Bertie Bosrédon
Bertie Bosredon, resources for NGOs and charities
Technology

Questions to ask before choosing a vendor

Vendor demos are designed to impress. They rarely show what breaks in year two, what happens when you want to leave, or what the real cost looks like after the introductory pricing ends. I’ve helped dozens of organisation with tech selection and procurement processes (from simple to very complex). I gathered a list of useful questions you should ask before shortlisting a supplier, signing a contract, or committing staff time to a platform that may be difficult to leave later.

How to use this list

  • Start with the core questions for every vendor
  • Then use the section that matches the type of platform you are buying
  • Ask vendors to answer in writing, not only during a demo
  • Compare answers across vendors using the same criteria
  • Treat vague answers as a risk signal

Core questions for any vendor

Ask these regardless of what you are buying.

Cost and contract

  • What does implementation actually cost, beyond the licence fee
  • What is the expected total cost over three years, including licences, implementation, support, integrations, training, and transaction fees
  • Which features shown in the demo are not included in the quoted price
  • What price increases should we expect at renewal
  • What are the exit costs and the notice period
  • What is the pricing model as we scale, per user, per contact, per transaction, or another model

Data ownership and exit

  • Who owns the data during and after the contract
  • What data can we export if we leave, in which formats, and with what limitations
  • How long does a full export take
  • Is there a cost for data export, migration support, or archive access
  • What happens to our contract, data, and service continuity if the vendor is acquired, restructures, or shuts down

Support and roadmap

  • What is the average support response time, and is that written into the contract
  • What support channels are included, and which ones cost extra
  • Which organisations similar to ours already use this, and can we speak to one directly
  • How is the product roadmap decided, and how are customers informed when timelines or features change
  • What happens if a feature we rely on is removed or significantly changed

Security and access

  • Where is our data hosted, which legal entity provides the service, and could the vendor or its subcontractors be subject to non-EU government access laws such as the US CLOUD Act, even if the data is hosted in Europe
  • What GDPR transfer mechanism, encryption model, subprocessors, and contractual safeguards apply if data, support, administration, or legal access could involve countries outside the EEA
  • Can we manage user roles and permissions ourselves
  • Is there an audit log showing who changed data, settings, exports, or permissions
  • Is multi-factor authentication available or required
  • How are security incidents communicated to customers
  • What security documentation can you share, such as ISO 27001, SOC 2, penetration test summaries, or equivalent evidence

Implementation and responsibilities

  • What implementation work is done by your team, by us, and by third-party partners
  • What skills or staff time do we need internally during implementation
  • What does a typical implementation timeline look like for an organisation like ours
  • What are the most common causes of delay
  • What training is included, and what happens when new staff join later

Red flags to watch for

  • The vendor cannot explain the full implementation cost
  • Exporting your data requires a paid professional services project
  • Support response times are described informally but not written into the contract
  • The roadmap is used to sell features that do not exist yet
  • Integrations depend on custom development but this is not priced clearly
  • Data hosting, ownership, or AI training policies are vague
  • The vendor avoids giving references from similar organisations
Website / CMS
  • Can we move our content out easily if we switch platforms later
  • Does it support multiple languages natively, or is that a workaround
  • Who can edit content without needing a developer
  • How is the site hosted, and what happens during a traffic spike, such as an appeal or a crisis
  • What is included in ongoing maintenance, and what costs extra
  • Can we manage redirects, metadata, accessibility basics, and analytics without relying on a developer for every change
  • How are backups, rollbacks, and staging environments handled
Marketing automation
  • How is email deliverability and sender reputation managed
  • Can we segment audiences using our own custom data fields
  • Does it integrate natively with our CRM and donation platform, or does that need custom development
  • What happens to automation history if we downgrade our plan
  • How is consent and unsubscribe handled across integrated systems
  • Can we test journeys before they go live
  • Can we see why someone entered, skipped, or exited an automation
Donation platform
  • What are the transaction fees, and are they passed to the donor or absorbed by us
  • Is it PCI DSS compliant, and who holds that responsibility
  • How is recurring giving managed, including recovery of failed payments
  • Does it handle Gift Aid or the equivalent tax relief automatically
  • Can donors manage their own recurring gifts without contacting us directly
  • Which payment methods, currencies, and countries are supported
  • How are refunds, chargebacks, failed payments, and reconciliation handled
  • What donor and transaction data is sent back to our CRM
CRM
  • How flexible is the data model, can we add our own fields and relationships
  • What is included in standard reporting, and what needs a paid add-on
  • How easy is bulk import and export of donor data
  • What happens to our historic data and structure if we leave
  • Does it properly support multiple currencies and international donors
  • Can we manage duplicates, household relationships, organisations, and soft credits
  • How are permissions, sensitive data, and restricted records managed
  • Can non-technical staff build useful reports without external support
AI tools
  • Where is our data stored, and is it used to train the vendor's models
  • What happens to outputs and history if we cancel
  • Can we set organisation-wide guardrails, or is it left to individual users
  • Can administrators control which data the AI can access
  • Can we disable AI features for specific teams, users, or datasets
  • Are AI actions logged and auditable
  • Is there a human review step built in, or does output go straight out
  • How are hallucinations, bias, and unsafe outputs monitored or mitigated
  • Can we review or delete prompts, outputs, and conversation history
  • Does the vendor provide documentation suitable for internal AI governance or risk review
  • What is the vendor's policy if the AI produces something incorrect or harmful
Integrations and data flows
  • Which systems do you integrate with natively
  • Which integrations require middleware, custom development, or paid add-ons
  • How often does data sync between systems
  • What happens when a sync fails
  • Can we see and fix integration errors ourselves
  • Are integration logs available
  • Who is responsible for maintaining integrations after launch
  • What happens to integrations when one of the connected systems changes its API or pricing

Simple vendor scoring table

Use this as a lightweight comparison tool. The score matters less than the evidence behind it.

AreaScore 1-5EvidenceRisk levelFollow-up needed
Cost clarity
Data ownership and export
Security and permissions
Support and service levels
Integrations
Implementation effort
Exit risk

Closing note

You will not need every question for every purchase. Choose the ones that match the size, risk, and cost of the decision. Ask for answers in writing, compare vendors consistently, and pay attention to hesitation. A vendor who cannot answer clearly has already given you useful information. And don’t forget, I’m always here if you need external expertise.

Resource last updated 7 July 2026


View more resources