This is the list of questions we ask. We send this list out and then do an hour or so phone call to review the answers with the vendors. We then use these answers to rank them in a weighted spreadsheet to help us make our decision. We also add in things like company relationship, user testing etc, but those aren't really things we ask the vendors about.
Anyway here is the list. I'd love feedback on what others ask.
Disaster Recovery and Business Continuity
Do you have redundant sites designed for auto-failover?
How long does it take for the redundant site to take over?
Does this include the time to decide to fail over?
What kind of RTO/RPO are in place and are they actually tested against?
Do you have geographic redundancy?
Can you restore accidentally deleted or corrupted data? How far back can you restore from?
What impact does a failed HD, server, cabinet, switch, data center have?
Is it possible?
Can we do legal holds by user, file, keyword?
Can we get access to “access logs” in the event we need to?
If so how far back can we get?
What does it show us?
Can we see who our users are sharing with?
If so can we easily remove access from an enterprise level?
Do you have a site like trust.salesforce.com for transparent operations?
Is it automatically updated with outages or performance alerts?
Is code/data in escrow? If so how often does it get updated?
What is the migrate out plan like?
Can we request a backup of our data including any customizations?
Are you private or publicly owned?
Are you cash flow positive? If not what is the cash burn rate and reserve?
Are you adding new customers? How many?
Do you track your NPS (Net Promoter Score)?
Do you support automatic provisioning and de-provisioning of user accounts?
Do you support LDAP, RADIUS or, even better, SAML authentication and authorization back to us?
Do you use encryption? If so is it for data in flight, at rest or both? What kind of encryption is it?
Compliance and Privacy
Do we get notified of an investigation?
Can our data be seized as part of another company's investigation?
Is our data recoverable by your organization?
Do you have an SSAE16 or ISAE3402?
Are we allowed to have our third-party auditors (or internal auditors) audit your organization?
Please attach a copy of our master services agreement, terms and conditions or other contracts that we are using.
If you get bought by a competitor can I get my data out and go?
Are there financial penalties for service level agreement failure?
Are maximum increases baked in?
How much notice do you need to give us to terminate?
How much notice do we need to give them if we want to leave?
Does the contract auto-renew? If so what are the terms?
Are you globally load balanced? If so explain.
Do you use Akamai or other CDN for better performance?
Who do you use for WAN connectivity?
Do you offer “offline” ability? If so it is automatic, or does the user need to know that they will be offline and plan accordingly?
Do you offer built-in integration tools to existing systems like SAP, salesforce.com, etc.?
If not, how hard is it to build them?
What toolset is used for "custom development"?
Are you staffed 24/7?
Can we proactively request assistance if we are doing something off hours?
Is it onsite, email, phone, web or all?
What sort of response time is available?
What is the average tenure of the tier1 staff?
Is there a public knowledgebase available? Is it the same as the internal one or is it filtered?
Can anyone from Enterasys call, or do we only get a certain amount of “authorized users”?
How quickly do new features show up?
Do we need to do anything or do we “magically” get them?
How much notice do we get for training users?
Is the system a true multitenant system?
Do you support multiple clients, like iPhone, Android and BlackBerry, as well as tablets?
Is it strictly HTML5/browser based? If so which browsers and versions are supported?
Does the system support delegated administration?
How easy is it to automate tasks?
Can we apply roles to groups?
Do we get visibility into what is shared outside of the company, or what access has been granted to third party applications?
Can we enforce enterprise wide restrictions?