STD-GOV-127: Vendor Evaluation Framework
| Field | Value |
|---|---|
| Standard | STD-GOV-127 |
| Title | Vendor Evaluation Framework |
| Status | Draft |
| Owner | CDO |
| Created | 2026-04-03 |
| Review | Annually |
Purpose
Establish a consistent, scored framework for evaluating technology vendors before procurement and on an ongoing basis. Simpaisa integrates with PSPs, banks, identity providers, cloud services and SaaS tools across six markets. Poor vendor selection creates operational risk, compliance exposure and costly migration. This framework ensures every vendor is assessed objectively against weighted criteria.
Scope
All technology vendors including: payment service providers (PSPs), banking partners (API integrations), cloud infrastructure providers, SaaS tools, identity and KYC providers, security tooling vendors and professional services firms providing technology deliverables.
Scoring Matrix
Total score: 100 points. Minimum passing score: 70/100.
| Category | Weight | Max Score | Description |
|---|---|---|---|
| Technical Fit | 30% | 30 | API quality, performance, scalability, integration effort |
| Security & Compliance | 25% | 25 | Certifications, data handling, regulatory alignment |
| Financial Stability | 15% | 15 | Revenue, funding, market position, longevity risk |
| Support Quality | 15% | 15 | SLA, response times, escalation paths, documentation |
| Exit Strategy | 15% | 15 | Data portability, contract terms, migration feasibility |
Technical Fit (30 points)
| Criterion | Points | Scoring Guide |
|---|---|---|
| API design quality | 8 | RESTful, versioned, documented, idempotent |
| Performance & latency | 7 | Meets Simpaisa's SLO requirements (p99 < 500ms) |
| Scalability | 5 | Can handle 2x current peak volumes |
| Integration effort | 5 | SDK availability, sandbox environment, sample code |
| Technology alignment | 5 | Compatible with Go, SurrealDB, KrakenD stack |
Security & Compliance (25 points)
| Criterion | Points | Scoring Guide |
|---|---|---|
| SOC 2 Type II or equivalent | 8 | Current report available, no critical findings |
| PCI DSS compliance | 6 | Level 1 for payment vendors; non-payment vendors are N/A and receive full points |
| Data processing agreement | 4 | GDPR-standard DPA, data residency commitments |
| Encryption standards | 4 | TLS 1.2+ in transit, AES-256 at rest |
| Vulnerability management | 3 | Published disclosure policy, patching cadence |
Financial Stability (15 points)
| Criterion | Points | Scoring Guide |
|---|---|---|
| Revenue/funding | 5 | Profitable or well-funded with 18+ months runway |
| Market position | 5 | Established in target markets, reference customers |
| Longevity risk | 5 | Low acquisition/shutdown risk, diversified revenue |
Support Quality (15 points)
| Criterion | Points | Scoring Guide |
|---|---|---|
| SLA availability | 5 | 99.9%+ uptime SLA with financial penalties |
| Incident response time | 4 | P1: 15 min, P2: 1 hour, P3: 4 hours |
| Documentation quality | 3 | Comprehensive, current, searchable |
| Escalation path | 3 | Named account manager, engineering escalation |
Exit Strategy (15 points)
| Criterion | Points | Scoring Guide |
|---|---|---|
| Data portability | 5 | Full data export in standard formats, API access |
| Contract flexibility | 5 | No lock-in > 12 months, reasonable termination terms |
| Migration feasibility | 5 | Alternative vendors available, migration effort < 3 months |
Mandatory Requirements
Regardless of score, the following are non-negotiable:
- Security questionnaire — Vendor must complete Simpaisa's security questionnaire before proceeding.
- SOC 2 or equivalent — SOC 2 Type II, ISO 27001 or equivalent certification required for any vendor handling Simpaisa data.
- Data processing agreement — Signed DPA covering data handling, residency, breach notification and deletion.
- Reference checks — Minimum 2 reference customers in financial services or payments.
Evaluation Process
- Request — Team submits vendor evaluation request via Beads issue with tag vendor-eval.
- Questionnaire — Vendor completes security questionnaire and provides certifications.
- Scoring — Evaluator scores vendor against the matrix. Minimum 2 independent scorers.
- Review — Scores averaged and presented at ARB (for critical vendors) or Platform Team meeting.
- Decision — Approve (≥ 70), conditional approve (60–69 with remediation plan), reject (< 60).
- Contract — Legal review of commercial terms, DPA and SLA.
Annual Re-evaluation
- All critical vendors (payment processing, core infrastructure) re-evaluated annually.
- All non-critical vendors re-evaluated every 2 years.
- Re-evaluation triggered immediately if: security incident, acquisition, significant service degradation or certification lapse.
- Re-evaluation uses the same scoring matrix. A score that drops below 70 triggers remediation or replacement planning.
Vendor Criticality Classification
| Criticality | Definition | Re-evaluation | Examples |
|---|---|---|---|
| Critical | Directly involved in transaction processing or security | Annual | PSPs, banks, HSM provider |
| High | Platform infrastructure or data processing | Annual | Cloud provider, SurrealDB |
| Medium | Development or operational tooling | Biennial | CI/CD, monitoring, SaaS |
| Low | Non-essential, easily replaceable | Biennial | Design tools, utilities |
Actions
| # | Action | Owner | Deadline |
|---|---|---|---|
| 1 | Finalise security questionnaire template | Security Lead | 2026-Q2 |
| 2 | Score all existing critical vendors against matrix | Platform Lead | 2026-Q2 |
| 3 | Establish vendor re-evaluation calendar | Platform Lead | 2026-Q3 |
| 4 | Create vendor scorecard dashboard in Grafana | Platform Lead | 2026-Q3 |
References
STD-GOV-134-THIRD-PARTY-RISK-MANAGEMENT.md
STD-GOV-124-ARCHITECTURE-REVIEW-BOARD-CHARTER.md
VENDOR-INTEGRATION-REGISTER.md