Most “how to choose a software development company” guides hand you adjectives: experienced, reliable, proven. Useless. What you need is a scorecard you can run against any vendor and score the same way, including the one writing this. So that’s what this is: 22 questions across the six areas where projects actually succeed or fail, plus what a good answer sounds like and the red flags that should end the conversation.
The single most expensive thing you can get wrong is IP assignment left vague. It outranks price and timeline. It’s the most common post-project dispute, and it surfaces at the worst possible moment, usually when you’re trying to raise money or sell. If you read nothing else here, read the IP section.
We’re gmware, a software development firm with our US office in Austin, TX and engineering centers in Bangalore and Mohali, India. We’ve been the vendor on the answering side of these questions for years, and we’ve cleaned up after vendors who couldn’t answer them. Below: the full 22-question scorecard, the red flags table, and how to run a reference call that actually tells you something.
Here’s the scorecard at a glance: six areas, what each is really testing, and how many questions sit under it. The detail follows.
| Scorecard area | What it tests | Questions | What good looks like |
|---|---|---|---|
| Who writes your code | Team stability, employee vs subcontractor | 4 | Named engineers, CVs, replacement SLA |
| IP & data | Ownership, enforceability | 4 | Full IP assignment in writing, ready NDA |
| Scope changes | Process over chaos | 3 | Written change orders, acceptance gates |
| Security & compliance | Practice, not slideware | 3 | OWASP in SDLC, real compliance track record |
| Post-launch | Year-two reality | 3 | Defined SLA covering your hours |
| References | Track record that survives a call | 5 | Recent, in-industry, willing to talk |
22 questions across six areas
Who actually writes your code
Find out before you sign. The team in the sales meeting is often a different team from the one on the keyboard. Ask for named engineers with CVs, and ask directly whether they’re employees or subcontractors. Subcontracting can be fine. But if the agency subcontracts and those subcontractors never assigned their work to the agency, the IP chain to you is broken and you may not own what you paid for.
- Who are the specific engineers on my project? Good: names, CVs, often a technical call before signing. Red flag: “our team” with no individuals.
- Are they your employees or subcontractors? Good: a clear answer either way, with the IP chain explained. Red flag: evasion.
- Will the team that pitches me be the team that builds? Good: yes, with continuity guaranteed. Red flag: “we’ll assign the right people” after signing.
- What is your developer turnover, and what is the replacement process? Good: a written replacement SLA. Red flag: silence on bench rotation.
The pattern we see in rescue work is a stable, senior team in sales and a rotating cast of juniors in delivery. You pay for the same learning curve more than once. Stable teams cost more per hour and less per project.
IP assignment and data protection in the contract
Get full IP assignment and an NDA in writing before any code exists. This is the section that prevents the expensive dispute. Full assignment of IP to the client, in writing, is the line that determines whether you own your product or merely rent it. A vendor without a ready NDA and IP-assignment template is a vendor who hasn’t done this seriously.
- Will all code and IP be assigned to me, in writing, in the MSA? Good: yes, standard clause, shown on request. Red flag: “you’ll own it” with nothing on paper.
- Do you have an NDA template ready now? Good: sent same day. Red flag: “we’ll sort that out later.”
- If you subcontract, do those people assign IP to you first? Good: yes, documented. Red flag: blank stare.
- Where will my data and credentials live, and who has access? Good: named access controls, least privilege. Red flag: vague reassurance.
Contracting with a US entity under a US master services agreement matters here beyond the rate. It means your IP assignment is enforceable in a US court, not in a jurisdiction where you have no presence and no lawyer.
How the vendor handles scope changes
A defined change process is worth more than a low bid, because scope always moves and the only question is whether the vendor profits from chaos or manages it. Ask exactly how a change gets priced and approved. The honest models price changes transparently; the bad ones use vague scope as a renegotiation engine.
This is also where the fixed-price-versus-time-and-materials question lives. Fixed-price feels safe, but vendors pad it with a 15% to 30% risk buffer you pay even when nothing goes wrong, and research in the International Journal of Project Management finds fixed-price contracts correlate with higher project-failure risk than time-and-materials. The change process matters more than the pricing model.
- How are scope changes priced and approved? Good: written process, change orders. Red flag: “we’ll figure it out.”
- What’s your acceptance process for completed work? Good: defined criteria, sign-off gates. Red flag: none.
- Fixed price, T&M, or hybrid, and why for my project? Good: a reasoned recommendation. Red flag: one model for everything.
Security and compliance posture
Security is a build practice. Ask what they actually do day to day, and skip the question of whether they “take security seriously.” For regulated work, the bar is concrete and a vendor either clears it or doesn’t.
- Do you follow OWASP practices, and how is that enforced in your SDLC? Good: code review, scanning, specifics. Red flag: buzzwords.
- Have you delivered HIPAA / GDPR / SOC 2-grade work? Good: examples and the controls used. Red flag: “we can do that” with no track record.
- What’s your penetration-testing cadence? Good: regular, third-party. Red flag: never tested.
For context on the testing line: a focused small-business penetration test runs $3K to $15K, with the broader market norm at $5K to $35K across web, API, mobile, and cloud scopes. A vendor who’s never priced one has never needed to. Our own cybersecurity practice treats this as table stakes, not an upsell.
What happens after launch
Launch is the start of year two, and the support terms decide how that year feels. Get the SLA in writing (response times, support hours, and maintenance pricing) before you sign, while you still have negotiating room. Sorting it out after the first production incident is too late.
- What are your support response times and hours? Good: defined SLA, your timezone covered. Red flag: “business hours” only, with after-hours work billed at surprise rates of $150 to $350/hr.
- How is ongoing maintenance priced? Good: a clear retainer or rate. Red flag: ad hoc.
- Who owns deployment and infrastructure knowledge? Good: documented, handed over. Red flag: lock-in by obscurity.
Running a reference check that’s worth anything
Ask for a client in your industry from the last two years, then actually call them. Skip the case study, which is marketing. The questions that work are the uncomfortable ones, and a vendor should be able to produce a recent, relevant reference without stalling.
- Can I speak to a client in my industry from the last two years? Good: yes, contact provided. Red flag: only old or irrelevant references.
- On the call, ask what went wrong and how they handled it, whether the team stayed stable, and whether they’d hire them again.
| Red flag | What it usually means |
|---|---|
| Vague about who writes your code | Sales team ≠ delivery team; juniors incoming |
| No NDA / IP template ready | Hasn’t done serious contracts; IP risk |
| Slow, scripted sales-stage replies | Slow delivery later, when it costs more |
| Fixed bid, no change process | Renegotiation engine, padded buffer |
| Rates too cheap to be senior | Juniors billed as seniors; rework ahead |
| No recent, relevant reference | Track record won’t survive a phone call |
Here’s the freelancer-versus-agency note, since it comes up: a freelancer fits a ruthlessly scoped MVP under about $15K, but for production work an agency’s higher rate typically saves 20% to 30% long-term through avoided rework. The classic trap is the freelancer prototype you then pay to rebuild.
What we’d recommend
Run this scorecard against us too. We’d be uneasy if you didn’t. The answers we give: named engineers with CVs and a technical call before signing, full IP assignment under a US master services agreement, a written change-order process, OWASP practices in the SDLC, and a support SLA that covers your hours because our account owners work them. Our product development and cybersecurity engagements both ship with those terms by default, not on request.
The structural answer to most of these questions is our model: an Austin-side technical owner who’s accountable in your timezone and under US law, delivery from Bangalore and Mohali at India economics. The rate gets you the engineers. The accountability gets you a vendor you can actually hold to the scorecard. If you’re earlier in the process and still pricing the build, our custom software cost guide and offshore rates guide carry the numbers.
Tell us what you’re building, run the 22 questions on us, and we’ll give you straight answers on scope, cost, and timeline within 48 hours. Talk to us.