Vendor onboarding · public checklist
Vendor onboarding checklist
40-point pre-adoption checklist organized into 5 categories (security · compliance · reliability · operational · exit plan) · 4 approval gates by tier · 6 post-onboarding monitoring rules. Reusable template for any sector · NOT just AI Empire internal.
🛡️ Security (8 points)
- SOC 2 Type II report available (or equivalent ISO 27001) · audit within the last 12 months
- Penetration testing report from the last 12 months · vendor will share under NDA
- Encryption at rest AES-256 minimum · documented architecture
- Encryption in transit TLS 1.2+ minimum · TLS 1.3 preferred
- Authentication MFA available · SSO SAML support for Enterprise
- Data breach notification timeline · 24-72h GDPR aligned · contractual SLA
- Vulnerability disclosure program public · responsible disclosure policy
- Bug bounty program (preferred but NOT mandatory)
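The "encryption in transit" item is one of the few on this list that can be verified directly rather than from vendor paperwork. The script below is an added example written for this page, not part of the template or of any vendor's tooling: it classifies a negotiated protocol name against the TLS 1.2 minimum / TLS 1.3 preferred policy, and can probe a live endpoint with a default (certificate-validating) context. The hostname `vendor.example.com` is a placeholder; the separate legacy probe (client offering nothing newer than TLS 1.1) is an assumption about what reviewers want as evidence, and on OpenSSL builds that refuse to offer TLS 1.0/1.1 at all it reports "not accepted" regardless, so a failed legacy handshake is only weak evidence.

```python
import socket
import ssl

# Checklist policy: TLS 1.2 is the minimum, TLS 1.3 preferred.
MIN_TLS = "TLSv1.2"
PREFERRED_TLS = "TLSv1.3"
# Protocol names exactly as ssl.SSLSocket.version() reports them, oldest first.
_TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def evaluate_tls_version(negotiated):
    """Classify a negotiated protocol name against the checklist policy.

    Returns "fail" (below TLS 1.2), "pass" (TLS 1.2), "preferred" (TLS 1.3)
    or "unknown" (name not recognised).
    """
    rank = _TLS_RANK.get(negotiated)
    if rank is None:
        return "unknown"
    if rank < _TLS_RANK[MIN_TLS]:
        return "fail"
    if rank < _TLS_RANK[PREFERRED_TLS]:
        return "pass"
    return "preferred"


def probe_tls(host, port=443, min_version=None, max_version=None, timeout=5.0):
    """Open a TLS connection and return the negotiated protocol name.

    A default context is used, so certificate validation and hostname checking
    stay on. min_version/max_version (ssl.TLSVersion values) bound what the
    client offers. Returns None when no handshake completes under those bounds
    or the host is unreachable.
    """
    try:
        ctx = ssl.create_default_context()
        if min_version is not None:
            ctx.minimum_version = min_version
        if max_version is not None:
            ctx.maximum_version = max_version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def vendor_tls_evidence(host, port=443):
    """Collect the two facts a reviewer records for the checklist item.

    - negotiated: what a modern client gets by default (expected: TLS 1.3).
    - legacy_accepted: whether the endpoint still completes a handshake when the
      client offers only TLS 1.0/1.1. True means protocols below the checklist
      minimum have not been retired and belongs in the security review notes.
      (Assumption: this is the evidence the reviewer wants; see lead-in caveat.)
    """
    negotiated = probe_tls(host, port)
    legacy = probe_tls(host, port,
                       min_version=ssl.TLSVersion.TLSv1,
                       max_version=ssl.TLSVersion.TLSv1_1)
    return {
        "host": host,
        "negotiated": negotiated,
        "verdict": evaluate_tls_version(negotiated) if negotiated else "unreachable",
        "legacy_accepted": legacy is not None,
    }


if __name__ == "__main__":
    import sys
    # Usage: python tls_check.py vendor.example.com   (placeholder hostname)
    target = sys.argv[1] if len(sys.argv) > 1 else "vendor.example.com"
    print(vendor_tls_evidence(target))
```

Record the returned dictionary with the rest of the Tier 3/4 evidence; a "pass" verdict with `legacy_accepted: true` satisfies the letter of the item but is worth a follow-up question to the vendor.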
📜 Compliance (8 points)
- GDPR compliance evidence · DPA available · ready-to-sign
- Data Processing Addendum (DPA) terms reviewed by legal · jurisdictional clauses acceptable
- Schrems II considerations · EU data residency available if required
- Sub-processor list public · transparent supply chain
- Data retention policy documented · matches our requirements
- Data export GDPR Art. 20 portability supported · formats acceptable
- Audit log access · client can review activity
- Compliance certifications listed (SOC 2 · ISO 27001 · HIPAA · etc.) · current and verifiable
⚙️ Reliability (8 points)
- Historical uptime ≥99.9% over the last 12 months · status page accessible and verifiable
- Contractual SLA with credits on breach · acceptable terms
- Disaster recovery plan documented · RTO + RPO declared
- Backup strategy documented · retention period · restore tested
- Multi-region availability if critical · EU region available
- Incident postmortems public · transparency culture verifiable
- Status page with history · NOT just current status · trend evaluable
- Maintenance window announcement policy · advance notice to clients
🔧 Operational (8 points)
- Support SLA documented · maximum acceptable response time
- Escalation path documented · contact info per severity
- Documentation quality assessed · accuracy + completeness · kept current
- Onboarding rigor evaluated · we can self-serve setup OR vendor hand-holds
- Pricing transparency · NO hidden fees · upgrade path predictable
- Vendor financial stability · revenue · funding · NOT bootstrapped if mission-critical
- Customer references checkable · NOT just testimonials marketing · real conversations
- Cultural fit · async-friendly · honest communication style · NO sales theater
🚪 Exit Plan (8 points)
- Exit plan documented BEFORE onboarding · contractual right to data export
- Data export format portable · standard formats (JSON · CSV · SQL dump) · NOT proprietary
- Migration timeline reasonable · contractual notice period · no surprise sunsets
- Alternative vendor evaluated · backup plan exists · NOT vendor lock-in
- API stability committed · semver versioning · deprecation policy 12 months minimum
- Self-host option available if critical · open source fallback · sovereign option
- Pricing escalation clause · cap annual increase · prevent gouging post-lock-in
- Contract terminate-for-cause clauses · breach detection · graceful exit
Approval gates · 4 vendor tiers
| Gate | Approvers + timeline | Examples |
|---|---|---|
| Tier 4 vendors (mission-critical · PII data) | Founder + legal advisor + security review · 30+ day evaluation · multiple call rounds | Supabase · Stripe · Meta WhatsApp Cloud |
| Tier 3 vendors (operationally important) | Founder + technical review · 7-14 day evaluation | Cloudflare · Upstash · Sentry · Cal.com |
| Tier 2 vendors (productivity tools) | Founder alone · 1-3 day evaluation · documented checklist | GitHub · 1Password · monitoring tools |
| Tier 1 vendors (peripheral · low-risk) | Founder self-approves · documented post hoc | Marketing tools · analytics · communication channels |
Post-onboarding monitoring · 6 rules
- Quarterly review · vendor health check · SLA actual vs contracted
- Annual full re-evaluation · scoring matrix updated · risk reassessment
- Event-driven review · triggered by breach · pricing change · M&A · major outage
- Monthly cost tracking · alert if trending unexpectedly up
- Vendor satisfaction survey · clinic admin feedback collected
- Annual migration drill · validate exit plan is executable · test backup vendor
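Two items above, the reliability check "historical uptime ≥99.9% over the last 12 months" and the quarterly "SLA actual vs contracted" review, share the same computation: clip the vendor's incident history to the review window, merge overlapping incidents so concurrent reports are not double-counted, and compare the measured availability with the contracted figure. The following is an added example written for this page, not the template's own tooling or any vendor's status-page export. The incident records are constructed, the window is calendar year 2024 (366 days), and `MAJOR_OUTAGE_HOURS` is an assumed threshold for the "major outage" trigger in the event-driven review rule; the checklist itself does not define one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed threshold: a single merged outage at or above this length triggers an
# out-of-cycle (event-driven) review on its own, SLA breach or not.
MAJOR_OUTAGE_HOURS = 4.0


@dataclass(frozen=True)
class Incident:
    start: datetime
    end: datetime


def merge_intervals(incidents):
    """Merge overlapping or adjacent outages so concurrent incidents count once."""
    merged = []
    for inc in sorted(incidents, key=lambda i: i.start):
        if merged and inc.start <= merged[-1].end:
            merged[-1] = Incident(merged[-1].start, max(merged[-1].end, inc.end))
        else:
            merged.append(inc)
    return merged


def downtime_in_window(incidents, window_start, window_end):
    """Total outage time inside the review window, as a timedelta."""
    total = timedelta(0)
    for inc in merge_intervals(incidents):
        s, e = max(inc.start, window_start), min(inc.end, window_end)
        if e > s:  # incidents fully outside the window contribute nothing
            total += e - s
    return total


def sla_review(vendor, contracted, incidents, window_start, window_end):
    """Measured availability vs contracted SLA, plus the review triggers it raises."""
    window = window_end - window_start
    down = downtime_in_window(incidents, window_start, window_end)
    measured = 1 - down / window
    allowed = window * (1 - contracted)  # downtime budget the SLA permits
    longest = max((i.end - i.start for i in merge_intervals(incidents)),
                  default=timedelta(0))
    triggers = []
    if measured < contracted:
        triggers.append("sla_breach")
    if longest >= timedelta(hours=MAJOR_OUTAGE_HOURS):
        triggers.append("major_outage")
    return {
        "vendor": vendor,
        "contracted": contracted,
        "measured": measured,
        "downtime_hours": down.total_seconds() / 3600,
        "allowed_downtime_hours": allowed.total_seconds() / 3600,
        "breach": measured < contracted,
        "triggers": triggers,
    }


# Constructed sample data (not real vendor history). 2024 is a leap year: 8784 h.
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2025, 1, 1)
SAMPLE_INCIDENTS = [
    Incident(datetime(2023, 12, 31, 22, 0), datetime(2024, 1, 1, 1, 0)),   # straddles window start: 1 h counts
    Incident(datetime(2024, 3, 10, 3, 0), datetime(2024, 3, 10, 5, 0)),    # 2 h
    Incident(datetime(2024, 6, 20, 14, 0), datetime(2024, 6, 20, 16, 30)), # overlaps the next report
    Incident(datetime(2024, 6, 20, 15, 0), datetime(2024, 6, 20, 17, 0)),  # merged: 14:00-17:00 = 3 h
]  # total counted downtime: 6 h


if __name__ == "__main__":
    for sla in (0.999, 0.9999):
        print(sla_review("vendor-a", sla, SAMPLE_INCIDENTS, WINDOW_START, WINDOW_END))
```

With 6 h of counted downtime the same history passes a 99.9% SLA (budget 8.784 h) and breaches a 99.99% one (budget 0.8784 h), which is the point of reviewing "actual vs contracted" rather than a bare uptime percentage: the verdict depends on the tier's contract, not only on the vendor's number.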
Want to adopt this checklist for your team?
Downloadable Markdown template available under Enterprise NDA · adaptable to your organization · saves 40+ hours of review process per vendor · accelerates secure procurement.