Vendor evaluation guide
Ask the Questions That Expensive Software Demos Avoid.
Evaluate software against workflows that can fail: offline capture, evidence integrity, access boundaries, approvals, exports and recovery. Require every vendor to prove the same scenarios with the same test data.
Start with a pass-or-stop gate
A long feature score can hide one unacceptable risk. Write the non-negotiable gates first, then compare convenience features only among vendors that pass. A useful gate has an owner, a test, required evidence and a clear failure condition.
- Scope: name the countries, commodities, sites, teams, languages, connectivity conditions and regulated records in scope.
- System responsibilities: record which geology, laboratory, GIS, ERP, identity and document systems must remain authoritative.
- Risk: identify records that must never be silently overwritten, exposed across tenants or lost during a retry.
- Proof: define the export, access-control, offline, recovery and audit demonstrations required before commercial scoring.
- Exit: agree the data, metadata, attachments, audit history, formats, timing, assistance and cost required to leave.
Use one decision checklist for every vendor
Field and workflow fit
- Can a user complete a critical task without connectivity and see what is saved, pending, failed or conflicted?
- Can the vendor replay duplicate submissions and interrupted attachment uploads without producing duplicate evidence?
- Are approvals, corrections and reversals explicit states with responsible actors, timestamps and reasons?
- Can terminology, units, currencies, languages and jurisdiction packs change without creating a customer-specific product fork?
Security, privacy and tenancy
CISA's Secure by Demand guide encourages software customers to make security an explicit procurement demand. NIST's Secure Software Development Framework gives purchasers and suppliers a shared vocabulary for discussing development practices. Convert those principles into evidence requests:
- demonstrate tenant isolation at database, object-storage, queue, cache, search and export boundaries;
- show how privileged support access is approved, time-limited, justified and audited;
- provide the vulnerability-handling, dependency, backup, restoration and incident-notification process;
- map processors, data locations, retention, deletion, legal hold and international transfers for the selected deployment.
Accessibility and adoption
Ask for task-based keyboard, screen-reader, zoom, contrast, error-recovery and mobile tests—not an unsupported accessibility badge. The W3C's WCAG overview explains that conformance depends on testable success criteria. Include representative field users and assistive-technology users in acceptance where possible.
Make the demonstration reproducible
Give each shortlisted vendor a controlled test pack with fictional records. Ask the vendor to import it, work offline, create a conflicting edit, restore connectivity, resolve the conflict, approve a correction, export the complete record and show the audit trail. Record the environment, product version, configuration, participants and result. A slide or roadmap statement is not implementation evidence.
Evidence to retain with the decision
- requirements-to-test matrix and named decision owners;
- demo script, test data, recordings and unresolved exceptions;
- architecture, data-flow, subprocessor and responsibility diagrams;
- commercial schedule, implementation assumptions and change-control rules;
- export sample, restoration proof and contractual exit provisions.
Limitations
This checklist is not a security assessment, legal opinion, geological review or complete RFP. Applicable mining, privacy, employment, records, securities and accessibility duties vary by jurisdiction and use case. Validate requirements with qualified specialists, test the configured product rather than a generic environment, and re-check official sources before issuing procurement documents.
Continue the evaluation
Review how OreLynx connects operational workflows, the trust and evidence questions, and the implementation approach. If you already have a workflow map, use a structured assessment to identify the smallest useful implementation scope.