The Algorithm
Industry Intelligence · Cross-Industry · 9 min read · 2026-04-13

Vendor Selection for Regulated Industries: The Technical Due Diligence Framework

40% of technology vendors fail basic technical compliance due diligence before contracting in regulated industries.
Standard vendor procurement processes — security questionnaires, legal review of terms, SOC 2 certificate collection — are necessary but not sufficient for regulated-industry technology procurement. The questions that reveal whether a vendor can actually support your compliance obligations are technical questions: What is your FedRAMP authorization status and at what impact level? Who are your subprocessors, and how are we notified of changes before they take effect? What is your data deletion procedure, and what evidence do you provide that it ran? How recent is your last penetration test, and what was its scope? The answers to these questions filter out a significant proportion of vendors before contracting.

Vendor selection for technology in regulated industries is a procurement activity that most legal and commercial teams handle competently and most technical teams handle inadequately. The standard procurement process — issue an RFP, evaluate responses against functional and commercial criteria, review the vendor's SOC 2 report, negotiate contract terms — produces contracts with vendors who are commercially viable and technically capable but may be operationally unsuitable for the regulatory environment the system must operate in. The technical due diligence questions that reveal compliance suitability are specific, often unfamiliar to non-engineering procurement teams, and filter out a significant proportion of vendors.

The Questions That Filter 40% of Vendors Immediately

Six questions, asked early in the procurement process before significant evaluation effort is invested, eliminate vendors who cannot support regulated-industry deployments. First: what is your FedRAMP authorization status and, if you hold one, at which impact level (Low, Moderate or High)? A cloud service without a FedRAMP authorization at the impact level the system requires cannot be used for federal workloads, and obtaining one through agency sponsorship is a long process that a procurement timeline rarely absorbs. Second: are you willing to sign a Business Associate Agreement, and does your BAA cover every service we intend to use? A covered entity cannot disclose PHI to a vendor that has not signed a BAA, and any service the BAA excludes is out of scope for PHI regardless of what the product documentation says. Third: will you notify us of subprocessor changes before they take effect, and do we have a right to object? Many SaaS agreements let the vendor add subprocessors by updating a web page the customer is expected to monitor, with notice periods as short as 30 days and often no remedy beyond termination. Fourth: what is your data deletion procedure on contract termination, how long until data is purged from backups as well as primary storage, and what evidence (a certificate of destruction, deletion logs) do you provide? Fifth: when was your last penetration test, who conducted it, what was the scope, and can we see the report or at least a summary of findings and their remediation status? Sixth: how do you handle law enforcement requests for customer data, and will you notify us before complying unless legally prohibited from doing so?

The Engineering Reality

The subprocessor question deserves particular attention. Most enterprise SaaS vendors have 20-100 subprocessors — cloud providers, monitoring tools, analytics platforms, support ticket systems — all of which may process customer data. Under GDPR Article 28, a processor may engage a subprocessor only with the controller's prior written authorization; where that authorization is general rather than granted per subprocessor, the processor must inform the controller of intended changes so that the controller can object, and it must impose the same data protection obligations on each subprocessor by contract while remaining fully liable to the controller for the subprocessor's performance. A vendor who will not provide a complete subprocessor list, or who changes subprocessors without notice, leaves the controller unable to exercise that right of objection and unable to show where personal data actually flows. This is a binary filter: if the vendor will not provide the list, do not contract with them for regulated data processing.
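One practical consequence of this paragraph is that the customer has to be able to detect a subprocessor change itself, because the vendor's notice may be nothing more than an edit to a web page. The following is an added example (not code from the article): it keeps the list accepted at contract signature as a baseline and diffs the vendor's currently published list against it, so that a silent addition, a relocation to a new country, or a cosmetically renamed entity is surfaced for the objection window. The record fields, both sample lists and the set of approved processing locations are constructed for illustration; parsing the vendor's HTML or PDF into these fields is assumed to have happened already.

```python
"""Diff a vendor's currently published subprocessor list against the list the
customer accepted at contract signature.

Added example for this article, not code from the original page. The record
shape, both sample lists and the set of approved processing locations are
constructed for illustration; a real list is usually an HTML page or PDF and
is assumed here to have already been parsed into these fields.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Subprocessor:
    name: str      # legal entity as the vendor publishes it
    purpose: str   # what it does with customer data
    location: str  # country or region where processing happens


def normalize_name(name: str) -> str:
    """Strip punctuation and corporate suffixes so that "Acme Corp." and
    "Acme Corporation" are recognized as the same entity rather than being
    reported as one removal plus one addition."""
    n = re.sub(r"[.,]", "", name.lower())
    n = re.sub(r"\b(inc|llc|ltd|limited|gmbh|sa|bv|corp|corporation)\b", "", n)
    return re.sub(r"\s+", " ", n).strip()


def diff_subprocessors(baseline, current, approved_locations):
    base = {normalize_name(s.name): s for s in baseline}
    cur = {normalize_name(s.name): s for s in current}
    added = sorted(cur[k].name for k in cur.keys() - base.keys())
    removed = sorted(base[k].name for k in base.keys() - cur.keys())
    changed = []
    for k in sorted(cur.keys() & base.keys()):
        before, after = base[k], cur[k]
        if (before.purpose, before.location) != (after.purpose, after.location):
            changed.append({
                "name": after.name,
                "before": {"purpose": before.purpose, "location": before.location},
                "after": {"purpose": after.purpose, "location": after.location},
            })
    # Anything processing outside the locations the DPA's transfer terms
    # cover is a transfer question, whether newly added or relocated.
    unapproved = sorted(s.name for s in current if s.location not in approved_locations)
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unapproved_location": unapproved,
        # Additions, relocations and new transfer destinations are the events
        # that should open the customer's objection window. Removals are worth
        # recording but do not by themselves need an objection.
        "requires_objection_review": bool(added or changed or unapproved),
    }


# Constructed: the list attached to the DPA when the contract was signed.
BASELINE = [
    Subprocessor("Cloud Host Corp.", "primary hosting", "Ireland"),
    Subprocessor("Mail Relay Ltd", "transactional email", "Germany"),
    Subprocessor("TicketDesk Inc.", "customer support", "United States"),
]

# Constructed: what the vendor's subprocessor page shows today. The host has
# been renamed cosmetically, the mail relay has moved country, the ticketing
# vendor is gone and an analytics vendor has appeared.
CURRENT_LIST = [
    Subprocessor("Cloud Host Corporation", "primary hosting", "Ireland"),
    Subprocessor("Mail Relay Ltd", "transactional email", "United States"),
    Subprocessor("Insight Analytics Pte. Ltd.", "product analytics", "Singapore"),
]

# Constructed: locations the customer's DPA and transfer mechanism cover.
APPROVED_LOCATIONS = {"Ireland", "Germany", "United States"}


def run_sample():
    return diff_subprocessors(BASELINE, CURRENT_LIST, APPROVED_LOCATIONS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run on a schedule against a fresh parse of the vendor's page, and treat `requires_objection_review` as the trigger for the legal review the DPA's objection clause allows. The name normalization is deliberately conservative; a vendor that reorganizes entities more aggressively than suffix changes will still show up as a removal plus an addition, which is the safe direction to fail in.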

The Vendor Assessment Framework

Beyond the initial filter questions, a structured technical assessment covers five domains: data handling (where is data stored, who has access, how is it encrypted, how is it deleted), access control (does the vendor support SAML/OIDC SSO, MFA, RBAC, SCIM provisioning), incident response (what is the vendor's notification obligation and timeline, does the vendor have a documented incident response procedure), audit and compliance evidence (does the vendor generate exportable logs, are those logs retained for an appropriate period, will the vendor participate in customer audits), and resilience (documented SLAs for availability and data durability, history of significant downtime and communication).

The assessment should be conducted by a technical team member who understands the regulatory requirements, not by a procurement analyst working from a standard questionnaire. Vendor responses to compliance questionnaires are frequently templated and may describe controls that exist in the vendor's general environment but are not enabled for the customer's specific account. The follow-up question — "can you show us how that control is configured for our account" — is the one that reveals the gap between the questionnaire response and the operational reality.
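The "show us" follow-up applies directly to the audit-evidence domain above: rather than accepting "we retain exportable audit logs" from the questionnaire, ask for a real export from a trial or sandbox account and inspect it. The following is an added example (not code from the article) of the minimum checks worth running on such an export: that the oldest record actually reaches back as far as the claimed retention, that the event categories the assessment depends on are present, that every event is attributable to an actor, and that the export contains only your tenant's records. The JSONL field names and the sample lines are constructed; a real vendor export will need a small field-mapping step first.

```python
"""Sanity-check a vendor-supplied audit log export against the evidence
requirements of the assessment: retention span, event coverage, actor
attribution and tenant scoping.

Added example for this article, not code from the original page. The JSONL
record shape and the sample lines are constructed.
"""
import json
from datetime import datetime, timezone

# Assumption: our own category names, mapped from the vendor's event types.
REQUIRED_CATEGORIES = {"auth", "admin", "data_export"}

# Constructed sample export. The third line has no actor; the fourth belongs
# to a different tenant, which is a finding in its own right.
SAMPLE_EXPORT = """\
{"ts": "2025-09-01T08:00:00Z", "tenant": "acme-prod", "actor": "alice@acme.example", "event": "user.login", "category": "auth"}
{"ts": "2025-11-14T12:30:00Z", "tenant": "acme-prod", "actor": "bob@acme.example", "event": "role.grant", "category": "admin"}
{"ts": "2026-03-02T09:15:00Z", "tenant": "acme-prod", "actor": null, "event": "report.download", "category": "data_export"}
{"ts": "2026-04-10T17:45:00Z", "tenant": "other-customer", "actor": "eve@other.example", "event": "user.login", "category": "auth"}
"""

# Constructed "now" so the sample is reproducible.
NOW_FOR_SAMPLE = datetime(2026, 4, 13, 12, 0, tzinfo=timezone.utc)


def check_audit_export(jsonl_text, our_tenant, required_retention_days, now):
    records = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    findings = []
    if not records:
        return {"ok": False, "span_days": 0, "categories": [], "findings": ["export is empty"]}

    # Retention claim: does the export actually reach back far enough?
    stamps = [datetime.fromisoformat(r["ts"].replace("Z", "+00:00")) for r in records]
    span_days = (now - min(stamps)).days
    if span_days < required_retention_days:
        findings.append(f"oldest event is {span_days} days old; {required_retention_days} required")

    # Coverage: logins, privilege changes and bulk exports must all be logged.
    categories = {r.get("category") for r in records}
    missing = REQUIRED_CATEGORIES - categories
    if missing:
        findings.append("missing event categories: " + ", ".join(sorted(missing)))

    # Attribution: an event nobody performed is not evidence.
    no_actor = [r["event"] for r in records if not r.get("actor")]
    if no_actor:
        findings.append("events without an attributable actor: " + ", ".join(no_actor))

    # Scoping: other tenants' records in our export means their data is in
    # ours, and ours is presumably in theirs.
    foreign = sorted({r["tenant"] for r in records if r.get("tenant") != our_tenant})
    if foreign:
        findings.append("records from other tenants present: " + ", ".join(foreign))

    return {
        "ok": not findings,
        "span_days": span_days,
        "categories": sorted(c for c in categories if c),
        "findings": findings,
    }


def run_sample():
    return check_audit_export(SAMPLE_EXPORT, "acme-prod", 365, NOW_FOR_SAMPLE)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Each finding maps back to a questionnaire answer that was templated rather than true for this account: a retention gap contradicts the stated retention period, and a foreign tenant's record contradicts the tenant-isolation claim in the security overview.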

Contract Provisions That Matter

Several contract provisions have direct compliance implications that procurement teams often negotiate away. The audit right should be a non-negotiable provision. GDPR Article 28(3)(h) requires the processor to allow for and contribute to audits, including inspections, by the controller or an auditor the controller mandates. HIPAA's BAA requirements oblige the business associate to make its books and records available to HHS, not to the customer, so a customer audit right has to be written in explicitly, and without it the covered entity has no way to verify what the BAA promises. The breach notification timeline in the BAA or DPA should be well inside the regulatory deadline the customer faces: a GDPR controller has 72 hours from becoming aware of a breach to notify the supervisory authority, and a DPA that gives the processor "a reasonable period" to report leaves the controller assessing an incident with little or no idea how old it already is. The data portability provision — the right to receive data in a machine-readable format upon termination — prevents vendor lock-in from becoming a barrier to compliance with data subject portability requests.

  1. Apply the six filter questions before investing significant evaluation effort — vendors who fail these are not viable for regulated workloads
  2. Require a complete subprocessor list with change notification rights before contracting — make this a non-negotiable commercial requirement
  3. Assess vendor responses to the technical due diligence framework with a compliance-literate technical team member, not a procurement analyst
  4. Ask follow-up questions that verify controls are enabled for your specific account, not just present in the vendor's general environment
  5. Negotiate the breach notification timeline in the BAA or DPA to be well inside the regulatory deadline — a business associate acting as the covered entity's agent has its discovery imputed to the covered entity, so the vendor's delay consumes the customer's own window, and a slow processor leaves a GDPR controller with 72 hours to assess an incident it knows nothing about
  6. Do not trade the audit right for commercial concessions — GDPR Article 28(3)(h) requires it of every processor, and under HIPAA it is the only way the covered entity can verify that the controls the BAA promises actually exist