Chapter 03 · Working artifact

Due Diligence

Security questionnaires, GDPR / data-residency probes, financial-health checks, reference-call script, and the negotiation playbook for getting from "we like vendor A" to a signed, defensible contract.

Security due diligence

Run this in parallel with the RFP scoring. Security DD typically requires 2–3 weeks because vendors gate the real artifacts behind NDA. Start the NDA the day you put the vendor on the shortlist.

The artifact checklist

  • SOC 2 Type II report — current within 12 months, reviewed by your CISO or delegate, including bridge letter if > 90 days old
  • ISO 27001 certificate + Statement of Applicability (SoA)
  • ISO 27701 or equivalent privacy management certification
  • Most recent penetration-test executive summary (under NDA), within last 12 months
  • Vulnerability-disclosure policy or bug-bounty program details
  • Incident-response plan summary + breach notification SLA
  • Business continuity / disaster-recovery plan summary with RTO & RPO
  • Encryption architecture: at-rest algorithm/key-length, in-transit (TLS version), KMS / HSM
  • Customer-managed key (CMK / BYOK) option — confirm yes/no/roadmap
  • Tenant isolation model (single-tenant / multi-tenant logical / multi-tenant physical)
  • Customer-facing audit log on all admin and data-access operations
  • Sub-processor list URL + notification policy when sub-processors change
  • Employee background-check policy for staff with access to PII
  • SAML / OIDC SSO and SCIM for our admin users
  • API authentication options (API key, OAuth2, mTLS) — confirm rotation procedure

SOC 2 review — what to actually look for

The audit letter on the front is not enough. Open the report and read for these:

  • Scope. Is the IDV product itself in scope, or only the corporate IT environment? Some vendors have SOC 2 on their internal Google Workspace but not the IDV platform. Demand the product be in scope.
  • Trust Service Criteria covered. Security is required; Confidentiality, Privacy, and Availability are optional. For an IDV vendor processing PII, you want all four. Processing Integrity is a bonus.
  • Period covered. Type II must cover at least 6 months — ideally 12 months continuous. Look for "no exceptions" or, failing that, the list of exceptions together with the management responses.
  • Sub-service organizations. If AWS / Azure / GCP is carved out, that's normal. If a niche vendor is carved out and inherits half the control responsibilities, that's a problem.

SOC 2 is necessary, not sufficient

A clean SOC 2 means the vendor has controls and follows them. It does not mean those controls are appropriate for handling identity documents at scale. Read the control descriptions, not just the audit conclusion.

Privacy & data-residency due diligence

This is where most IDV deals get hung up at legal review. The questions below surface the issues before legal sees the DPA.

GDPR / data-residency probes

Each row pairs the question with (→) the answer you want to hear.

  • Where is EU-subject data processed and stored?
    → EU-region (Frankfurt / Dublin / Paris) with no fallback to US for processing
  • Where are AI/ML models trained, and on which data?
    → Either no training on customer data, or training on customer data only with opt-in and only on EU-located data for EU users
  • Does your DPA include current EU SCCs (2021) + UK IDTA?
    → Yes, as schedules, with a TIA (transfer impact assessment) appendix
  • How do you handle a Subject Access Request (SAR) or a right-to-erasure request?
    → Documented runbook, < 30-day SLA, programmatic API exposed to us as controller
  • What's your default data-retention period? Is it configurable?
    → Defaults vary; you want per-jurisdiction configuration so you can match local regulatory requirements (5y FCA, 7y NYDFS, 5y MAS)
  • How do you handle conflicts between retention requirements (regulator says "retain") and erasure requests (user says "delete")?
    → They should default to the regulatory-retention obligation under GDPR Art. 17(3)(b) and document the user-facing communication
  • What's your DPO's contact information?
    → A named individual, EU-region location preferred
  • Is a Schrems II transfer-impact analysis available?
    → Yes, on request; the vendor has clearly thought about this
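
The retention-versus-erasure conflict in the probe above is the one most vendors answer vaguely, so it helps to know what a correct answer looks like in code. The following is an added example written for this chapter, not code from any vendor: it resolves an erasure request against per-jurisdiction retention minimums, keeping the record under restricted processing until the obligation expires and producing the user-facing message the page says the vendor should document. The jurisdiction keys, the record dates and the choice of "relationship ended" as the start of the retention clock are constructed assumptions; only the 5y/7y/5y durations come from the page.

```python
# Added example (not from the page's author): resolving a right-to-erasure
# request against per-jurisdiction retention obligations. Jurisdiction keys,
# dates and the "relationship_ended" clock start are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum retention periods in years. The durations are the ones the page
# names (5y FCA, 7y NYDFS, 5y MAS); the key names are constructed labels.
RETENTION_YEARS = {
    "UK-FCA": 5,
    "US-NYDFS": 7,
    "SG-MAS": 5,
}


@dataclass(frozen=True)
class VerificationRecord:
    record_id: str
    jurisdiction: str         # key into RETENTION_YEARS; unknown keys mean no hold
    relationship_ended: date  # assumed start of the retention clock


@dataclass(frozen=True)
class ErasureDecision:
    action: str                   # "erase" or "retain_restricted"
    retain_until: Optional[date]  # set only when retention overrides erasure
    legal_basis: Optional[str]
    user_message: str             # the user-facing communication to document


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def resolve_erasure(rec: VerificationRecord, requested_on: date) -> ErasureDecision:
    years = RETENTION_YEARS.get(rec.jurisdiction)
    if years is None:
        # No regulatory hold applies: honour the request outright.
        return ErasureDecision("erase", None, None,
                               "Your identity records have been deleted.")
    expiry = add_years(rec.relationship_ended, years)
    if requested_on >= expiry:
        # Retention period already served: nothing blocks erasure.
        return ErasureDecision("erase", None, None,
                               "Your identity records have been deleted.")
    # The legal obligation wins (GDPR Art. 17(3)(b)), but processing is
    # restricted to that purpose and deletion is scheduled for the expiry date.
    return ErasureDecision(
        "retain_restricted",
        expiry,
        "GDPR Art. 17(3)(b): processing necessary to comply with a legal obligation",
        f"We are legally required to keep your identity records until {expiry.isoformat()}. "
        "Until then they are used for no other purpose, and they will be deleted on that date.",
    )


def demo() -> dict:
    """Three constructed requests: one held by FCA retention, one whose NYDFS
    period has elapsed, one in a jurisdiction with no retention rule."""
    requested = date(2024, 1, 15)
    records = [
        VerificationRecord("r-001", "UK-FCA", date(2021, 6, 1)),
        VerificationRecord("r-002", "US-NYDFS", date(2015, 3, 10)),
        VerificationRecord("r-003", "XX-NONE", date(2023, 11, 30)),
    ]
    return {r.record_id: resolve_erasure(r, requested) for r in records}


if __name__ == "__main__":
    for rid, d in demo().items():
        print(rid, d.action, d.retain_until, "|", d.user_message)
```

The point to test in the vendor's answer is the middle branch: a "delete" request during the retention window must not silently fail, and it must not silently succeed either; the record stays, its processing purpose narrows, and the user is told the date.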

Data-flow diagram

Demand a data-flow diagram from each shortlisted vendor. It should show: capture → encrypt → store → process → model-inference → output → retention → deletion, with sub-processors and country flags. If they can't produce one in a week, they don't have a clear picture of their own data flows.
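
Once the diagram arrives, the review is mechanical enough to script, which also keeps the check consistent across shortlisted vendors. Below is an added example, not the page's or any vendor's code: it models the eight stages the page asks for as hops with an operator, a region and a country flag, then reports any stage the diagram omits, any primary or failover region outside the allowed set for EU-subject data, and any operator missing from the disclosed sub-processor list. The region labels, operator names and the sample flow are constructed for the example.

```python
# Added example (not the page's or any vendor's code): a reviewer's check of a
# vendor-supplied data-flow declaration against the residency answers the probe
# table asks for. Region codes, operators and the sample flow are constructed.
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# The eight stages the page says the diagram must show, in order.
REQUIRED_STAGES = ["capture", "encrypt", "store", "process",
                   "model-inference", "output", "retention", "deletion"]

# Constructed region labels standing in for Frankfurt / Dublin / Paris.
EU_REGIONS: Set[str] = {"eu-frankfurt", "eu-dublin", "eu-paris"}


@dataclass
class Hop:
    stage: str
    operator: str                  # the vendor itself or a sub-processor
    region: str                    # primary processing/storage region
    country: str                   # country flag the diagram should carry
    fallbacks: List[str] = field(default_factory=list)  # regions used on failover


def review_flow(hops: Iterable[Hop], vendor: str, disclosed_subprocessors: Set[str],
                allowed_regions: Set[str] = EU_REGIONS) -> List[str]:
    """Return findings for EU-subject data; an empty list means the diagram
    matches the answers you want to hear."""
    hops = list(hops)
    findings: List[str] = []
    present = {h.stage for h in hops}
    missing = [s for s in REQUIRED_STAGES if s not in present]
    if missing:
        findings.append("diagram omits stages: " + ", ".join(missing))
    for h in hops:
        if h.region not in allowed_regions:
            findings.append(f"{h.stage}: primary region {h.region} ({h.country}) is outside the allowed set")
        for fb in h.fallbacks:
            if fb not in allowed_regions:
                findings.append(f"{h.stage}: failover to {fb} leaves the allowed set")
        if h.operator != vendor and h.operator not in disclosed_subprocessors:
            findings.append(f"{h.stage}: operator {h.operator} is not on the disclosed sub-processor list")
    return findings


def sample_review() -> List[str]:
    """Constructed diagram with two defects the checks above should catch."""
    vendor = "ExampleIDV"
    disclosed = {"CloudHost EU", "OCR Partner"}
    flow = [
        Hop("capture", vendor, "eu-dublin", "IE"),
        Hop("encrypt", vendor, "eu-dublin", "IE"),
        Hop("store", "CloudHost EU", "eu-frankfurt", "DE"),
        Hop("process", vendor, "eu-frankfurt", "DE"),
        # Failover to a US region for inference: the "no fallback to US" answer fails.
        Hop("model-inference", "OCR Partner", "eu-paris", "FR", fallbacks=["us-east"]),
        # An operator that is not on the disclosed sub-processor list.
        Hop("output", "Undisclosed Analytics", "eu-dublin", "IE"),
        Hop("retention", "CloudHost EU", "eu-frankfurt", "DE"),
        Hop("deletion", vendor, "eu-frankfurt", "DE"),
    ]
    return review_flow(flow, vendor, disclosed)


if __name__ == "__main__":
    for finding in sample_review():
        print("FINDING:", finding)
```

Failover regions are modelled separately from the primary region on purpose: a diagram that shows every primary hop in the EU can still fail the first probe if disaster recovery or overflow inference runs in the US, and that is exactly the detail vendors leave off the picture.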

Financial health diligence

The risk: you sign a 2-year contract with a vendor that runs out of cash in month 9, gets acquired by a competitor, or pivots away from your use case. Most IDV vendors are private; you have to triangulate.

Signals to gather

Each row gives the signal, how to gather it, and what it tells you.

  • Last funding round + runway
    How to gather: Crunchbase, PitchBook; ask directly
    What it tells you: How long until they need to raise again
  • Headcount trend (LinkedIn, last 24 months)
    How to gather: LinkedIn Insights; ask for headcount today vs 12 months ago
    What it tells you: Layoffs without product retrenchment are a yellow flag; layoffs with retrenchment are a red flag
  • Executive turnover
    How to gather: LinkedIn for CEO, CTO, Head of Product, CFO over 24 months
    What it tells you: Multiple senior exits signal high risk
  • Customer concentration
    How to gather: Ask: "What % of revenue comes from your top customer / top 5 customers?"
    What it tells you: >30% from one customer is fragile
  • Product investment trajectory
    How to gather: Changelog, public roadmap, GitHub activity (if they ship open-source SDKs)
    What it tells you: Sustained shipping vs maintenance-only mode
  • M&A risk
    How to gather: Direct question + industry rumor mill
    What it tells you: An acquired vendor pivots, raises prices, or loses key staff

Concrete questions to ask the vendor's CFO / Head of Finance directly

  • "What is your current cash runway, in months, at current burn?"
  • "What % of your revenue comes from your top customer? Top 5?"
  • "What is your gross retention rate over the trailing 12 months?"
  • "What is your net revenue retention?"
  • "Are you EBITDA-positive or on a path to profitability? What's the timeline?"
  • "What's your strategic horizon: are you optimizing for growth, profitability, or exit?"

Some vendors will refuse to answer. Refusal is data. A confident vendor with a healthy business will answer all of these — possibly under NDA — because the answers help them close.

Reference-call script

Reference calls from the vendor are pre-selected to say good things. Your job is to learn what wasn't on the brochure. 30 minutes, structured, two interviewers (one drives, one takes notes).

Pre-call

  • Find the reference on LinkedIn. Note their role, tenure, and any shared context (alumni, mutual connections).
  • Send a calendar with a 30-min duration and a one-line agenda: "Reference call about [Vendor] — your candid experience."
  • Brief your second interviewer on the 3 questions you most need answered.

Opening (2 min)

"Thanks for taking the time. We're [Company], evaluating [Vendor] for [use case]. We'd love your candid take — what's gone well, and what you wish you'd known going in. Nothing you say will be attributed."

The questions (25 min)

  1. Tell me about your deployment. What modules, what jurisdictions, what volume tier, how long live?
  2. What surprised you, positive or negative, after go-live? (This single question, asked early, is the highest-yield question in the script.)
  3. How accurate are their performance claims relative to what you measured? Specifically: false-reject, completion, time-to-decision.
  4. What does the support experience look like at 2 AM during a P1? Have you had a P1?
  5. Have they ever caused you a regulatory or compliance issue? If so, how did they handle it?
  6. How does the relationship change after the contract is signed? Are the people you negotiated with still involved?
  7. How are billing surprises? Any unexpected fees? How transparent is the invoice?
  8. Has pricing gone up at renewal? By how much?
  9. If you were re-doing the evaluation today, would you pick them again? Honestly?
  10. What would you ask the vendor that we haven't?

Closing (3 min)

"This was incredibly helpful. Mind if I reach out again with a follow-up if something comes up?" Always say yes to keeping the door open — you may need them in the post-signature phase.

Run a back-channel reference too

Vendor-supplied references say good things. Find 1–2 customers not on the vendor's reference list — through your network, mutual investors, ex-employees on LinkedIn — and have a 15-minute coffee. This is where you learn the things the vendor wouldn't list as a reference.

Negotiation playbook

You have leverage at exactly two moments: (1) before you sign, and (2) when their contract renewal lands. After that, you have effectively none. Spend it now.

The seven things vendors flex on (in roughly descending willingness)

  1. Per-check unit price. 20–40% off list with reasonable volume is normal. Get tier curves with breakpoints.
  2. Minimum commitments. Vendors will often drop minimums by 30–50% if you push, especially if you push at quarter-end.
  3. Onboarding / implementation fees. Almost always waivable.
  4. Sandbox costs. Should be free; if not, push hard.
  5. Term length. Vendors push for 3 years for price stability; you want 1-year with renewal option. Compromise at 2 years with year-1 renegotiation trigger on volume +/- 30%.
  6. SLA credits. Move the bar up (99.5% → 99.9%) and make credits automatic.
  7. MSA / DPA clauses. Slower flex, but reasonable for material asks (liability cap, IP, termination).

The three things vendors do not flex on

  1. Their cost basis on specific high-cost checks (Travel Rule messaging fees, OFAC-list licensing). They'll absorb little.
  2. Their sub-processor list. They won't change their AWS-vs-GCP footprint for you.
  3. Their published SOC 2 / ISO scope. You can't negotiate the auditor's findings.

Leverage moves

  • Always be running a second-place option in parallel. Vendors smell when you're locked in. The truthful "we're also evaluating [Vendor B] and have to choose by [date]" is worth 10–20% on price.
  • Time the close to vendor quarter-end. Late March, late June, late September, late December for most US-based vendors. AEs will discount harder.
  • Bundle the conversation. Instead of "what's your per-check price," negotiate the whole order form together — checks + AML + monitoring + KYB + minimum. Vendors will trade one for another.
  • Demand price tiers tied to volume bands. Don't accept a flat per-check rate that doesn't drop as you scale.
  • Get a renegotiation trigger. "If volume exceeds [X] in any rolling 12-month window, pricing renegotiates downward." Costs nothing today; saves real money in year 2.
  • Get a most-favored-customer (MFC) clause. Vendors hate these but will sometimes agree to MFC-within-cohort (same vertical, same volume tier).

Common gotchas

The recurring patterns that cost the most. None of these are unique to one vendor; they're industry-wide patterns to inoculate against.

Each row pairs the gotcha with (→) what to do about it.

  • AML / sanctions screening priced as a separate billable event per check
    → Insist on either bundled pricing or a heavily discounted unit price. Track sanctions-screen volume as a separate line in your forecast.
  • Re-verification fee charged at the same rate as initial IDV
    → Negotiate re-verification at 30–50% of the initial-check price; you've already done the heavy lift.
  • "Minimum commitment" is annual, billed monthly, with no rollover
    → Push for quarterly true-up so a slow Q1 doesn't lock in shortfall fees for the year.
  • "Data export" priced per record at termination
    → Refuse. Standard data export must be free at termination. Get this in writing in the MSA.
  • SLA exclusions that swallow real outages ("scheduled maintenance", "force majeure", "third-party")
    → Tighten exclusion definitions. "Third-party" must mean named, not blanket. Maintenance must be ≤ 4h/quarter with 14-day notice.
  • Sub-processor changes without notice
    → Demand 30-day notice with right to terminate for material adverse change in the sub-processor list.
  • Auto-renewal at increased pricing without a notice window
    → Insist on a 90-day notice window pre-renewal with pricing disclosure 60 days before. Otherwise opt-in renewal only.
  • "Per seat" pricing on the admin console
    → Negotiate to flat-rate or generous-band; per-seat economics break when the ops team scales.
  • Manual-review fees that aren't disclosed up front
    → Demand the full price book (every billable event type). Cross-check against your forecasted manual-review rate.
  • Document re-submission counted as a fresh check
    → Negotiate a "session" pricing model: one user-initiated verification flow = one billable check regardless of doc re-submissions.

If you only do five things from this page

  1. Read the actual SOC 2 report, not the cover letter.
  2. Get an exit clause and a transition-assistance commitment in the MSA.
  3. Cap annual price increases at lesser-of-CPI-or-5%.
  4. Refuse vendor IP claims to anything trained on your data.
  5. Run at least one back-channel reference call.