Most SMBs we talk to have been burned at least once by an outsourcing partner. The pattern is consistent: charming sales pitch, fast initial delivery, gradual drift, and one day the lead developer stops answering calls and the client realizes nobody on their side knows where the database is hosted. The good news is that almost every one of those disasters could have been predicted in a single 90-minute pre-signing conversation. The 12 questions below are the ones we use ourselves when we vet a new sub-contractor, and the ones our most sophisticated clients ask us. If a prospective partner cannot answer most of them with specific, concrete details, the right move is to keep shopping.
The Four "Ownership" Questions
1. Whose name is on the domain registrar account? The correct answer is "yours, from day one." Any answer that involves the vendor "holding it for you" is a lock-in pattern.
2. Where will the production database live, and whose credit card pays for it? The correct answer is a hosting account in the client's name, billed to the client. Vendors who insist on hosting "on our infrastructure for convenience" are creating a future hostage.
3. Will we get the source code under a license that allows us to hire anyone we want to maintain it? The correct answer is "yes, plain commercial work-for-hire, no per-seat clauses, no ongoing royalty." Read the contract — these clauses hide in the fine print.
4. What happens to our custom AI prompts, MCP servers, and automation scripts if we terminate? 2026 addendum — this is the new layer. If a partner has built custom AI tooling for you, that tooling is part of your IP. Confirm it in writing.
The Four "Quality and Process" Questions
5. Show me the last bug ticket you closed for an existing client. Not a sales-ready screenshot — an actual ticket from their tracker, with timestamps, comments, and the eventual fix. A vendor who cannot show this in 30 seconds either does not use a tracker (red flag) or does not have a working production client (bigger red flag).
6. What is in your CI pipeline, and can I see a real CI run? In 2026, a competent partner has automated tests, linting, security scanning, and a deployment pipeline you can watch run. If their answer is "we test manually" or "we deploy by SFTP," you are about to live in 2014.
7. How do you review AI-generated code? This question did not exist three years ago. In 2026 it is essential. The right answer involves a human review gate, AI-generated diff disclosure in PRs, and a policy on which model touches your code. "We just trust the AI" is a deal-breaker.
8. What is your incident response playbook for a security event? Ask for a specific recent example. Watch how they describe communication with the client during the incident — silence during incidents is the failure mode that kills relationships.
The Four "Commercial and Continuity" Questions
9. How are you priced — fixed-fee, time-and-materials, or retainer? And why? There is no single correct answer, but there is a wrong answer: a vendor who cannot explain when each model is appropriate. A vendor who only does T&M for everything will let projects sprawl. A vendor who only does fixed-fee will under-scope and renegotiate.
10. If your founder gets hit by a bus tomorrow, what happens to my project? Bluntly worded on purpose. The right answer involves at least two senior engineers familiar with your codebase, documentation that is not in any one person's head, and a clear escalation contact at a parent agency, partner network, or — at minimum — a named successor.
11. What is your client retention rate, and can I talk to a client who left voluntarily? The first half of this question is easy to fluff. The second half — "a client who left voluntarily" — is what tests honesty. A confident partner has a clean answer ("Client X left because they hired in-house, here's their email, ask them") because they manage exits well. A partner who flinches at this question is hiding something.
12. What is the one thing we should not hire you for? A partner who knows their limits — "we are excellent at Laravel + Flutter SMB builds; we do not do high-frequency trading or HIPAA-regulated medical SaaS, hire X for that" — is a partner you can trust with the things they do say yes to. A partner who claims competence in everything is a partner who will deliver mediocrity in most things.
How to Run This Conversation
Send the 12 questions to the prospective vendor 48 hours before the meeting. Vendors that prepare for this conversation tend to be the same vendors that prepare for client meetings in general. The act of preparing forces them to think about the answers seriously; the quality of the prepared answers tells you most of what you need to know.
During the meeting, do not let yourself be charmed past the specifics. If an answer is vague, ask for an example. If they cannot produce an example, that is the answer to the question. Take notes. Compare notes across two or three vendors.
Why We Wrote This
We work in a market where many partners are competent, some are excellent, and a few will silently damage your business for years. The damage usually does not show up while the relationship is going well — it shows up at the exit, when an SMB tries to take their product back and discovers they cannot. The whole point of these 12 questions is to test the exit before you sign the entrance.
If you ask us these 12 questions, we will answer all of them on the spot. If a partner cannot, you have learned something more valuable than the answer would have been.