IT Procurement RFP: The Questions Your Vendor Hopes You Won't Ask
How to write an IT procurement RFP that surfaces real risks. Covers security, integration, data ownership, SLAs, migration, and true total cost.
Most technology RFPs fail before the first response arrives. They focus on features, ask vendors to confirm compliance checkboxes, and skip the questions that reveal whether a vendor can actually deliver in your environment. Vendor sales teams are practiced at answering the questions you ask. They are not practiced at answering the ones you do not include.
This guide covers the questions that matter in an IT procurement RFP: security depth, integration architecture, data ownership, SLA substance, and what it costs to leave if things go wrong.
Why most IT RFPs miss the mark
Feature questions are easy to answer and easy to fake. "Does your platform support single sign-on?" Yes. "Do you offer an API?" Yes. None of those answers tell you whether the vendor's SSO supports your identity provider or whether their API is well-documented and stable enough to build against.
IT procurement requires a different category of question. Not "does it have this feature" but "how does this work in practice" and "what happens when it fails."
Security and compliance questions
These are the questions vendors most often answer with marketing language instead of specifics. Push past the language.
SOC 2 and ISO 27001
SOC 2 is an attestation report, not a certification, so "Do you have a SOC 2 Type II report?" is not enough. Follow up: "What is the scope of the report? Which trust services criteria are in scope? What period does it cover, and were there any exceptions?" Some vendors' reports cover only a narrow subset of their infrastructure, or a different product than the one you are buying. Ask for the report itself under NDA (plus a bridge letter if the audit period has lapsed), not just confirmation that it exists. For ISO 27001, ask for the certificate and the Statement of Applicability so you can see which controls were excluded from scope. A vendor that will not share even a redacted summary most likely has exceptions it would rather you not read.
Penetration testing
Ask: "How often do you conduct third-party penetration testing, and by whom? Did the scope include the product we are buying, including tenant isolation, or only your corporate network? What was the most significant finding from your last pen test, and how did you remediate it?" The first part tells you they do it. The second tells you whether it covered what you care about. The third tells you whether they take it seriously. Ask for the tester's attestation letter or executive summary rather than accepting a one-line answer.
Incident response
Ask: "Walk me through what happens if you detect a breach affecting our data. What is your notification timeline, what information does the notification include, and does the commitment also cover incidents at your subprocessors?" You want specifics on timeline (hours, not "promptly") and notification channel. If you are a data controller under the GDPR, your own clock for notifying the supervisory authority is 72 hours from becoming aware, so a vendor that promises notification "within 72 hours" leaves you no margin at all.
Data residency and sovereignty
Ask: "Where is our data stored? List every country and cloud region where our data may reside, including backups, disaster recovery replicas, logs, and anywhere support staff can access it from." For regulated industries, this question can eliminate a vendor before any further evaluation.
Integration architecture questions
Integrations are where technology implementations break down. A vendor who says "we have an API" and a vendor who provides documentation, webhook capabilities, authentication methods, and an API uptime SLA are not the same vendor.
Ask about your specific systems. If you are integrating with Salesforce, Workday, or ServiceNow, ask: "Have you integrated with [system name] before? Describe the integration architecture, data flow, and any limitations." A vendor with real experience gives specifics. A vendor who will be figuring it out during your implementation gives generalities.
Ask about data sync and rate limits. "Do you push changes to us (webhooks, event streams), or do we have to poll? What are the rate limits on your API endpoints, are they per tenant or global, and what happens when we exceed them?" The answers tell you whether integration claims hold up under actual usage, and whether a busy day will turn into a backlog of failed calls.
Ask who owns the integration. "If the integration breaks, who is responsible for fixing it: your team, our team, or a third party?" Ownership is ambiguous in more vendor contracts than it should be.
Ask about authentication standards. "Does your API support OAuth 2.0, and which grant types (client credentials for machine-to-machine integrations)? How are API tokens scoped, rotated, and revoked? Are webhook payloads signed so we can verify their origin? Do you support IP allowlisting?" These questions reveal whether the vendor meets your security team's requirements before you pull them into a detailed review.
Data ownership questions
Data ownership questions are the most important in any technology RFP and the ones most often missing from it.
Data export. "If we decide not to renew, what is the process for exporting our data? What formats are available, and what is the timeline?" Some vendors make this deliberately slow or expensive.
Data deletion. "After contract end, how long until our data is permanently deleted from your systems, including backups, and will you confirm deletion in writing?" "Deleted" and "marked for deletion" are not the same thing, and backup retention often outlasts the contractual deletion window unless you ask.
Data portability mid-contract. "Can we export a full copy of our data at any time? Is there a cost?" Organizations that cannot export their own data are more dependent on the vendor than they realize.
Subprocessors. "Provide a list of all subprocessors who may access or process our data. What controls govern them, and how will we be notified before the list changes?" Your vendor's security is only as strong as their least-secure subprocessor, and a list that can change without notice is not a list you can rely on.
SLA substance questions
Most SLAs look similar on paper. What matters is in the definitions and remedies, not the headline numbers.
Uptime definition. "What counts as downtime for your SLA? Does planned maintenance count? Does degraded performance count? Over what window is uptime measured, and is it measured per tenant or across all customers?" A vendor whose SLA excludes maintenance windows and defines downtime as "complete unavailability" offers a much weaker guarantee than the headline number suggests.
SLA remedies. "What is the remedy if you miss your SLA? What percentage of annual contract value is the maximum credit we can earn in a year?" If the answer is under 10%, the SLA has little real consequence for the vendor.
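To make the uptime-definition and remedy points concrete, here is an added worked example (not code from the original page or from Strutter) that quantifies what an SLA actually guarantees once maintenance is excluded from the measurement window, and what the credit cap bounds. It assumes a 30-day month and uses constructed terms: a 99.9% headline with and without an 8-hour monthly maintenance exclusion, and a 5% annual credit cap.

```python
"""Quantify what an SLA's definitions actually guarantee.

Added example: a maintenance exclusion makes the headline number overstate the
availability a user experiences, and the credit cap bounds what a miss costs the
vendor. All terms and figures below are constructed, not from any real contract."""
from dataclasses import dataclass

MONTH_MINUTES = 30 * 24 * 60  # assumed 30-day measurement month


@dataclass(frozen=True)
class SlaTerms:
    headline_uptime: float               # 0.999 for a "99.9%" SLA
    maintenance_hours_per_month: float   # planned maintenance excluded from measurement
    max_credit_fraction_of_acv: float    # annual cap on credits, as a fraction of contract value


def allowed_downtime_minutes(terms: SlaTerms) -> float:
    """Most calendar downtime per month the vendor can incur without breaching.

    Excluded maintenance shrinks the measured window, so the headline only bounds
    unplanned downtime inside that window; the maintenance itself is added back
    because the customer still experiences it as downtime."""
    maintenance = terms.maintenance_hours_per_month * 60
    measured_window = MONTH_MINUTES - maintenance
    unplanned = measured_window * (1 - terms.headline_uptime)
    return unplanned + maintenance


def effective_uptime(terms: SlaTerms) -> float:
    """Availability against the full calendar month, i.e. what users see."""
    return 1 - allowed_downtime_minutes(terms) / MONTH_MINUTES


def max_annual_credit(terms: SlaTerms, annual_contract_value: float) -> float:
    """Largest total credit the vendor can owe in a year, however bad the service."""
    return terms.max_credit_fraction_of_acv * annual_contract_value


if __name__ == "__main__":
    # Constructed terms: same 99.9% headline, with and without an 8 h/month exclusion.
    strict = SlaTerms(0.999, 0, 0.05)
    loose = SlaTerms(0.999, 8, 0.05)
    for label, t in (("no exclusion", strict), ("8h maintenance excluded", loose)):
        print(f"{label}: {allowed_downtime_minutes(t):.1f} min/month allowed, "
              f"effective {effective_uptime(t) * 100:.2f}%")
    print(f"max credit on a $120,000 contract: ${max_annual_credit(loose, 120_000):,.0f}")
```

With the exclusion, the "99.9%" SLA permits over 500 minutes of calendar downtime a month (about 98.8% effective), more than ten times the 43 minutes the headline implies, and the vendor's total exposure for a year of misses is capped at $6,000. The model counts only full outages; if the SLA also excludes degraded performance, the real guarantee is weaker still.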
Support SLA by severity. "What are your support tiers and response time SLAs? How do you define Severity 1?" A vendor who defines it as "complete system outage" leaves many real-world issues in slower tiers.
Escalation. "If our ticket is not resolved within SLA, who do we contact and what changes?"
Migration and offboarding questions
Switching costs are one of the most under-examined factors in technology procurement. High switching costs create vendor lock-in that is difficult and expensive to undo.
Migration in. "What does data migration from our current system look like? Who does the work? What is included in the contract price, and what is billed separately?" Vendors often quote a low base price and bill migration as professional services. Ask for a fully loaded estimate before comparing proposals.
Migration out. "If we move to a different vendor in three years, what does that process look like? Can you connect us with a customer who has migrated away?" This question is uncomfortable for vendors. The discomfort is informative.
Dependencies. "What would we lose if we left your platform? What are the stickiest aspects?" An honest vendor answers. A vendor who says "nothing, we make it easy to leave" probably is not being fully honest.
True cost of ownership questions
For a deeper look, see Total Cost of Ownership in Vendor Selection. Here are the IT-specific questions to ask in the RFP.
Implementation costs. "Provide a fully loaded implementation estimate, including professional services, integration work, training, and any third-party tools. Break this out separately from subscription pricing."
Ongoing professional services. "What configuration changes require professional services? What can our administrators do without vendor involvement?" Some platforms charge for changes that should be self-service.
Upgrade and usage costs. "Are major version upgrades included in our subscription? How is pricing affected by data volume, user count, or API call volume? Describe any thresholds that trigger a price increase." Usage-based surprises are common in year two.
How to weight these questions in your evaluation
IT RFPs typically warrant higher weights on security than most other procurement categories. A framework that works:
- Security and compliance: 3x weight
- Integration architecture: 2x weight
- Data ownership and portability: 2x weight
- SLA substance: 2x weight
- Pricing and total cost: 1x weight
- Product fit and features: 1x weight
Adjust based on your situation. Highly regulated environments may push security to 4x. If cost is the primary constraint, pricing moves up. Define weights before reading any responses. Adjusting weights after reading proposals is how procurement decisions get rationalized instead of made.
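The following added example (not code from the original page or from Strutter) shows the weighting framework above in practice, and why fixing the weights first matters. It scores two constructed, hypothetical vendors on an assumed 1 to 5 scale per criterion, ranks them under flat weights and under the IT weights listed above, and records a SHA-256 commitment to the weight set so that a weight changed after responses were read is rejected at scoring time. The vendor names, scores and the commitment mechanism are all assumptions for illustration.

```python
"""Weighted RFP scoring with the weight set committed before responses are read.

Added example: constructed vendors and scores, not real products or responses."""
import hashlib
import json

# IT weights from the framework in the text; each criterion is scored 1..5 (assumed scale).
IT_WEIGHTS = {
    "security": 3,
    "integration": 2,
    "data_ownership": 2,
    "sla": 2,
    "pricing": 1,
    "features": 1,
}
FLAT_WEIGHTS = {k: 1 for k in IT_WEIGHTS}
SCALE_MAX = 5


def commit_weights(weights):
    """SHA-256 over the canonical JSON of the weight set.

    Record this in the RFP file before any response is opened; scoring later
    refuses a weight set whose digest no longer matches."""
    canonical = json.dumps(weights, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def weighted_score(weights, scores, commitment=None):
    """Return (raw_score, percent_of_maximum) for one vendor.

    Rejects scores that miss a criterion or fall outside the scale, and weights
    that differ from the recorded commitment."""
    if commitment is not None and commit_weights(weights) != commitment:
        raise ValueError("weights changed after they were committed")
    if set(scores) != set(weights):
        raise ValueError("scores must cover exactly the weighted criteria")
    for criterion, value in scores.items():
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{criterion}: score {value} outside 1..{SCALE_MAX}")
    raw = sum(weights[k] * scores[k] for k in weights)
    max_raw = SCALE_MAX * sum(weights.values())
    return raw, round(100 * raw / max_raw, 1)


def rank(weights, vendors, commitment=None):
    """Vendor names ordered best-first under the given weights."""
    return sorted(vendors,
                  key=lambda name: weighted_score(weights, vendors[name], commitment)[0],
                  reverse=True)


# Constructed scores for two hypothetical vendors: A is cheap and feature-rich,
# B is stronger on security, integration and SLA terms.
VENDORS = {
    "Vendor A": {"security": 3, "integration": 3, "data_ownership": 4,
                 "sla": 3, "pricing": 5, "features": 5},
    "Vendor B": {"security": 5, "integration": 4, "data_ownership": 4,
                 "sla": 4, "pricing": 2, "features": 3},
}

if __name__ == "__main__":
    commitment = commit_weights(IT_WEIGHTS)
    for label, weights in (("flat 1x", FLAT_WEIGHTS), ("IT framework", IT_WEIGHTS)):
        order = rank(weights, VENDORS)
        print(f"{label}: {' > '.join(order)}")
        for name in order:
            raw, pct = weighted_score(weights, VENDORS[name])
            print(f"  {name}: raw={raw} ({pct}% of max)")
    # Lowering the security weight after the fact is caught by the commitment.
    tampered = dict(IT_WEIGHTS, security=1)
    try:
        weighted_score(tampered, VENDORS["Vendor A"], commitment)
    except ValueError as err:
        print("rejected:", err)
```

Under flat weights Vendor A wins (23 versus 22); under the IT weights Vendor B wins (44 versus 39 out of 55). The same two proposals produce opposite decisions depending on weights alone, which is exactly why the weights must be fixed, and ideally recorded somewhere tamper-evident, before anyone reads a response.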
For a complete vendor evaluation criteria framework, see Software Vendor Evaluation Criteria: 50 Questions to Ask Before You Buy.
Run your IT RFP in Strutter
Strutter lets you build an RFP with the questions above, set weights per question, and collect structured vendor responses. When responses arrive, Strutter scores them automatically and builds the comparison matrix, with all vendor answers side by side.
Create your IT RFP at rfp.strutterai.com. The free tier covers your first RFP, full AI scoring, and the comparison matrix.