Vetting an IT vendor in India means confirming the company is a registered legal entity, checking its security and quality certifications, verifying real client references, and locking down code ownership and data handling in the contract — before any money moves. It is due diligence, not a vibe check off a polished website. A 250-seat fintech CTO in Austin does not need a fourteenth sales call; they need a checklist that separates the firms that ship from the ones that disappear after the deposit. Here is the one AB7 hands buyers who are evaluating India vendors — including AB7’s own competitors.
The development service this checklist applies to is described on the AB7 Digital & Development page, and the engagement tiers are on the AB7 pricing page.
1. Confirm the company is a registered legal entity
Ask for the company’s CIN (Corporate Identity Number) and verify it on the Ministry of Corporate Affairs portal (mca.gov.in). A real Indian private limited company shows up with an incorporation date, registered office, and director names. AB7 Solutions, for context, was incorporated in 2013 and runs from Kalkat Bhawan near Airport Chowk in Mohali, Punjab — a verifiable address, not a virtual mailbox. If a vendor cannot produce a CIN in five minutes, stop there.
2. Check security certifications, not logos
Plenty of websites paste an “ISO 27001” badge in the footer. Ask for the certificate PDF, read the certificate number, and check the named scope and the validity date stated by the issuing body. The certifications that matter for software work are ISO 27001 (information security), SOC 2 Type II (controls audited over time, not a snapshot), and — if the vendor handles US health data — a signed BAA referencing HIPAA. A badge is a claim; a current certificate with a verifiable registrar is evidence.
3. Verify two references you chose, not two they chose
Every vendor has two happy clients on speed dial. Ask instead for a reference in your industry, at your project size, that ended in the last six months — including one engagement that hit trouble and how it was resolved. The answer to “tell me about a project that went sideways” tells you more than ten glowing testimonials. A vendor that has never had a hard project either hasn’t shipped much or isn’t telling you the truth.
4. Read the portfolio for depth, not screenshots
A grid of app screenshots proves nothing. Ask which parts the vendor actually built versus integrated, what the stack was (React, Next.js, Node, Postgres, AWS), and who owns the repo today. For a real build, the team can walk you through an architecture decision and explain a tradeoff they’d make differently now. AB7’s developers work in the same stack a US team would — React, Next.js, Vue, Angular, React Native — so the conversation is technical, not a slide tour.
5. Lock down IP and code ownership in writing
This is where buyers lose the most and notice it last. The contract must state that all work product, source code, and IP transfer to you on payment, that the vendor assigns moral rights, and that no third-party or copyleft-licensed code enters the codebase without written disclosure. Get commit access to your own repository from day one. If the vendor “hosts the code for you” and won’t hand over the keys, you don’t own your product — you’re renting it.
6. Pin down data security and where data lives
Ask which region the data sits in (AWS Mumbai, ap-south-1, versus a developer’s laptop), how access is controlled, and whether the team signs individual NDAs. For a 14-clinic RCM director moving PHI, the answers to “who can see this data and where is it stored” are not optional — they’re the contract. A serious vendor has role-based access, audit logs, and a documented answer. A weak one improvises on the call.
7. Confirm real time-zone overlap
“We work US hours” means nothing without specifics. Ask for the guaranteed daily overlap window in your time zone in writing. India runs GMT+5:30; a dedicated team holding 9:00–13:00 US Eastern as standup-and-collaboration hours is workable, while a team available only at 2:00 a.m. your time is not. AB7 deploys professionals on your business hours rather than theirs — but the point stands for any vendor: get the overlap window named in the SOW, not described on a sales call.
8. Test responsiveness before you sign, not after
How fast a vendor replies during the sales cycle is the best case you will ever see — it only gets slower after the contract. Send a technical question mid-evaluation and time the response. Ask who your day-to-day contact is, whether you get a dedicated project manager, and what happens to communication when that person is on leave. A named PM with a backup beats a shared inbox every time.
9. Start with a paid pilot, not the full build
The single best way to vet a vendor is a small, paid, time-boxed scope — two to three weeks, a real feature, a fixed number like $1,500–$4,500 — before committing to the full project. A pilot surfaces everything a reference call can’t: code quality, communication cadence, how change requests are handled, whether estimates hold. AB7 standard roles start from $1,500/month for a dedicated FTE precisely so buyers can start small and scale once the work proves itself, rather than betting a six-figure build on a sales pitch.
10. Check the exit before you check in
Ask what happens if it doesn’t work out. A confident vendor has a clean answer: documented handover, repo access you already hold, no hostage data, a replacement guarantee if a professional isn’t the right fit. AB7 offers a free replacement when a deployed professional doesn’t fit the account — and the AB7 vs Toptal comparison lays out where a dedicated-team model beats a freelance marketplace and where it doesn’t, because the honest answer is “it depends on your work.”
The bottom line
Vetting an India IT vendor is ten concrete checks, not a gut feel: a verifiable CIN, real certificates, references you pick, a portfolio that survives technical questions, IP that transfers to you on payment, named data handling, a written time-zone overlap, tested responsiveness, a paid pilot, and a clean exit. Run all ten and the field narrows fast — the firms that ship answer every one in writing, and the ones that don’t reveal themselves by which question they dodge.
Want this checklist run against your shortlist?
If you’re comparing India vendors right now, AB7 will walk your shortlist through these ten checks — including where AB7 itself is and isn’t the right fit. See the AB7 Digital & Development page and the AB7 pricing page, then call +1 (321) 341-7733, email director@ab7solutions.com, or book a 30-minute call with Ashok.