Procurement, IT, and finance leaders · 11 min read
How to evaluate a software vendor before you sign
Most software deals are lost before the contract is signed — not on price, but on scope. The vendor's pre-sales team has run your evaluation hundreds of times and knows exactly which costs to leave out of the proposal. You run it once. This guide is the buyer-side framework to close that gap: how to evaluate a software vendor so the price you're quoted is close to the price you actually pay.
It applies whether you're a 24-person team buying a $40K tool or a Fortune 500 running a $40M programme — the principles are the same; only the depth changes.
1. Write the scope before the vendor does
The single highest-leverage move in any evaluation is to author your own scope first. When the vendor writes the scope, every ambiguity is resolved in their favour and becomes a future change order. When you write it, you set the requirements, the acceptance criteria, and the explicit exclusions.
A strong buyer-authored scope lists what must be delivered with testable acceptance criteria ("the integration syncs X records in under Y minutes with zero data loss"), names the exclusions you've seen vendors slip in (data cleansing, environment setup, training depth), and defines the red lines you'll walk away over.
3. Price the lock-in before you're locked in
Vendor lock-in is invisible at signing and only surfaces when you try to leave. Proprietary data formats, custom integrations, retrained staff, and egress fees all raise your exit cost. The defence is to make lock-in a number, not a feeling: project the switching cost at years 3, 5, and 7 and put it on the table during negotiation.
Ask explicitly: in what format is my data returned on exit, at what cost, and on what timeline? If the answer is vague, that's the lock-in.
4. Separate the demo from the contract
What a vendor shows in a demo and what they commit to in the contract are two different documents. Demoware — features shown but never contractually committed — is one of the most common post-signature surprises. Keep a running list of every capability, SLA, and timeline claimed in the sales process, then check each one against the proposal. Anything demonstrated but not written down is a question, not a commitment.
5. Pressure-test security, data, and compliance
Confirm where your data lives, how it's encrypted, who can access it, and what happens to it on exit. For regulated buyers, require the vendor to map their controls to your obligations (SOC 2, ISO 27001, HIPAA, GDPR) — not just claim certification. For AI vendors, this is its own discipline; see the AI-vendor guide.
6. Take references that aren't on the vendor's list
The references a vendor provides are pre-screened to say good things. The signal is in the ones they don't offer: customers of a similar size, in a similar industry, who went live recently. Ask specifically about the gap between the sales promise and the implementation reality, and about anything that became a change order.
7. Score proposals against your scope, not their pitch
Lock your evaluation model — weighted criteria tied to your scope — before proposals arrive, so a slick presentation can't move the goalposts. Then score how much of your scope each proposal actually covers. Proposals that look cheaper usually cover less; a coverage score makes that visible and comparable.
Frequently asked
What is the most important step in evaluating a software vendor?
Authoring your own scope before the vendor does. It is the single highest-leverage move: when you define the requirements, acceptance criteria, and exclusions, ambiguity is resolved in your favour instead of becoming a change order later.
How do I find a software vendor's hidden costs?
Ask for written dollar estimates — before signing — for the line items routinely excluded from fixed-fee proposals: data migration and cleansing, integrations, non-production environments, training depth, post-go-live hypercare, and renewal uplifts.
How do I evaluate vendor lock-in?
Make it a number. Project the switching cost at years 3, 5, and 7, and require the vendor to state the format, cost, and timeline for returning your data on exit. Vague answers are the lock-in.