
Vendor Selection

Structured vendor evaluation with weighted decision matrix, red flags checklist, and kill criteria. No vendor lock-in without exit strategy.

Cadence: Per-vendor evaluation
Timebox: 1–2 weeks per vendor

Process at a glance
Difficulty: High
Last validated: Jan 26, 2026

This artifact is designed to keep every team aligned on the who, what, and when of your process, not just the steps.

Decision Matrix (interactive; weights adjustable 1-5)
Vendor A: 67
Vendor B: 79
Vendor C: 58

Pro-Owner perspective: This document frames your systems as a technical estate — an asset to be stewarded, documented, and bequeathed. Treat these steps as craftsmanship: protect the continuity, auditability, and transferability of your digital legacy.

What it is

A multi-criteria evaluation framework for selecting vendors (SaaS, hardware, services) with weighted scoring, red flag detection, and mandatory exit strategy planning. Evaluation covers: functionality, cost, security, support, contract terms, and vendor viability. Kill criteria (automatic disqualifiers) prevent wasting time on non-starters.

The framework produces a decision matrix comparing vendors across weighted criteria, a red flags report (contract lock-in, security gaps, poor support), and an exit strategy (how to leave if vendor fails or pricing becomes untenable).

Why it matters

Vendor selection without structure leads to: (1) optimizing for the wrong criteria (cheapest vs most suitable), (2) missing red flags (auto-renewal clauses, data export fees), (3) vendor lock-in with no exit path. Systematic evaluation prevents buyer's remorse and creates negotiation leverage.

Without exit strategies, you're trapped: "We can't leave Vendor X because they won't export our data" or "Contract renews automatically and we missed the cancellation window."

How we do it

  1. Define criteria (before vendor contact):
    • Functionality: Must-have vs nice-to-have features. Weight by business impact.
    • Cost: Total cost of ownership (license + support + integration + training + exit).
    • Security: SOC2, data residency, encryption, access controls, breach notification.
    • Support: SLAs, response times, escalation paths, community/documentation quality.
    • Contract: Terms length, auto-renewal, cancellation notice, pricing predictability.
    • Vendor viability: Funding, customer count, revenue growth, acquisition risk.
  2. Weight criteria: Assign weights (1-5) based on business priorities. Security-critical projects weight security highest. Cost-sensitive projects weight TCO highest.
  3. Score vendors: Each vendor is scored 1-5 per criterion. Weighted score = criterion score × weight; a vendor's total is the sum of its weighted scores across all criteria.
  4. Red flags check:
    • Contract: Auto-renewal without opt-out, data export fees, termination penalties greater than one month's fees.
    • Security: No SOC2/ISO cert, unclear data residency, no breach notification clause.
    • Support: No SLA, community-only support, undocumented APIs.
  5. Kill criteria (automatic disqualifiers):
    • No data export (vendor hostage situation).
    • Pricing changes without notice (contract allows arbitrary price increases).
    • No API/integration path (requires manual workarounds).
  6. Exit strategy: For recommended vendor, document:
    • Data export method (API, bulk download, support request).
    • Contract termination requirements (notice period, penalties).
    • Migration effort estimate (time, cost, risk).

What you receive

  • Decision matrix: Vendors compared across criteria, weighted scores, total scores.
  • Red flags report: Per-vendor assessment of contract/security/support risks.
  • Exit strategy: For top 2 vendors, documented exit paths (data export, contract termination, migration).
  • Recommendation: Top vendor with justification (why it scored highest, risks acknowledged).

All artifacts stored in decision log (Notion, Confluence, Git repo) for future reference.

Evidence

Interactive decision matrix:

  • Weighted matrix: Criteria rows, vendor columns, weighted scores calculated live.
  • Weight adjustment: Drag sliders to change weights, watch scores update (sensitivity analysis).
  • Red flags panel: Per-vendor red flag checklist with severity (blocker, high, medium).
  • Kill criteria section: Automatic disqualifiers listed. Any vendor triggering kill criteria marked as "Not recommended."
  • Example scenarios: Security-critical evaluation (weights security 5/5) vs cost-sensitive (weights TCO 5/5).
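The weighting, scoring, kill-criteria and sensitivity steps above (steps 2-5 of "How we do it" and the two example scenarios in the interactive matrix) can be checked with a small script. The code below is an added example and is not the page's own decision-matrix widget or any vendor's data; the vendors, scores, red flags and the 0-100 normalization (relative to a perfect 5 on every criterion) are constructed assumptions for illustration.

```python
"""Weighted vendor decision matrix with kill criteria and weight sensitivity.

Added example; vendors, scores and weight profiles are constructed, not data
from the page's interactive widget.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CRITERIA = ("functionality", "cost", "security", "support", "contract", "viability")
SEVERITIES = ("blocker", "high", "medium")


@dataclass
class Vendor:
    name: str
    scores: Dict[str, int]                                           # criterion -> 1..5
    red_flags: List[Tuple[str, str]] = field(default_factory=list)   # (description, severity)
    kill_criteria: List[str] = field(default_factory=list)           # triggered disqualifiers


def _check_range(label: str, values: Dict[str, int]) -> None:
    """Every criterion must be present and be an integer 1-5; a missing
    criterion is an error, never silently treated as zero."""
    for c in CRITERIA:
        v = values.get(c)
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError(f"{label}: criterion {c!r} must be an integer 1-5, got {v!r}")


def weighted_total(vendor: Vendor, weights: Dict[str, int]) -> int:
    """Step 3: total = sum over criteria of (criterion score x weight)."""
    _check_range("weights", weights)
    _check_range(vendor.name, vendor.scores)
    return sum(vendor.scores[c] * weights[c] for c in CRITERIA)


def normalized(total: int, weights: Dict[str, int]) -> int:
    """Assumption: scale the total to 0-100 against a perfect 5 on every criterion."""
    best = 5 * sum(weights[c] for c in CRITERIA)
    return round(100 * total / best)


def disqualified(vendor: Vendor) -> bool:
    """Step 5: any kill criterion, or any blocker-severity red flag, marks the
    vendor 'Not recommended' regardless of its weighted score."""
    for desc, sev in vendor.red_flags:
        if sev not in SEVERITIES:
            raise ValueError(f"{vendor.name}: red flag {desc!r} has unknown severity {sev!r}")
    return bool(vendor.kill_criteria) or any(sev == "blocker" for _, sev in vendor.red_flags)


def evaluate(vendors: List[Vendor], weights: Dict[str, int]) -> List[dict]:
    """Build the decision matrix rows: eligible vendors first, highest total
    first; disqualified vendors sort last with the reasons attached."""
    rows = []
    for v in vendors:
        total = weighted_total(v, weights)
        rows.append({
            "vendor": v.name,
            "total": total,
            "score_pct": normalized(total, weights),
            "status": "Not recommended" if disqualified(v) else "Eligible",
            "reasons": list(v.kill_criteria) + [d for d, s in v.red_flags if s == "blocker"],
        })
    rows.sort(key=lambda r: (r["status"] != "Eligible", -r["total"], r["vendor"]))
    return rows


def recommend(vendors: List[Vendor], weights: Dict[str, int]) -> Optional[str]:
    """Top eligible vendor, or None when every vendor tripped a kill criterion."""
    rows = evaluate(vendors, weights)
    return rows[0]["vendor"] if rows and rows[0]["status"] == "Eligible" else None


def sensitivity(vendors: List[Vendor], profiles: Dict[str, Dict[str, int]]) -> Dict[str, Optional[str]]:
    """Re-run the matrix under each weight profile and report which vendor wins."""
    return {name: recommend(vendors, w) for name, w in profiles.items()}


# Constructed weight profiles: the two scenarios from the interactive matrix.
BASE = {c: 3 for c in CRITERIA}
SECURITY_CRITICAL = dict(BASE, security=5, cost=2)
COST_SENSITIVE = dict(BASE, cost=5, security=2)

# Constructed vendors (hypothetical scores and flags).
VENDORS = [
    Vendor("Vendor A", {"functionality": 4, "cost": 5, "security": 2, "support": 3, "contract": 4, "viability": 3}),
    Vendor("Vendor B", {"functionality": 4, "cost": 2, "security": 5, "support": 4, "contract": 3, "viability": 4},
           red_flags=[("community-only support on the base plan", "medium")]),
    Vendor("Vendor C", {"functionality": 5, "cost": 4, "security": 4, "support": 4, "contract": 2, "viability": 3},
           red_flags=[("auto-renewal without opt-out", "high")],
           kill_criteria=["no data export"]),
]

if __name__ == "__main__":
    for label, weights in (("security-critical", SECURITY_CRITICAL), ("cost-sensitive", COST_SENSITIVE)):
        print(f"== {label} ==")
        for row in evaluate(VENDORS, weights):
            print(f"{row['vendor']}: {row['total']} ({row['score_pct']}%) {row['status']} {row['reasons']}")
    print(sensitivity(VENDORS, {"security-critical": SECURITY_CRITICAL, "cost-sensitive": COST_SENSITIVE}))
```

Two things the script makes visible that a static matrix hides: Vendor C has the highest raw functionality score but is never recommended because "no data export" is a kill criterion, and the recommendation flips between Vendor B and Vendor A when the security and cost weights are swapped, which is exactly the sensitivity check the weight sliders are for.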

Download vendor selection package (templates + checklists + contract review guide): [Link]

Failure modes & guardrails

Failure mode: Weights don't reflect reality
Guardrail: Validate weights with stakeholders before scoring. Security lead validates security weight, finance validates cost weight.

Failure mode: Red flags ignored ("we'll negotiate later")
Guardrail: Red flags must be addressed before contract signature. No exceptions.

Failure mode: Exit strategy deferred
Guardrail: Exit strategy documented before contract signature. If vendor won't provide export method, that's a kill criterion.

Failure mode: Vendor scores inflated by sales demos
Guardrail: Require proof-of-concept (POC) with real data. Demos don't count toward functionality scores.