Start with Data Lineage

The single most important question you can ask a data vendor is: where does this data come from, and how does it get to me? The answer should be specific. "We aggregate from multiple sources" is not an answer. You want to know the original collection mechanism (first-party consent, public records, licensed third-party feeds, web scraping), the update cadence for each source, and how conflicts between sources are resolved when the same record appears with different values.

Ask for a data lineage document or dictionary. Reputable vendors maintain one. It should map each field in the schema back to its source type and note any derived or modeled fields (fields computed rather than observed). Modeled fields are not inherently bad, but you need to know which ones they are so you understand the uncertainty attached to them.

Pay particular attention to how often the vendor re-verifies records rather than simply inheriting stale values from an upstream source. Contact records degrade fast: roughly 25 to 30 percent of B2B contact data becomes outdated each year as people change jobs, companies reorganize, and phone numbers are reassigned. A vendor who cannot tell you their re-verification cadence is likely serving you old data wrapped in a fresh delivery.

Licensing Model Red Flags

Data licensing agreements are where procurement teams routinely get hurt. The main red flags to look for:

  • Seat-based vs. record-based pricing ambiguity. Some contracts price by the number of users who can access the data, others by records consumed. Make sure you know which model applies and whether there are overage penalties if you exceed projected usage.
  • Downstream use restrictions. Many data licenses prohibit using the data to build derived products, train models, or resell to third parties. If any of those use cases are relevant to your business, get explicit written permission before signing. Verbal confirmation from a sales rep is not sufficient.
  • Attribution requirements. Some vendors require you to attribute them in client-facing reports or disclosures. This matters if you are white-labeling insights or building products where the underlying data source is not visible to the end user.
  • Auto-renewal clauses with short cancellation windows. A 30-day cancellation window inside a contract that auto-renews annually can trap you. Negotiate for a 60 to 90-day window and calendar the date the moment you sign.
  • Exclusivity claims. Be skeptical of vendors who claim their data is exclusive. Most identity and firmographic data is sourced from the same small set of upstream providers. Ask directly whether the same underlying records are licensed to competitors.

CCPA/CPRA Compliance Checklist

If your vendor supplies consumer data (even in a B2B context, since many B2B records include personal information about individuals), California privacy law applies. The CCPA and its amendment, the CPRA, impose obligations on both the data vendor and on you as the downstream buyer.

  1. Consent documentation. Ask for evidence that consent was obtained at the point of collection for any record involving a California resident. Reputable vendors can produce representative consent flows or consent audit logs. If they cannot, that is a significant risk indicator.
  2. Opt-out propagation. The vendor should have a process for honoring opt-out and deletion requests and propagating those suppressions to downstream licensees, including you. Ask how quickly opt-outs are reflected in deliveries. "At the next monthly refresh" is too slow for compliance purposes.
  3. Data Processing Agreement (DPA). You should have a signed DPA in place that designates the vendor as a Service Provider or Contractor under CCPA/CPRA, not just a third party. This distinction determines who bears liability for certain processing activities.
  4. Sensitive personal information handling. CPRA created a new category of "sensitive personal information" with stricter handling requirements. Check whether any fields in the dataset (precise geolocation, financial data, health-related signals) fall into this category and whether the vendor's practices address it.
  5. Indemnification scope. Confirm that the vendor's indemnification clause covers regulatory fines and third-party claims arising from their data, not just their direct breach of contract. Data privacy fines can materially exceed the contract value.
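The opt-out propagation item can be checked against the vendor's actual deliveries rather than taken on trust. The following is an added example, not part of the original article: it compares opt-out request dates with later delivery files and reports how long each suppressed record kept appearing. The record IDs, dates, and the 7-day `max_lag_days` threshold are constructed assumptions, not a legal standard.

```python
from datetime import date

# Constructed data: opt-out requests forwarded to the vendor (record id -> request date).
OPT_OUTS = {
    "c-101": date(2024, 3, 1),
    "c-102": date(2024, 3, 10),
    "c-103": date(2024, 3, 20),
}
# Constructed delivery manifests: delivery date -> record ids present in that file.
DELIVERIES = {
    date(2024, 3, 5): {"c-101", "c-102", "c-103", "c-104"},
    date(2024, 3, 15): {"c-102", "c-103", "c-104"},
    date(2024, 4, 5): {"c-103", "c-104"},
}

def propagation_report(opt_outs, deliveries, max_lag_days=7):
    """Measure how long each opted-out record kept appearing in deliveries.

    lag_days is the gap between the opt-out request and the LAST delivery
    that still contained the record; 0 means it never reappeared.
    max_lag_days is an assumed internal threshold, set by your own policy.
    """
    report = {}
    for rid, requested in opt_outs.items():
        # Deliveries made after the request that still include the record.
        late = [d for d, ids in deliveries.items() if d > requested and rid in ids]
        lag = (max(late) - requested).days if late else 0
        report[rid] = {"lag_days": lag, "violation": lag > max_lag_days}
    return report

if __name__ == "__main__":
    for rid, row in propagation_report(OPT_OUTS, DELIVERIES).items():
        print(rid, row)
```
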

SLA and Uptime Guarantees

For vendors delivering data via API, the SLA is a material term, not boilerplate. Scrutinize three specific numbers: the uptime commitment (99.9% sounds good but allows for roughly 8.7 hours of downtime per year), response-time guarantees for real-time lookups, and data freshness SLAs (maximum age of a record at time of delivery).

Ask what happens when the vendor misses an SLA. Credits against future invoices are the most common remedy, but credits often expire quickly and may require you to file a claim within a short window. If the vendor's data feeds into a revenue-generating product, consider whether credits adequately compensate for downstream business impact or whether you need a termination-for-cause clause tied to repeated SLA breaches.

Practical tip: Request the vendor's historical uptime data for the past 12 months. A vendor confident in their infrastructure will share it readily. Hesitation or vague answers here are a warning sign worth noting.

API and Delivery Format Evaluation

Even the cleanest data creates friction if the delivery mechanism does not fit your stack. Before signing, get API documentation and actually read it. Evaluate the following:

  • Authentication model. OAuth 2.0 and API key authentication are both workable, but single-token schemes with no rotation support are a security concern for production integrations.
  • Rate limits and burst behavior. Understand the requests-per-second cap and what happens at the limit: hard rejections, queuing, or automatic throttling. A silent throttle that delays responses by seconds is worse than a clear rate-limit error in many workflows.
  • Schema stability. Ask for the vendor's field deprecation policy. How much notice do they provide before removing or renaming a field? Breaking schema changes with short notice can cause production incidents.
  • Bulk delivery options. For large enrichment jobs, real-time API calls are often impractical. Confirm whether the vendor supports batch file delivery (S3, SFTP, or similar) and whether the batch files are available in your preferred format (JSON, CSV, Parquet).
  • Sandbox environment. A proper sandbox with representative synthetic data is a basic expectation. Vendors who require production credentials to test are asking you to take on risk before you have validated the integration.

Pilot Terms and What to Measure

Always run a pilot before a full commitment. A legitimate vendor will accommodate a 30 to 60-day paid or free trial on a defined subset of records. During the pilot, measure three things rigorously.

First, match rate: what percentage of your input records the vendor can return a result for. A low match rate on a segment you care about is a deal-breaker regardless of quality on matched records.

Second, accuracy: how often the vendor's output agrees with ground truth you already hold. Spot-check phone numbers against known-good contacts, verify employment data against LinkedIn profiles for a sample, and test email deliverability on a subset before sending live campaigns.

Third, freshness: look specifically at records where you know the ground truth has changed recently (a contact who moved companies in the last 90 days, for example) and see whether the vendor's data reflects the change. This stress-tests the re-verification cadence claim.
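The three pilot measurements above can be computed from the same small set of files. The following is an added example, not part of the original article: it scores a vendor's pilot output for match rate per segment, field-level accuracy against ground truth, and freshness on records known to have changed. All record IDs, field names, and values are constructed.

```python
from collections import defaultdict

# Constructed pilot sample: input records sent to the vendor, keyed by our own ID.
INPUTS = {
    "r1": {"segment": "enterprise"}, "r2": {"segment": "enterprise"},
    "r3": {"segment": "smb"}, "r4": {"segment": "smb"}, "r5": {"segment": "smb"},
}
# Constructed vendor output: a missing key means the vendor returned no match.
VENDOR = {
    "r1": {"company": "Acme", "phone": "555-0101"},
    "r2": {"company": "Globex", "phone": "555-0102"},
    "r3": {"company": "Initech", "phone": "555-0199"},
    "r5": {"company": "Umbrella", "phone": "555-0105"},
}
# Constructed ground truth we already hold for some records.
TRUTH = {
    "r1": {"company": "Acme", "phone": "555-0101"},
    "r2": {"company": "Hooli", "phone": "555-0102"},
    "r3": {"company": "Initech", "phone": "555-0103"},
    "r5": {"company": "Umbrella", "phone": "555-0105"},
}
# IDs whose company is known to have changed in the last 90 days.
RECENTLY_CHANGED = {"r2", "r5"}

def pilot_metrics(inputs, vendor, truth, recently_changed, fresh_field="company"):
    """Return match rate per segment, field-level accuracy, and freshness."""
    sent, matched = defaultdict(int), defaultdict(int)
    for rid, rec in inputs.items():
        sent[rec["segment"]] += 1
        matched[rec["segment"]] += rid in vendor
    match_rate = {seg: matched[seg] / sent[seg] for seg in sent}

    # Accuracy: compare only fields where we hold truth for a matched record.
    checked = agree = 0
    for rid, fields in truth.items():
        if rid not in vendor:
            continue
        for name, value in fields.items():
            checked += 1
            agree += vendor[rid].get(name) == value
    accuracy = agree / checked if checked else None

    # Freshness: of matched records that changed recently, the share that
    # carry the new value rather than the stale one.
    recent = [r for r in recently_changed if r in vendor and r in truth]
    fresh = sum(vendor[r].get(fresh_field) == truth[r][fresh_field] for r in recent)
    freshness = fresh / len(recent) if recent else None
    return {"match_rate": match_rate, "accuracy": accuracy, "freshness": freshness}
```

Reporting match rate per segment rather than as one overall figure keeps a weak segment from being hidden by a strong one.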

Reference Checks Worth Making

A vendor's case studies are marketing material. References from real customers are more useful, but only if you ask the right questions. Do not just ask "are you happy with the vendor?" Ask specifically: what has broken, how quickly was it resolved, and has the vendor ever missed a compliance commitment or SLA in a way that affected your operations?

Try to speak with someone in a technical role (data engineer, platform lead) rather than relying exclusively on a business champion who may not be close to day-to-day operational issues. The person who manages the integration sees the problems the account executive does not.

Also check the vendor's public track record: enforcement actions from the FTC or state attorneys general, data breach disclosures, and civil litigation history are all public record. A quick search before signing is basic due diligence that surprisingly few teams do consistently.

If you want a second opinion on a vendor you are currently evaluating, or need help designing a pilot framework for your specific use case, talk to the TechySales team. We work with data buyers and sellers daily and can give you an unvarnished view of how vendors in your category actually perform in production.

