Sophie Laurent, Compliance & Delivery Lead, YuSMP Group · Specialises in vendor due diligence and GDPR-aligned software delivery for EU and US clients

TL;DR — vendor selection at a glance

Choosing a software development company well comes down to six dimensions. Score each candidate against them before you compare price:

  • Certifications: ISO 27001 (information security) + SOC 2 Type II (US/EU enterprise) + GDPR Article 28 DPA for EU data
  • IP & NDA: mutual NDA before spec sharing; contract assigns all IP to client; code held in client-owned repo
  • Portfolio fit: at least 2 projects in your complexity tier and industry, delivered in the last 24 months
  • Engagement model: fixed price (stable small scope) / T&M (evolving product) / dedicated team (continuous velocity)
  • References: 2–3 live reference calls, not just written testimonials on a profile page
  • Communication: timezone overlap, named project manager, defined escalation path

Good vs cheap: the real trade-off

The $25/hr offshore team and the $65/hr nearshore senior team both promise to build your product. The difference shows up 6 months in. Vendors charging below-market rates typically compensate by:

  • Staffing projects with junior engineers who require intensive oversight
  • Using undisclosed subcontractors, which creates IP chain-of-title risk
  • Omitting security controls, audit logging and compliance architecture (expensive to retrofit)
  • Delivering working demos that mask architectural debt requiring rewrites at scale

Gartner research on IT outsourcing consistently shows that rework rates on low-cost engagements average 20–40% of total hours. On a $150,000 project, 30% rework is an extra $45,000 that never appears in the proposal. Add the management overhead your team bears while shepherding an underperforming engagement, and the “cheap” option frequently costs more than a well-scoped engagement with a senior partner.

This does not mean you need the most expensive vendor in the market. It means value for money, judged on delivered quality, is the correct optimisation target, not the lowest hourly rate. For a full economic comparison, see our guide to outsourcing vs in-house development.

Certifications: ISO 27001, SOC 2, GDPR

Certifications are not bureaucratic overhead — they are independently audited evidence that a vendor has implemented specific controls. Here is what each one means in practice:

ISO 27001

The international standard for information security management systems (ISMS). An ISO 27001-certified vendor has undergone a third-party audit of its policies, access controls, incident response procedures, supplier management and physical/cloud security. Certification is issued by accredited bodies and requires annual surveillance audits. For any project involving personal data, financial data or regulated information, ISO 27001 is the baseline expectation — not a differentiator.

SOC 2 Type II

A US-origin audit standard, now widely required by US and EU enterprise procurement. Type I is a point-in-time assessment; Type II covers a sustained period (typically 6–12 months) and is therefore far more meaningful. A SOC 2 Type II report gives your security team direct evidence that controls were actually operating over time, not merely documented. If your product will hold US customer data, SaaS clients or health records, a SOC 2 Type II vendor is typically a procurement requirement. See our article on SOC 2 Type II for SaaS startups for context on what the audit covers.

GDPR compliance (Article 28 DPA)

Under the GDPR, if your vendor will process personal data of EU residents on your behalf, they are a “data processor” and Article 28 requires a written Data Processing Agreement (DPA). This is not optional and cannot be waived. The DPA must specify: processing purposes and duration; data categories; sub-processor disclosure; data subject rights support; deletion/return of data on contract end; and audit rights. Verify the DPA before onboarding, not after a data breach.

[Image: security certification document review during software vendor due diligence]
Reviewing certification documents — ISO 27001 certificate, SOC 2 Type II report, Article 28 DPA — should happen before shortlisting, not after contract signing. Ask for current certificates, not marketing claims.

Security, NDA and IP protection

IP and data protection in software outsourcing is governed by contract law, not trust. The following contractual protections are non-negotiable:

Mutual NDA before spec sharing

Any vendor who declines to sign an NDA before receiving your technical specifications is a vendor you should not be working with. The NDA should be mutual (protecting both parties), cover trade secrets and technical know-how, and specify jurisdiction and remedies. For US clients, Delaware or New York law is standard; for EU clients, the governing law should match your primary operating country.

IP assignment clause

Your contract must include a work-for-hire clause that explicitly assigns all intellectual property created during the engagement to your company. Confirm that this extends to: source code, design assets, documentation, test suites, CI/CD scripts and any custom libraries. Also verify that the vendor does not include GPL-licensed open-source components in deliverables without disclosure (GPL “virality” can affect your ability to keep the product proprietary).

Code repository ownership

All code should be committed to a repository owned and controlled by your organisation from day one of the engagement. Never accept a model where the vendor controls the primary repository. On contract termination, require handover of all credentials, access tokens, infrastructure configuration and deployment scripts.

Sub-contractor disclosure

Ask explicitly whether any work will be performed by subcontractors or freelancers, and require their identities to be disclosed. Each subcontractor must be bound by equivalent NDA and IP assignment terms. Undisclosed sub-contracting is a common source of IP chain-of-title disputes and security incidents.

Social proof: case studies and references

Portfolio and references are the most reliable leading indicators of delivery quality. Evaluate them critically, not cursorily.

Portfolio evaluation

Look for at least two projects in your complexity tier (simple / medium / enterprise) and your industry vertical, delivered within the last 24 months. Recency matters: a 2018 fintech case study tells you nothing about the vendor’s current team, toolchain or compliance posture. Ask whether the lead engineers from the referenced project are still at the firm.

[Image: software development agency portfolio review meeting with case study documents]
Evaluating a vendor’s portfolio in depth — asking about architectural decisions, team composition and post-launch outcomes — reveals far more than reading the case study landing page.

Reference calls

Written testimonials on Clutch or a vendor’s own website are curated marketing material. Live reference calls are different. Ask the vendor for 2–3 references from similar-complexity projects. In the call, cover:

  • Did the project deliver on time and within 15% of initial budget?
  • How did the vendor handle scope changes and unexpected technical challenges?
  • How was communication during the engagement — proactive or reactive?
  • What would you do differently if you engaged them again?
  • Would you hire them again for your next project?

A vendor who cannot produce a live reference client is a vendor with something to hide.

Engagement models compared

The engagement model determines who bears scope risk, how costs are structured and how adaptable the engagement is to changing requirements.

Fixed price
  How it works: Agreed scope, timeline and price. Changes via formal change requests.
  Best for: Well-defined MVP, short build (<$75k), stable requirements
  Risk: Vendor inflates price to absorb scope risk; spec ambiguity causes disputes

Time & Materials
  How it works: Billed on actual hours and materials. Scope can evolve sprint-to-sprint.
  Best for: Iterative product development, SaaS, discovery-to-build continuity
  Risk: Budget overrun without strong PM oversight; requires active client involvement

Dedicated team
  How it works: Named senior engineers embedded in your delivery team. Monthly retainer.
  Best for: Continuous development, scaling an existing product, long-term engagement
  Risk: Knowledge concentration risk; requires strong in-house product ownership

Most mid-market builds benefit from a hybrid approach: a fixed-price discovery and architecture phase (4–6 weeks), followed by T&M delivery sprints with monthly budget caps. This reduces up-front scope risk while maintaining delivery flexibility. For long-running products, a dedicated team model with quarterly objectives gives the best balance of velocity and accountability.

Red flags to watch for

The following patterns, individually or in combination, indicate elevated delivery risk:

  • Fixed price quoted without discovery — any vendor who quotes a firm fixed price on a medium or complex system without a 4–6 week discovery phase is either underestimating or hiding scope assumptions that will surface as change requests mid-project.
  • No current ISO 27001 or SOC 2 certificate on request — claiming compliance without being able to produce the certificate is not compliance.
  • References who cannot be contacted directly — written testimonials only, no live contact details.
  • Vendor-controlled code repository — if the vendor owns the repo, you are dependent on them to access your own product at any point, including in a dispute.
  • Vague sub-contractor policy — “we may use partners” without specific disclosure is a data processing and IP risk.
  • Unrealistic timelines relative to scope — a senior team delivering a 4-month build in 6 weeks should raise questions about what is being omitted (testing, security review, documentation).
  • No named project manager — “the team will be your point of contact” is a communication structure that breaks down under pressure.
  • Excessive non-disclosure requests for basic company information — legitimate vendors provide company registration, insurance certificates and financial references; excessive opacity about the business is a due-diligence red flag.

15 questions to ask every software development vendor

Use these questions in your initial RFP response review and in follow-up calls. Weak or evasive answers reveal more than polished answers.

  1. Can you provide your current ISO 27001 certificate and, if applicable, your most recent SOC 2 Type II report?
  2. Do you have a standard Article 28 GDPR Data Processing Agreement, and can we review it before signing?
  3. Who will own the intellectual property of all work delivered — specifically source code, design assets and documentation?
  4. Will any work be performed by subcontractors or freelancers? If so, who are they and what NDA/IP terms are they bound by?
  5. In which repository will our code be held, and will we have full admin access from day one?
  6. Can you provide 2–3 reference clients from projects in our complexity tier we can contact directly?
  7. What is your proposed engagement model for our project, and why?
  8. Who will be the named project manager, and what is your escalation process when issues arise?
  9. What is your engineering team’s average seniority, and what is your current team turnover rate?
  10. How do you handle scope changes under a fixed-price contract?
  11. What security practices are built into your development process (code review, SAST, dependency scanning, penetration testing)?
  12. How do you manage data localisation and processing for EU personal data under GDPR?
  13. What are your standard handover deliverables at end of contract (code, credentials, documentation, knowledge transfer)?
  14. What SLA do you offer on post-launch support and bug fixes?
  15. Can you provide a fully itemised cost breakdown by phase, with explicit assumptions for each line item?

Vendor scorecard template

Use this weighted scoring matrix to compare shortlisted vendors objectively. Adjust weights to reflect your priorities (regulated industries should weight security higher; startups may weight communication and agility higher).

Dimension                                           Weight   Score 1–5   Weighted score
Technical certifications (ISO 27001, SOC 2, DPA)    20%      ____        ____
Portfolio fit (complexity tier & industry)          20%      ____        ____
Reference quality (live calls, recency)             15%      ____        ____
IP & contract terms                                 15%      ____        ____
Engagement model & pricing transparency             15%      ____        ____
Communication & timezone fit                        10%      ____        ____
Team seniority & retention                          5%       ____        ____
Total                                               100%                 ____

A vendor scoring below 3.0 on certifications or IP terms should be eliminated from the shortlist regardless of their total score — these are threshold criteria, not trade-off criteria. For context on what the full engagement lifecycle looks like once you have selected a partner, see our guide to the custom software development process.

FAQ

How do I choose a software development company?

Start with certifications and compliance fit (ISO 27001, SOC 2, GDPR DPA). Review the portfolio for projects in your complexity tier and industry from the last 24 months. Verify IP ownership and NDA terms contractually. Compare engagement models against your scope stability. Run live reference calls — not just written testimonials. Score candidates on a weighted matrix and eliminate any vendor that falls below threshold on certifications or IP terms, regardless of price.

What certifications should a software development vendor have?

ISO 27001 is the baseline for any engagement involving sensitive data. SOC 2 Type II is standard for US enterprise procurement. GDPR Article 28 DPA is mandatory for EU personal data processing. Industry-specific additions: HIPAA for US health data, PCI-DSS for payment processing, ISO 13485 for medical devices. Ask for the actual certificate or audit report, not a marketing claim of “compliance.”

How do I protect my IP and data when outsourcing?

Four contractual protections are non-negotiable: mutual NDA before spec sharing; IP assignment clause transferring all created IP to your company; code held in your own repository from day one; and a GDPR Article 28 DPA if EU personal data is involved. Also require explicit disclosure of any subcontractors and confirm they are bound by equivalent terms. Have legal counsel review all clauses — not just the SOW — before signing.

Fixed price or time and materials for software development?

Fixed price is appropriate for well-defined, stable small builds (typically under $75,000). Time & materials is better for iterative, evolving products where requirements will change during delivery. A dedicated team retainer suits long-running continuous development. The most pragmatic approach for mid-market builds is a fixed-price discovery phase (4–6 weeks) followed by T&M delivery, which combines scope clarity with delivery flexibility.

What are red flags in a software development agency?

Key red flags: fixed price quoted without a discovery phase; no current ISO 27001 or SOC 2 certificate; references who cannot be contacted directly; vendor-controlled code repository; vague subcontractor disclosure; unrealistic timelines relative to scope; no named project manager; and excessive opacity about the company’s legal and financial status.

How do I check references for a software development company?

Ask for 2–3 live reference contacts from projects in your complexity tier delivered in the last 18 months. Call them directly. Ask whether the project delivered on time and budget, how scope changes and problems were handled, whether they would hire the vendor again, and what they would do differently. Cross-reference with Clutch or G2 reviews, but treat live calls as the primary signal — curated written testimonials are not a substitute.

Last updated 8 June 2026. Certification requirements reflect ISO/IEC 27001:2022, AICPA SOC 2 and GDPR Regulation (EU) 2016/679 as of the publication date. Legal requirements vary by jurisdiction; consult qualified legal counsel for contract review.