Skip to content
iGaming Platform Provider
Buyer tool · no form · no data sent

iGaming platform RFP checklist

Use this checklist to turn platform claims into comparable responses, scoped evidence, testable acceptance criteria, complete economics, and enforceable contract schedules. It is designed for buyer diligence—not supplier lead generation.

11 diligence sections68 atomic requirements5 deal gatesLast reviewed July 2026

01 · Eligibility

Five deal gates

A proposal is not eligible merely because its total score looks attractive. Resolve these five questions first.

1
Authorisation is unambiguous
The exact legal entity, product, jurisdiction, credential, operator-of-record role, and remaining buyer approvals are mapped. A group-level or partner credential is not enough.
2
Delivery is testable
The proposed launch is broken into owned milestones, dependencies, acceptance tests, remedies, cutover, and rollback. A headline date without that plan does not pass.
3
Economics are comparable
Every proposal is priced against the same scope and buyer assumptions in downside, baseline, and growth scenarios, including pass-through and exit costs.
4
Control survives the deal
Data access, export, front-end control, IP rights, account ownership, and migration assets are explicit and have been tested where practical.
5
Critical promises are enforceable
Service, security, support, implementation, and exit promises are in named contract schedules with acceptance criteria and remedies—not left in a presentation or sales response.

02 · Process

How to use the checklist

Keep the requirement ID intact from the first supplier response through testing, evaluation, negotiation, and the signed schedule.

  1. Step 1
    Freeze the buyer baseline
    Define the proposed entities, markets, brands, products, launch set, volumes, integrations, operating model, timeline assumptions, and three commercial scenarios before suppliers answer.
  2. Step 2
    Issue one atomic response matrix
    Give every supplier the same requirement IDs and one row per requirement. Do not let a slide deck replace the matrix or combine several commitments into one untestable answer.
  3. Step 3
    Build an evidence room
    Link each answer to dated, scoped evidence. Record demonstrations and tests against agreed scripts, environments, data, expected results, exceptions, and owners.
  4. Step 4
    Resolve gates before scoring
    A strong feature score cannot offset an unclear licence route, untestable delivery, incomparable economics, unusable data export, or a critical promise that will not enter the contract.
  5. Step 5
    Run diligence on the proposed scope
    Test the exact product, entity, jurisdiction, configuration, data path, and service model. Group-level credentials and global catalogue totals do not answer a launch-specific requirement.
  6. Step 6
    Convert the answer into schedules
    Before award, move accepted requirements, exceptions, prices, evidence, tests, responsibilities, remedies, and exit steps into named contract schedules.

03 · Evidence

Response and evidence rules

The supplier should answer what is true for the proposed scope, not restate a general capability or attach an unscoped catalogue.

  • One requirement per row. Split an answer if products, entities, jurisdictions, delivery dates, evidence, costs, or contract positions differ.
  • A bare yes is not a response. Require scope, delivery status, assumptions, dependencies, accountable owner, acceptance test, cost, and exceptions.
  • Use the exact proposed product and legal entity. Evidence about an affiliate, wider group, different module, different market, or previous product version is not a match unless the supplier proves the connection.
  • Keep capability status separate: production-ready, configuration required, contracting or approval required, development, roadmap, or unavailable.
  • Treat roadmap as unavailable for the award decision unless the buyer explicitly accepts the gap and a dated, enforceable delivery commitment is agreed.
  • Label evidence separately from the contract: scoped evidence provided, demo only, contract-only, roadmap, not evidenced, or not answered.
  • A source can evidence a current fact; it does not create a future service promise. Implementation, SLA, support, price, security, data, and exit commitments still need contract language.
  • Retain the response, source file, checked date, demo output, exceptions, evaluation, and final schedule reference under the same requirement ID.

04 · Checklist

The 11 RFP sections

Copy each requirement into one response-matrix row. “Accept when” is the minimum evaluation standard, not suggested supplier wording.

2

Implementation, milestones, dependencies, and acceptance

Turn a launch estimate into a scoped delivery plan that the buyer can test, govern, and remedy.

Section gate: Do not approve an unsupported headline launch date.
  1. IM-01Gate

    Define the implementation baseline: products, markets, brands, channels, environments, integrations, data migration, custom work, and exclusions.

    Accept when: The delivery plan and price use the same baseline, and every excluded item has an owner or later decision point.

  2. IM-02Gate

    Provide a milestone plan with deliverables, entry criteria, owners, dependencies, dates, and buyer decision deadlines.

    Accept when: The plan identifies the critical path and separates supplier work from buyer, regulator, content, payment, and other third-party work.

  3. IM-03Must

    Include licensing, payments, game or sportsbook approvals, front end, data migration, security review, testing, training, and operational readiness in the critical path.

    Accept when: No launch-critical dependency sits outside the integrated plan merely because another party owns it.

  4. IM-04Gate

    Define objective acceptance criteria, test data, evidence, defect severity, retest rules, and acceptance authority for each deliverable.

    Accept when: Payment is tied to accepted deliverables where appropriate, and silence or production use does not create accidental acceptance.

  5. IM-05Must

    State the re-planning, cure, fee, service-credit, and termination consequences for supplier-caused delay or failed acceptance.

    Accept when: The contract distinguishes supplier delay, buyer delay, dependency delay, and mutually agreed change, with evidence and notice rules.

  6. IM-06Must

    Document pilot, migration rehearsal, cutover, rollback, go/no-go authority, hypercare, and transition into business-as-usual support.

    Accept when: Named people own each decision, rollback is practical, and open defects have an agreed treatment before launch.

Evidence pack

  • Integrated project plan and responsibility matrix
  • Acceptance-test plan and example acceptance certificate
  • Environment, migration, cutover, rollback, and hypercare runbooks
  • Redacted delivery history for projects comparable in scope, with assumptions stated
3

Pricing, total cost, and pass-through fees

Compare complete economics against one scope instead of comparing unlike headline rates.

Section gate: No commercial ranking until all proposals have been modelled on the same assumptions and three scenarios.
  1. PR-01Gate

    Itemise setup, configuration, custom development, integrations, migration, platform, hosting, minimums, revenue share, usage, third-party, support, and exit charges.

    Accept when: Every charge has a unit, trigger, frequency, currency, tax treatment, responsible entity, and included volume or service level.

  2. PR-02Gate

    Define every commercial measure, including the revenue base, deductions, netting, reporting source, dispute process, and invoice timing.

    Accept when: The buyer can independently reproduce a sample invoice from operational data and the contractual definitions.

  3. PR-03Must

    Disclose pass-through costs, supplier mark-ups, rebates, credits, foreign-exchange rules, taxes, minimums, and third-party price-change exposure.

    Accept when: The contract states which changes can be passed through, what evidence is supplied, and whether the buyer receives corresponding rebates or credits.

  4. PR-04Gate

    Price downside, baseline, and growth scenarios using the buyer's stated brands, markets, modules, volumes, payment mix, support, and term.

    Accept when: The same workbook and assumptions are used for every supplier, with one-off, recurring, variable, and contingent costs separated.

  5. PR-05Must

    State out-of-scope rates, change-control pricing, indexation, tier resets, ramp periods, minimum-commitment treatment, and audit rights.

    Accept when: No material price adjustment can be applied without a defined formula, evidence, notice, and buyer remedy.

  6. PR-06Must

    Include termination, parallel run, data export, migration assistance, knowledge transfer, account transfer, and deletion charges.

    Accept when: Exit costs are priced or capped before signature and feed the same total-cost model as implementation and operation.

Evidence pack

  • Completed pricing workbook with all assumptions unlocked and visible
  • Draft order form, fee schedule, and revenue or usage definitions
  • Sample invoice and reconciliation file
  • Third-party quotes or rate cards supporting material pass-through charges
4

SLA measurement, exclusions, remedies, and service history

Separate advertised availability from a measurable contractual commitment and observed operating evidence.

Section gate: An uptime percentage without component scope, formula, exclusions, reporting, and remedy does not pass.
  1. SL-01Gate

    Define each measured component, service boundary, formula, data source, measurement interval, reporting owner, and dispute process.

    Accept when: The measure covers the buyer-critical journey and cannot be satisfied while a material dependent component is unavailable.

  2. SL-02Must

    State service windows, maintenance allowances, exclusions, force-majeure treatment, third-party dependencies, and degraded-service rules.

    Accept when: Exclusions are narrow, evidenced, time-bounded, and do not remove failures that the supplier can control or mitigate.

  3. SL-03Gate

    Define severity by user and business impact, with acknowledgement, update, workaround, restoration, resolution, and root-cause targets.

    Accept when: Severity cannot be unilaterally downgraded without evidence and the response clock is clear across support hours and time zones.

  4. SL-04Must

    Set recovery point and recovery time objectives for each critical service, plus backup, failover, restoration, and disaster-recovery test obligations.

    Accept when: The objectives match the architecture and the supplier supplies dated test results, findings, remediation, and next-test dates.

  5. SL-05Gate

    Set credits, fee-at-risk, cure plans, escalation, and termination rights for missed targets, repeated breach, or a material incident.

    Accept when: Remedies are claimable from supplier reporting, are not the sole remedy for severe failures, and address patterns as well as single months.

  6. SL-06Must

    Provide a defined-period service history: measured results, severity-one and severity-two incidents, impact, cause, restoration, and corrective actions.

    Accept when: Advertised, proposed contractual, and observed measures are labelled separately and use comparable component definitions.

Evidence pack

  • Draft SLA with formula, exclusions, severity matrix, reporting, and remedies
  • Redacted monthly service reports and raw measurement examples
  • Incident register, representative post-incident reviews, and corrective-action closure evidence
  • Backup restoration, failover, and disaster-recovery test reports
5

Player data, controller roles, access, and export

Make lawful roles, operational access, permitted uses, portability, and post-exit handling explicit.

Section gate: Do not select a platform until the buyer has proved that a complete, usable export can be obtained and reconciled.
  1. DT-01Gate

    Map controller, joint-controller, and processor roles by data flow, purpose, legal entity, product, and jurisdiction.

    Accept when: The data terms match the actual operating model, player terms, integrations, support access, and regulatory responsibilities.

  2. DT-02Gate

    Define permitted and prohibited supplier uses of player, transaction, behavioural, support, derived, aggregated, and model-training data.

    Accept when: Use is limited to agreed purposes; sale, cross-client activation, marketing, and training use require explicit treatment rather than silence.

  3. DT-03Must

    Document residency, transfers, retention, legal holds, deletion, backups, subprocessors, and access locations for every material dataset.

    Accept when: Requirements are mapped to the proposed hosting and support model and changes follow contractual notice and control procedures.

  4. DT-04Must

    Specify buyer access to player, wallet, ledger, bet, game, payment, bonus, consent, KYC, AML, safer-gambling, support, and audit records.

    Accept when: APIs, streams, reports, audit logs, latency, history, rate limits, schemas, environments, and access costs are stated per record type.

  5. DT-05Gate

    Define full and incremental export content, format, schema, identifiers, frequency, encryption, delivery method, validation, and cost.

    Accept when: The export supports reconciliation and migration without relying on undocumented supplier transformation or manual reconstruction.

  6. DT-06Gate

    Run a representative test export and reconciliation before signature, then repeat it on a contractual schedule and before exit.

    Accept when: The buyer receives the test files, schema, reconciliation result, exceptions, remediation plan, and repeat-test right.

Evidence pack

  • Data-flow map, role matrix, processing terms, and records of processing
  • Data dictionary, API or stream documentation, and representative audit logs
  • Sample full and incremental export plus reconciliation report
  • Retention, deletion, backup, residency, transfer, and subprocessor schedules
6

Front-end, integration, and IP rights

Separate supplier technology from buyer assets and secure the practical controls needed to operate, change, and leave.

Section gate: Do not rely on words such as custom, headless, owned, or open API without a deliverable-and-rights map.
  1. IP-01Gate

    Classify supplier background technology, buyer materials, custom code, configuration, adapters, content, design, data, and documentation.

    Accept when: Ownership, licence scope, territory, duration, transfer, modification, sublicensing, and post-termination use are stated for each class.

  2. IP-02Gate

    Assign control of source repositories, build and deployment pipelines, domains, certificates, app-store accounts, analytics, tags, cloud accounts, and secrets.

    Accept when: The buyer has the access needed for its operating model and a documented transfer or continuity path for supplier-controlled accounts.

  3. IP-03Must

    Define delivery, documentation, support, reuse, maintenance, escrow, and continuity rights for custom work and buyer-funded integrations.

    Accept when: The rights support the buyer's intended operation and exit; any supplier reuse or third-party restriction is explicit and priced.

  4. IP-04Must

    Document API coverage, authentication, environments, limits, service levels, versioning, deprecation, backward compatibility, and change notice.

    Accept when: Critical integrations can be built and maintained against stable documentation, with enough notice and support to adopt breaking changes.

  5. IP-05Must

    List every integration, adapter, configuration set, theme, rule, report, and operational document needed to run or migrate the service.

    Accept when: The responsibility and portability of each asset are assigned; no critical asset exists only in an individual or supplier-controlled workspace.

  6. IP-06Should

    Define product-roadmap governance, custom-change control, security patches, regression testing, and compatibility of custom work with upgrades.

    Accept when: The buyer can assess the cost and operational impact of a change before approval and is protected from avoidable customisation dead ends.

Evidence pack

  • Architecture, asset-control, and IP classification diagrams
  • Repository, deployment, account, domain, and certificate access matrix
  • API specification, change log, versioning policy, and sandbox access
  • Draft IP, licence, custom-development, escrow, and change-control schedules
7

Security, audit, subprocessors, and hosting

Validate the controls and infrastructure that apply to the proposed service—not a group-wide badge without scope.

Section gate: Security evidence must name the relevant entity, product, systems, locations, period, exclusions, and unresolved findings.
  1. SC-01Gate

    Provide current independent audit or certification reports with entity, service, system, location, period, exclusions, exceptions, and remediation scope.

    Accept when: Coverage maps to the proposed service and material exceptions have owners, deadlines, compensating controls, and closure evidence.

  2. SC-02Must

    Provide recent penetration-test scope and results for relevant applications, APIs, infrastructure, and tenant boundaries, plus remediation status.

    Accept when: Testing is independent, critical paths are in scope, material findings are retested, and residual risk is disclosed.

  3. SC-03Must

    Describe identity, privileged access, multifactor authentication, least privilege, segregation, joiner-mover-leaver, logging, and review controls.

    Accept when: Supplier, buyer, support, and emergency access are separated and produce retained, buyer-accessible audit evidence where required.

  4. SC-04Must

    Describe encryption in transit and at rest, key ownership and rotation, secrets management, backups, immutability, and restoration controls.

    Accept when: Algorithms, key boundaries, access, rotation, backup scope, retention, and restore testing match the proposed architecture.

  5. SC-05Gate

    Define security-incident detection, severity, notice, updates, evidence preservation, regulator and player support, forensics, and post-incident review.

    Accept when: Notification starts from a clear trigger, is time-bounded, and gives the buyer the information and cooperation needed to meet its obligations.

  6. SC-06Gate

    Map hosting regions, availability zones, tenant model, dependencies, failover, backup, recovery objectives, capacity, and disaster-recovery testing.

    Accept when: The design, SLA, data-location commitments, test evidence, and business-continuity plan describe the same production service.

  7. SC-07Must

    Provide the subprocessor and material technology-supplier register, services, data, locations, assurance, change notice, objection, and replacement process.

    Accept when: The buyer can evaluate changes before they take effect and has a proportionate remedy if an unacceptable dependency cannot be replaced.

Evidence pack

  • Scoped audit, certification, penetration-test, and remediation records
  • Security architecture, access-control, encryption, key, backup, and logging descriptions
  • Incident-response and business-continuity plans plus exercise reports
  • Hosting, data-location, technology-dependency, and subprocessor registers
8

Game, sportsbook, and PSP approvals

Replace catalogue totals with an executable launch matrix for the exact brand, market, entity, and commercial setup.

Section gate: A global game, event, integration, or payment count is not evidence that an item can launch in the target setup.
  1. PA-01Gate

    Build a launch matrix by market, legal entity, brand, product, supplier, credential or approval, status, owner, dependency, cost, and target date.

    Accept when: Every launch-critical row is either ready with scoped evidence or has an owned approval and activation path in the implementation plan.

  2. PA-02Gate

    For casino, list required studios and titles by market, permitted entity, certification or approval, RTP or configuration, device, restriction, and commercial route.

    Accept when: The proposed launch set—not the supplier's global catalogue—is confirmed, priced, approved, and technically available for the target setup.

  3. PA-03Gate

    For sportsbook, define feeds, trading and risk model, markets and event types, integrity controls, settlement and void rules, restrictions, and approvals.

    Accept when: The exact managed or operator-controlled scope, data dependencies, pricing, jurisdictional constraints, and incident responsibilities are documented.

  4. PA-04Gate

    For payments, map PSP, method, acquiring or merchant entity, country, currency, flow, settlement, reserve, chargeback, refund, reporting, and approval status.

    Accept when: Each required deposit and withdrawal flow has confirmed onboarding ownership, technical availability, settlement economics, and operational controls.

  5. PA-05Must

    Assign content, feed, and PSP contracting, certification, onboarding, integration, testing, monitoring, support, invoicing, and replacement responsibilities.

    Accept when: The responsibility schedule and pricing model capture every party needed for the launch and ongoing service.

  6. PA-06Must

    Label each item as production-ready for the proposed scope, requiring configuration, requiring contracting or approval, in development, roadmap, or unavailable.

    Accept when: Roadmap and unapproved items are treated as unavailable for the award decision unless the buyer explicitly accepts that gap.

Evidence pack

  • Market-by-entity launch matrix with dated approval evidence
  • Exact title, studio, feed, event, and PSP availability extracts for the proposed scope
  • Sample content, trading, settlement, payment, and reconciliation reports
  • Draft third-party responsibility, commercial, approval, and replacement schedules
9

Support, escalation, and operating governance

Define how the buyer, supplier, and third parties will operate the service from launch through incidents and change.

Section gate: Support is not 24/7 merely because a contact channel is open; roles, authority, response, and escalation must be explicit.
  1. SU-01Gate

    State support hours, time zones, languages, channels, response coverage, monitoring coverage, and any after-hours restrictions by service tier.

    Accept when: The proposed tier covers the buyer's operating hours and critical services without relying on unpriced or undefined escalation.

  2. SU-02Gate

    Assign L1, L2, and L3 responsibilities across buyer, supplier, content, payment, data, hosting, and other third parties.

    Accept when: A single operating matrix defines intake, diagnosis, ownership, hand-off, communication, workaround, resolution, and closure.

  3. SU-03Must

    Provide severity, escalation, duty-manager, executive escalation, regulator-support, and emergency-change paths with named roles and authority.

    Accept when: Contacts are maintained, tested, and empowered to make time-critical decisions; escalation does not reset the service clock.

  4. SU-04Must

    Define monitoring, alerting, ticketing, status communication, incident, problem, release, change, and maintenance processes.

    Accept when: The buyer receives timely operational visibility and can audit ticket, incident, change, and service-performance records.

  5. SU-05Must

    Scope implementation support, launch hypercare, training, runbooks, knowledge transfer, service transition, and refresher training.

    Accept when: Deliverables, audiences, timing, acceptance, materials, recordings, environments, and extra charges are stated.

  6. SU-06Should

    Define service reviews, roadmap and capacity governance, risk and action logs, change prioritisation, and standard versus premium account-management scope.

    Accept when: Meeting cadence, participants, inputs, decisions, records, and pricing match the level of governance assumed in the proposal.

Evidence pack

  • Support handbook, service catalogue, tier comparison, and escalation matrix
  • Cross-party operating and responsibility model
  • Sample ticket, incident, change, maintenance, and service-review reports
  • Hypercare, training, knowledge-transfer, and governance plans
10

Term, renewal, minimums, and exclusivity

Expose lock-in, timing, volume, price, scope, and suspension mechanics before commercial award.

Section gate: The buyer must be able to model when obligations start, change, renew, and end under every scenario.
  1. CT-01Gate

    Define signature, effective, implementation, acceptance, launch, billing, minimum-commitment, initial-term, renewal, and expiry dates.

    Accept when: No fee, minimum, renewal, or notice period starts from an ambiguous event or before the corresponding service is accepted.

  2. CT-02Must

    State ramp periods, minimum fees or volumes, tiers, shortfall treatment, carry-forward, credits, true-ups, and consequences of market delay.

    Accept when: Downside, delayed-launch, baseline, and growth outcomes can be reproduced in the commercial model.

  3. CT-03Gate

    Set renewal mechanics, notice windows, price review, indexation, currency, foreign-exchange, tax, third-party change, and rejection or termination rights.

    Accept when: Dates and formulas are explicit, reminders are operationally manageable, and material changes give the buyer a proportionate remedy.

  4. CT-04Gate

    Define exclusivity by product, module, content, payment method, jurisdiction, channel, brand, entity, duration, performance condition, and exception.

    Accept when: There is no implied group-wide or future-market restriction, and failure to perform releases the affected exclusivity.

  5. CT-05Must

    Define assignment, change of control, subcontracting, affiliate use, novation, divestment, new-brand, and new-jurisdiction rights.

    Accept when: The contract supports foreseeable corporate and operating changes without unpriced consent leverage or accidental termination.

  6. CT-06Gate

    Limit suspension rights by trigger, affected service, notice, cure, proportionality, regulatory need, player protection, data access, and continuity.

    Accept when: Suspension is no broader or longer than necessary and preserves access needed to protect players, reconcile funds, and comply with obligations.

Evidence pack

  • Term sheet and draft order form with a single date and notice table
  • Scenario model for ramp, minimums, renewals, delayed launch, and price change
  • Exact exclusivity, assignment, affiliate, and change-of-control drafting
  • Suspension process and continuity protections
11

Termination, migration, data access, and continuity

Design the exit while both parties still want the deal, then test whether it is operationally credible.

Section gate: Do not sign without a costed, timed, tested path to protect players, obtain data and assets, and continue or wind down service.
  1. EX-01Gate

    Define termination rights, triggers, notice, cure, insolvency, regulatory failure, security event, repeated SLA breach, illegality, and force-majeure longstop.

    Accept when: Critical failures create usable rights and the buyer is not forced to remain solely because migration is operationally impossible.

  2. EX-02Must

    State fees, refunds, prepaid amounts, minimums, work in progress, disputes, player balances, reserves, settlements, and in-flight transactions on exit.

    Accept when: Financial treatment is defined for normal expiry, buyer convenience, supplier breach, regulatory exit, and insolvency scenarios.

  3. EX-03Gate

    Set transition period, service levels, change limits, parallel run, migration support, knowledge transfer, named resources, rates, and cooperation with a successor.

    Accept when: The period and resource commitment match a realistic migration plan and cannot be withheld because the supplier is being replaced.

  4. EX-04Gate

    Define full and incremental exports, schemas, identifiers, history, media, documents, audit records, delivery timing, encryption, validation, and reconciliation.

    Accept when: The buyer can run parallel validation, correct exceptions, and receive final deltas before service and access end.

  5. EX-05Gate

    List code, configuration, domains, certificates, accounts, credentials, content, integrations, reports, runbooks, and other assets to transfer or continue.

    Accept when: Each asset has an owner, transfer mechanism, dependency, delivery format, date, cost, and fallback if direct transfer is impossible.

  6. EX-06Must

    Define post-exit access, retention, legal hold, return, deletion, backup expiry, deletion certificate, audit, confidentiality, and residual licences.

    Accept when: The schedule preserves required records and access while creating a verifiable end state for data and supplier rights.

  7. EX-07Gate

    Run a tabletop exit before signature using a named scenario, successor, timeline, data set, asset list, responsibilities, and continuity constraints.

    Accept when: Gaps become contract actions with owners and dates; the exit schedule is updated before award rather than deferred to termination.

Evidence pack

  • Draft termination, exit, migration, assistance, and continuity schedule
  • Representative full and incremental exports plus reconciliation results
  • Transferable asset, account, credential, integration, and documentation register
  • Tabletop-exit record, risk log, remediation actions, and costed transition plan

05 · Contract

Contract schedule pack

The final pack may use different names, but every accepted decision-critical answer needs a clear contractual destination. Avoid leaving proposal documents to compete with the signed terms.

Schedule 1
Entity, licence, and scope schedule
Contracting and supplying entities; operator roles; products, brands, markets, credentials, approvals, exclusions, and prerequisites.
Schedule 2
Responsibility schedule
Buyer, supplier, affiliate, regulator, content, payment, hosting, and other third-party ownership across implementation and operation.
Schedule 3
Implementation and acceptance schedule
Baseline, milestones, dependencies, environments, migration, tests, acceptance, delay, cutover, rollback, and hypercare.
Schedule 4
Complete pricing schedule
One-off, recurring, variable, minimum, revenue-share, pass-through, support, change, indexation, audit, and exit charges with definitions.
Schedule 5
SLA, support, and incident schedule
Measured components, formula, exclusions, service levels, severity, response, recovery, reporting, credits, breach, support, and governance.
Schedule 6
Data, security, hosting, and subprocessor schedule
Roles, permitted use, access, export, retention, deletion, security controls, incidents, locations, recovery, audits, and dependencies.
Schedule 7
IP, API, and change-control schedule
Asset classes, ownership and licences, repositories and accounts, custom work, API coverage and versioning, releases, and change pricing.
Schedule 8
Termination, export, migration, and continuity schedule
Triggers, cure, transition service, costs, data and asset delivery, parallel run, successor cooperation, deletion, and tested continuity.

06 · Matrix

Response-matrix columns

Use these columns for each requirement. Keep facts, delivery status, evidence, cost, contract status, and the buyer decision separate so an attractive answer cannot hide an unresolved gap.

Recommended supplier response-matrix columns and entry standards
#ColumnEntry standard
1IDKeep the checklist ID unchanged across response, evidence, evaluation, and contract.
2PriorityGate, Must, or Should; the buyer sets priority before responses arrive.
3RequirementOne atomic, testable requirement per row.
4Supplier responseDirect answer with scope and exceptions; not a link-only or yes/no response.
5Delivery statusProduction-ready, configuration, contract or approval needed, development, roadmap, or unavailable.
6Product / moduleExact product, component, version, and delivery model.
7Legal entityEntity making and delivering the commitment.
8JurisdictionExact market or state; use not applicable only with a reason.
9Assumptions / dependenciesBuyer, supplier, regulator, and third-party conditions.
10Supplier ownerAccountable named role for response and delivery.
11AcceptanceObjective test, evidence, environment, timing, and decision owner.
12One-off costSetup, configuration, integration, migration, custom work, and other triggers.
13Recurring / pass-through costPlatform, minimum, share, usage, support, hosting, and third-party cost.
14Evidence statusScoped evidence provided, demo only, contract-only, roadmap, not evidenced, or not answered.
15Evidence / sourceDated file, record, report, demo output, or test result with scope.
16Contract statusNot proposed, draft, agreed, or signed.
17Contract scheduleExact schedule and clause where the commitment will live.
18Buyer decisionPass, conditional pass, gap accepted, remediation required, or reject—with owner and date.

07 · Award

Final decision rule

Eligibility before preference
A provider cannot win on an aggregate feature or price score while a decision gate remains unresolved.
  1. 1Reject or explicitly escalate any unresolved Gate. Do not average it away.
  2. 2Require every Must to be passed, remediated before award, or accepted by a named buyer decision-maker with the risk and consequence recorded.
  3. 3Compare price only after scope, assumptions, delivery status, third-party costs, term, support, and exit treatment are aligned across all three scenarios.
  4. 4Score Should items only among proposals that remain eligible after the Gate and Must review.
  5. 5Treat a sales answer as provisional until its evidence, acceptance test, cost, responsibility, exception, and contract destination reconcile.
  6. 6Select the lowest-risk eligible proposal for the buyer's stated operating model—not the proposal with the largest unchecked catalogue or highest feature count.

Continue your diligence

Review our scoring methodology, editorial policy, and commercial disclosure. Use the side-by-side comparison to inspect a shortlist, then return to this buyer-owned matrix for evidence, tests, economics, and contract conversion.