
Technology Vendor Due Diligence Checklist: Financial, Legal, and Operational Verification

A structured checklist for verifying what vendors present during the sales process — financial stability, team integrity, contract provisions, and reference quality.

Due diligence is the most frequently skipped stage in technology partner selection. It is also the stage with the highest return on time invested. The logic is straightforward: every other stage of the selection process relies on information the vendor provides and controls. Due diligence is the stage where you verify that information independently.

Most buyers skip due diligence because they have a “good feeling” about the vendor, because the sales process has already consumed weeks and the organization is eager to start the project, or because they simply do not know what to verify or how. These are understandable reasons — and they are responsible for a significant percentage of technology engagement failures.

Due diligence is not about distrust. It is about converting subjective impressions into verifiable facts before committing capital, timeline, and organizational credibility. A vendor that performs well under scrutiny is a vendor you can engage with confidence. A vendor that cannot withstand basic due diligence is a vendor that should not receive your contract.

This checklist is designed to be executed in five to seven business days for each finalist candidate. It integrates with the evaluation methodology described in How to Evaluate a Technology Partner Beyond the Pitch and forms a critical stage in the broader technology partner selection process. For the overarching decision framework, see the buyer-side selection framework.

Stage 1: Financial Stability and Organizational Health

A vendor’s financial health determines whether they can sustain delivery through the full lifecycle of your engagement. Financially distressed firms cut corners, lose talent, deprioritize lower-margin clients, and make decisions that optimize for short-term cash flow rather than long-term client outcomes. A firm does not need to be large to be stable — but it does need to be solvent, growing or steady, and managed with financial discipline.

Checklist items:

  • Annual revenue. Request the firm’s approximate annual revenue for the current and prior two fiscal years. You do not need audited financials — a credible approximation is sufficient. You are looking for trend, not precision.
  • Revenue trajectory. Is revenue growing, stable, or declining? Stable or growing revenue indicates market demand and client satisfaction. Declining revenue indicates attrition, competitive displacement, or management problems — any of which could affect your project.
  • Profitability indicators. You do not need profit margins, but you should understand whether the firm is profitable. A firm that has been unprofitable for multiple consecutive years is burning cash reserves or debt — neither of which is sustainable.
  • Ownership and funding structure. Is the firm bootstrapped, private equity-backed, or venture-funded? Each structure creates different incentive dynamics. PE-backed firms may be under pressure to optimize EBITDA. VC-backed firms may be prioritizing growth over profitability. Bootstrapped firms may be more conservative but also more capital-constrained.
  • Headcount trajectory. Has the firm’s headcount grown, remained stable, or declined over the past twelve months? A firm that has lost 20% or more of its workforce in the past year is experiencing disruption that will affect every client engagement.

Risk Signal

The vendor declines to share any financial information. For a professional services firm asking you to commit $100K or more to an engagement, basic financial transparency is reasonable. Refusal to share approximate revenue, headcount trend, or profitability indicators — even informally — is a risk signal. Firms with healthy financials have no reason to refuse.

Stage 2: Client Concentration and Revenue Risk

Client concentration is one of the most underappreciated risk factors in vendor due diligence. A firm that derives a disproportionate share of revenue from a single client is structurally fragile. If that client reduces scope or terminates the engagement, the vendor faces a financial shock that cascades across all other client relationships — including yours.

Checklist items:

  • Top-client revenue percentage. What percentage of the firm’s revenue comes from their largest single client? Concentration above 30% is a risk factor. Above 50% is a serious red flag.
  • Top-three-client concentration. What percentage of revenue comes from the firm’s three largest clients? Concentration above 60% indicates narrow client diversification.
  • Client tenure. How long has the firm retained its largest clients? Long-tenure, diversified relationships are a positive signal. A firm that has churned through large clients suggests delivery problems or relationship management issues.
  • Revenue pipeline. Does the firm have a healthy pipeline of new business, or is it dependent on renewals from existing clients? A firm with no new-client acquisition is one relationship loss away from contraction.

Common Failure Mode

Ignoring client concentration because the vendor's capabilities look strong. Capability without stability is a time bomb. A vendor that loses its anchor client mid-way through your engagement will prioritize survival over your deliverables. Layoffs, restructuring, and leadership distraction follow — and your project absorbs the collateral damage.

Threshold guidance:

  • Top-client concentration below 20%: Healthy diversification
  • Top-client concentration 20–30%: Acceptable with monitoring
  • Top-client concentration 30–50%: Elevated risk — factor into decision
  • Top-client concentration above 50%: Serious risk — consider disqualification

Stage 3: Team Stability and Retention

The team assigned to your project determines your outcome. A firm with high turnover rotates staff through client engagements, which means institutional knowledge leaves with departing employees, onboarding costs are continuous, and consistency suffers. Team stability is a concrete, measurable indicator that separates firms with strong cultures from firms that churn through talent.

Checklist items:

  • Annual turnover rate. What percentage of the firm’s staff departed in the past twelve months? Industry context matters, but as a general benchmark: below 15% is healthy, 15–25% is manageable, above 25% is a warning sign, and above 40% is a disqualifier.
  • Average tenure. What is the average length of employment at the firm? Average tenure below two years for a firm that has been operating for five or more years indicates chronic retention problems.
  • Proposed team tenure. How long have the specific individuals proposed for your project been at the firm? Team members with less than six months of tenure may not have fully integrated into the firm’s methodology and quality standards.
  • Mid-project staffing policy. What happens if a team member assigned to your project leaves the firm? Does the vendor guarantee a replacement within a specific timeframe? Do you have approval rights over replacements? How is knowledge transfer handled?
  • Bench depth. Does the firm have sufficient depth to replace team members without degrading quality? A ten-person firm that loses two developers cannot replace them easily. A 100-person firm typically can.

Key Evaluation Questions

What is the firm's voluntary turnover rate for the past two years? How many of the individuals proposed for our project have been at the firm for more than twelve months? What is the firm's contractual obligation if a key team member departs mid-engagement? Has the firm had a significant layoff in the past two years — and if so, what caused it?

Stage 4: Insurance and Liability Coverage

Professional liability insurance (errors and omissions coverage) protects both the vendor and the client in the event of a professional failure that causes financial harm. For technology engagements where software defects, security vulnerabilities, or design failures could have material business consequences, insurance coverage is not optional — it is a fundamental risk management provision.

Checklist items:

  • Professional liability (E&O) insurance. Does the firm carry errors and omissions coverage? What are the per-occurrence and aggregate limits? For engagements above $250K, coverage limits should be at least equal to the contract value.
  • General liability insurance. Standard business insurance covering bodily injury, property damage, and related claims. This is a baseline expectation.
  • Cyber liability insurance. If the engagement involves handling sensitive data, personally identifiable information, or financial data, does the vendor carry cyber liability coverage? What are the limits? Does the policy cover breach notification costs, forensic investigation, and regulatory fines?
  • Workers’ compensation. Does the vendor carry workers’ compensation insurance for its employees? This is a legal requirement in most jurisdictions and protects you from vicarious liability claims.
  • Certificate of insurance. Request a certificate of insurance (COI) as a standard due diligence item. A vendor that cannot produce a COI within 48 hours either does not have current coverage or has an administrative problem — both of which are concerning.

Risk Signal

The vendor does not carry professional liability insurance or has coverage limits that are significantly below the contract value. If a professional failure causes financial harm to your organization, the vendor's liability is limited to their insurance coverage and assets. Inadequate coverage means you bear the downside risk of their errors.

Stage 5: Contract History and Dispute Record

A vendor’s contract history reveals how they behave when commercial interests are at stake. Firms that have a pattern of contract disputes, scope disagreements, or client litigation are signaling behavioral tendencies that will manifest in your engagement. A single dispute may be circumstantial. A pattern is diagnostic.

Checklist items:

  • Active litigation. Is the vendor currently involved in any lawsuits? If so, what is the nature of the claims? Active lawsuits from former clients alleging breach of contract, fraud, or IP infringement are serious risk indicators.
  • Past litigation. Has the vendor been sued by a client in the past five years? If so, what was the outcome? Settlements are common and not necessarily disqualifying. Multiple lawsuits with similar allegations indicate a pattern.
  • Contract terminations. Has a client terminated the vendor’s contract for cause in the past three years? What were the circumstances? A vendor that has never had a contract terminated is either very new, very good, or not being forthcoming.
  • Standard contract terms. Request the vendor’s standard contract or master services agreement. Review it for provisions that are unfavorable to the buyer: retained IP ownership, limited liability caps, mandatory arbitration, non-compete restrictions, or aggressive payment terms (net-10, milestone-independent billing).
  • Change order history. What percentage of the vendor’s projects in the past two years experienced change orders? What was the average change order as a percentage of original contract value? Consistent change orders above 15% of original value suggest either chronic underscoping or deliberate low-ball pricing.

Common Failure Mode

Failing to review the vendor's standard contract before negotiation. The vendor's template contract is drafted by their counsel to protect the vendor's interests. Accepting it without careful review means accepting risk allocation that favors the vendor on IP ownership, liability, termination rights, and dispute resolution.

Stage 6: IP Ownership and Work Product Rights

For any engagement involving custom development — software, design, content, or data models — intellectual property ownership is a fundamental commercial provision. The default position for most buyers should be full assignment of all work product created during the engagement. Any departure from this default should be a conscious, negotiated decision with understood trade-offs.

Checklist items:

  • Work product assignment. Does the vendor’s standard contract assign all work product (code, designs, documentation, data models) to the client upon payment? If not, what does the vendor retain?
  • Pre-existing IP. Does the vendor use pre-existing frameworks, libraries, or tools that are incorporated into the deliverable? If so, under what license? Will you have the right to use, modify, and sublicense these components after the engagement ends?
  • Third-party components. Are open-source libraries, third-party APIs, or licensed tools incorporated into the deliverable? What are the license terms? Are there restrictions on commercial use, modification, or distribution?
  • Source code access. Will you receive complete source code, including build scripts, configuration files, and documentation necessary to maintain and modify the deliverable independently?
  • Escrow provisions. For critical systems, consider a source code escrow arrangement where code is deposited with a third party and released to you if the vendor becomes insolvent or fails to meet maintenance obligations.

Key Evaluation Questions

If the engagement ended today, would we own everything that has been built? Could we hire another firm to continue the work without the current vendor's permission or involvement? Are there any components of the deliverable that would be encumbered by the vendor's retained IP rights?

For detailed analysis of how commercial structure affects IP provisions, see Fixed Fee vs Time & Materials.

Stage 7: Reference Verification

Reference verification is the due diligence activity with the highest signal-to-effort ratio. A 30-minute conversation with a former client reveals more about a vendor’s actual behavior than hours of proposal review or presentation evaluation. The key is conducting reference checks properly — with structured questions, multiple references, and at least one back-channel source.

For the complete reference check methodology, see Reference Checks for Technology Partners.

Checklist items:

  • Minimum reference count. Speak with at least three references for each finalist candidate. Three is the minimum for triangulation. Two can produce conflicting signals with no tiebreaker. One is insufficient.
  • Vendor-provided references. Accept them, but understand they are curated. The vendor has selected their most satisfied clients. These references are useful — but only if you ask specific, structured questions that go beyond “Were you satisfied?”
  • Back-channel references. Source at least one reference that the vendor did not provide. Use LinkedIn, industry communities, mutual connections, or your advisor network to identify former clients willing to share their experience. Back-channel references provide unfiltered signal.
  • Reference recency. Prioritize references from engagements completed within the past eighteen months. Older references may reflect a different team, different leadership, or different operational maturity.
  • Reference similarity. The most valuable references are from engagements similar to yours in scope, complexity, and technology stack. A reference from a ten-person marketing website project has limited predictive value for your $500K enterprise platform build.

What to ask references:

  • How did the vendor handle the first significant problem or scope change?
  • Was the team that started the project the team that finished it?
  • How responsive was the vendor when issues arose?
  • Did the project come in on budget? If not, what caused the variance?
  • Would you hire them again for a similar project?

Risk Signal

A reference's answer to "Would you hire them again?" includes qualifications, conditions, or hesitation. Genuine satisfaction is unmistakable — it sounds like enthusiasm. Qualified responses — "Probably, if we..." or "They were fine, but..." — are negative signals disguised as neutral ones. Listen for what the reference does not say as much as what they do.

Stage 8: Interpreting Due Diligence Findings

Raw due diligence data requires interpretation. A single unfavorable finding does not necessarily disqualify a vendor. A pattern of unfavorable findings does. The purpose of this stage is to synthesize your findings into a risk assessment that informs — but does not replace — the selection decision.

Interpretation framework:

  • Green flags. Stable financials, diversified client base, low turnover, strong references, clean contract history, full IP assignment, adequate insurance. A vendor with green flags across all dimensions is a low-risk selection.
  • Yellow flags. Moderate client concentration (20–30%), turnover in the 15–25% range, one qualified reference, or a single past contract dispute. Yellow flags require monitoring and may justify additional contract protections (milestone-based billing, termination provisions, audit rights) but do not necessarily disqualify.
  • Red flags. High client concentration (above 40%), turnover above 30%, multiple contract disputes, refusal to provide financial information, inadequate insurance, retained IP provisions that limit your control over the deliverable. Red flags should trigger either disqualification or a formal risk acceptance decision by the appropriate stakeholder.
  • Disqualifiers. Active litigation from former clients, turnover above 40%, client concentration above 50%, refusal to provide references, inconsistent information across conversations. These findings should result in removal from consideration regardless of other strengths.

Decision discipline: The most common due diligence failure is rationalizing red flags because the buyer has already invested significant time evaluating the vendor and has developed a preference. “Their financials are a bit soft, but their technical team is strong.” “One reference was lukewarm, but the other two were positive.” These rationalizations are the voice of sunk cost bias. Due diligence findings should be weighed at face value, not discounted to preserve a preferred outcome.

Common Failure Mode

Treating due diligence as a formality conducted after the selection decision has effectively been made. When due diligence is performed to confirm a decision rather than to inform it, findings that contradict the preferred outcome are rationalized or ignored. Due diligence should occur before a frontrunner is identified — or at least before a frontrunner is committed to.

Organizations that lack internal experience with vendor due diligence — or that want to ensure the process is conducted independently of internal political dynamics — sometimes engage an external advisor to manage due diligence as a neutral third party. This approach is particularly valuable when the selection involves competing internal stakeholders or when the organization has been burned by a previous vendor engagement.

Conclusion

Due diligence is the highest-return activity in the entire technology partner selection process. It requires five to seven business days of focused effort. The cost of skipping it — measured in failed engagements, contract disputes, staffing disruptions, and the organizational damage of re-selecting a partner — is orders of magnitude higher.

Every item on this checklist can be verified. Financial stability can be assessed. Retention rates can be measured. References can be checked. Contract terms can be reviewed. Insurance coverage can be confirmed. The information exists. The only question is whether the buying organization has the discipline to collect it before signing — or whether they will discover these realities after the contract is executed, when the cost of discovery is dramatically higher. For a diagnostic analysis of what happens when due diligence is skipped, see why technology projects fail.
