Why CFOs need their own procurement framework
The default 2026 productivity-software buy goes like this. HR shortlists three vendors after reading a buyer guide. IT runs a 30-minute security review. The CFO signs the contract on the recommendation. The contract has a 3-year auto-renew, a USD-denominated price that creeps 8% per year, and no documented data-export clause. Three years later, the buyer realizes the platform is producing per-employee scores that the manager cannot defend in appraisal conversations, the team has built workflows around the platform that make migration painful, and the renewal conversation is happening at 1.27x the original list price.
That outcome is what the 18-question checklist below exists to prevent. The questions are designed to be vendor-agnostic — they work the same way against any platform in the AI workforce analytics or productivity intelligence category — and they map to the four categories where CFO-level risk concentrates: architecture (will this break), compliance (will this expose us), pricing (will this scale on TCO), implementation (will this deploy).
Category 1: Architecture (5 questions)
Q1 — What is the deployment model?
Cloud-only, hybrid, or on-prem. Cloud-only is fastest to deploy and lowest TCO; hybrid and on-prem are required for some EU and India-government buyers. Ask the vendor for the deployment model in writing and the percentage of their customer base on each. Vendors below 80% cloud-only are usually services companies disguised as SaaS.
Q2 — What is the desktop agent footprint?
RAM, CPU, network bandwidth. A modern agent should sit under 150 MB RAM, under 3% sustained CPU, and under 10 MB/hour network. Anything above 500 MB RAM is a heavy agent that will produce IT-helpdesk tickets for the next 12 months. Ask for benchmark numbers in the vendor MSA, not just the marketing site.
Q3 — What integrations are native vs custom?
Slack, GitHub, Jira, calendar (Google/Microsoft), payroll (Keka, Zoho, Razorpay for Indian buyers), SSO/SAML, SCIM. Native integrations ship in 1-2 days. Custom integrations require professional services and add 15-40% to the year-one cost. Ask for the native vs custom split, in writing, before signature.
Q4 — What is the AI model architecture?
On-vendor models, third-party LLM (OpenAI, Anthropic, Google), or hybrid. The question matters for two reasons — explainability (third-party LLMs are harder to audit) and data residency (third-party LLM calls may exit your contracted region). Get the AI architecture documented before signature.
Q5 — What is the platform's update cadence and downtime SLA?
Monthly minor releases and quarterly major releases are the typical 2026 cadence. The downtime SLA should be 99.5% or better; 99.9% is the standard for paid tiers. Anything below 99.5% indicates an operationally immature vendor.
Category 2: Compliance (5 questions)
Q6 — Where is the data physically hosted?
The first compliance question. EU-hosted is now a hard requirement for any EU client work; India-hosted (Mumbai/Hyderabad AWS or Azure) is increasingly required for DPDP Act readiness. Verify data residency in the MSA, not the marketing site. Ask for the specific cloud region and the provider — AWS Mumbai, Azure Hyderabad, GCP Frankfurt — and confirm that no operational metadata transits outside the contracted region.
Q7 — What is the SOC 2 / ISO 27001 / DPDP posture?
SOC 2 Type II under NDA, ISO 27001 certification, DPDP Act readiness checklist (Indian buyers), EU AI Act gap assessment (EU client exposure). Ask for the dated artefacts. A vendor unable to produce a SOC 2 Type II report in 5 business days is signalling either operational immaturity or active audit failures.
Q8 — How does the AI explainability layer work?
The single most-skipped compliance question. EU AI Act Article 14 and GDPR Article 22 both require explainability on automated decision systems. A productivity platform that produces a per-employee score with no per-signal breakdown creates regulatory exposure on appraisal-cycle use. Ask the vendor to show the explainability UI in the demo — a real decomposition (focus density 32%, meeting load 18%, commit cadence 27%, etc.), not just a single aggregate number.
Q9 — What is the breach-notification SLA?
DPDP Act requires 72 hours; GDPR requires 72 hours; most US frameworks accept 5-7 days. Get the breach-notification SLA in writing and confirm the notification covers both confirmed breaches and material incidents (not just confirmed exfiltration).
Q10 — What is the sub-processor list?
Every cloud SaaS vendor uses sub-processors — AWS or Azure for infrastructure, Stripe for billing, third-party LLM for AI, email-delivery providers, observability services. Ask for the full sub-processor list and the country-of-operation of each. Any sub-processor in a non-contracted region is a data-residency violation in waiting. Our CISO question set covers the full sub-processor evaluation methodology.
Category 3: Pricing (4 questions)
Q11 — What is the fully-loaded TCO across 3 years?
List price plus integration setup plus onboarding plus required add-ons (SSO, SCIM, custom dashboards, support tier) plus realistic renewal increment (5-15% per year is standard). Ask the vendor for a 3-year TCO sheet on letterhead; a vendor who refuses or stalls is hiding either an aggressive renewal model or a heavy professional-services dependency.
Q12 — Is there an INR pricing tier?
For Indian buyers, this question alone can change the vendor outcome. USD-priced vendors at SMB scale come in 35-60% above INR-tier vendors when fully loaded. Ask for the INR list price (not just USD with conversion) and confirm there is no currency-fluctuation pass-through clause in the MSA.
Q13 — What is the exit clause and data portability?
The single most-skipped procurement question. 30-day data export in open format (CSV/JSON), retained for 90 days post-termination, no proprietary lock-in. Negotiate this in week one of procurement, not at renewal. A vendor without a clean exit clause is a vendor planning to use switching cost against you at renewal.
Q14 — What is the renewal-increment cap?
5-7% is reasonable; 10-15% is aggressive; uncapped is unacceptable. Negotiate a cap into the MSA at year one. Vendors that resist a renewal cap are signalling that their revenue model depends on uncapped renewal lifts.
Category 4: Implementation (4 questions)
Q15 — What is the realistic setup time?
5-10 days for SMB cloud deployment; 30 days for mid-market with SSO + SCIM + integrations; 60-90 days for enterprise with custom integration work. Anything quoted at 6 months at SMB scale is a disguised custom-services engagement. Ask for setup-time references from three customers of similar size and industry.
Q16 — What does the onboarding playbook look like?
A modern vendor has a documented week-by-week playbook — week 1 agent deployment, week 2 baselining, week 3 dashboard launch, week 4 manager training. If the vendor cannot produce a documented playbook, the onboarding will be ad-hoc and the deployment will overrun by 2-3 weeks. Our pilot framework documents the structure you should expect.
Q17 — What is the employee self-view rollout protocol?
The self-view should launch on the same day as the manager dashboard. If the vendor's playbook ships self-view 6 weeks after the manager dashboard, the rollout is structurally a monitoring deployment, not a productivity intelligence deployment, and employee adoption will fail. Self-view-day-one is the litmus test.
Q18 — What is the customer success and support tier structure?
What is included in the standard tier vs the premium tier — dedicated CSM, response-time SLA, training sessions, quarterly business reviews. Ask the vendor for the support tier matrix in writing. Many vendors price the standard tier aggressively low and require the premium tier (20-40% higher) to get usable customer success.
Vendor red flags table
| Pattern | What it signals | Action |
|---|---|---|
| Screenshots on by default | Compliance-light buyer base, EU AI Act risk | Hard pass for EU client work |
| Single-number productivity score, no decomposition | Explainability gap, GDPR Art. 22 exposure | Hard pass |
| No INR pricing tier | TCO inflation 35-60% for Indian buyers | Negotiate or skip |
| "6-month deployment" at SMB scale | Disguised custom services engagement | Walk |
| No 30-day data export clause | Switching-cost lock-in at renewal | Hard negotiate or walk |
| Uncapped renewal increment | Revenue model depends on renewal lifts | Hard negotiate |
| No employee self-view, or self-view 6+ weeks after manager dashboard | Monitoring deployment, not intelligence deployment | Adoption will fail; walk |
| SOC 2 Type II not producible in 5 days | Operational immaturity or active audit failures | Walk |
| Sub-processor list incomplete or refused | Data-residency violation risk | Hard pass |
The 30-day evaluation playbook
Days 1-5 — vendor longlist and shortlist scorecard
Build the longlist (5-7 vendors), run the 12-criteria scorecard from our AI workforce analytics buyer's guide, narrow to two vendors.
Days 6-20 — pilot on one team
15-25 person team, two weeks of baseline, two weeks of dashboards live, the 18-question checklist run against both vendors in parallel.
Days 21-25 — CISO and HR review
Sub-processor list audit, DPIA review, data-residency confirmation in writing, employee-council notification (EU) or worker-consent flow (India), HR appraisal-cycle integration review.
Days 26-30 — contract negotiation
Renewal-increment cap, exit clause, INR pricing tier, fully-loaded TCO sign-off. Sign the MSA, expand to the next two teams in week 5.
Free: CISO Procurement Checklist for AI Productivity Vendors
10 questions every CISO and IT-services CEO should ask before signing — data residency, DPIA, AI auditability, breach SLA, retention, SCIM/SSO, sub-processors, right to audit. Includes scoring rubric and pass / hold / walk thresholds.
Free: Productivity ROI Calculator
Calculate the 3-year fully-loaded TCO and projected ROI for any productivity software platform. Includes integration cost, renewal increment, INR vs USD pricing comparison, and per-team throughput delta inputs.
Frequently asked questions
Why should a CFO be involved in productivity software procurement?
Because productivity software is now a multi-stakeholder buy — HR owns adoption, IT owns deployment, the CISO owns compliance, but the CFO owns the contract value and the TCO. A USD 10/user/mo vendor at 200 users is USD 24K/year, which is a CFO-level signature in most Indian and APAC SMB structures. The CFO also owns the question that no other stakeholder owns: is the productivity ROI larger than the total spend, and is the exit clause clean enough to walk if it isn't?
What is the difference between a buyer's guide and a procurement checklist?
A buyer's guide is positioning — which vendor to choose. A procurement checklist is risk management — which questions to ask any vendor before signing. The checklist is vendor-agnostic; it works the same way against gStride, ActivTrak, Hubstaff, or any platform in the category. The point is to surface the structural failure modes (lock-in, hidden costs, compliance gaps, AI explainability gaps) before contract signature, not after.
How long should a procurement evaluation take?
30 days for SMB and mid-market, 60-90 days for enterprise. The 30-day shape covers vendor longlist (5 days), shortlist scorecard (5 days), CISO and HR review (5 days), 30-day pilot on one team (the pilot can run inside the 30-day window because it starts at day 6), and contract negotiation (final 5 days). Anything longer than 60 days at SMB scale usually means the procurement is stuck on either security review or budget approval, not on the vendor evaluation itself.
What is the single most-skipped procurement question?
Question 13 — exit and data portability. Buyers focus on entry (pricing, features, setup time) and forget the exit clause. A productivity platform with no documented 30-day data export in open format (CSV/JSON) creates a 6-12 month switching cost when the buyer eventually wants to leave. Negotiate the exit clause into the MSA in week one of procurement, not at renewal.
What are the top three vendor red flags?
One: screenshots on by default — indicates the vendor is selling to compliance-light buyers. Two: "six-month deployment" quoted at SMB scale — indicates a disguised custom-services engagement. Three: no INR pricing tier for Indian buyers — inflates TCO 35-60%. Any one of these should pull the vendor down the scorecard; two of three should remove them from the shortlist.
Should a CFO ask about AI explainability?
Yes — and most CFOs don't, which is why this checklist puts AI explainability in the Compliance category as Question 8. The EU AI Act Article 14 and GDPR Article 22 both require that automated decision systems explain their outputs. A productivity platform that produces a per-employee score with no per-signal breakdown creates regulatory exposure that the CFO will inherit at audit time. It is a finance-level question, not just an HR-level question.
What is the right size for a pilot?
15-25 people, one team, two weeks of baseline, two weeks of dashboards live. Smaller pilots produce statistically weak deltas; larger pilots stretch into change-management complexity that the pilot is not designed to handle. The pilot is a measurement exercise — it should produce a number you can defend in a contract decision conversation.
How should the CFO compare TCO across vendors with different pricing models?
Normalize to per-user-per-year fully-loaded cost — entry price plus integration setup plus onboarding plus required add-ons (SSO, SCIM, custom dashboards, support tier). USD-priced vendors at SMB scale typically come in 35-60% above INR-tier vendors when fully loaded. The shortlist should compare 3-year TCO, not month-one list price, including the realistic renewal increment (5-15% per year is common).
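A worked 3-year TCO comparison, added here as an illustration and not part of gStride's ROI calculator or any vendor's pricing: it applies the Q11 formula (list price plus add-ons plus one-time setup and onboarding, with the renewal increment compounding at each renewal and the Q14 cap applied where one was negotiated) and normalizes a USD quote and an INR quote to a common currency. All vendor figures, the exchange rate and the 200-user headcount are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorQuote:
    """One vendor's quote, all money in the quote's own currency."""
    name: str
    currency: str                   # "USD" or "INR"
    list_per_user_month: float      # headline list price
    addons_per_user_month: float    # SSO, SCIM, custom dashboards, support tier
    integration_setup: float        # one-time professional-services cost
    onboarding: float               # one-time onboarding cost
    renewal_increment: float        # vendor's stated annual lift, e.g. 0.08 = 8%
    renewal_cap: Optional[float] = None  # cap negotiated into the MSA; None = uncapped


def effective_increment(q: VendorQuote) -> float:
    """The annual lift that actually applies: the MSA cap wins if one was negotiated."""
    if q.renewal_cap is None:
        return q.renewal_increment
    return min(q.renewal_increment, q.renewal_cap)


def three_year_tco(q: VendorQuote, users: int, fx_to_inr: dict, years: int = 3) -> float:
    """Fully-loaded TCO in INR: one-time costs plus per-user fees compounding at the lift."""
    rate = fx_to_inr[q.currency]
    per_user_year = (q.list_per_user_month + q.addons_per_user_month) * 12
    total = q.integration_setup + q.onboarding
    lift = effective_increment(q)
    for year in range(years):  # year 0 at list price; each renewal compounds the lift
        total += per_user_year * users * (1 + lift) ** year
    return total * rate


def per_user_per_year_inr(q: VendorQuote, users: int, fx_to_inr: dict, years: int = 3) -> float:
    """The normalized shortlist figure: fully-loaded INR per user per year."""
    return three_year_tco(q, users, fx_to_inr, years) / users / years


def tco_ratio(a: VendorQuote, b: VendorQuote, users: int, fx_to_inr: dict) -> float:
    """How much more vendor a costs than vendor b over 3 years (1.53 means 53% above)."""
    return three_year_tco(a, users, fx_to_inr) / three_year_tco(b, users, fx_to_inr)


# Constructed sample quotes and exchange rate (not real vendor pricing).
FX = {"USD": 83.0, "INR": 1.0}
USD_VENDOR = VendorQuote("usd-vendor", "USD", 10.0, 3.0, 5_000.0, 2_000.0, 0.08)               # uncapped
INR_VENDOR = VendorQuote("inr-vendor", "INR", 600.0, 150.0, 150_000.0, 50_000.0, 0.10, 0.05)  # capped at 5%

if __name__ == "__main__":
    for q in (USD_VENDOR, INR_VENDOR):
        print(f"{q.name}: 3-year TCO INR {three_year_tco(q, 200, FX):,.0f}, "
              f"per user per year INR {per_user_per_year_inr(q, 200, FX):,.0f}")
    print(f"USD vendor is {tco_ratio(USD_VENDOR, INR_VENDOR, 200, FX):.2f}x the INR vendor")
```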
What documentation should the vendor provide before signature?
Six artefacts at minimum — DPIA (or template), SOC 2 Type II report (under NDA), data residency confirmation in writing, sub-processor list, sample audit log export, and a 30-day data export sample in the buyer's preferred format. A vendor unable to produce these in 5 business days is signalling either operational immaturity or a deliberate friction strategy on compliance buyers.
How does this checklist change for Indian vs US vs EU buyers?
Indian buyers weight India-pricing and DPDP Act readiness higher; EU buyers weight EU AI Act readiness and EU-hosted data residency higher; US buyers weight SOC 2 and HIPAA (where applicable) higher. The 18 questions are the same — the weighting and the acceptable-answer thresholds shift by geography. The CISO-side question set carries the same structure across all three contexts.
Run the 18 questions on a 30-minute call with gStride
Architecture, compliance, pricing, implementation — walked through on a live tenant. INR pricing, no screenshots, 30-day data export clause in the MSA. Bring your CFO question list.
Pricing references are as of 2026-05-19 and reflect publicly-listed vendor pricing pages; mid-market negotiated rates routinely deviate 15-30%. Verify all pricing, sub-processor, and compliance posture on the vendor's site before final decision. Regulatory references (EU AI Act, GDPR, DPDP Act) are informational and should be confirmed with your in-house counsel; this article is not legal advice.
