top of page


Home / Post

  • Writer's pictureThomas McCourt

Questions you should be asking before purchasing software

Buying software is always an interesting adventure for any company, big or small. Some companies have defined processes when it comes to procurement, while other companies are still figuring out what works best for them. Nonetheless, it is important to ask the right questions to make sure the software purchase is what you need and that you aren’t getting caught up in the buzzword nonsense.

First, it is important to identify “what problem is the business trying to solve?” It is equally important to understand your budget limitations when it comes to what you can and cannot purchase for a solution to whatever problem you are trying to solve. Companies that grasp the issues they aim to address and construct specific 'use-cases' based on their desired outcomes from the software they're considering purchasing often demonstrate a keen understanding of how to maximize the software's potential and achieve optimal success.

Secondly, it is best to understand what restrictions the company has. Besides budget, does your company have restrictions that could hinder the use of certain tools or integrations? How is risk evaluated if at all for third-party tool purchases?

An example of a restriction would be that some companies may have geo-blocking (geo-blocking is where you block services or internet connections based on geographical locations)  and can only accept internet connections to US based companies. That is good and all, but when it comes to SaaS solutions, you may need to ask questions about where data is stored. If data is stored in AWS Frankfurt or Europe, then unless the third-party software can have you specifically pull data from US only regions, this would potentially require an exception as it would be blocked.

Below are some questions put together to assist when evaluating new software. Keep in mind, more questions will come up based on the answers to the main questions, but it is always good to get as much information as possible. We have often seen tools purchased at companies with a 1 year, 2 year or 3 year license that never get setup and used because no one asked any questions, or generated use-cases for what the tool could be used for. Our hope is to prevent that from happening in the future because no one likes to throw money away.

General questions to ask Third-Party vendors on tools:

  1. How does this software stack up to your competitors?

  2. What problems does your software aim to solve?

  3. Is this an on-prem, hybrid or cloud based solution?

  4. To maintain this tool, how many hours a week do you recommend we have staff dedicated to it? Or would this require dedicated resources?

  5. How am I notified of outages?

  6. How frequent are your software releases?

  7. Do you offer a trial period and if so, what if any restrictions exist?

  8. What are the system requirements for running your software?

  9. Does your software integrate with other systems we use?

  10. How often do you release updates, and how are they delivered?

  11. Are there additional costs for premium support or training?

If AI is used:

  1. Is my data used to train the learning model for other customers?

  2. If my data is being used to train for other customers, is my data being anonymized 

  3. How is my data being separated from other data?

  4. Is there a way to disable the use of AI within this tool?

  5. Can you explain the measures in place to protect against unauthorized access to AI training data and models?

  6. What encryption standards and protocols do you employ for data storage and transmission within your AI system?

  7. How do you address potential biases in the AI algorithms that could lead to discriminatory outcomes?

Security questions:

  1. How do you ensure the security of your software and protect against data breaches?

  2. Can you provide details about your approach to encryption for data in transit and at rest?

  3. What measures do you have in place to detect and respond to security threats or attacks?

  4. Do you conduct regular security audits and penetration testing on your software?

  5. How do you handle access control and authentication for users?

  6. Can you provide information about your compliance with industry-standard security frameworks (e.g., ISO 27001, SOC 2)?

  7. What procedures do you have in place for securely managing and storing sensitive user data?

  8. How do you handle security updates and patches for your software?

  9. Can you provide documentation or evidence of your software's security certifications?

  10. What is your policy for disclosing security vulnerabilities and how quickly do you release patches or fixes?

  11. Does this software enforce MFA?


bottom of page