You've evaluated three vendors. The demos went well. Your top choice offered a compelling price. You're ready to sign. And then, six months later, the vendor is acquired by a private equity firm, support response times triple, and the pricing model changes entirely. You're locked in for two more years.
This scenario isn't unusual — it's the default outcome when SMBs skip vendor due diligence. Enterprise buyers run structured risk assessments before every significant vendor commitment. SMBs rarely do, because nobody told them what to check and the process feels overwhelming. It doesn't have to be.
This framework covers six categories of vendor risk: financial stability, security posture, contract terms, integration capabilities, support SLAs, and exit clauses. For each category, you'll get the specific questions to ask, the red flags to watch for, and how to score each vendor against your requirements. At the end is a vendor scorecard template you can use directly.
Percentage of SMBs that report experiencing at least one significant vendor-related disruption in the past two years — pricing increases, support failures, acquisitions, or product discontinuation. Most say they didn't see it coming. Most didn't ask.
Why Vendor Risk Matters More for SMBs Than Enterprises
Here's a counterintuitive truth: SMBs face more vendor risk than enterprises, not less. Enterprises have dedicated procurement teams, legal review, and the leverage to negotiate custom contract terms. They walk away from vendors that won't meet their requirements. SMBs typically sign standard contracts without negotiation, and they're far less resilient to vendor failures when they happen.
For a 200-person company, a vendor's support response time degrading from 4 hours to 48 hours is a serious inconvenience. For a 20-person company where that vendor runs your order management system, it's a crisis. The smaller you are, the more concentrated your vendor risk — and the more carefully you need to evaluate before committing.
The good news: most vendor risk is discoverable before you sign. The questions below take roughly 4–6 hours of work for a single vendor, spread over a week or two while documents and references come back. That's a reasonable investment before committing to a 2–3 year contract worth $20,000 or more.
Category 1: Financial Stability
A vendor that shuts down, gets acquired, or runs out of runway mid-contract creates far more disruption than one that's just mediocre. Financial stability is the first thing to check — and it's often the most overlooked.
What to Ask
- How long have you been in business? Under 2 years is high risk for core systems. 3–5 years with consistent growth is a positive signal. 10+ years is low risk on this dimension.
- What is your current funding status? Self-funded or profitable is low risk. Recently funded (Series A/B in the past 18 months) is moderate. "We raised Series B three years ago" with no follow-on is a yellow flag — they may be running on fumes.
- How many customers do you have, and what's your customer retention rate? A vendor with 2,000 customers and 90%+ annual retention is stable. A vendor with 200 customers that can't answer this question is not.
- Have you been approached for acquisition? They don't have to answer, but the reaction tells you something. Vendors actively trying to sell often deprioritize product investment and customer service.
Red Flags
Acquisition risk is often invisible until it isn't. Three patterns frequently precede an acquisition: (1) a founder-led company where the founder is suddenly less visible, (2) a vendor that raises a large round but lays off 20% of staff 12 months later, (3) a vendor that starts discounting aggressively to hit revenue targets. All three can precede a forced sale to a PE firm that guts support and raises prices.
- Can't tell you how many customers they have
- Leadership team has turned over significantly in the past 12 months
- News of layoffs or office closures
- Pressure to close deals by end of quarter with unusually large discounts
- Glassdoor reviews mentioning financial instability or uncertainty about runway
How to Verify
Search for the company on Crunchbase (funding history), LinkedIn (employee count trends — if it was 200 and is now 120, that's meaningful), and Google News (recent coverage). Call two or three references from their customer list — not the references they give you, but customers you find independently through LinkedIn or G2 reviews.
Category 2: Security Posture
Any vendor that stores, processes, or accesses your data is a security risk if their posture is weak. For SMBs, a vendor security breach can result in regulatory fines, customer notification requirements, and reputational damage — regardless of whether it was your fault.
What to Ask
- Do you have a SOC 2 Type II report? (Or ISO 27001 certification, which is more common for vendors outside the US; there is no equivalent shareable audit report, so ask for the certificate and its scope.) Type II is stronger than Type I because it covers controls operating over a period, not a point-in-time assessment. Ask for the report itself, not a summary; expect to sign an NDA to receive it, and check that its scope covers the product you're actually buying. If they can't provide it, they haven't done it.
- When did you last conduct a penetration test, and can you share the executive summary? Annual pen tests are the baseline. More frequent for vendors handling financial or healthcare data.
- Have you had a data breach in the past three years? The answer matters less than how they answer. "Yes, here's what happened, what we did, and what we changed" is a responsible answer. Deflection or vagueness is a red flag.
- Who are your subprocessors — third-party services that access customer data? Every cloud vendor uses subprocessors (AWS, Stripe, Salesforce, etc.). A responsible vendor maintains a list and notifies customers before adding new ones.
- Where is our data stored, and can it be kept in a specific region? If you're in healthcare, finance, or any regulated industry, data residency matters. EU customers often need EU data storage.
| Security Question | Minimum Acceptable | Best Practice | Red Flag |
|---|---|---|---|
| SOC 2 | Type I report available | Type II, renewed annually, shareable | No SOC 2; "in progress for 2 years" |
| Pen Testing | Annual third-party test | Annual + bug bounty program | Last test was 3+ years ago or never |
| Breach History | No breach, or breach handled responsibly | No breach, active monitoring, incident response plan documented | Breach not disclosed or handled poorly |
| Encryption | TLS 1.2 or later in transit, AES-256 at rest | End-to-end encryption, customer-managed keys available | No answer on encryption standard |
| Access Controls | MFA required for employee access | MFA + SSO + role-based access controls | No MFA on admin access |
Category 3: Contract Terms
Contract risk is the category most SMBs skip entirely. They assume the terms are non-negotiable, so they don't read them carefully. This is the most expensive mistake in vendor due diligence.
For a detailed breakdown of contract negotiation tactics, see our guide on SaaS vendor lock-in and how to negotiate better contracts. The short version for due diligence purposes:
The Five Clauses That Determine Your Risk
1. Early Termination Penalty
What does it cost to exit before the contract ends? Acceptable: no penalty or <20% of remaining contract value. Red flag: 50–100% of remaining contract value. This is the primary lock-in mechanism: a $15,000/year contract with a 3-year term and a 100% termination penalty leaves you owing the remaining 23 months, nearly $29,000, if you need to exit at month 13.
2. Auto-Renewal Terms
When does the contract auto-renew, and to what term? Acceptable: auto-renews month-to-month or requires 30-day written notice. Red flag: auto-renews to a new multi-year term if you miss a 60–90 day notice window. Set a calendar reminder 120 days before expiration the moment you sign.
3. Data Export Rights
Can you export your data, in what formats, and at what cost? Acceptable: free export in standard formats (CSV, JSON, API) at any time. Red flag: export fees (5–15% of ACV), restricted formats, or data only available for 30 days after termination. Your data is your data — never sign a contract where export is restricted or expensive.
4. Price Escalation
What happens to pricing in years 2 and 3? Acceptable: fixed pricing for the full contract term. Red flag: 3–10% annual escalators or "market rate" repricing at renewal, which locks you in to a price you never agreed to. Year-1 discounts that reset to list price in year 2 are common; they are rarely mentioned in the sales pitch and are usually buried in the contract.
5. Termination for Convenience
Can you exit the contract for any reason with reasonable notice? This is the single most important clause in any IT vendor contract. If a vendor won't include termination for convenience (typically 30–90 days' written notice with pro-rata refund), you need a specific reason to accept that risk. See how to negotiate this clause before signing.
Category 4: Integration Capabilities
A vendor that can't integrate cleanly with your existing stack creates hidden labor costs and lock-in you won't see until you're already committed. Integration risk is underweighted in most vendor evaluations because it's less obvious than price or features — until you're three months into an implementation that was supposed to take three weeks.
What to Evaluate
- Does the vendor have a public API, and is it documented? Undocumented APIs or APIs that require a Professional Services engagement to use are integration traps. A healthy vendor publishes its API documentation publicly and maintains it.
- What are the specific integrations with your current tools? Native integrations (not Zapier) with your CRM, accounting system, project management tool, and communication platform. Ask specifically, not generally — "do you integrate with Salesforce" is a different question than "do you have a native Salesforce integration that syncs bidirectionally with custom objects".
- What's the average integration implementation time for companies your size? For a 50-person company, a core system integration should take 2–4 weeks. If the vendor says "it depends" without giving you a reference range, press for customer examples.
- Who owns integration maintenance? Integrations break. When an API version changes or a third-party platform updates, someone needs to fix the integration. Is that the vendor, your team, or a third-party implementation partner? Clarify this before signing — it's a significant ongoing cost that's often not in the contract.
The "we integrate with everything" trap: Many vendors will tell you they integrate with your entire stack. Ask for the names of three customers who use the exact integrations you need and contact them directly. "We integrate with Salesforce" can mean "we have a one-way data push that breaks when Salesforce updates their API" — which is not the same as a maintained, bidirectional integration.
Category 5: Support SLAs
Support quality is the dimension where vendor promises and vendor reality diverge most dramatically. A vendor that responds in 4 hours during your trial may well respond in 48 hours once you've signed a 3-year contract and are locked in. Due diligence on support before you commit is the only way to know which scenario you're buying into.
What to Ask
- What support tier is included in your contract price, and what are the SLAs at that tier? Get the actual SLA document — not the marketing page. Look for: initial response time, resolution time, escalation path, and the definition of "business hours" (is 24/7 support actually 24/7 or 9–5 in one time zone).
- What does the upgrade to the next support tier cost? "Enterprise support" is often a separate line item that doubles the contract value. If you need 24/7 support or a dedicated customer success manager, confirm the price now.
- What is the average response time at your tier for the past 90 days? Ask for actual data, not the SLA target. If the SLA says 4 hours but actual response time is 18 hours, the SLA is useless. A vendor that won't share this data is telling you something.
- What happens if the vendor misses an SLA? SLA penalties (service credits) are meaningless if they're smaller than the cost of the disruption. A vendor offering a 10% monthly credit for missing a 99.9% uptime SLA is offering $120 back on a $1,200/month contract for an outage that may have cost you $5,000 in lost productivity. Note also that 99.9% monthly uptime already permits roughly 43 minutes of downtime per month before the SLA is even breached, so check how uptime is measured and whether scheduled maintenance is excluded.
Test the Support Before You Sign
Call their support line. Submit a ticket. Do this during your evaluation period. The wait time and quality of that interaction predicts your actual support experience more accurately than any SLA document. If support is hard to reach during the sales process, it will be harder to reach after you've signed.
Category 6: Exit Clauses and Offboarding
Most SMBs evaluate vendors on the way in and forget to think about the way out. This is exactly backwards. The time to understand your exit options is before you've committed — when you still have leverage to negotiate better terms.
For a detailed breakdown of exit planning and migration strategies, see our guide on cybersecurity vendor consolidation and the 12 red flags that mean you should walk away from an IT vendor. For due diligence, evaluate these specifically:
Exit Checklist
- Data export available in standard formats (CSV, JSON, API) at no cost within 30 days of termination request
- Vendor provides migration documentation or a migration guide for customers moving to competitive platforms
- No "data hostage" clauses — your data is available for export at any time, not just after termination
- Offboarding process is documented — you know exactly what happens at day 1, day 30, and day 90 after termination
- Contract includes termination for convenience with pro-rata refund of prepaid fees
- No perpetual license or data processing obligations that survive termination without clear end conditions
Red Flags That Should Stop the Deal
Most vendor risks are manageable with negotiation or planning. But some are deal-breakers — situations where the right answer is to walk away entirely, regardless of how good the product looks in a demo.
Walk away immediately if the vendor: (1) refuses to provide a SOC 2 report for a product that handles sensitive data; (2) can't tell you where your data is stored; (3) includes clauses that restrict your right to export your own data; (4) has had a serious data breach in the past 24 months and can't clearly describe what changed; (5) won't disclose their subprocessor list; or (6) requires prepayment of a multi-year contract and penalises exit for any reason. These aren't negotiating positions; they're structural risks that don't go away after you sign.
Beyond the hard walk-aways, these patterns are yellow flags that require investigation before proceeding:
- Reference customers all came from the vendor's list. Independent references tell a different story than curated ones. Find your own.
- The demo environment differs significantly from production. Ask to see a live customer environment, with that customer's permission. If the vendor resists, ask why.
- Implementation timelines are vague. "It depends" without a reference range means either they don't know or they don't want you to know. Either is a problem.
- The sales rep can't answer technical questions. For any product that involves integration or data migration, the sales rep should be able to answer basic technical questions or escalate to someone who can — during the sales process, before you've committed.
- Multiple contract versions are provided in quick succession. Legitimate reason or negotiation in progress is fine. If terms change subtly between versions in ways you weren't told about, that's a trust problem.
The Vendor Risk Scorecard
Use this scorecard to evaluate vendors across the six categories. Score each dimension 1–5 (1 = major concern, 3 = meets minimum requirements, 5 = exceeds expectations). Weight each category based on how critical it is for your use case — a vendor handling payroll data should be weighted heavily on security; one providing a scheduling tool may be weighted more on integration.
| Category | What You're Evaluating | Score (1–5) | Weight | Weighted Score |
|---|---|---|---|---|
| Financial Stability | Operating history, funding status, customer retention, leadership stability | | 15% | |
| Security Posture | SOC 2 Type II, pen testing, breach history, encryption standards | | 20% | |
| Contract Terms | Termination rights, auto-renewal, data export, price escalation | | 25% | |
| Integration Capabilities | API quality, native integrations, implementation time, maintenance ownership | | 20% | |
| Support SLAs | Response times at your tier, actual vs. promised SLAs, escalation path | | 10% | |
| Exit Clauses | Data portability, migration documentation, offboarding process | | 10% | |
Scoring guide: multiply each category score by its weight and sum the column; because the weights add up to 100%, the weighted average lands on the same 1–5 scale. Below 2.5 weighted average = do not proceed without major concessions. 2.5–3.5 = proceed with contract modifications. Above 3.5 = proceed with standard precautions. Any category scored 1 (major concern) = mandatory escalation regardless of overall score, since a strong average can hide a single disqualifying weakness.
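The scoring guide above is easy to get wrong in a spreadsheet, and the "any category scored 1 means escalation regardless of average" rule is exactly the part a plain weighted average hides. The following is an added example, not code from the original article: a small Python scorecard calculator that applies the article's default weights, checks that custom weights still sum to 100%, computes the weighted average and verdict thresholds, and flags any category scored below 2 for mandatory escalation. The two vendors and their scores are constructed sample data, not real vendors.

```python
"""Vendor risk scorecard calculator (added example, not from the original article).

Implements the article's scoring guide: six categories scored 1-5, category
weights summing to 100%, weighted-average thresholds (<2.5 / 2.5-3.5 / >3.5)
and mandatory escalation when any category scores below 2.
"""
from dataclasses import dataclass, field

# Default weights from the article's scorecard. Override per use case
# (e.g. raise Security Posture for a payroll vendor) as long as they sum to 1.0.
DEFAULT_WEIGHTS = {
    "Financial Stability": 0.15,
    "Security Posture": 0.20,
    "Contract Terms": 0.25,
    "Integration Capabilities": 0.20,
    "Support SLAs": 0.10,
    "Exit Clauses": 0.10,
}

# Constructed sample data: two hypothetical vendors, not real companies.
SAMPLE_VENDORS = {
    "Vendor A": {"Financial Stability": 4, "Security Posture": 5, "Contract Terms": 3,
                 "Integration Capabilities": 4, "Support SLAs": 3, "Exit Clauses": 4},
    # Vendor B looks fine on average but scores 1 on security: the escalation rule
    # exists precisely to catch this case.
    "Vendor B": {"Financial Stability": 4, "Security Posture": 1, "Contract Terms": 4,
                 "Integration Capabilities": 4, "Support SLAs": 4, "Exit Clauses": 4},
}


@dataclass
class Verdict:
    weighted_score: float
    decision: str
    escalate: bool                          # True if any category scored below 2
    concerns: list = field(default_factory=list)  # the categories scored below 2


def validate(scores, weights):
    """Reject incomplete scorecards, out-of-range scores and weights not summing to 100%."""
    if set(scores) != set(weights):
        raise ValueError("scores and weights must cover exactly the same categories")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100%")
    for category, score in scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{category}: score {score} is outside 1-5")


def weighted_score(scores, weights=DEFAULT_WEIGHTS):
    """Weighted average on the 1-5 scale: sum of (score x weight) over all categories."""
    validate(scores, weights)
    return round(sum(scores[c] * weights[c] for c in weights), 2)


def evaluate(scores, weights=DEFAULT_WEIGHTS):
    """Apply the article's thresholds plus the per-category escalation rule."""
    total = weighted_score(scores, weights)
    concerns = sorted(c for c, s in scores.items() if s < 2)
    if total < 2.5:
        decision = "do not proceed without major concessions"
    elif total <= 3.5:
        decision = "proceed with contract modifications"
    else:
        decision = "proceed with standard precautions"
    return Verdict(total, decision, escalate=bool(concerns), concerns=concerns)


if __name__ == "__main__":
    for name, scores in SAMPLE_VENDORS.items():
        v = evaluate(scores)
        flag = f"  ESCALATE: {', '.join(v.concerns)} scored below 2" if v.escalate else ""
        print(f"{name}: {v.weighted_score:.2f} -> {v.decision}{flag}")
```

Run as-is to score the two sample vendors; Vendor B comes out at 3.40 (nominally "proceed with contract modifications") but is flagged for escalation on Security Posture, which is the outcome the article's "a 1 in security is a disqualifier" rule demands.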
When to Walk Away
Due diligence sometimes produces an obvious answer: this vendor is not the right choice. Knowing when to walk away is as important as knowing what to evaluate.
Walk away when:
- The vendor scored below 2 in any single category and won't negotiate to address the concern. A 1 in security for a data-sensitive application is not a negotiating starting point — it's a disqualifier.
- The contract won't include termination for convenience and the total contract commitment (including early termination penalty) exceeds what you could absorb if the vendor fails to deliver.
- You can't verify any of the claims they made in the sales process. References don't support the promises. Documentation contradicts the demo. This vendor will be harder to hold accountable after you've signed.
- The implementation timeline is longer than your business can absorb. A vendor that needs 6 months to implement a tool that should take 4 weeks is either understaffed or the product is harder to implement than the demo suggested.
- Your gut says something is off. The sales process felt too high-pressure. The contract changed in ways you weren't told about. The reference customer didn't seem happy. Due diligence exists to surface these signals objectively — but if the signals are there, trust them.
Walking away from a vendor mid-evaluation costs you a few hours. Walking away from a vendor mid-contract costs you thousands of dollars and months of disruption. The asymmetry is extreme. Use it.
The Full Due Diligence Checklist
Run through this checklist for every vendor you're evaluating for a significant commitment:
- Verified company operating history (3+ years preferred; Crunchbase, LinkedIn employee trends, Google News)
- Confirmed funding status and asked about acquisition conversations
- Called independent references (not vendor-provided) and asked about stability signals
- Requested and reviewed SOC 2 Type II report (or equivalent)
- Confirmed pen testing frequency and requested executive summary
- Asked about breach history — looking for transparency, not just the answer
- Reviewed subprocessor list and data residency options
- Read the contract fully — early termination, auto-renewal, data export, price escalation, support tier
- Negotiated termination for convenience with pro-rata refund before signing
- Confirmed free data export in standard formats at any time
- Tested the API documentation (or integration with specific tools your team uses)
- Called support pre-signature to test response time and quality
- Obtained actual support SLA data for past 90 days (not just targets)
- Confirmed offboarding process and migration documentation
- Completed vendor scorecard — no category below 2; overall above 2.5
Related Guides
These guides go deeper on specific areas covered in this framework:
- SaaS Vendor Lock-in: How SMBs Can Negotiate Better Contracts — in-depth breakdown of contract clauses and negotiation scripts for exit terms
- 12 Red Flags That Mean You Should Walk Away From an IT Vendor — the warning signs in the sales process that predict post-sale problems
- How to Negotiate Better IT Vendor Contracts — complete negotiation framework for pricing, SLAs, and implementation terms
- Cybersecurity Vendor Consolidation: Why SMBs Are Overpaying for Overlapping Tools — how to reduce vendor count and risk simultaneously
- How to Evaluate Vendor Management Software — once you've run due diligence, the right VMS keeps your vendor contracts, SLAs, and renewal dates tracked in one place
- Cloud vs. On-Premise: How to Choose the Right Deployment Model — the deployment decision that shapes your vendor's security posture, exit options, and total cost
Frequently Asked Questions
What is an IT vendor risk assessment?
A structured evaluation of a potential vendor before signing a contract. It covers financial stability, security posture, contract terms, integration capabilities, support SLAs, and exit options — surfacing risks that could cost your business money or disrupt operations after you've committed.
How long does vendor due diligence take?
For a significant contract (over $10,000/year or mission-critical system), plan 4–6 hours of work spread over 1–2 weeks — time to request documents, contact references, test support, and review contracts. For lower-stakes contracts, a streamlined version takes 1–2 hours. The time investment scales with the size and criticality of the commitment.
What's the most important thing to check in vendor due diligence?
Contract terms, specifically termination rights and data export. A vendor can be financially stable, technically excellent, and well-supported — but if you can't exit without a $25,000 penalty and your data is held hostage, none of those strengths matter when you need to switch. Check the exit before you commit to the entry.
Do I need a lawyer to review an IT vendor contract?
For contracts over $50,000/year or with complex liability clauses, yes. For smaller contracts, you can do a competent review yourself using the checklist above — focus on the five clauses: early termination penalty, auto-renewal terms, data export rights, price escalation, and termination for convenience. Most red flags are obvious once you know what to look for.
What's the difference between vendor evaluation and vendor due diligence?
Vendor evaluation compares vendors on features, pricing, and fit. Vendor due diligence assesses risk — whether the vendor is financially stable, whether the contract protects your interests, whether their security posture is adequate. Most SMBs do evaluation. Few do due diligence. The combination is what enterprise buyers do before every significant commitment.