47 criteria to evaluate any vendor before you sign
✓ 47 evaluation criteria
✓ 6 categories
✓ Print-ready
✓ getvendorsage.com
How to use this checklist: Work through each category before signing any vendor contract.
Check each item once confirmed. A vendor that can't answer a question is itself a red flag.
Score vendors on the scale at the bottom. Don't sign with anyone below 75% until the gaps are negotiated, and walk away below 60%.
✓ Tip: Print this checklist or use browser checkboxes to track each vendor evaluation
💰 1. Pricing & Cost Structure (9 items)
All-in pricing is disclosed upfront (no hidden setup, onboarding, or migration fees)
Per-user vs. flat pricing is clearly defined — you know exactly what triggers cost increases
Overage billing terms are documented (what happens if you exceed storage, API calls, seats)
Price lock or rate-increase cap negotiated for multi-year agreements
Auto-renewal clause reviewed — cancellation window and notice period are acceptable
Cancellation penalty and early-termination fee clearly stated
Volume discount or SMB pricing tier available (vendors often don't advertise this)
Free trial or pilot period offered before full commitment
Payment terms acceptable (net-30, annual vs. monthly, invoicing vs. credit card)
🔒 2. Security & Compliance (10 items)
SOC 2 Type II report available (not just Type I: a Type I report only assesses control design at a point in time, while a Type II tests whether the controls actually operated over a period, typically 6 to 12 months). Read the exceptions section, not just the auditor's opinion.
Data encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2+). Ask who manages the encryption keys and whether customer-managed keys are an option.
SSO (Single Sign-On) and MFA supported; required for any tool holding sensitive data. Check which pricing tier SSO sits in, since some vendors only offer it on enterprise plans.
Role-based access controls (RBAC) allow you to restrict what each user can see/do
Breach notification SLA defined: how fast do they notify you if they're compromised? 72 hours or less is a common ceiling, because EU data controllers must notify their regulator within 72 hours of becoming aware of a breach (GDPR Art. 33) and you need time to act on their notice.
Data residency requirements met (EU, US, or other jurisdiction requirements)
Penetration testing conducted at least annually by an independent firm; ask for the summary report and evidence that critical and high findings were remediated.
Your data is not used for vendor's AI training or sold to third parties
Data deletion policy on contract termination (when and how is your data removed?)
Relevant compliance certifications held (HIPAA, PCI DSS, ISO 27001, as required for your industry); confirm the certification scope actually covers the service you are buying.
📞 3. Support & Service Levels (8 items)
Response time SLA for critical issues documented (a P1 response within 1 hour is the usual baseline; also check what qualifies as P1 and whether "response" means an engineer is engaged or just an automated acknowledgement)
Uptime guarantee (SLA) documented: 99.9% minimum (about 8.8 hours of downtime a year), 99.95%+ for critical systems (about 4.4 hours). Check how it is measured (monthly vs. annually) and what is excluded, such as scheduled maintenance.
Support channels included in your tier (email only vs. phone vs. dedicated CSM)
Business hours vs. 24/7 support — matches your team's operating hours
Dedicated customer success manager (CSM) assigned — not just ticket queue
Onboarding and implementation support included (not a separate paid service)
SLA credits defined — what compensation do you get if uptime SLA is missed?
Status page and incident communication process exists and is accessible
⚙️ 4. Integration & Technical Fit (8 items)
Native integrations with your existing stack (CRM, ERP, ticketing, communication tools)
REST API available with documentation — enables custom integrations if needed
Data import/export in standard formats (CSV, JSON, XML) — not proprietary lock-in
Migration path from current tool clearly documented (no data trapped)
Mobile app or responsive web for your team's devices (iOS, Android, desktop)
User permissions model matches your org structure (team, department, admin levels)
Product roadmap shared — major upcoming changes won't break your workflow
Change management and version release cycle acceptable (frequency, breaking changes policy)
🏢 5. Vendor Viability & References (6 items)
Company has been operating for 3+ years or has a clear funding runway, so it is unlikely to fold mid-contract
Customer references from companies similar to yours (industry, size) — actually called them
Checked G2 / Capterra / Trustpilot reviews from verified customers in last 12 months
No major acquisition rumors or instability signals (leadership turnover, layoffs, pivots)
Data escrow or portability guarantee if the vendor goes out of business (for SaaS, a contractual right to a full export in a standard format matters more than source-code escrow)
Legal jurisdiction and dispute resolution process acceptable for your team
📄 6. Contract & Legal (6 items)
Contract reviewed by legal or an advisor before signing (not just sales-provided summary)
Indemnification clause protects you from IP infringement by vendor's product
Liability cap is reasonable (not just $100 or "fees paid in last 30 days")
No unilateral right to change pricing or terms during the contract period
DPA (Data Processing Agreement) in place if vendor processes personal data
Exit clause allows termination for convenience with reasonable notice (not just cause)
🚩 Red Flags — Walk Away If You See These
These 9 warning signs cost SMBs an average of $23K/year in unexpected vendor costs
🚩 Vague pricing with "contact us" for everything. If they won't publish pricing, expect to pay more than a comparable customer who negotiated harder.
🚩 Auto-renewal with a 60+ day cancellation notice window. Designed to trap you: you'll miss the window and renew by default.
🚩 No SOC 2 report, just "we're working on it." If they handle your data and don't have one, that's an unmanaged security risk, not a process delay. At minimum get a completed security questionnaire and a firm audit date in writing.
🚩 Proprietary data format with no export. Your data gets trapped, and migration costs can run 3–5x what you're paying in SaaS fees.
🚩 Support is "community forums only" at your tier. When something breaks you're on your own, or paying extra for help.
🚩 Contract allows unilateral price increases. "We reserve the right to modify pricing at any time" in the ToS means next year's renewal could cost 40% more.
🚩 Demo doesn't match the real product. If they show you slides and mock-ups but won't give you a live trial, they're hiding rough edges.
🚩 No reference customers willing to talk. Every established vendor can produce references; if they hesitate, ask why.
🚩 They need your credit card to start a "free trial." A genuine trial doesn't need payment info; a card-gated trial is a subscription that bets on you forgetting to cancel.
📊 How to Score Your Vendors
Count how many items you could check for each vendor you're evaluating.
Divide by 47 to get a percentage. Use this scale (item counts come from exact division; 42 items is 89.4%, so it falls just short of the top band):
90–100% (43–47 items): ✓ Strong fit
75–89% (36–42 items): ⚠ Negotiate gaps
60–74% (29–35 items): ⚠ High risk
Below 60% (28 items or fewer): ✗ Walk away
Any red flag from the section above overrides the score: walk away regardless of the percentage.
Want someone to do this for you?
VendorSage reviews your current IT stack and finds overspend — free 30-minute call, no pitch.