appears at first assessment.

The May 2025 amendment introduced the concept of security-critical technology (安全保障上重要な技術) and broadened the designated sector description in terms that capture technology categories not previously named explicitly. The amendment also introduced the Type-A / Type-B investor classification framework, which tightened exemption access for investors with foreign government affiliations.

For technology sector deals, the FEFTA screening question must be asked and answered before the letter of intent is signed, not at closing. If the target falls within a designated sector and the buyer is a foreign investor, prior-notification must be filed and the 30-day statutory review window must run before closing.

Indicators That Warrant Early FEFTA Review

Buyers should request a preliminary FEFTA screen when the target:

(a) Develops or licenses encryption software, security monitoring systems, or vulnerability assessment tooling

(b) Provides software to Japanese government agencies, defense contractors, or critical infrastructure operators including electric utilities, telecommunications carriers, or transport operators

(c) Holds or has applied for patents in technology areas related to cybersecurity, communications security, or information processing systems with dual-use potential

(d) Operates infrastructure systems including data centers, communications networks, or industrial control systems

(e) Has existing relationships with customers in designated sectors, even if the software itself is general-purpose

FEFTA determinations for technology sector acquisitions are subject to Director review at Aplash before any regulatory opinion is issued.


Talent Retention After a Japan Technology Acquisition

Engineering talent is frequently the most fragile component of a Japan technology acquisition.

Non-compete enforceability. Japanese labor law imposes strict requirements for non-compete clauses to be enforceable after departure. Courts apply a proportionality analysis that considers the geographic scope, duration, scope of restricted activities, and whether adequate compensation was paid for the restriction. Blanket post-employment non-competes of the type common in US technology employment agreements are generally unenforceable in Japan.

Earn-out structures tied to team retention. Because non-competes offer limited protection, many technology acquirers structure a portion of the consideration as an earn-out that pays out over 18 to 36 months, with milestones tied to product delivery, revenue targets, or explicit team retention metrics.

Change of management uncertainty. Japan's working culture places high value on stability, long-term relationships, and clear communication from leadership. An acquirer that delays communicating its integration vision or restructures management too rapidly will see attrition accelerate. Early and transparent engagement with the target's engineering leadership, ideally before closing, reduces this risk.


Post-Acquisition Integration for Technology Targets

Source Code Escrow and Repository Transfer

At closing, the buyer must confirm that it has access to the complete and current source code. Source code escrow arrangements with a Japan-based escrow provider can be put in place pre-closing to verify completeness. For a cloud-hosted target, repository access should be transferred as a day-one integration task.

The buyer should also confirm that build pipelines, deployment credentials, and infrastructure access credentials are transferred as part of the integration plan.

License Transfer Notifications to Key Vendors

The post-closing compliance calendar should include review of each material vendor agreement and, where notification is required, timely filing of the required notice. Failure to notify within a contractually specified window can constitute a breach of the vendor agreement.

Cloud Infrastructure and Japan-Specific Hosting Considerations

Some Japanese technology companies, particularly those serving regulated industries such as financial services, healthcare, or government, operate on Japan-specific hosting infrastructure with contractual or regulatory data residency requirements. Post-closing migration decisions should be made with a full residency assessment in hand.


Aplash's Role in Japan Technology M&A

Regulatory due diligence. Aplash assesses the target's regulatory exposure across IP ownership structures, APPI compliance posture, vendor agreement continuity risk under the proposed deal structure, and preliminary FEFTA sector classification.

FEFTA screening. Where the target's technology profile suggests possible designated-sector exposure, Aplash conducts a structured FEFTA screen, advises on prior-notification timing and filing, and coordinates with the Bank of Japan filing process. FEFTA determinations are subject to Director review; buyers should engage early to avoid timeline compression at closing.

Post-closing regulatory integration. Aplash supports the integration team in mapping which registrations transfer automatically in a share deal, which require change-of-control notification, and which require re-application.

Corporate structuring. Where the deal involves establishing a Japan holding structure, converting the target's entity type, or restructuring the capitalization post-acquisition, Aplash provides company structuring support in coordination with Japan-licensed legal and tax advisors.


This article is informational only and does not constitute legal, tax, or regulatory advice. Consult a qualified advisor before acting on the content. Aplash is a regulatory strategy and market entry firm, not a legal or accounting practice. Last updated: May 2026.
