Vendor Evaluation
RFP/RFI process, proof of concept, reference checks, SLA negotiation
Rigorous vendor evaluation reduces the risk of costly lock-in, surprise outages, and SLA disappointments that damage product reliability and the team's credibility. The RFI (Request for Information) and RFP (Request for Proposal) processes provide a structured framework: an RFI gathers market information from many vendors; an RFP solicits detailed proposals from shortlisted vendors against specific, written requirements. A Proof of Concept (PoC) run with production-representative data and load validates the vendor's claims before the contract is signed. Reference checks with existing customers at similar scale and with similar compliance requirements are the highest-signal step, and the one most teams skip.
Key Points
- RFI → RFP pipeline: send RFI to 10+ vendors to map the market; shortlist 3–5 for RFP; invite 2 for PoC; select 1 — this funnel prevents premature commitment to a vendor before understanding alternatives
- RFP evaluation criteria: functional fit (must-have feature matrix, scored pass/fail), performance (benchmarks against your actual use case), security (SOC 2 Type II, pen-test reports, data processing agreement), SLA (uptime commitment, support response SLAs, escalation process), and pricing model (per-user, per-API-call, per-GB)
- PoC success criteria must be defined before starting, agreed with the vendor in writing, and cover more than latency: "vendor passes PoC if p99 API latency < 50ms at 1,000 concurrent users with our data model and an error rate below 0.1% over a sustained run" — not "we'll decide after we look at it". A latency target on its own is easy to hit by failing requests fast, so the error budget and the run duration belong in the same sentence as the percentile
- Reference checks: request 3 reference customers at similar scale and industry; ask specifically about: worst incident experienced, support response quality, pricing changes at renewal, and what they would do differently
- Contract negotiation points: SLA credits (meaningful, not 10% of one month's fee), data portability (export format, timeline, cost), termination for convenience clause, pricing caps (protect against per-seat cost explosions at growth)
- Security due diligence: require the SOC 2 Type II report, not Type I (Type I attests that controls were designed at a point in time; Type II attests that they operated over the audit period, typically 6–12 months; check the period end date and ask for a bridge letter if it is more than a few months old), a recent penetration test summary with remediation status, a vulnerability disclosure policy (a published /.well-known/security.txt per RFC 9116 is the quick check), a data breach notification timeline (contractually 24 hours or less, so you can still meet your own 72-hour regulatory clock under GDPR), and the subprocessor list with a commitment to notify you before it changes
- Lock-in assessment: map all integration points to the vendor's APIs; identify which use proprietary formats vs open standards; estimate engineering effort to migrate away (the "exit cost" is a real factor in TCO)
- Vendor health signals: check company funding stage and burn rate (for startups), customer count growth, Glassdoor engineering reviews, GitHub activity for OSS products, and analyst coverage (Gartner Magic Quadrant, Forrester Wave)
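A scriptable check for the "vulnerability disclosure policy" item in the security due diligence list: RFC 9116 defines a machine-readable /.well-known/security.txt that names the security contact, the disclosure policy and an expiry date, and a file that is missing required fields, points at cleartext URLs or has already expired says something about how the vendor runs its security programme. The checker below is an added example for this page, not a vendor's file or any published tool; the two files it parses are constructed samples, and the `vendor.example` URLs and the fixed `REVIEW_DATE` are assumptions. Fetch the real file over HTTPS from the vendor's domain and feed its contents in.

```python
"""Parse and sanity-check a vendor's RFC 9116 security.txt (vulnerability disclosure pointer).

Added example for this page. The two sample files below are constructed, not fetched
from any real vendor; REVIEW_DATE is an assumed "today" so the demo is deterministic.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RFC 9116 field names. Contact and Expires are mandatory; Expires and
# Preferred-Languages may appear at most once; the others may repeat.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
REQUIRED_FIELDS = {"Contact", "Expires"}
SINGLETON_FIELDS = {"Expires", "Preferred-Languages"}
URI_FIELDS = KNOWN_FIELDS - {"Expires", "Preferred-Languages"}

# Assumed review date (so the expiry check below is reproducible).
REVIEW_DATE = datetime(2026, 6, 1, tzinfo=timezone.utc)


@dataclass
class SecurityTxtReport:
    fields: dict[str, list[str]] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _parse_expires(value: str) -> datetime:
    # RFC 9116 uses RFC 3339 timestamps; Python < 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(text: str, now: datetime | None = None) -> SecurityTxtReport:
    """Return the parsed fields plus every problem a due-diligence reviewer should raise."""
    now = now or datetime.now(timezone.utc)
    report = SecurityTxtReport()

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            report.problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        # Field names are case-insensitive; normalise to the RFC spelling so lookups work.
        name = next((f for f in KNOWN_FIELDS if f.lower() == name.lower()), name)
        if name not in KNOWN_FIELDS:
            report.problems.append(f"line {lineno}: unknown field {name!r}")
        report.fields.setdefault(name, []).append(value)

    present = set(report.fields)
    for name in sorted(REQUIRED_FIELDS - present):
        report.problems.append(f"missing required field {name}")
    for name in sorted(SINGLETON_FIELDS & present):
        if len(report.fields[name]) > 1:
            report.problems.append(f"{name} appears {len(report.fields[name])} times (max 1)")

    # Web URIs must be https; a bare e-mail address without mailto: is not a URI at all.
    for name in sorted(URI_FIELDS & present):
        for value in report.fields[name]:
            if value.startswith("http://"):
                report.problems.append(f"{name}: cleartext http URI {value!r}")
            elif "://" not in value and not value.startswith(("mailto:", "tel:")):
                report.problems.append(f"{name}: not a URI {value!r}")

    for value in report.fields.get("Expires", [])[:1]:
        try:
            expires = _parse_expires(value)
        except ValueError:
            report.problems.append(f"Expires: unparseable timestamp {value!r}")
            continue
        if expires.tzinfo is None:
            report.problems.append(f"Expires: timestamp {value!r} has no timezone offset")
        elif expires <= now:
            report.problems.append(f"Expires: file expired on {value}; treat its contents as stale")
        elif expires - now > timedelta(days=366):
            report.problems.append("Expires: more than a year out (RFC 9116 recommends under a year)")
    return report


# Constructed sample: what a reasonable vendor file looks like.
GOOD_SECURITY_TXT = """\
# Constructed example, not a real vendor
Contact: mailto:security@vendor.example
Contact: https://vendor.example/security/report
Expires: 2027-01-31T00:00:00.000Z
Encryption: https://vendor.example/pgp-key.txt
Policy: https://vendor.example/security/disclosure-policy
Preferred-Languages: en
Canonical: https://vendor.example/.well-known/security.txt
"""

# Constructed sample of the kind of file that belongs on the findings list.
BAD_SECURITY_TXT = """\
Contact: security@vendor.example
Policy: http://vendor.example/policy
Encryption: https://vendor.example/pgp-key.txt
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        report = parse_security_txt(text, now=REVIEW_DATE)
        print(label, "OK" if report.ok else report.problems)
```

The absence of a security.txt is not on its own a finding (many vendors run a disclosure programme without publishing one), but a file that exists and is expired or unparseable is: it means nobody owns it. The checker deliberately collects every problem rather than stopping at the first, so the output can go straight into the RFP scoring sheet.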
Real-World Example
When Figma evaluated database vendors for their multiplayer collaboration infrastructure, they ran a 3-week PoC with their actual document CRDT workload — off-the-shelf PostgreSQL couldn't meet their latency requirements, leading to their custom storage solution; the PoC saved them from a multi-year architectural mistake.
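The PoC criteria bullet above and this example both turn on the same discipline: the pass/fail threshold is written down before the run, and the run measures the tail, not the average. The harness below is an added example for this page, not Figma's or any vendor's code. It drives a callable from N concurrent threads, records per-call latency, computes a nearest-rank p99 and scores the run against criteria fixed up front, including an error budget and a minimum sample count; the `fake_vendor_call` stand-in and its latency distribution are constructed for the demo.

```python
"""Score a vendor PoC against pass/fail criteria fixed before the run.

Added example for this page, not from any vendor or project. The system under
test is a constructed stand-in callable; point run_load at a real client call.
"""
from __future__ import annotations

import math
import random
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class PocCriteria:
    """Written down and agreed with the vendor before the PoC starts."""
    p99_latency_ms: float       # e.g. 50.0 for "p99 < 50 ms"
    concurrency: int            # simultaneous workers, e.g. 1000
    requests_per_worker: int    # requests each worker issues back to back
    max_error_rate: float       # errors / total calls tolerated, e.g. 0.001
    min_samples: int = 100      # below this, "p99" is just the slowest request


@dataclass
class PocResult:
    latencies_ms: list[float]   # one entry per successful call
    errors: int                 # calls that raised

    @property
    def total(self) -> int:
        return len(self.latencies_ms) + self.errors


def percentile(samples: list[float], pct: float) -> float:
    """Nearest-rank percentile: the result is always an observed latency, never an interpolated one."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def run_load(call: Callable[[], None], criteria: PocCriteria) -> PocResult:
    """Drive `call` from `criteria.concurrency` threads and record every call's latency."""
    def worker(_: int) -> tuple[list[float], int]:
        local, failed = [], 0
        for _ in range(criteria.requests_per_worker):
            start = time.perf_counter()
            try:
                call()
            except Exception:           # any failure counts against the error budget
                failed += 1
                continue
            local.append((time.perf_counter() - start) * 1000.0)
        return local, failed

    result = PocResult([], 0)
    with ThreadPoolExecutor(max_workers=criteria.concurrency) as pool:
        for local, failed in pool.map(worker, range(criteria.concurrency)):
            result.latencies_ms.extend(local)
            result.errors += failed
    return result


def evaluate(result: PocResult, criteria: PocCriteria) -> dict:
    """Compare a run against the criteria; every reason for failure is listed, not just the first."""
    reasons: list[str] = []
    if result.total == 0:
        return {"passed": False, "reasons": ["no calls made"]}
    error_rate = result.errors / result.total
    if error_rate > criteria.max_error_rate:
        reasons.append(f"error rate {error_rate:.4f} > {criteria.max_error_rate}")
    if len(result.latencies_ms) < criteria.min_samples:
        reasons.append(f"only {len(result.latencies_ms)} successful calls; p99 not meaningful")
        return {"passed": False, "error_rate": error_rate, "reasons": reasons}
    p99 = percentile(result.latencies_ms, 99)
    if p99 >= criteria.p99_latency_ms:
        reasons.append(f"p99 {p99:.1f} ms >= {criteria.p99_latency_ms} ms")
    return {"passed": not reasons, "p99_ms": p99, "error_rate": error_rate, "reasons": reasons}


def fake_vendor_call() -> None:
    """Constructed stand-in for the vendor API: mostly ~3 ms, a slow tail, rare failures."""
    if random.random() < 0.002:
        raise RuntimeError("simulated 5xx")
    time.sleep(random.choice([0.003] * 95 + [0.030] * 4 + [0.080]))


if __name__ == "__main__":
    criteria = PocCriteria(p99_latency_ms=50.0, concurrency=50,
                           requests_per_worker=40, max_error_rate=0.005)
    verdict = evaluate(run_load(fake_vendor_call, criteria), criteria)
    print("PASS" if verdict["passed"] else "FAIL", verdict)
```

`run_load` uses one thread per concurrent user, which is fine for a few hundred but makes the Python client itself the bottleneck at 1,000 users with any CPU-bound work; for that scale drive the load from a dedicated generator and feed its per-request latencies into `evaluate()`. The percentile is nearest-rank so the reported p99 is a request that actually happened; averaging, or trusting the vendor's own dashboard, both hide the tail the criteria were written to catch.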