Evaluating a technology vendor before signing any contract means verifying, in a structured manner, whether that company has the technical capability, legal compliance, and operational stability to deliver what it promises. Essential criteria include internationally recognized certifications, a proven history of incident response, compliance with the LGPD, transparency in information security processes, and post-contract support capability. Ignoring this step exposes the company to financial, legal, and reputational risks that may be irreversible.

Why Due Diligence for IT Vendors Is Neglected — and Why That Is a Costly Mistake

Every year, Brazilian companies sign contracts with technology vendors based on sales presentations, informal recommendations, or simply the lowest available price. The result appears months later: exposed systems, compromised customer data, noncompliance with the LGPD, and contracts that fail to define clear responsibilities in the event of an incident.

Due diligence for a technology vendor is not bureaucracy. It is the process that separates reliable partners from operational risks disguised as solutions. For decision-makers — CIOs, CEOs, legal directors, and procurement managers — having a clear evaluation protocol is as important as any contractual clause.

This guide delivers exactly that: a framework with objective criteria so your company can evaluate any IT vendor before signing any document.

1. Certifications and Credentials: The Non-Negotiable Starting Point

What Certifications Really Say About a Vendor

International certifications are not portfolio decorations. They represent external audits confirming that the company's processes follow globally recognized standards. When evaluating a technology vendor, certifications are the first filter — and a powerful one.

The main certifications you should require, or at least question:

- ISO/IEC 27001: international standard for information security management. Indicates that the company has formal policies, controls, and processes to protect data.
- ISO/IEC 27701: extension of ISO 27001 focused on privacy and personal data protection, directly related to LGPD compliance.
- EC-Council (CEH, CHFI): credentials in cybersecurity and digital forensics, important for offensive security or investigation providers.
- EXIN Information Security: recognized certification covering threats, risks, laws, and regulations — essential for professionals handling sensitive data.

How to Verify the Authenticity of Certifications

Requesting the certificate is not enough. Serious vendors provide the certificate number, certification body, and expiration date. You can — and should — confirm directly on the issuing organization's website. Be cautious of vendors presenting certifications without registration numbers, expired certifications, or certifications issued by unknown entities.

2. Operational History: What the Past Reveals About the Future

How to Analyze an IT Vendor's Track Record

A vendor with decades in the market is not automatically trustworthy, but one without a verifiable history represents a significant risk. During the evaluation process, look for:

- Documented use cases: Can the vendor present concrete examples of projects similar to yours? Names, industries, and achieved results?
- Verifiable references: Not just client names, but contacts who can speak about their experience with the vendor.
- Public incidents: Research whether the vendor has been involved in data breaches, lawsuits, or negative news related to security or contractual noncompliance.
- Length of operation and financial stability: Very young companies or those with a history of frequent ownership changes deserve deeper analysis.

The Risk of Vendors Without Their Own Laboratory

In the information security market specifically, there is a critical distinction between vendors that have their own infrastructure and those that outsource their entire operation to subcontractors. A vendor that depends entirely on third parties to perform forensic analysis, penetration testing, or incident response transfers to you the risk of a chain you neither control nor know.

3. LGPD Compliance: An Obligation, Not a Differentiator

Why the Vendor's Compliance Is Your Problem

Brazil's General Data Protection Law (LGPD) is clear: when your company hires an operator — meaning any vendor that processes personal data on your behalf — you, as the controller, are jointly responsible for the proper processing of that data. This means a vendor's failure can result in sanctions against your company.

What to Verify Before Hiring

When evaluating a technology vendor's LGPD compliance, include the following questions in the due diligence process:

- Does the vendor have a mapping of the personal data processed in its operations?
- Is there an updated Privacy Policy and a designated Data Protection Officer (DPO)?
- How does the vendor handle requests from data subjects (access, deletion, portability)?
- In the event of an incident involving personal data, what is the notification protocol to the ANPD and to your company?
- Does the contract include specific liability clauses regarding data processing?

Vendors that cannot answer these questions objectively represent an immediate legal risk.

4. Technical and Incident Response Capability

How to Evaluate What Is Behind the Sales Proposal

A technology vendor's commercial proposal presents the best possible scenario. Your evaluation needs to go further — to understand what happens when things do not go as planned. Essential questions for this phase:

- What SLA (Service Level Agreement) is contractually guaranteed for critical incident response?
- Does the vendor have a dedicated incident response team, or is this service outsourced?
- How are vulnerability tests conducted on the vendor's own systems?
- Does the vendor perform regular penetration tests on its infrastructure? How often? By whom?
- Is there a documented and tested Business Continuity Plan (BCP)?

The Difference Between Reactive and Proactive Monitoring

Mature vendors do not wait for incidents to happen before taking action. They maintain continuous vulnerability analysis through automated monthly checks and complement this with annual penetration tests conducted by certified professionals. This proactive model is what separates a reliable security partner from a vendor that only reacts once the damage has already occurred.

5. Contractual Transparency: What the Contract Should (and Should Not) Include

Critical Clauses Many IT Contracts Ignore

A well-structured contract with a technology vendor is not just a legal document — it is the instrument that defines accountability. Before signing, verify whether the contract includes:

- Scope and deliverables: What exactly is being contracted? What are the acceptance criteria?
- Measurable SLAs: Response time, guaranteed availability, penalties for noncompliance — everything must be defined in numbers, not vague terms such as "in a timely manner."
- Incident management: Who notifies whom, within what timeframe, and with what information in the event of a security failure?
- Data protection: Specific clauses regarding the processing, storage, and deletion of personal data, aligned with the LGPD.
- Audit rights: The contract should provide your company the right to audit the vendor or request compliance reports periodically.
- Exit and transition: What happens when the contract ends? How will your data be returned or deleted? Is there a guaranteed transition period?

Warning Signs in IT Contracts

Avoid contracts that:

- Excessively limit the vendor's liability in cases of failure;
- Do not include SLA clauses or make them too vague to enforce;
- Do not mention the LGPD in contracts involving any processing of personal data;
- Prevent external audits or customer inspections;
- Transfer all risk of incidents caused by the vendor entirely to the customer.

6. Independent Validation: Why You Should Not Rely Only on the Vendor's Self-Assessment

The Problem With Vendor-Conducted Evaluations

Every vendor presents its best side during a sales process. Internal reports, selected testimonials, and certifications displayed on the website tell the story the vendor wants to tell. For a robust hiring decision — especially in technology and information security — independent validation is irreplaceable.

The Role of an Independent Validation Partner

Companies specializing in information security auditing and consulting act as independent partners in this process. With more than 20 years of experience in the Brazilian market and the largest forensic laboratory in Brazil, STWBrasil performs impartial technical evaluations that include:

- ISO 27001 and ISO 27701 compliance audits: verification that the vendor truly adheres to the standards it claims to follow, with detailed executive and technical reports.
- LGPD compliance assessment: independent analysis of the vendor's data processing procedures.
- Vulnerability analysis: identification of weaknesses in the vendor's infrastructure that may pose risks to your company.
- Technical due diligence: in-depth review of security architecture, internal policies, and incident response capability.
- CISO as a Service: for companies that need specialized guidance without hiring a full-time security executive.

Having an independent technical partner by your side during vendor evaluation transforms a subjective process into an evidence-based process.

7. Practical Checklist: How to Evaluate a Technology Vendor in 7 Steps

Use this checklist as a structured guide during any IT vendor evaluation process:

Step 1 — Certification Verification
- Request certificates with registration numbers and validity dates
- Confirm authenticity directly with the certification body
- Verify whether the certificates cover the services being contracted

Step 2 — Operational History Analysis
- Request documented use cases in similar industries
- Contact verifiable references
- Research public history of incidents or litigation

Step 3 — LGPD Compliance Due Diligence
- Ask about the designated DPO and data mapping
- Review the Privacy Policy and data subject response procedures
- Verify the incident notification protocol

Step 4 — Technical Capability Assessment
- Request detailed SLAs with measurable metrics
- Ask about the frequency and methodology of penetration tests and vulnerability analyses
- Verify the existence of a documented and tested BCP

Step 5 — Contract Review
- Verify the presence of audit clauses
- Confirm specific LGPD and incident management clauses
- Review data exit and transition clauses

Step 6 — Independent Validation
- Hire an independent technical audit separate from the vendor
- Request a compliance report issued by a third party
- Evaluate results with the support of an information security specialist

Step 7 — Continuous Evaluation
- Define a periodic vendor reevaluation cycle (semiannual or annual)
- Include a contractual clause granting audit rights during the contract term
- Establish performance indicators monitored regularly

Evaluating a Technology Vendor Means Protecting Your Business

The decision to hire a technology vendor is, in practice, a decision about risk. Every contract signed without proper due diligence is a gamble involving your company's data, your customers' trust, and your business's legal compliance.

The process described in this guide does not need to be long or expensive. It needs to be structured and based on concrete technical criteria — not commercial promises.

For companies that need specialized support in this process, STWBrasil offers auditing, consulting, and independent validation services that turn vendor evaluation into an objective, documented, and legally robust process. With international certifications, more than two decades in the market, and the largest digital forensic laboratory in Brazil, STWBrasil acts as a trusted partner for decision-makers who cannot afford to make mistakes when choosing a technology vendor.

Want to evaluate your next technology vendor with independent technical support? Contact STWBrasil's specialists and discover how structured due diligence can prevent risks that no contract can fully repair.