Vendor Verification

Vendor Verification: Questions to Ask Before You Sign

By Jeff Wray

A software vendor can look credible in the first meeting and still leave ownership with unanswered questions. Before you sign, verify the basics: who is doing the work, where the work will live, how access is handled, and what happens if the relationship changes.

The Goal Is Not Suspicion. It Is Clarity.

Good vendors should welcome clear expectations. A serious verification process protects both sides because it removes ambiguity before money, access, and timelines are committed.

A clean vendor relationship should answer:

  • Who is responsible for architecture and technical decisions?
  • Who has access to repositories, cloud accounts, credentials, and production data?
  • Where will code, documentation, and deployment history live?
  • How are changes reviewed before they reach production?
  • What does transition look like if either side ends the relationship?

The Vendor Verification Checklist

1. Identity and Responsibility

Ask for the names and roles of the people who will make technical decisions, write code, approve releases, and manage support. You do not need unnecessary personal detail, but you do need accountable owners.

2. Repository and Access Model

The repository should be visible to the company from the start. Clarify who owns the organization, who has admin rights, how branches are reviewed, and how access is removed when people leave.

3. Cloud and Production Control

Make sure the cloud tenant, billing, production credentials, logs, monitoring, backups, and deployment process are documented. Vendor convenience should not become company dependency.

4. References and Work Samples

Ask for examples that resemble your project in complexity and operating requirements. A polished portfolio is useful, but a technical walkthrough tells you more.

5. Payment, Scope, and Handoff Terms

Contract terms should explain what is included, what is excluded, what artifacts are delivered, and what happens if the scope changes. The handoff path should be clear before anyone needs it.

Signals That Need a Deeper Review

Access is vague

The vendor cannot clearly explain who owns the repository, cloud tenant, deployment process, or credentials.

No technical owner

Meetings are handled only by sales or account roles, while architecture and release decisions remain unclear.

No artifact trail

There is no regular access to commits, documentation, decision records, test results, release notes, or support history.

No handoff plan

The contract does not explain how the company receives code, documentation, credentials, and deployment knowledge.

The Bottom Line

Vendor verification is not about assuming bad intent. It is about making sure ownership, access, communication, and accountability are clear before a business-critical system depends on the relationship.

Need a neutral technical read before signing?

A fractional CTO can review the vendor, scope, access model, and handoff plan before the work becomes difficult to unwind.

Contact Jeff