What Enterprise Clients Check Before Buying Your Software: The Vendor Assessment Decoded
Enterprise clients do not buy software from a pitch deck. They run procurement assessments that can derail deals at the last stage. Understanding what they check, and preparing for it, is as important as building the product.
What Enterprise Clients Check Before Buying Your Software: The Vendor Assessment Decoded
A mid-sized Nigerian software firm loses an enterprise deal late in the sales process almost every month. Not because the product failed the demo or the price was too high — because their vendor assessment response was inadequate. The due diligence process that enterprise clients run on software vendors exists for real reasons, and the vendors who understand those reasons sail through. The ones who treat it as an obstacle to be managed do not.
Enterprise procurement teams are not trying to complicate your sale. They are trying to answer a specific set of questions: Will this vendor still exist in three years? If this software has a security breach, does our organisation bear liability? Can this integration fail in a way that damages our operations? What happens when things go wrong?
The Vendor Assessment Process
Enterprise software procurement typically follows this sequence:
Request for Information (RFI) — Initial screening on capabilities, experience, and rough pricing. This is where many small vendors are eliminated without knowing it. An RFI that asks for three references from organisations of similar size with similar requirements is specifically designed to remove vendors who have not worked at enterprise scale.
Request for Proposal (RFP) — Detailed technical and commercial proposal. Evaluates the proposed solution against specifications. Scoring matrices with weighted criteria are common. This is a content evaluation but also a competence signal — a well-structured, specific response to each criterion demonstrates more about your organisation than the content itself.
Vendor Risk Assessment / Due Diligence — Security questionnaire, financial review, reference checks, site visit. This is the stage that surprises vendors who assumed technical competence was sufficient. An excellent product built by a financially fragile organisation with no security programme is a poor procurement decision.
Commercial Negotiation — Pricing, contract terms, SLAs. This stage rarely kills deals that made it through due diligence. Most commercial terms can be negotiated.
Security Questionnaire
The security questionnaire is the stage most software vendors are least prepared for. A standard enterprise security questionnaire covers 100–200 questions across domains: access control, data handling, incident response, physical security, third-party management, business continuity, and compliance certifications.
What clients are actually checking:
Do you have a formal information security programme? Not a policy document on a shared drive — an implemented programme with ownership, regular review, audit evidence, and named individuals responsible for security. The minimum credible implementation for a small software firm is ISMS documentation, a risk register, user access review logs, and evidence that the programme was reviewed in the last twelve months.
How do you handle our data if the engagement ends? Data return and destruction procedures at contract termination are a frequent deal-breaker for enterprises operating under regulatory requirements. Your answer needs to specify: data returned in portable format within X days, all copies deleted within Y days, destruction certificate provided.
What is your incident response process? Every enterprise client wants to know how quickly you detect security incidents, how you notify them, and what remediation process follows. An honest answer from a small firm: "We detect incidents through [specific tools — Cloudflare Access logs, database audit logs, application error monitoring]. Our notification timeline to clients is 24 hours for identified breaches, which meets the NDPR 72-hour reporting requirement." An inadequate answer: "We take security very seriously."
What certifications do you hold? ISO 27001 is the global standard. SOC 2 Type II is increasingly requested for US-linked clients. PCI DSS if you touch payment card data. Nigerian data protection certification from the NDPC. Many small firms hold none of these. The honest answer in this case is a credible roadmap for certification rather than fabricating compliance.
Third-party vendors: Enterprise clients want to know what third parties have access to their data — your cloud provider, your monitoring tools, your email provider, your development team laptops. Mapping your data flows and being able to answer which vendors touch client data and under what agreements is essential.
Financial Due Diligence
Enterprise clients entering multi-year software dependencies want to know the vendor will exist for the duration of the contract. Financial due diligence for a software vendor typically covers:
Revenue and financial stability: The client usually asks for two to three years of financial statements or management accounts. They are looking for revenue trend, dependency concentration (is 80% of your revenue from two clients?), and basic solvency.
Concentration risk: If your largest client represents more than 40% of revenue, a sophisticated procurement team will flag this. Losing that client could impair your ability to service new enterprise deals. This is why portfolio diversification is a legitimate business imperative, not just a growth aspiration.
Escrow arrangements: For bespoke software with source code, enterprise clients often require source code escrow — a third-party arrangement where the code is held by an escrow service and released to the client if the vendor ceases operations. NCC Group and Iron Mountain provide these services. Being able to offer escrow as an option eliminates a significant concern for clients building long-term dependencies.
Technical Architecture Review
Larger enterprise deals involve a technical architecture review by the client's IT team or a technical evaluator. This goes beyond the demo — it is a review of how you build, how you deploy, and what happens when things fail.
What technical reviewers check:
Hosting and data residency: Where does the data live? Enterprise clients in regulated industries (banking, insurance, healthcare) may have requirements around Nigerian data sovereignty. Knowing your infrastructure — Cloudflare Workers (edge), Railway, Render, AWS Cape Town (af-south-1), or dedicated servers — and being able to articulate it is baseline.
Disaster recovery and RTO/RPO: What is your Recovery Time Objective (the maximum acceptable downtime after a failure) and Recovery Point Objective (the maximum acceptable data loss, measured in time)? "We back up daily to a separate region" is an RTO of hours and an RPO of up to 24 hours. For most enterprise clients, that is acceptable. For financial systems, it is usually not.
Penetration testing and vulnerability management: Has the software been independently tested? When was the last penetration test? How are vulnerabilities managed? An annual penetration test from a credible firm, with remediation evidence, satisfies most enterprise requirements.
API security and integration architecture: For systems that will integrate with the client's existing infrastructure, the technical reviewer will evaluate API authentication methods, rate limiting, error handling, and how integration failures are managed. A well-documented API with OAuth 2.0 authentication, clear rate limit documentation, and webhook retry logic scores materially higher than an undocumented API.
Development security: How do you prevent insecure code from reaching production? Code review requirements, static analysis tools, dependency vulnerability scanning, secrets management — these demonstrate that security is built into the development process rather than bolted on.
Reference Checks
Enterprise clients always check references. They are looking for honest answers to specific questions, not testimonials:
- Did the vendor deliver what they scoped?
- Did timelines slip? If so, how was it handled?
- How did the vendor respond when something went wrong?
- Would you buy from them again for a project of this scale?
What this means for your reference list: Providing references who will give honest, positive accounts of projects that were not universally smooth is more credible than providing references from very small, unchallenging projects. "We had a scope expansion in month three that pushed the timeline out by six weeks, but they were transparent throughout and delivered the full scope" is a better reference than "everything was perfect" — because the former is believable.
Preparing your references: Let reference contacts know they may be called, what the context is, and what aspects of the engagement are likely to be relevant. This is not coaching them to misrepresent — it is making sure they have time to recall the project clearly.
The Preparation Checklist
What a software firm doing enterprise business should have prepared:
- Information security policy and ISMS documentation
- Data processing register (map of what data you hold, where, why, for how long)
- Incident response procedure (documented, not just understood)
- Business continuity and disaster recovery plan
- Penetration test report (within 18 months) with remediation evidence
- Third-party vendor list with DPA status for each
- Insurance certificate (professional indemnity at minimum; cyber liability increasingly requested)
- Reference list with contacts who are briefed and available
- Company financials (two to three years)
- Source code escrow option or explanation
This is not a bureaucratic overhead — it is the documentation of practices that a competent software firm should have regardless of enterprise sales. Building the enterprise practice means building the actual practices first, then documenting them. The documentation is evidence; the practices are the substance.
The firms that win enterprise deals consistently are not necessarily the ones with the best product. They are the ones where the enterprise risk team can write an internal approval memo that makes sense — where the risks are identified, bounded, and mitigated. Make it easy to approve you.
Related Articles
- How to Write a Software RFP That Gets Useful Responses — Getting your requirements right before assessment
- Vendor Lock-In Risk in Enterprise Contracts — Managing platform dependency risk
- Custom Software vs SaaS: An Honest Comparison — Build vs buy framework