Direct answer: Ask a compact checklist of 12 questions across IP, staffing, delivery, security, and ops; insist on named senior staffing, a clear IP assignment, escrow for source with a 0.5–1% fee, and payment milestones that cap upfront risk (10/40/50 as industry practice). If a vendor’s proposal costs under $100k for a mid-complexity B2B platform, treat that as a red flag. These checks identify vendors who will actually own outcomes for the next 3 years.

Why this matters: a 5‑engineer product team costs roughly $900k–$1.1M/year fully loaded (US market, 2026 compensation). Paying a third-party $200k–$400k/year for a component that saves you one to two engineers can be justified; paying $100k because a shop 'will figure it out' usually isn't. Your procurement decision is less about hourly rate and more about avoiding a 2–4× rework tax over three years.

A poor vendor choice shows up as three predictable losses: 1) ownership ambiguity that forces you to re-implement a feature later (migration cost: $20k–$200k depending on data and integrations), 2) senior-staffing bait-and-switch that raises bug backlog and delays (senior substitution rates above 30% correlate with schedule slips >30%), and 3) operational debt because the vendor never delivered runbooks or SLOs (SRE-style work that costs $150k+/yr to remediate).

Questions to ask a software development company before hiring — the checklist

Below are the questions you must ask and the good-answer vs. red-flag answer to expect. Each question maps to a concrete decision: hire, run a paid spike, or walk away. These are not negotiation talking points; they are acceptance criteria you can test during a 2–4 week paid validation sprint.

  • IP and ownership
  • Named staffing and substitution policy
  • Delivery milestones, acceptance criteria, and payment terms
  • References and code samples from living deployments
  • Security and compliance posture (pen test, SOC2, GDPR readiness)
  • Operational readiness (runbooks, monitoring, SLOs)
  • Pricing model and 3‑year TCO
  • Exit terms, escrow, and transition plan

1) Who owns the code and IP after delivery? Good answer: "All code and work-for-hire deliverables will be assigned to you; source code is placed in your repo; we agree to a vendor-source escrow in clause X with a 0.5–1% annual fee to cover facilitation." Red flag: "We retain ownership of foundational components; you get a license." Any ambiguity here should be a deal-breaker for product-core work.

2) Who exactly will do the work? Good answer: named leads (Engineering Manager — name, Principal Engineer — name) with a clear % allocation (e.g., Principal 20% capacity, EM 15%). Red flag: a title-only org chart and a clause that allows unspecified "team members" to work on your project. Expect senior substitution rates under 10% in the first 6 months; anything above 25–30% correlates with knowledge loss.

3) How do you price and how are payments staged? Good answer: fixed-price for milestones with measurable acceptance tests; typical split is 10% kickoff, 40% after an agreed alpha with acceptance tests, 50% on production handoff. Red flag: 50%+ upfront or daily/hourly retainer with no deliverable-based milestones.

4) Show me two live references for similar scope and access to the codebase. Good answer: three references including a CTO who will let you review a production commit history, CI pipeline, and incident report. Red flag: curated case studies with no contactable references or references that were project-managed by someone not on engineering leadership.

5) What are your security and compliance controls? Good answer: recent pen test (within 12 months), SOC2 Type II or an explicit remediation plan, logging retention (30–90 days), and a data classification map. Red flag: "We'll follow best practices" with no artifacts and no documented response SLO for vulnerabilities (e.g., 72 hours for critical fixes).

6) What operational artifacts do you deliver? Good answer: runbooks, deployment scripts, alerting thresholds, tracing instrumentation, and a 90‑day operational warranty with an SLO of 1‑hour SEV1 response. Red flag: delivery of 'the code' only and an expectation that your team reverse-engineers operational behavior.

7) What's the 3‑year TCO and who pays for runbooks, maintenance, and license egress? Good answer: an itemized 3‑year forecast — development, infrastructure (e.g., expected $1.5k–$5k/month for staging+prod small SaaS), support retainer, and estimated egress costs. Red flag: a one-line rate card with no TCO and no migration/egress assumptions.

8) What happens on termination or acquisition? Good answer: an exit schedule, transfer-of-knowledge timeline (30 days), and source-escrow activation conditions. Red flag: no exit terms, or the vendor claims escrow only for an additional fee that exceeds 2% of contract value annually.

Ask for named people, not titles; ask for source in your repo, not a ZIP file; and insist payment ties to measurable acceptance criteria — those three checks alone eliminate most risky vendors.

How to interpret vendor answers: red flags and good answers

If a vendor gives you scripted answers, challenge them. Ask for a 2‑week paid spike ($20k–$60k typical) with a 2‑page deliverable: working API endpoints, a CI pipeline pointing at your staging, and a runbook for deploy and rollback. If they refuse a paid spike and prefer long spec-writing phases, they want to lock you into scope creep and time-and-materials billing.

Use small experiments to validate three hypotheses: senior involvement, operational competence, and IP posture. Run a code review session with their proposed Principal Engineer and an internal engineer — if they refuse, treat it as a trust gap. Demand to see a commit history and CI run times — one sign of production discipline is automated tests with <10 minute pipeline runs and >80% of mainline commits passing CI on first run.

Quantify your risk. If vendor staffing shows senior allocation under 20% across a 6‑month engagement, budget 15–25% schedule slippage and a 20–40% higher bug backlog. Translate that into dollars: for a $300k engagement, expect $45k–$90k remediation later if the vendor understaffs seniors.

Vendor scorecard and how to use it

Below is a minimal scorecard you can copy into a spreadsheet and use during vendor calls. Weight the categories by your risk tolerance: IP and staffing usually deserve the highest weights for product-core work.

  1. IP & escrow (weight 25%): assign 0–3 points; 3 = clear assignment + escrow clause 0.5–1%
  2. Named staffing (weight 20%): 0–3 points; 3 = named senior leads with % allocations and CVs
  3. Delivery & payment terms (weight 15%): 0–3 points; 3 = milestone-based 10/40/50 with acceptance tests
  4. Operational readiness (weight 15%): 0–3 points; 3 = runbooks, SLOs, monitoring in place
  5. Security & compliance (weight 10%): 0–3 points; 3 = recent pen test, SOC2 or equivalent artifacts
  6. References & code access (weight 10%): 0–3 points; 3 = contactable references and commit history access

Score each vendor across the six categories and compute a weighted score. Use 60% as a minimum pass threshold for product-core work. If a vendor scores 70–80% and bids significantly below market, probe whether they are under-scoping non-functional requirements or planning to substitute juniors for seniors.

If you'd prefer a ready-made CSV template, download the vendor scorecard and onboarding checklist from our engagement page or have us run a 2‑week vendor validation sprint. The validation sprint is a paid short-term engagement that verifies staffing, code quality, and operational handoff patterns before you commit to a larger contract. See custom software development for how Eltherion runs these validation sprints.

For guidance on modeling longer-term cost, compare the vendor's proposal against a 3‑year TCO model — development + hosting + support. Our framework for that comparison is detailed in "Custom software TCO" and if you're asking AI-specific questions about vendors, our companion checklist "Questions to ask an AI development company" covers data, models, and eval criteria.

What this means for a CTO or technical founder

You should treat vendor selection as a technical risk reduction exercise, not a procurement cost-cutting exercise. Allocate budget for a 2‑4 week paid spike ($20k–$60k) to validate the three core hypotheses: named senior participation, operational handoff, and clear IP. This upfront expense typically saves 2–4× in rework and remediation later.

Don't accept opaque staffing clauses. Insist on a substitution policy that caps senior substitution at 10% in the first 3 months and requires notice and equivalent replacement thereafter. Make acceptance tests part of payment; make source placement into your repo a condition for final payment.

If you're deciding between building in-house vs. hiring a vendor, use the scorecard to translate qualitative answers into dollars: assign a probability of rework and multiply by expected remediation cost. If remediation risk exceeds 25% of contract value, budget to build in-house or hire a senior consultancy instead.

  1. Insist on named senior staff and a substitution cap under 10% for the first 3 months.
  2. Make IP assignment explicit and require source-in-your-repo plus a vendor-source escrow clause (0.5–1%).
  3. Stage payments to milestone-based acceptance tests (recommended 10/40/50) and run a 2‑week paid spike before committing.
  4. Score vendors with a weighted checklist and require references that give commit history and CI access.
  5. Budget for 3‑year TCO, not just the upfront price, and translate staffing risks into expected remediation dollars.

Final path: if this checklist feels tedious, that's intentional. The goal is to convert trust into testable artifacts: names, repos, runbooks, and references. If you need a short vendor validation sprint or help turning answers into a binding SOW, our production custom software development team runs exactly this process and can deliver a validated vendor report in 2–4 weeks.