AI vendor-risk report
Before you build, check the vendor first
Answer a short intake, upload a proposal if you have one, and get a personalized risk read before you sign.
A polished proposal can still hide the painful parts: ownership, handover, BAA coverage, review process, support, and whether the AI is real or just wearing a blazer. This check turns the blanks into a risk report you can use on the next vendor call.
Run the vendor-risk read
Four required answers get you a baseline report. Free text and uploads make it sharper.
What the report checks
The flow asks about your build, the data involved, your stage, and which of the twelve green flags below the vendor has already answered clearly. Every flag left blank becomes an item on the risk list.
Build types in the intake
- Membership or community platform
- Patient or practice platform
- Course or certification academy
- Coaching or expert-led platform
- Replacing one that is not working
- Still scoping the idea
- Something else
Data-risk choices
- Yes, health or patient data
- Personal, but not health data
- General account or member data only
- Not sure yet
Process stage
- Just researching
- Comparing proposals
- Picked someone
- Mid-build
- Rebuilding after a bad one
Scale signal
- Just starting
- Under 1,000
- 1,000 to 10,000
- 10,000+
The twelve vendor green flags
1. Will they sign a BAA (Business Associate Agreement), and how do they handle patient data?
If members or patients enter health data, this is the whole ballgame. Under HIPAA, a vendor that stores, processes, or can see protected health information on your behalf needs a signed BAA; encryption claims and a "secure" badge on the proposal do not substitute for one. Ask the same of every subprocessor they plan to use, including hosting and any AI API.
2. Do you own the code and the cloud accounts?
A custom platform should leave you with assets you control: the source repository, the cloud account and billing, the domain and DNS, and the third-party accounts (payments, email, AI providers) all in your name, with the vendor added as a collaborator you can remove. Renting your own build back from the vendor is a strange hobby.
3. Do they name the senior builders who will write the code?
A careful vendor can tell you who is on the keyboard. If the pitch team disappears after the sale, that is useful information.
4. Does code get reviewed before it goes live?
For member data, payments, or clinical workflows, one person pushing straight to production is not a process. Ask whether the main branch is protected, whether a second person reviews each change, and how a bad release gets rolled back.
5. Can they show something real working in about two weeks?
A working slice finds risk while the budget is still small. Three months of silence is not a milestone.
6. How do they price changes when the scope moves?
The suspiciously cheap bid usually collects the difference later, just in a worse mood.
7. Is the AI they are pitching something they have shipped?
AI on a slide is cheap. AI that works on messy input, with a human able to catch mistakes, is a different build.
8. Who answers when something breaks at 2am?
You want a person who owns the outcome, not a support address that discovers time zones at the worst possible moment.
9. What happens if you stop working with them?
A healthy build keeps running and can be handed to another team: the repository, credentials, deployment steps, and environment configuration are documented and yours. A trap needs the original vendor forever, usually because a secret, a server, or a build step lives only on their side.
10. Are they building one platform, or bolting tools together?
One coherent platform is why you build. A pile of plugins can still be useful, but it should not be priced like custom software.
11. How does this hold up when usage grows?
A custom build should not hit the same ceiling as the tools you are leaving. Ask for the scaling plan before growth makes it loud.
12. Can they show a real product they shipped and still stand behind?
Anyone can show logos. Fewer teams can walk through a running product and own the decisions inside it.
A proposal is not a platform
HighCraft built a HIPAA-aligned EMR and patient portal with AI-assisted intake, clinical workflows, Stripe billing, and release review. This is the kind of risk we check before code gets expensive.
The report is not a fake AI wrapper around a score. The band is deterministic, the advice is written around your answers, and uploaded screenshots or PDFs are read by Claude when you provide them.
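To make the mechanics concrete, here is an added example of how blank green flags can turn into a risk list and a deterministic band. It is illustration only, not the report's own scoring: the weights, thresholds, band names, and the `Intake` field names are assumptions; the twelve flags and the intake choices are the ones listed on this page.

```python
# Added example: deterministic vendor-risk band from the intake on this page.
# Weights, thresholds and band names are assumptions for illustration,
# not the report's real scoring.
from dataclasses import dataclass, field

HEALTH = "Yes, health or patient data"
UNSURE = "Not sure yet"

# The twelve green flags, keyed by the number used on the page.
GREEN_FLAGS = {
    1: "BAA and patient-data handling",
    2: "You own the code and cloud accounts",
    3: "Named senior builders on the keyboard",
    4: "Code review before production",
    5: "Working slice in about two weeks",
    6: "Pricing for scope changes",
    7: "AI they have actually shipped",
    8: "Named owner when it breaks at 2am",
    9: "Exit and handover plan",
    10: "One platform, not bolted-together tools",
    11: "Scaling plan",
    12: "A shipped product they stand behind",
}

# Assumed: ownership, review, support and exit flags count double when blank.
SECURITY_FLAGS = {2, 4, 8, 9}


@dataclass
class Intake:
    build: str
    data: str                       # one of the data-risk choices
    stage: str                      # one of the process-stage choices
    scale: str                      # one of the scale-signal choices
    clear_flags: set = field(default_factory=set)  # flags answered clearly


def flag_weight(n, intake):
    """Assumed weighting. The BAA flag only bites when health data is
    involved (or the answer is unknown); other flags weigh 1 or 2."""
    if n == 1:
        if intake.data == HEALTH:
            return 10
        if intake.data == UNSURE:
            return 3
        return 0
    return 2 if n in SECURITY_FLAGS else 1


def risk_list(intake):
    """Blank flags become the risk list, in flag order; flags that do not
    apply to this intake (weight 0) are dropped."""
    return [
        (n, GREEN_FLAGS[n])
        for n in sorted(GREEN_FLAGS)
        if n not in intake.clear_flags and flag_weight(n, intake) > 0
    ]


def risk_score(intake):
    score = sum(flag_weight(n, intake) for n, _ in risk_list(intake))
    if intake.stage in ("Picked someone", "Mid-build"):
        score += 3   # money is already moving, so blanks cost more
    if intake.scale == "10,000+":
        score += 2   # a missing scaling plan hurts sooner
    return score


def risk_band(intake):
    """Deterministic band: same answers always give the same band."""
    if intake.data == HEALTH and 1 not in intake.clear_flags:
        return "critical"       # health data with no BAA answer
    s = risk_score(intake)
    if s >= 12:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def risk_report(intake):
    return {"band": risk_band(intake),
            "score": risk_score(intake),
            "risks": risk_list(intake)}


if __name__ == "__main__":
    # Constructed sample intake: a patient portal, health data, vendor
    # answered everything clearly except the BAA question.
    sample = Intake("Patient or practice platform", HEALTH,
                    "Comparing proposals", "Under 1,000",
                    clear_flags=set(range(2, 13)))
    print(risk_report(sample))
```

Because `risk_band` depends only on the intake fields, two people entering the same answers get the same band, which is the property the page means by "deterministic"; the free-text advice is the part that varies.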