
Bad, Good, Ideal — How to Choose a SaaS Provider

Vendors lie about ROAS, SOC 2, and GDPR. Here is the bad, good, and ideal vendor due diligence checklist — what to ask, what to verify, and the six lies to listen for.

By Vadim Sharapov · 10 min read
Tags: vendor-evaluation, compliance, security

A founder I know was on a vendor call last spring. The deck was clean. The rep clicked into a case study showing a 70% lift in ROAS, on a store nobody had heard of, in a window of six weeks. They tell you the lift is repeatable. They tell you their pipeline is full of stores like yours. They tell you the next onboarding slot is Tuesday.

But.

The founder signed without a vendor due diligence pass. Three months later they had spent thirty thousand dollars with nothing to show. The "70% lift" was one cherry-picked client in one cherry-picked window, and the rep knew that when they put the slide up. The founder had been burned by a cherry-picked stat — once is enough.

This is a structured vendor due diligence checklist for SaaS — bad, good, ideal — for founders without a procurement team who cannot afford 1.5–3 founder-months wasted on a vendor that will not survive the second QBR. Most pitches carry one of six recurring lies; a competent vendor due diligence pass exposes all six in an hour.

The information-asymmetry problem vendor due diligence solves

The vendor has done this pitch four hundred times. You will do it twice. The vendor has a lawyer reviewing the DPA. You have a Notion doc.

Acronyms used below:

  • DD: Due Diligence — the structured review you run on a vendor before signing.
  • ROAS: Return On Ad Spend — revenue per dollar of ad spend.
  • GDPR: General Data Protection Regulation — the EU privacy regulation, applicable since May 2018.
  • CCPA: California Consumer Privacy Act — the California privacy law in effect since January 2020.
  • CPRA: California Privacy Rights Act — the stricter amendment to CCPA, in effect since January 2023.
  • SOC 2: System and Organization Controls 2 (older material expands it as Service Organization Control) — an AICPA attestation report on a service provider's controls. Type 1 covers control design at a point in time; Type 2 covers design and operating effectiveness over a review window, typically six to twelve months.
  • DPA: Data Processing Agreement — the GDPR Article 28 contract spelling out a processor's duties.
  • GPC: Global Privacy Control — a browser signal broadcasting an opt-out under CCPA / CPRA.

Vendor due diligence works because the vendor knows the answers and you can ask for receipts. The asymmetry collapses the moment you ask for a document instead of accepting a claim.

The six vendor lies

Read across before you read down. Every row is one lie; every column is what an honest vendor sounds like at a different rung. Your job is to find a vendor whose answers, stitched together across all six rows, put them in "Good" or "Ideal."

Vendor lie                    | Bad                          | Good                      | Ideal
------------------------------|------------------------------|---------------------------|----------------------------------
"ROAS will increase 70%"      | Cherry-picked single client  | Cohort range with bands   | Public methodology + range
"We are SOC 2"                | Self-attested                | Type 1 report             | Type 2 with TSC scope
"We are GDPR/CCPA compliant"  | Marketing claim only         | DPA + sub-processor list  | Documented Article 28 contracts
"Fingerprinting is fine"      | "Industry standard"          | Conditional disclosure    | Consent (EU/UK) + opt-out (US)
"We have alerts"              | "Yes" with no details        | Status page               | SLA + paging + post-mortem record
"No database — first-party"   | Hand-wave                    | Diagram on call           | Documented architecture

But.

A table is not a contract. The vendor due diligence matrix is something to compare against in real time on the next call — so you can ask the follow-up question they did not rehearse.

Lie 1 — "ROAS will increase 70%"

Every paid-marketing vendor cherry-picks.

Bad

One slide, one number, one client, one window.

Good

A cohort range — "across our last twenty customers, ROAS lift ranged from 8% to 34% in the first ninety days."

Ideal

A public methodology document with a range that names assumptions and segmentation.

The vendor due diligence question: "What was the lowest-performing client in the last six months and what happened?" A real cohort gives you the bottom of the band without flinching.

Lie 2 — "We are SOC 2"

SOC 2 is a controls audit, not a security badge.

Bad

"We are SOC 2." No report attached. Self-attestation has no weight.

Good

A SOC 2 Type 1 — produced by a named CPA firm. It reports on whether the controls were suitably designed as of a single date; it says nothing about whether they operated.

Ideal

A SOC 2 Type 2 covering a six- or twelve-month window, with the Trust Services Criteria scope (security, availability, confidentiality, processing integrity, privacy) named, and any qualified opinion or listed exceptions visible in the auditor's section. Check the period end date: a report whose window ended more than a year ago needs a bridge letter covering the gap, and a scope that names only the security criterion tells you nothing about availability or confidentiality.

The cost side of SOC 2 (what it costs and when it actually makes sense) is covered in a separate piece that pairs with this checklist.

Lie 3 — "We are GDPR / CCPA compliant"

Nobody is GDPR-compliant the way a building is up to code. GDPR is a process and a contract; compliance is a posture, not a stamp. A vendor claiming a regulatory stamp without producing a DPA is making a marketing claim, nothing else.

Vendor due diligence asks for:

  1. A signed DPA, GDPR Article 28-shaped. Article 28(3) lists every required clause; the DPA must contain all of them or the contract is non-compliant on its face.
  2. A current sub-processor list. Every sub-processor (the cloud provider and the region it hosts you in, the email vendor, the analytics vendor) is part of your processing chain.
  3. The lawful basis under GDPR Article 6. If consent, ask how the consent record reaches them, in what format, and what happens when it expires or is withdrawn. Consent is a strict standard under GDPR Article 4(11) — freely given, specific, informed, unambiguous — and Article 7 puts the burden of demonstrating it on the controller.

If they cannot produce these in 24 hours, the answer is no.

Lie 4 — "Fingerprinting is fine"

This is the lie that gets vendors sued. Fingerprinting — building a stable identifier from device characteristics, font lists, canvas hashes, timezone, and a dozen passive signals — is treated very differently in the EU/UK and the US. In some jurisdictions an undisclosed fingerprint is, plainly, illegal.

The hard rule, jurisdiction-by-jurisdiction:

  • EU and UK — consent-required. GDPR Recital 30 treats the online identifiers a device, application or protocol provides, combined with other data, as something that can profile and identify a person; a device fingerprint is exactly such an identifier, so the data built from it is personal data. ePrivacy Directive Article 5(3), as amended by Directive 2009/136/EC (see its Recital 66), requires prior, informed consent before storing or accessing information on a user's terminal device, except for strictly necessary access; the UK carries the same rule in PECR regulation 6. The rule for vendor due diligence: prior consent before fingerprinting an EU or UK visitor, collected before the fingerprinting script loads, not after. Period.
  • United States — disclosure-required, opt-out-respected. Under CCPA and CPRA, a fingerprint that identifies a consumer or their device is "personal information" and the consumer has a right to opt out of its sale or sharing. The Global Privacy Control browser signal (sent as the Sec-GPC: 1 request header and exposed to scripts as navigator.globalPrivacyControl) counts as a valid opt-out under the CCPA regulations and California Attorney General enforcement; Colorado and Connecticut now require honoring it as well. The vendor must disclose the practice in the privacy notice and honor GPC, but does not need prior consent the way the EU regime requires.

A vendor saying "fingerprinting is industry standard" without a per-jurisdiction answer either does not understand the regime or is betting you will not notice. We have seen one provider call the practice "compliance-safe" — a sentence that means nothing in any legal regime.
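What the per-jurisdiction answer looks like in code, as an added example that is not part of the original article and not any vendor's implementation. It is the gate a fingerprinting script should sit behind: consent checked first for EU/UK visitors, the GPC signal honoured for US visitors, and everything unknown failing closed. The country-code set, the consent-record shape ({purpose, granted, expiresAt}) and the request object with a lower-cased headers map (as Node's http module provides) are assumptions made for illustration.

```javascript
// Added example (not the page's own code): a jurisdiction-aware gate that
// decides whether a fingerprinting script may run at all.
// Assumptions for illustration: ISO country codes as the jurisdiction key,
// a consent record shaped {purpose, granted, expiresAt}, and a request
// object whose `headers` map is lower-cased as Node's http module does.

// EU member states plus the EEA states (IS, LI, NO) and the UK, which
// applies the same prior-consent rule through PECR regulation 6.
const CONSENT_JURISDICTIONS = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
  "SI", "ES", "SE", "IS", "LI", "NO", "GB",
]);

// Reads the Global Privacy Control signal. Server side it arrives as the
// `Sec-GPC: 1` request header; in the browser it is exposed as
// navigator.globalPrivacyControl. Either one is treated as an opt-out.
function gpcOptOut(req) {
  const headers = (req && req.headers) || {};
  const header = headers["sec-gpc"] ?? headers["Sec-GPC"];
  if (String(header).trim() === "1") return true;
  if (typeof navigator !== "undefined" && navigator.globalPrivacyControl === true) {
    return true;
  }
  return false;
}

// A consent record only counts if it names this purpose, was affirmatively
// granted, and has not expired (Article 4(11): specific and unambiguous).
function consentValid(consent, now) {
  if (!consent || consent.purpose !== "fingerprinting") return false;
  if (consent.granted !== true) return false;
  if (!Number.isFinite(consent.expiresAt) || consent.expiresAt <= now) return false;
  return true;
}

// Returns {allow: true, basis} or {allow: false, reason}. The script that
// builds the identifier must not be loaded unless allow is true; this gate
// runs before it, not after.
function fingerprintDecision({ country, consent, req, now = Date.now() }) {
  if (CONSENT_JURISDICTIONS.has(country)) {
    return consentValid(consent, now)
      ? { allow: true, basis: "prior consent (ePrivacy 5(3) / PECR reg. 6)" }
      : { allow: false, reason: "no valid prior consent; fingerprinting must not run" };
  }
  if (country === "US") {
    if (gpcOptOut(req)) {
      return { allow: false, reason: "GPC opt-out signal honoured (CCPA/CPRA)" };
    }
    return { allow: true, basis: "disclosed in privacy notice; opt-out honoured" };
  }
  // Anything else: fail closed. Guessing the laxer regime is how vendors get sued.
  return { allow: false, reason: "unknown jurisdiction; fail closed" };
}

// Constructed sample inputs: an EU visitor with a live consent record and a
// US visitor whose browser sends the GPC header.
const NOW = 1_700_000_000_000;
const euVisitorWithConsent = fingerprintDecision({
  country: "DE",
  consent: { purpose: "fingerprinting", granted: true, expiresAt: NOW + 86_400_000 },
  now: NOW,
});
const usVisitorWithGpc = fingerprintDecision({
  country: "US",
  req: { headers: { "sec-gpc": "1" } },
  now: NOW,
});
console.log(euVisitorWithConsent.allow, usVisitorWithGpc.allow); // true false
```

The design choice worth noting is the last branch: a visitor whose jurisdiction cannot be determined gets the strict regime, not the lax one. A vendor whose gate defaults to "allow" for unknown regions has answered the FAQ question ("EU visitor versus California visitor") with a single global answer, which is the Bad column.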

Lie 5 — "We have alerts"

"We have alerts" sounds like an answer but is not one.

Bad

"Yes." No detail.

Good

A public status page with an incident history.

Ideal

A documented SLA, a paging policy naming who gets paged within how many minutes, and a post-mortem record for the last six months — including incidents resolved before customers noticed.

The vendor due diligence question: "When was your last incident, who got paged, and how long until the first customer-facing update?"

Lie 6 — "No database — we are first-party"

Some vendors describe themselves as "first-party" or "no-database" because the phrasing sounds privacy-friendly. Data is stored somewhere in every real architecture. The question is who controls the bucket and how long the retention is.

Bad

Hand-wave.

Good

A diagram on a call.

Ideal

Documented architecture with retention windows, encryption-at-rest details, and a transparency note about which sub-processors hold the bytes.

Read GDPR Article 30 (records of processing activities): a vendor who cannot describe their data flows in writing cannot help you produce yours.

What to verify in the DPA

Once a vendor clears the six lies, the next vendor due diligence pass is the DPA. The clauses below are the ones founders most often skip — and most often regret.

  1. Article 28 clause completeness

    Every required Article 28(3) clause present — subject matter and duration, nature and purpose, data types, data-subject categories, documented instructions, confidentiality, Article 32 security measures, sub-processor authorization, data-subject request assistance, breach-notification assistance, return-or-deletion, and audit and inspection rights.

  2. Sub-processor list with notice period

    A current list and a contractual notice period (30 days standard) before any change.

  3. Sub-processor objection right

    The right to object — not just be notified — with a defined remedy.

  4. Cross-border transfer mechanism

    Standard Contractual Clauses, an adequacy decision, or another Article 46 mechanism named explicitly. A bare GDPR-compliance claim is not a transfer mechanism.

  5. Breach notification window

    72 hours to the supervisory authority is the GDPR Article 33(1) controller obligation. Article 33(2) only requires the processor to notify you "without undue delay", so the DPA must pin a number (24 to 48 hours is common) that leaves you time to meet your own deadline.

  6. Audit rights

    Either a direct audit and inspection right (Article 28(3)(h)) or contractual receipt of the SOC 2 Type 2 annually under NDA.

  7. Return-or-deletion clause

    What happens to the data when the contract ends. Specify both options and a deadline.

  8. Liability cap and carve-outs

    A cap of "fees paid in the last 12 months" with no carve-out for data-protection violations pushes the regulatory risk onto you. Push back.

A vendor that has been through due diligence before has a DPA template ready and expects redlines.

The "ideal" vendor — SaaS vendor selection done right

The ideal vendor is not the one with the fewest "Bad" answers. It is the one whose answers describe a posture you can predict. You want a vendor who, when asked a question they have not rehearsed, says "I do not know — let me get back to you in two days." That answer survives a QBR, a regulator letter, and a board meeting.

The other shape: their pitch matches their architecture. The deck does not contradict the documentation. The sales rep does not contradict the engineer. The DPA does not contradict the privacy notice. When the documents agree, vendor due diligence is verifying alignment, not catching contradictions.

FAQ

How long should a vendor due diligence pass take?

Two to five business days for a SaaS contract under fifty thousand dollars a year. One day for the call, two to four for document review, one for follow-ups. If a vendor pressures you to compress this window, the pressure itself is the signal.

What is the single most important document?

The DPA, paired with the most recent SOC 2 Type 2 report. Together they tell you who is accountable for the data and what controls have been independently examined.

Is a SOC 2 Type 1 enough?

For a low-risk vendor handling no personal data, often yes. For a vendor touching customer personal data or payment data, no — Type 1 is a snapshot, and a snapshot does not tell you whether the controls operated effectively over a period.

How do I ask about fingerprinting?

Ask it as a per-jurisdiction question: "Walk me through how you handle device identifiers for an EU visitor versus a California visitor." A vendor that answers cleanly — consent path for the EU side, disclosure-and-opt-out path for the US side — has thought about this. A single global answer means they have not.

Closing

The point of vendor due diligence is not to catch every vendor in a lie. The point is to filter out the vendors whose answers do not survive one follow-up question. Use the matrix on the next call. Ask for the receipt every time. Vendor due diligence is the cheapest founder-month you will ever spend.

Vadim Sharapov is the founder of Loomaru — revenue recovery infrastructure for Shopify stores.