Vendor Evaluation & Negotiation Framework
Make Smarter Vendor Decisions
This framework helps you evaluate vendors systematically, identify hidden red flags in their contracts, and negotiate terms that actually serve your library's interests instead of just their margins. You'll learn to read between the lines of vendor pitches, recognize extraction architecture, and push back on predatory contract language.
Time required: 30 minutes to run through the evaluation, 2-4 hours for negotiation conversations.
Why This Matters
Vendor decisions are mission decisions, not just technology purchases. When you sign a five-year contract with a library vendor, you're making a commitment that shapes everything your library can do: what collections you can offer, whose data you protect, which patrons get served well, and which ones get left out entirely.
Vendor lock-in is real. After year two or three, switching costs become prohibitive. You've trained your staff on their system, migrated your data, changed your workflows. The vendor knows this. The time to push back on bad terms (when you have leverage) is before you sign, not after you're locked in for 60 months.
Every vendor choice either advances or undermines your equity commitments. You can't separate "our pricing decision" from "the service hours we're cutting in our lowest-income neighborhood." You can't separate "our data privacy policy" from "whether undocumented immigrant families trust us."
This guide gives you a framework to evaluate vendors through a mission lens. Not just "is it cheap?" but "is it worth it?" Not just "do they promise support?" but "what happens when they fail?" Not just "are people using it?" but "is everyone using it?"
Vendor Evaluation Wizard
Answer 15 quick questions to get a risk assessment and recommendations tailored to your situation.
The Five Risk Domains: How to Evaluate Vendors Like a Library Leader
Understanding Vendor Risk
Vendor decisions shape your library's entire future. But vendor lock-in is real. After year two or three, switching costs become prohibitive. The time to negotiate (when you have leverage) is before you sign.
When you're evaluating a vendor, five critical areas can cause problems. These domains cover the full lifecycle of the vendor relationship, from deciding whether to talk to them through the day you need to extract your data because they failed you.
Domain 1: Vendor Stability. Will They Still Be There in Year 5?
The question: Is this vendor financially healthy enough to keep operating for the duration of your contract? Do they have the expertise to support what they're promising? Are they growing or dying in the market?
Vendor failures are deeply disruptive. If your ILS vendor goes out of business, you lose access to your entire catalog. You're forced into an emergency migration. Staff are stretched thin. Patrons lose access to their holds. Meanwhile, you're probably still contractually obligated to pay the dying vendor's final invoices.
What to evaluate:
- Company financial health: Company size, funding, growth trajectory. A vendor with 500+ employees and recent funding is less likely to disappear than a one-person operation. Ask: "How many libraries are you currently serving? What's your annual revenue?" A vendor refusing to answer is a red flag.
- Time in business: Newer vendors (under 3 years) are higher risk due to startup failure rates. Vendors losing market share to competitors are riskier than those with stable or growing presence.
- Team stability: Has leadership been consistent? Is there an active product development team, or just a support team keeping things limping along?
- References from similar libraries: Talk to libraries like yours. Listen for: "We had to migrate data in a rush when they got acquired" or "Support disappeared when the founder left."
Domain 2: Contract & Data Terms. Can You Actually Leave?
The question: What happens to your data if you need to exit? How much will it cost to switch vendors? Are you locked in by contract language that makes leaving prohibitively expensive?
Lock-in is how vendors extract value. If leaving costs $200K in migration expenses and six months of staff time, you won't leave even if the vendor is terrible. The time to negotiate exit terms is upfront, when you have leverage.
What to evaluate:
- Data export requirements: Demand specific language: "Vendor shall provide complete export of all Customer Data, in MARC format and vendor-proprietary format, within 30 days of written request, at no additional cost." Don't settle for vague timeframes and negotiated rates, because that's code for "we'll drag it out and charge you."
- Total cost of ownership: It's not just the license fee. Calculate: License + implementation + customization + training + migration costs + switching costs. A vendor might charge $80K/year but require $500K in implementation. Be realistic about internal staff time too.
- Price increase mechanisms: Cap annual price increases. Standard: "No more than 3% annually, or CPI, whichever is lower." Don't accept "prices may increase in line with market conditions" (vendors will claim market conditions to justify anything).
- Auto-renewal traps: Watch for contracts that auto-renew unless you give written notice 90+ days before expiration. This kills negotiations. Better: demand 90-day outs from auto-renewal without penalty.
- Exit costs: What happens when you leave? Can you take your data for free or is there an exit fee? Push back: "Exit from this contract may occur with 90 days written notice, with no penalty fees beyond prorated expenses through notice date."
Domain 3: Support & Governance. Will They Actually Help When Things Break?
The question: When something goes wrong (and something will), does the vendor have an obligation to fix it? Or are they just collecting fees while you're stuck?
Most vendor relationships fail on support, not features. The feature set is usually fine. But when a critical system goes down during your busiest day and support doesn't respond for 48 hours, you learn what the vendor really thinks of your contract.
What to evaluate:
- Service Level Agreements (SLAs) with teeth: Demand specific commitments:
  - Critical issues (system down): 4-hour response, 1-hour acknowledgment
  - High severity (major functionality broken): 8-hour response
  - Medium: 24-hour response
  - Low: 5 business days
- Uptime guarantees: Demand 99.5% monthly uptime minimum. That's about 3.6 hours of allowed downtime per month. Include penalty credits: 1% credit for every 0.5% below the guarantee.
- Vendor staff continuity: Ask: "If my account manager leaves, how do you transition accounts?" You want account documentation in their system with 30-day overlap with the new rep.
- Training and onboarding: Is initial training included or paid separately? Can your whole team get trained? Is documentation available in formats your team can actually use?
- Escalation procedures: If your main contact can't solve an issue, what happens? "If issue not resolved in 10 days, escalates to Product Manager; if not resolved in 20 days, escalates to VP of Customer Success; if not resolved in 30 days, customer may terminate contract."
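As an added illustration (not part of this framework's own templates), a small calculator that checks a vendor's monthly uptime report against the 99.5% guarantee and the "1% credit for every 0.5% below" penalty described above. It assumes the credit accrues in whole 0.5% steps (one reading of that clause) and uses constructed outage data and a constructed monthly fee.

```python
import calendar
from datetime import datetime, timedelta

UPTIME_GUARANTEE = 99.5  # percent: the monthly minimum this framework recommends
CREDIT_STEP = 0.5        # each full 0.5% of shortfall below the guarantee ...
CREDIT_PER_STEP = 1.0    # ... earns a 1% credit on the monthly fee (assumption: whole steps only)


def hours_in_month(year, month):
    return calendar.monthrange(year, month)[1] * 24


def allowed_downtime_hours(year, month, guarantee=UPTIME_GUARANTEE):
    """Downtime budget the guarantee allows for that calendar month (3.6 h for a 30-day month)."""
    return hours_in_month(year, month) * (100 - guarantee) / 100


def outage_hours_in_month(start, end, year, month):
    """Hours of one outage that fall inside the month; outages may span a month boundary."""
    month_start = datetime(year, month, 1)
    month_end = month_start + timedelta(days=calendar.monthrange(year, month)[1])
    clipped = min(end, month_end) - max(start, month_start)
    return max(clipped.total_seconds() / 3600, 0.0)


def measured_uptime(outages, year, month):
    """Uptime percentage computed from the vendor's own outage list, not from its summary figure."""
    down = sum(outage_hours_in_month(s, e, year, month) for s, e in outages)
    return 100 * (1 - down / hours_in_month(year, month))


def sla_credit_percent(uptime_pct, guarantee=UPTIME_GUARANTEE,
                       step=CREDIT_STEP, credit=CREDIT_PER_STEP):
    """Credit owed, as a percentage of the monthly fee, for whole steps of shortfall."""
    shortfall = guarantee - uptime_pct
    if shortfall <= 0:
        return 0.0
    return int(shortfall / step + 1e-9) * credit  # 1e-9 guards against float rounding at exact steps


def monthly_sla_report(outages, year, month, monthly_fee):
    uptime = measured_uptime(outages, year, month)
    credit_pct = sla_credit_percent(uptime)
    return {
        "uptime_pct": round(uptime, 3),
        "allowed_downtime_hours": round(allowed_downtime_hours(year, month), 2),
        "breached": uptime < UPTIME_GUARANTEE,
        "credit_pct": credit_pct,
        "credit_amount": round(monthly_fee * credit_pct / 100, 2),
    }


# Constructed sample: three outages reported for June 2024 (720 hours in the month).
# The last one runs past midnight into July, so only 4 of its 8 hours count for June.
SAMPLE_OUTAGES = [
    (datetime(2024, 6, 3, 9, 0), datetime(2024, 6, 3, 15, 0)),
    (datetime(2024, 6, 18, 22, 0), datetime(2024, 6, 19, 1, 0)),
    (datetime(2024, 6, 30, 20, 0), datetime(2024, 7, 1, 4, 0)),
]
SAMPLE_MONTHLY_FEE = 6000.0  # constructed figure

if __name__ == "__main__":
    print(monthly_sla_report(SAMPLE_OUTAGES, 2024, 6, SAMPLE_MONTHLY_FEE))
```

With 13 hours of June downtime the measured uptime is about 98.19%, 1.3 points under the guarantee, so two whole 0.5% steps apply and the vendor owes a 2% credit.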
Domain 4: Security & Compliance. Can Patrons Actually Trust You?
The question: What's the vendor doing with patron data? Who can access it? Can you verify they're protecting it? Are they using it to train AI systems without permission?
Patron data is sensitive. For some patrons (undocumented immigrants, domestic violence survivors, LGBTQ+ youth), this data could be dangerous if exposed. The biggest new risk is AI training. Vendors are now quietly adding language that lets them use your patron data to train AI systems: forever, for free, and for vendor profit.
What to evaluate:
- Data encryption and access controls: Demand encryption in transit (HTTPS) and at rest. Ask: "Who inside your company can access customer data, and what controls prevent unauthorized access?"
- Breach notification: "Vendor shall notify customer within 24 hours of discovering breach, provide details of scope and nature, and cooperate with any required notifications to patrons/regulators." Don't accept "notify in reasonable timeframe."
- Subpoena procedures: "Vendor shall not disclose patron data in response to subpoena without notice to customer. Vendor shall seek to limit disclosure scope." This protects vulnerable patrons.
- Third-party data sharing: Ask: "Do you share patron data with any third parties?" You want a strict list and approval rights.
- AI training restrictions: This is where vendors sneak in predatory language. Demand: "Vendor shall not use Customer Data, including usage patterns, search queries, patron activity logs, to train AI or machine learning models without Customer's prior written consent."
- Audit rights: You should be able to audit vendor compliance through: (a) annual security audit reports (SOC 2 Type II); (b) upon reasonable notice, physical or remote audit; (c) documented AI system testing reports; (d) written certification of compliance.
Domain 5: Equity & Long-Term Fit. Who Gets Left Out?
The question: When you implement this vendor, will service improve for everyone, or only for some people? Will it require cutting services to low-income areas to fund it? Does the system actually work for patrons with disabilities, non-English speakers, or vulnerable populations?
Equity isn't a bonus feature; it's a core mission issue. A vendor that's great for English-speaking patrons but inaccessible for blind patrons, or that works great in wealthy neighborhoods but forces you to cut hours in low-income areas, that vendor is embedding inequality into your service model.
What to evaluate:
- Accessibility compliance (WCAG 2.1 AA): The vendor should demonstrate: tested with screen readers (NVDA, JAWS), fonts adjustable to 48pt+, color contrast tested and adjustable, keyboard navigation for all features, video captioned, PDFs accessible. If the vendor says "we have an accessibility team" but can't show test results, you're not getting WCAG 2.1 AA compliance.
- Language support: What languages does the interface support? Is Spanish support built-in or machine-translated? Ask the vendor to describe their Spanish-language support in Spanish. If they can't, it's probably not native.
- Algorithmic bias and testing: If the system includes AI recommendations or search ranking: Has vendor tested for algorithmic bias? Do results from marginalized communities get deprioritized? Who audits this: just the vendor, or external auditors too?
- Cost impact on service: Does implementing require cutting hours in low-income branches? Eliminating a service? If the cost savings come from cutting service to the patrons most dependent on the library, you haven't actually saved money. You've transferred that cost to the people least able to afford it.
- Pricing structure impact: How is the vendor pricing this? Per-library flat fee? Per-patron? Per-circulation? This matters for equity. Per-circulation pricing might force you to cut hours at branches serving people who need it most.
How to Use Your Risk Score
The evaluation wizard scores vendors on a 45-point scale across these five domains.
Low Risk (15-22 points)
This vendor has manageable risks across all domains. They're financially stable, committed to data protection, invested in accessibility, have reasonable contract terms, and solid support. You can move forward with confidence.
Next steps: Negotiate standard contract terms (auto-renewal outs, price increase caps, SLA penalties). Get the accessibility and AI training language in writing. Set up post-implementation monitoring. Plan quarterly check-ins on SLA compliance.
Moderate Risk (23-35 points)
This vendor has some concerns that need attention before you sign. These aren't deal-breakers, but they're areas where you need to negotiate hard or implement compensatory controls.
Next steps: Identify the highest-risk domain and prioritize negotiation there. Create compensatory controls for risks you can't negotiate away. Set specific expectations for vendor improvement in writing. Build exit optionality into the contract. If you're accepting moderate risk, negotiate harder on the exit clause.
High Risk (36-45 points)
This vendor has significant issues across multiple domains. Before you sign, you need to either get dramatic contract concessions that shift risk back to vendor, or walk away and find a different vendor.
Next steps: Be honest: Is this vendor worth the risk? If they're the only option and have critical features you can't do without, your options are limited. If you must proceed:
- Demand significant contract protection: shorter terms (2 years instead of 5), hard right to exit if conditions aren't met, aggressive SLA penalties, specific fixed remedies
- Negotiate domain-specific protections based on what's risky
- Implement heavy monitoring: monthly vendor performance reviews, quarterly audits, six-month equity impact reviews
Red Flags That Should Stop You
Some contract issues are so predatory they're deal-breakers on their own. Push back hard or walk away:
The AI Training Trap
"Customer grants Vendor a worldwide, non-exclusive, royalty-free license to use, reproduce, and create derivative works from Customer Data for purposes of improving Vendor's services, including but not limited to machine learning and artificial intelligence development."
The vendor wants to use your patron data forever, for free, to train AI systems they'll sell to other customers. This is predatory. Demand instead:
"Vendor shall not use Customer Data, including usage patterns, search queries, patron activity logs, or any data generated by Customer's use of the Service, to train, develop, improve, or create machine learning models, artificial intelligence systems, or derivative products without Customer's prior written consent. Any such use requires a separate written agreement specifying scope, duration, compensation (if any), and audit rights."
The "AI Is Unaccountable" Trap
"Vendor provides AI-powered features on an 'as-is' basis. Vendor makes no warranties regarding accuracy, reliability, or performance of AI-generated content."
You're liable if the AI screws up. Demand instead:
"Vendor shall be liable for damages arising from AI features that: (a) produce outputs that violate applicable law, (b) fail to perform materially as documented, or (c) result from defects in Vendor's AI design, training, or implementation."
The "No Audit Rights" Trap
"Customer agrees not to reverse-engineer, decompile, or attempt to discover the underlying algorithms, models, or training data used in Vendor's AI features."
You can't audit whether the AI is biased or compliant with regulations. Demand instead:
"Customer has the right to: (a) receive annual reports on AI system performance, bias testing results, and training data sources; (b) request third-party audit reports (SOC 2, ISO 27001) that include AI systems; and (c) audit Vendor's compliance with this Agreement's AI provisions."
The "We're Not Liable" Trap
"Vendor's indemnification obligations under Section [X] do not apply to any claims arising from or related to use of AI-powered features."
If someone sues because of vendor's AI, vendor won't defend you. Demand instead:
"Vendor shall defend, indemnify, and hold harmless Customer from any claims, damages, or liabilities arising from: (a) AI outputs that infringe third-party intellectual property rights; (b) AI outputs that violate applicable privacy laws; (c) defects in Vendor's AI design or implementation; or (d) Vendor's failure to disclose known AI limitations."
Case Study: How Equity Impact Hides in Spreadsheets
A 15-branch public library system is evaluating a new discovery system. The vendor is $80K cheaper annually. On paper, this looks like a win. But the migration requires 3 months of heavy IT staff time. The budget office can't fund both the vendor fees and keep current staffing, so they decide: fund migration by cutting 2 FTE reference positions. Which branches get hit? The three serving the lowest-income neighborhoods: 80% non-English speakers, 45% household income under $35K, significant unhoused community.
The logic was: "These branches have the lowest circulation, so cutting there has the smallest percentage impact." But the real impact was on the populations most dependent on librarian help navigating systems, immigration processes, and language support. Reference desk hours dropped from 45 to 30 hours/week. This was supposed to be temporary. It's now year 3 and hours haven't been restored. Circulation at these branches actually dropped by 12%, because patrons shifted to under-staffed phone reference.
The lesson: When evaluating vendors, always ask: "Whose services are being cut to fund this decision?" If the answer is "branches in low-income neighborhoods," you haven't actually saved money. You've transferred cost to the people least able to bear it. That's a mission failure, regardless of vendor quality.
When to Call a Consultant
You can evaluate most vendors yourself. But there are moments when outside help is worth the investment:
- Get legal review for: Enterprise vendor contracts, any contract with AI training language, consortium negotiations, high-value contracts (if vendor cost exceeds $500K over contract term, legal review costs $2K-5K and often saves tens of thousands)
- Get equity impact assessment from: Someone with accessibility expertise if you serve blind/low-vision patrons, someone with experience in diverse communities, external equity auditor
- Get technical review for: Open-source implementations, complex integrations, security-critical systems
- Get negotiation support for: First time negotiating with enterprise vendors, consortium negotiations, any contract where you're facing power imbalance
The investment in consulting ($2K-10K) usually saves you hundreds of thousands in contract negotiations or prevents catastrophic implementation failures.
Your Next Steps
Getting started with vendor evaluation requires intention. Run the wizard above to get a risk score for your current or prospective vendor. Download the Evaluation Matrix to compare multiple vendors objectively. Review the Red Flag Guide before your next contract conversation. Use the Negotiation Checklist when the contract arrives. If you're uncertain, that's what experienced consultants are for. This framework exists because vendor decisions are too important to leave to chance. Your community is depending on you to choose vendors that serve them, not vendors that extract value from them.
Download Templates
These downloadable templates give you structured frameworks for evaluation, negotiation, and assessment. Each is designed to be filled in by your team and can be shared with board committees or used in vendor conversations.
Vendor Evaluation Matrix
Score vendors across 20+ criteria including functionality, cost, contract terms, security, and support quality. Compare multiple vendors side-by-side to identify strengths and weaknesses objectively.
Get Template (Google Sheets)
Contract Negotiation Checklist
Line-by-line checklist of contract clauses you should negotiate. Know what to push back on, which terms are non-negotiable, and where vendors typically have flexibility.
Get Template (Google Doc)
RFP Evaluation Form
If you're sending out an RFP, use this form to ensure vendors answer the questions that actually matter instead of marketing fluff. Includes scoring guidance for board presentation.
Get Template (Google Doc)
Red Flag Reference Guide
Quick-reference guide to contract language that indicates predatory practices. Explains what each red flag means, why it matters, and what to do about it.
Get Template (Google Doc)
Next Steps
Getting started with vendor evaluation isn't complicated, but it does require intention. Here's what comes next:
- Run the wizard above — Get a quick risk assessment for your current or prospective vendor.
- Download the Evaluation Matrix — If you're comparing multiple vendors, use this to make it objective.
- Review the Red Flag Guide — Before your next contract conversation, know what language to watch for.
- Use the Negotiation Checklist — When the contract arrives, you'll know exactly what to push back on.
- Get consulting support — If you need help reading a specific contract or preparing for vendor conversations, that's what I do.