How to Choose a Software Development Company: A 27-Point Checklist

I have been on both sides of this transaction. As a founder hiring a shop. As a shop being hired. As an investor watching portfolio companies sign contracts they did not understand. The pattern: most software project failures are vendor-selection failures, not engineering failures. The wrong shop will fail with any scope. The right shop will adapt to any scope.

This is the checklist I would send to a friend before they signed anything. 27 points, grouped into six categories. If a vendor cannot answer 22 of them clearly inside two calls, they are not the right vendor.

1. Can I see three live URLs of production work shipped in the last 12 months? If they say no, the engagement is not what you think it is. Live URLs only — not screenshots, not "we cannot show you because of NDAs" if they have three NDAs in a row.
2. Can I call one client reference directly? Names, phone numbers, real people. Not just "we have a Slack channel with our clients."
3. Do the GitHub profiles of the senior engineers actually show recent activity? A blank or year-old GitHub for a senior dev is a yellow flag.
4. Can they walk me through one finished project — what changed mid-build, what they learned, what they would do differently? Vague answers here mean they have never actually shipped.
5. What is the one project they took on and regret? Honest answer required. Shops that cannot name one are lying.

6. Who owns the source code on delivery? Answer must be: you do. Period. No "licensed back to client" tricks.
7. What does the kill-fee look like if I exit at week 4? A real shop will quote a percentage of the milestone or a capped early-exit clause. "All money is non-refundable" is a hard no.
8. What IP transfer paperwork is signed and when? Should be at every milestone payment, not just at final delivery.
9. What does the warranty period cover? Typically 30 to 90 days post-launch for bugs in scope-delivered functionality. Should be in writing.
10. Mutual NDA or one-way? Mutual is the only acceptable answer.
11. Who is liable if there is a security breach during testing or deployment? Should be capped and named in the contract.

12. How often will I get a written progress report? Weekly minimum. Show me a sample from a current client (with their permission and identifying details stripped).
13. Who is my single point of contact, and what happens if they go on PTO? Must have a named secondary.
14. What is your async response SLA? Real shops can answer this. "We will get back to you" is not an SLA.
15. What collaboration tools do you default to? If they want to use 4 tools you do not use, you are paying for their preference.
16. How do you handle a scope dispute mid-build? Process must be defined. "We will figure it out" is the wrong answer.

17. How do you store production credentials we share with you? 1Password Business, AWS Secrets Manager, or equivalent. If the answer is a shared spreadsheet or a chat tool, walk.
18. Are all engineers on the project employees with background checks, or subcontractors? Mixed is fine, but you should know.
19. What is the MFA posture across all tooling that touches our code? Hardware key minimum for production access.
20. Is the development infrastructure in your control or ours? Should be either — but the answer should be deliberate, not accidental.
21. Do you run pentests on what you build? Most do not. See our combined dev + pentest model for the version where the answer is yes.

22. Fixed-fee per phase, hourly with a cap, or T&M? Fixed-fee per phase is the right default for product builds. T&M is appropriate for discovery, staff aug, and ongoing maintenance retainers.
23. What triggers a change order? Defined trigger plus a price for re-quoting. "Anything not in the spec" is too broad.
24. What is your payment schedule? Should be milestone-tied, not calendar-tied.
25. Is there a discount for an upfront commitment? Sometimes yes, sometimes no — but the answer should not be "we never discount." Real shops have flexibility.

For pricing model context, see the Stripe cost calculator for billing-side cost modeling, and the published ranges on our custom software and custom CRM service pages.

26. What is the post-launch support model and pricing? Should be either a flat retainer with defined hours or T&M with a notice period. "We will figure it out at the time" is wrong.
27. What does the handoff look like if I bring it in-house? Should include a documented runbook, deployment access transfer, and a handoff call. If any of those are missing, the engagement is going to end badly.

Some answers should end the conversation immediately. These three come up the most.

Deal-killer 1: "We will own the code and license it back to you."

This is a vendor lock-in trap. Walk.

Deal-killer 2: "We do not give references, NDAs prevent it."

Either they have no references they would willingly share or every single client has demanded an unusual gag. The first is a problem. The second is statistically unlikely.

Deal-killer 3: "Our senior engineers do not get on calls — that is what the PM is for."

You are buying engineering, not project management. If the engineers are inaccessible during sales, they will be inaccessible during the build.

I run my own shop through this checklist annually. Here is where we land in 2026.

• Live URLs: published on the case studies page
• Client references: provided on request after the first call
• Senior engineer involvement: I (Bill) write or review every line of production code
• Pricing: fixed-fee per phase, published ranges on the services overview
• Contracts: source code yours from day one, milestone-tied IP transfer, capped early-exit
• Communication: weekly Friday written progress report, daily Slack/email response inside business hours
• Security: we run pentests on what we build, 1Password Business, hardware-key MFA
• Post-launch: 30-day support included, optional retainer thereafter, documented handoff for in-housing

If those line up with what you are looking for, the next step is a scoping call. If they do not, the checklist is yours regardless — use it on whichever shop you do pick.