Buying enterprise software is hard. Vendors are polished. Demos are curated. And the gap between "what it does in a sales presentation" and "what it does on day 90 of your deployment" can be enormous. These ten questions help you cut through the noise and evaluate vendors on the things that actually matter.
1. How does your pricing scale as our team grows?
Per-seat pricing sounds reasonable until you start growing. A platform that charges $150/user/month becomes a $36,000/year line item for a 20-person team — and that number goes up every time you hire, onboard a partner agency, or add a contractor. Ask specifically: "If we add 10 more users next year, what does that cost?" The answer tells you a lot about how vendor incentives align with yours. Flat platform pricing means your vendor grows when you succeed — not just when you add seats.
2. Who manages hosting, updates, and backups?
"We install it on your servers" sounds like flexibility. In practice, it means you're responsible for OS patching, application updates, backup monitoring, and incident response — either with your own IT team or an additional managed services contract. Ask vendors to be explicit: what do they manage, and what falls on you? A truly managed SaaS platform removes that operational burden entirely and is usually the lower total-cost option once you account for IT overhead.
3. Can you show me the audit trail for a single record?
Every vendor will tell you they have audit logging. Ask them to show you — live, without advance preparation. Pull up a record and ask: "Who last viewed this? When was it modified? What changed?" If the answer is a blank stare or a "we'll need to run a report for that," the audit trail isn't what they described. In regulatory and legal environments, immutable, per-record audit history isn't a nice-to-have. It's a requirement.
4. What does deployment and onboarding actually look like?
"We'll send you setup documentation" is not onboarding. Ask for a specific timeline: what happens in week one, week two, week four? Who is your point of contact? How is your data migrated from your current system? What training is included, and in what format? Software deployments fail most often not because of technology, but because the vendor handed off too early and the client was left to figure things out alone. White-glove onboarding with a defined timeline and dedicated support contact is what you should insist on.
5. How configurable is it — and who does the configuring?
"Highly configurable" is one of the most overused phrases in enterprise software. Ask the follow-up: "Who configures it — your team, or ours, and how long does a change take?" Some platforms require a developer to change a field label. Others let your administrator do it in two minutes from a UI. For medicolegal operations especially, where terminology, workflow stages, and field requirements vary by jurisdiction, admin-level configurability isn't a luxury — it's a prerequisite for successful adoption.
6. What compliance frameworks do you support, and can you prove it?
HIPAA, CJIS, NIST CSF — these terms appear in almost every vendor deck. Ask for documentation: a security whitepaper, a controls matrix, a third-party assessment, or a CSA STAR registration. If a vendor can only say "we're compliant" without showing you the evidence, that claim deserves skepticism. Good security posture is documented, audited, and publicly verifiable. Anything less is marketing copy.
7. What does your disaster recovery plan look like?
Ask for the RPO (recovery point objective) and RTO (recovery time objective) — the maximum acceptable data loss and downtime in a failure event. Then ask: "When did you last test it?" A disaster recovery plan that has never been tested is a plan that may not work when you need it. Geographic redundancy, off-site backups, and documented restore procedures should be standard, not premium add-ons.
8. How do you handle our data if we leave?
This question makes vendors uncomfortable, which is exactly why you should ask it. Can you export all of your data, in a usable format, at any time? Is there a cost to do so? What happens to your data after your contract ends — and how long does the vendor retain it? Data portability is the difference between a vendor relationship and a vendor dependency. You should own your records, full stop.
9. How active is your development roadmap, and how do I influence it?
A platform that hasn't had a meaningful update in eighteen months is a platform in slow decline. Ask to see recent release notes and the public roadmap. Ask how customer feature requests are handled — is there a process, or does "we'll look into it" mean it disappears? Active development, a versioned changelog, and a documented process for customer input are signs of a vendor that's actually investing in the product you're buying.
10. Can I talk to a current customer in a similar operation?
References are table stakes — but ask for one that matches your situation: similar team size, similar operational context, similar regulatory environment. A reference from a county coroner's office matters more to another coroner than a generic "enterprise government" reference. If a vendor can't produce one, ask why. Sometimes the honest answer is "we're newer to this market" — which is fine to admit. What's not fine is a vendor who can't produce any verifiable customer validation at all.
Use These as a Scorecard
Run every vendor through the same ten questions. Score them. The gaps become obvious quickly. Vendors who answer confidently, with documentation and specifics, are the ones worth your time in a second round. Vendors who deflect, generalize, or promise to "follow up with more detail" are telling you something important about how your support experience will go post-signature.
We're happy to be evaluated against this list. Below are a few places to start if you'd like to pressure-test Zeph against any of these questions.
Ask Us These Questions Directly
We don't do scripted demos. Tell us what you're evaluating, what your office needs, and what concerns you most — and we'll show you the specific answers to whatever questions matter most to your team.