Software Vendor Due Diligence: What to Check Before You Sign

Why Most Enterprises Skip Due Diligence (And Pay For It Later)

Enterprise software procurement teams face constant pressure: move fast, deploy solutions, drive digital transformation. In that urgency, due diligence often becomes the casualty. Legal reviews the contract, IT validates the technology, and procurement signs. Most teams check the boxes.

The problem is that software contracts are designed asymmetrically. Vendors spend millions building licensing engines, audit mechanisms, and escalation clauses specifically to extract maximum value over time. They know exactly what happens when you miss a renewal window, when you exceed a licensing threshold, or when a competitor acquires your vendor.

The statistics tell the story: 65% of enterprises have at least one contract with unfavourable auto-renewal terms they don't even know about. The average enterprise carries 3-5 software contracts with unilateral price increase rights that vendors exploit the moment a new CFO arrives or budget pressures force harder negotiations.

This article walks through exactly what you need to verify before you sign—the specific traps vendors build into contracts, the concentration risks that can lock you into dependencies, and the due diligence framework that prevents you from becoming another cautionary tale.

Financial Stability: Is Your Vendor Going to Be Here in 5 Years?

Before you build your business on a platform, you need certainty that the vendor won't disappear, get acquired, or pivot away from your industry segment.

The financial stability check includes:

• Revenue trajectory and growth rate. Declining revenue in core products is a red flag. Vendors often obscure this by bundling revenue or acquiring their way to growth. Look for actual license growth, not acquisition-driven growth.
• Customer concentration. If one customer represents more than 15-20% of revenue, the vendor's strategy is hostage to that relationship. If that customer leaves or renegotiates, the vendor's business model breaks.
• Burn rate and runway. For SaaS and cloud vendors, understand their cash burn. Private companies won't always disclose this, but you can request it as part of vendor questionnaires. A vendor with 18 months of runway is a bankruptcy candidate.
• R&D investment and product roadmap maturity. Vendors cutting R&D are pivoting away from the category. If your product is not a growth vector, expect stagnation or sunsetting.
• Acquisition activity and debt levels. Heavily leveraged vendors (common post-PE acquisition) are more aggressive on pricing and are more likely to be acquired again. Each acquisition carries acquisition risk (see VMware below).

Request a Dun & Bradstreet report, analyze their latest financial filings if public, and ask your vendor directly about customer concentration and roadmap investment. Most vendors will decline, which tells you something important.

Licensing Model Red Flags: Terms That Will Cost You More Than You Think

The licensing model is where vendors build in the escalation engine. This is where your 3-year deal becomes a 5-year deal at 40% higher rates.

Watch for these common traps:

• Indirect access / floating seat models. SAP is famous for this. Their contracts allow them to charge for any system that "indirectly accesses" SAP data. A finance system that feeds into SAP? That's indirect access. A data warehouse that pulls SAP data? Indirect access. Your audit bill skyrockets.
• Metric creep. Licensing tied to headcount, revenue, transactions, or data volume. Vendors build in assumptions about growth, but they rarely adjust contracts when you scale. A growth company will be audited and charged for exceeding metrics within 3-5 years.
• Consumption-based models without caps. AWS, Azure, and Salesforce all offer consumption pricing. Without negotiated caps, your bill can double in a single month. Always negotiate maximum monthly spend or per-unit price floors.
• Named user vs. concurrent user traps. Named users lock in cost per person. Concurrent users create an incentive to batch usage. But the licensing meters are often inaccurate or designed to generate audit disputes. Request demonstration of the metering and audit rights language before signing.
• Usage tiers that reset annually. Tiered pricing is common (lower per-unit rates as volume increases), but some vendors reset your tier every contract year instead of maintaining your cumulative volume. That's a hidden escalation.

The licensing model conversation should be detailed and documented. Build a cost model for three scenarios: flat usage, 25% growth, and 50% growth. Model what you'll actually pay under the vendor's licensing terms. If the vendor can't articulate exactly how licensing will scale, the contract is unfavorably ambiguous in their favour.

Contract Traps to Identify Before You Sign

Vendor contracts contain specific language designed to lock you in, limit your options, and give the vendor maximum leverage in renewal negotiations.

Auto-Renewal Clauses and Evergreen Provisions

What to check: Explicitly negotiate the auto-renewal language. Replace "automatic renewal" with "expires on [date] with no renewal unless both parties agree in writing." Push back on any notice period longer than 60 days, and insist on written reminders at 120 days and 30 days before expiration. Lock in renewal pricing upfront (no more than 3-5% annual increase). If the vendor won't accept this language, you're seeing their true negotiation posture.

Unilateral Price Increase Rights

Some contracts include language granting vendors the right to increase prices unilaterally each year. This is often hidden in renewal terms or in language around "inflation adjustments" or "index-linked pricing."

Example language: "Vendor may increase fees by up to 10% annually, effective upon written notice to Customer 30 days prior to the renewal date." You have no recourse—accept the increase or lose the software.

What to check: Negotiate fixed pricing for the entire term. If the vendor insists on escalation, cap it: "Annual increases not to exceed 5% per year, with written notice at least 90 days in advance, with Customer right to terminate for convenience at increased rates." Some vendors will accept annual caps tied to CPI or a specific index (e.g., "increase capped at annual US CPI or 3%, whichever is lower").

Audit Rights and Compliance Language

Audit rights are where vendors generate unexpected costs. Oracle, Salesforce, and SAP all maintain aggressive audit programs. The audit language in their contracts gives them broad rights to access your systems, examine your records, and demand payment for unlicensed usage.

Oracle example: Oracle's standard language grants them the right to audit "all hardware, software, and records related to the licensed software." In practice, this means Oracle auditors can demand access to your entire IT infrastructure. They've been known to audit customer networks and demand payment for software running on systems that merely *coexist* with Oracle products (even if that software is unrelated).

What to check: Audit language should be specific and limited. Negotiate language like:

• Audits only upon reasonable business suspicion of non-compliance, not routine/random audits
• At least 30 days' written notice before any audit
• Audits limited to systems running the specific licensed product
• Vendor must provide audit plan, scope, and specific questions in advance
• Customer may have counsel present during audit
• Audit results are confidential and covered by non-disclosure
• If audit shows less than 5% non-compliance, vendor pays audit costs

Many vendors will resist this language, but large enterprises have successfully negotiated it. If a vendor refuses to limit audit scope, that tells you they intend to use audits as a negotiation weapon.

Termination for Convenience Limitations

Standard contract language should allow you to terminate for any reason with reasonable notice (30-90 days) and pay only for the remainder of the term. Some vendors instead require:

• Termination only for cause (vendor breach), not convenience
• Termination fees equal to remaining contract value (locking you in fully)
• Notice periods of 180+ days with continued payment obligation
• Termination permitted only at annual renewal dates, not mid-term

What to check: Insist on termination for convenience on 60 days' notice, with payment obligation limited to: (a) accrued fees through termination date, and (b) no penalty. Lock in exactly what happens to data, credentials, and access when you terminate. Specify that you own your data and can export it in standard formats.

Vendor Concentration Risk: When You're Too Dependent on One Supplier

Concentration risk is the business risk you're taking by building dependencies on a single vendor or a single product line. The risk isn't just technical (what if the product is discontinued?)—it's also commercial (what if the vendor is acquired and priorities shift?).

Concentration risk assessment includes:

• Revenue impact if the product is discontinued. If your customer experience or operations depend on a single platform, and that platform is discontinued, what's the business impact? Is it a line item or a core dependency?
• Data portability and switching costs. If you need to migrate to a competitor, how difficult is the migration? Can you export your data in a format that competitors accept? Is the data model proprietary? Switching costs should be analyzed and factored into the contract value.
• Percentage of IT budget. If a single vendor represents more than 15-20% of your IT budget, that's a concentration risk. You're making strategic bets on that vendor's roadmap, not on your own strategic priorities.
• Organizational dependencies and team skills. If your team has built expertise in a single platform, losing that platform leaves your team vulnerable. Build multi-vendor expertise into your staffing model.
• Market consolidation trends. Is the market consolidating? Are competitors being acquired? What's the acquisition likelihood for your specific vendor?

The Acquisition Risk: What Happened When Broadcom Bought VMware

No vendor due diligence case study is more instructive than what happened when Broadcom acquired VMware in late 2023.

VMware customers had multi-year contracts with favorable economics: predictable pricing, flexible renewal terms, and competitive terms negotiated over years of relationships. When Broadcom took over, they immediately announced new pricing: customers saw 200-400% price increases on their VMware agreements.

A customer with a $5M annual VMware contract suddenly faced $15-20M annual costs. For some enterprises, that was 1-2% of their entire IT budget. Customers couldn't exit—their infrastructure was entirely built on VMware. Negotiations were futile because Broadcom held all the leverage.

The acquisition risk for VMware was visible if you knew where to look:

• Broadcom's post-acquisition integration playbook. Broadcom had acquired Symantec, Brocade, and CA Technologies. Every acquisition followed the same pattern: consolidate customer bases, eliminate product overlap, eliminate channel overlap, then raise prices aggressively.
• VMware's prior independence efforts. Broadcom had spun VMware out from Dell specifically to prepare it for acquisition and provide a standalone revenue asset. Broadcom wanted that asset.
• Market dynamics. Hypervisor market was maturing and commoditizing. Broadcom wanted to extract maximum value during the transition to cloud-native. They did.

What should VMware customers have done?

• Included acquisition/change-of-control language in the contract: "If Vendor is acquired, Customer has the right to terminate the agreement on 90 days' notice without penalty."
• Negotiated price protection language: "Annual price increases are capped at 5% per year. If Vendor is acquired, annual cap is reduced to 3% for remainder of term."
• Built exit strategies into the architecture: evaluate open-source alternatives (KVM, Proxmox) and cloud-native alternatives in parallel with VMware deployment.
• Spread workloads across hypervisors: containerization, Kubernetes, cloud-native architecture reduce hypervisor vendor dependency.

For your due diligence now: Ask your vendor directly about acquisition risk. Who might acquire them? What's the acquisition likelihood over the next 3-5 years? Most vendors won't answer, but the question itself signals that you're thinking like a sophisticated buyer.

Technical Due Diligence: Lock-In, Migration Costs, and Data Portability

Technical due diligence is where you verify that switching costs are acceptable and that you're not building permanent dependencies on proprietary technology.

Key questions:

• Data export and portability. Can you export your data in standard formats (CSV, JSON, SQL dumps, standard APIs)? Or is your data trapped in proprietary formats? Request a sample data export in advance. If the vendor can't provide it, assume data lock-in.
• API completeness and stability. Are all product features accessible via standard APIs, or are critical features only accessible through the UI? Can you build integrations? Is the API stable across versions, or do breaking changes require code rewrites?
• Single sign-on (SSO) and identity integration. Can you integrate SSO (SAML, OAuth) or is the vendor maintaining a separate identity store? If it's separate, exiting the vendor means identity migration complexity.
• Custom code and extensibility. If your team has built custom code (scripts, plugins, extensions), will that code survive a migration to a competitor? Some vendors lock you into their customization language or platform-specific APIs. Others embrace standard languages and frameworks.
• Historical data and audit trails. Can you export historical data and audit logs, or are those trapped in the vendor's system?

Run a technical migration assessment with your IT team. Identify the switching costs in time, resources, and disruption. If switching costs exceed $500K-1M, that's a lock-in signal. Price your contract accordingly.

How to Conduct Independent Pricing Benchmarking Before Negotiations

Most enterprises accept the vendor's initial pricing as the "market rate." That's almost never true. Independent benchmarking is where you discover negotiating leverage.

Benchmarking approach:

• Talk to peer companies. If your company is in healthcare, insurance, or financial services, peer discussions reveal actual pricing paid by comparable organizations. Use industry forums (HIMSS, Gartner analyst briefings, industry association procurement groups) to find peers willing to share pricing. Most do, off the record.
• Analyze Gartner contract reviews. Gartner maintains a database of software contracts and the actual economics agreed by companies. If you have a Gartner account, your analyst can provide benchmark data on typical pricing for your software category and company size.
• Request the vendor's standard price list and volume discounts. Ask the vendor directly: "What is your published standard pricing, volume discounts, and average discount for companies of our size?" Some vendors will provide this. Many won't, which signals that pricing is entirely negotiable.
• Engage a procurement advisor early. If you're signing a $1M+ contract, it's worth engaging a vendor-agnostic procurement firm to conduct benchmarking and negotiate terms. The leverage they find usually pays for themselves many times over.
• Compare TCO across competitors. Don't just compare licensing fees. Include implementation, customization, training, and support costs. A "cheaper" license can be far more expensive overall.

Build a benchmarking summary: "Market rates for [product category] range from [low] to [high] for companies of our size, based on [data sources]. Vendor's opening proposal is [price], which is [above/below] market range."

Building Your Due Diligence Checklist

Use the checklist below to systematize your vendor due diligence. Add it to your procurement intake process and make it standard for any software contract over $100K.

Your Next Steps

Vendor due diligence is not a compliance box. It's the core of protecting your enterprise from expensive lock-in, unexpected costs, and strategic dependencies you didn't intend to create.

Start here:

1. For any software contract over $100K, run this due diligence framework. Assign a procurement lead and give them authority to request additional information from the vendor.
2. Document findings in a risk summary: what are the red flags? What are the acceptable risks? What needs to be negotiated before you sign?
3. Negotiate high-risk terms before signature. The most expensive time to discover audit vulnerabilities, pricing traps, or lock-in language is after you've signed.
4. Build a contract repository and track renewal dates. Use the free estimate tool to identify which contracts are likely negotiation opportunities.

Related Reading

Dig deeper into specific vendor trap categories:

• Contract Red Flags: 10 Clauses That Cost Enterprises Millions
• The Auto-Renewal Trap: How to Avoid Getting Locked Into Another Year
• VMware's Broadcom Acquisition: What It Means for Your Licensing Costs
• Oracle Audit Rights: What You're Actually Signing Away
• Software Audit Defence: Protecting Your Enterprise from Vendor Audits