SaaS Buying Framework for Operators
The Pre-Purchase Vendor Diligence Checklist for Mid-Market Buyers
The operations team went live in February. Onboarding went well. The team liked the tool. By June, the quarterly business review was showing promising adoption data. And then in October, a rep from a competitor reached out to "discuss options", which was the first signal. By November, the vendor had quietly paused hiring. By December, the CEO sent an all-company email about "strategic restructuring." By January, the product was in maintenance mode and support response time had climbed from four hours to four days.
The company had signed an annual contract. They'd paid for twelve months. They got nine months of a functioning product and three months of uncertainty, followed by a migration they hadn't planned for.
Nobody had checked the vendor's financial health before signing. Nobody had asked about funding runway, investor backing, or how many enterprise contracts were in the book. It wasn't due diligence. It was a demo and a reference call.
This guide is the diligence process that mid-market companies should run before signing any SaaS contract over $10K/year. It's calibrated for operators: not enterprise procurement teams running six-week evaluations, but leaders who need real rigor in two to three days.
Why Mid-Market Companies Are Especially Vulnerable
Mid-market companies sit in an awkward spot in the vendor ecosystem. They move faster than enterprise buyers, which makes them attractive to early-stage vendors looking for quick revenue. They have more budget than SMB buyers, which makes them worth pursuing. And they often lack the institutional diligence muscle that larger companies have built from years of vendor failures. Gartner's market guide for SaaS management notes that mid-market organizations face disproportionate vendor concentration risk compared to enterprise buyers who distribute spend across larger, more stable vendors.
The AI SaaS wave has made this worse. Hundreds of AI-native tools have launched in the past two years. Many are well-funded but pre-revenue. Many are revenue-positive but burning more than they're earning. And many are credible-looking in a demo while being genuinely fragile as a business.
Your job in diligence isn't to be paranoid. It's to ask the questions that surface the risks you'd want to know about before you're eighteen months into a migration. And if you're already running a full vendor evaluation, how to run a SaaS RFP covers how to integrate this diligence checklist into a structured three-week selection process.
The Six Diligence Domains
Domain 1: Company Viability
The most important question for any vendor under five years old or without obvious enterprise scale: are they going to exist in three years?
You won't get audited financials from a private company. But you can get enough signals to make a judgment.
What to check:
- Funding stage and most recent round date. Seed and Series A companies typically raise for 18-24 months of runway. If the last raise was more than 18 months ago and there's no announced follow-on round, ask directly about runway.
- Investor quality. Tier-1 VC backing (a16z, Bessemer, Sequoia, Accel) doesn't guarantee success but does correlate with portfolio support and bridge capacity. Unknown or angel-only backing increases risk.
- Headcount trend. Check LinkedIn employee count over the past 6-12 months. Declining headcount is a yellow flag. Mass layoffs without public communication are a red flag.
- Customer concentration. Ask whether any single customer represents more than 15% of ARR. If yes, losing that customer creates a materially different business.
- Revenue growth signals. Vendors won't give you ARR, but they'll often confirm the direction. "We've grown 3x in the last 18 months" is a meaningful signal. Vague answers are too.
Vendor financial health indicators (for private companies):
| Signal | Green | Yellow | Red |
|---|---|---|---|
| Last funding round | <18 months ago | 18-30 months ago | >30 months ago |
| Headcount trend | Growing | Flat | Declining |
| Customer tier | Enterprise + mid-market mix | Mid-market only | SMB-heavy |
| Investor backing | Tier-1 VC | Tier-2 VC | Angel only |
| Response to runway question | Direct, confident | Deflects to traction | Refuses to engage |
Domain 2: Security Certifications
Security certifications are the floor of diligence, not the ceiling. A SOC 2 Type II report tells you that the controls the vendor chose to put in scope were designed and operated effectively over the audit period, as tested by the auditor. It does not tell you what the vendor is doing with your data today, whether the product you're buying sat inside the audited system boundary, or how they'd respond to a breach. Strictly, SOC 2 is an attestation report rather than a certification; ISO 27001 is a certification of a management system, not of any individual product or control.
What to check:
- SOC 2 Type II (not Type I). Type I attests to control design at a point in time. Type II covers operating effectiveness over a review period (commonly 6-12 months). For anything touching customer data, Type II is the baseline standard. When you read the report, check three things: the system description (is the product you're buying in scope?), which Trust Services Criteria were covered (Security is mandatory; Availability, Confidentiality, Processing Integrity and Privacy are optional), and the exceptions the auditor noted in the test results. The AICPA's SOC 2 overview explains the difference between report types and what each covers.
- ISO 27001 if you operate in regulated industries or international markets. Read the certificate's scope statement: it covers the vendor's information security management system for the locations and services listed, which may not include the product you're buying. The ISO 27001 standard from iso.org defines the complete requirements for information security management systems.
- GDPR Data Processing Agreement (DPA) if any EU personal data is involved.
- HIPAA Business Associate Agreement (BAA) if any health data is involved.
- Penetration test summary (at minimum: date of the last test, who performed it, what was in scope, and whether high and critical findings were remediated and retested).
Ask to see the actual report, not a badge on a website. Legitimate vendors share SOC 2 reports under NDA. Vendors who refuse to share reports under NDA are a yellow flag. For a plain-language breakdown of what each certification actually covers, SOC 2, ISO 27001, and GDPR for buyers explains the differences and what specific questions each framework answers.
Domain 3: Data Handling and Residency
This domain has become significantly more complex with AI-enabled tools. The questions you'd ask a traditional SaaS vendor have expanded to cover how the vendor's AI models interact with your data. The NIST AI Risk Management Framework provides a structured approach for evaluating how vendors govern the AI systems that process your organizational data.
What to check:
- Where is data stored geographically? US, EU, both?
- Is there a data residency option for your region if required?
- Is your data used to train or fine-tune the vendor's AI models? If so, can you opt out, and is the opt-out a contractual commitment rather than a settings toggle that can change with the next release?
- Which subprocessors receive your data, including any third-party model providers called at inference time, and what are their retention terms? The DPA's subprocessor list should name them.
- What data does the product collect beyond what you explicitly submit?
- What is the data retention policy? How long is your data held after contract termination?
- What is the data deletion policy? How long does deletion take, does it cover backups and logs as well as the primary store, and will the vendor provide written confirmation when it's complete?
For AI-enabled tools, the data handling questionnaire from Evaluating AI-Enabled SaaS covers the additional layer specific to AI model training and inference.
Domain 4: Support SLAs
Support quality is impossible to evaluate from a sales demo. It becomes visible six weeks after go-live when something breaks at 4pm on a Friday.
What to check:
- First response time by severity tier (P1/P2/P3). What does each tier mean and what's the SLA?
- Does the SLA include a resolution time commitment, or just a first-response time?
- Is the support team onshore, offshore, or a mix? What are the coverage hours?
- Is there a named customer success manager, or is support queue-based?
- What does the escalation path look like for a P1 outage?
- What is the uptime SLA, and what are the credit terms for missed SLAs?
Reference call script — support questions:
When you call a reference customer (which you should always do, and more on that below), ask specifically:
- How often did you open support tickets in the first 90 days?
- What was the typical first-response time for a P2 issue?
- Have you ever had a P1 outage? What happened and how was it handled?
- What's your relationship like with your customer success manager?
Domain 5: Integration and API Maturity
A tool that can't connect to your existing stack is a data silo. Evaluating integration maturity before you sign prevents the six-week integration project you didn't budget for. If CRM integration is a key requirement, the when to hire a CRM consultant guide explains how integration complexity affects the resourcing decision.
What to check:
- Does a native integration exist for your CRM, HRIS, and primary workflow tools?
- Is the integration maintained by the vendor or by a third party?
- What happens when a connected platform has a breaking API change? Who fixes it?
- Is there a public API with full documentation, and a published versioning and deprecation policy?
- What are the API rate limits, and how are API credentials issued, scoped and rotated? Per-integration credentials with limited scopes that can be revoked individually are a maturity signal; a single account-wide key that can't be rotated is not.
- Are there known integration limitations (read-only vs. bidirectional sync, field mapping constraints)?
Ask to see the integration documentation, not a demo. Developer-quality documentation is a proxy for API maturity.
Domain 6: Customer Reference Quality
A vendor will give you their best reference customers. That's expected. But how you run the reference call determines how much information you actually get.
Reference call script (10 questions):
1. How long have you been using the platform and what's the scope of your deployment?
2. What was the hardest part of the implementation and how did the vendor support you through it?
3. How has the product changed since you signed, both positively and where it's fallen short?
4. How would you describe the support responsiveness when you've had a serious issue?
5. Has pricing changed since your original contract? If so, how and how much notice did you get?
6. What does the product do well that you didn't fully appreciate before you bought?
7. What doesn't it do well that you wish you'd known before signing?
8. Have there been any security, compliance, or data handling issues you're aware of?
9. If you were making this decision again, what would you do differently?
10. Would you renew, and why?
The most valuable questions are 7, 8, and 9. Listen for hedging on question 7 (a reference who softens every shortcoming with a qualifier). Listen for a pause on question 8. The answer to question 9 is almost always worth more than the vendor pitch.
Ask the vendor for references from companies similar in size and industry to yours. A 5,000-person enterprise is not a useful reference for a 150-person mid-market company.
The 40-Point Diligence Checklist
Company Viability (8 points)
- Funding stage and last round date confirmed
- Investor quality assessed
- Headcount trend checked (LinkedIn or Crunchbase)
- Customer concentration question asked and answered
- Revenue direction confirmed
- Key person dependency assessed (founder-run vs. management team in place)
- Acquisition or sunsetting risk discussed
- 3-year roadmap reviewed for strategic continuity
Security Certifications (6 points)
- SOC 2 Type II report reviewed (not just badge confirmed)
- Report period confirmed (period end within the last 12 months; if older, obtain a bridge letter covering the gap)
- ISO 27001 confirmed if applicable
- GDPR DPA received and reviewed
- Penetration test date and scope confirmed
- Bug bounty or responsible disclosure policy confirmed
Data Handling (6 points)
- Data storage geography confirmed
- Data residency option confirmed if required
- AI model training data policy confirmed
- Data collected beyond explicit submission documented
- Data retention policy confirmed
- Data deletion timeline and verification process confirmed
Support SLAs (6 points)
- SLA tiers and definitions confirmed in writing
- First response and resolution time by severity confirmed
- Support coverage hours confirmed
- Escalation path for P1 documented
- Uptime SLA and credit terms confirmed
- CSM assignment and engagement model confirmed
Integration and API (7 points)
- Native integration list reviewed against your stack
- Integration maintenance responsibility confirmed
- API documentation reviewed (quality assessment)
- API rate limits confirmed
- Known integration limitations documented
- Bidirectional sync capability confirmed for critical objects
- Integration roadmap for planned connections confirmed
Customer References (7 points)
- Minimum two reference calls completed
- References matched by company size and industry
- Support responsiveness assessed via reference call
- Pricing changes discussed with references
- Security/compliance issues surfaced or ruled out
- Implementation experience confirmed
- Renewal decision and rationale collected
Red Flag Escalation Matrix
Some findings in diligence warrant stopping the evaluation. Others are manageable. This matrix helps you triage:
| Finding | Response |
|---|---|
| SOC 2 Type II not available | Stop evaluation or escalate to legal/IT; don't waive this |
| Last funding round >24 months ago, no announced follow-on round | Require escrow and data export clauses in the contract; consider annual-only commitment |
| Reference customer unable to verify renewal | Pause evaluation pending additional references |
| Vendor declines to share DPA | Legal must review before any data flows; don't sign without it |
| Customer concentration >25% in one customer | Acknowledge the risk explicitly; apply the same contract protections as the funding-risk row (data export clause, shorter commitment) |
| No escalation path documented for P1 | Require written escalation procedure before signing |
| AI training on customer data, no opt-out | Require a contractual no-training commitment in the DPA or a data processing addendum; if the vendor won't give one, keep that data category out of the tool |
What Good Diligence Takes
For a $20K-100K annual SaaS purchase, expect diligence to take two to three business days for a competent IT lead or operations director:
- Day 1: Background research, financial signals, certification review
- Day 2: Reference calls, support SLA review, integration documentation review
- Day 3: Data handling confirmation, checklist consolidation, risk summary for decision-maker
For purchases under $10K/year, a lighter version of this checklist (15-20 items, one reference call) is proportionate. For purchases over $100K/year, add a formal security questionnaire and legal review of data handling terms.
Learn More
- Security and Compliance Review: What a Mid-Market Buyer Should Actually Check — the deeper security layer beneath the diligence checklist
- SOC 2, ISO 27001, and GDPR for Buyers — what each certification actually covers and what questions it answers
- How to Run a SaaS RFP That Doesn't Waste 6 Weeks — running a full evaluation process with this checklist integrated
- SaaS Contract Red Flags: Auto-Renewal, Usage Caps, and Termination Clauses to Watch — what to review after diligence clears
- TCO Modeling for SaaS: Beyond the Sticker Price — financial diligence to run in parallel with vendor diligence
- AI governance policy for departments — how to extend diligence requirements to AI-enabled SaaS purchases
Head of Enterprise Solutions