Dear Ask the Ethicist,

I need to do some due diligence on a donor who’s planning to make a public and transformational gift to my organization, but I’m not sure where to start! I’d like to find a vendor that would give me access to a wider pool of resources and ideally help with reporting. How can I evaluate a vendor’s services to make sure their product and their information-gathering are ethical?

Sincerely,

Vendor Lost

Dear Vendor Lost,

It’s difficult to understate the importance of protecting your institution’s reputation, particularly when the gift in question will likely end up with a lot of recognition! In our work as prospect researchers, our vendor resources are some of the most important tools in our toolkit. But with such varying practices in for-profit vendors, local and national regulations, and balancing the needs of our organizations, vetting your potential vendors’ data gathering and stewardship practices may feel like it adds one more element of complexity to your job.

To help you get started, consider these overarching questions:

1. What type of data does the vendor process?
2. How is the vendor’s data collected, stored and protected? Are their protocols compliant with your organization’s data protection policies?
3. Determine the reliability of the data, particularly how the information is updated.
4. Research the business’s reputation, both publicly and within the industry.

It’s important to know what type of service each individual vendor provides. Some research tools provide information about prospects (or super-databases of searchable names), and others analyze information provided by the user. Understanding these differences can help you determine the types of questions to ask the vendor during your due diligence.

If the vendor is an information provider it’s important to ask questions to help you understand where the information provided is sourced, as well as how it’s collected, stored and protected. A good starting question is determining what type of data they process. Additionally, how does the company acquire their information? Do they use researchers, or does the technology scrape the web? Are there options for opting out of information that doesn’t align with your organization’s data policies?

If the vendor is an analysis platform it’s important to ask questions that help you understand what happens to the data inputted by the user. Are personal data inputs required to use any part of the tool? If so, are you able to reduce this information (for example, by anonymizing names) and retain functionality of the entire tool? What happens to the data that you as a user input? Is it used for any purpose other than providing analytical results to the client who inputted it? Ask how the network architecture is set up to protect client data — requesting an IT security policy as well as a data protection policy will give you a broader understanding of their protocols.

Evaluating a vendor can be a complex process! Apra’s Vendor Due Diligence Toolkit offers additional resources and best practices that can be incorporated into any institutional policy regarding vendor procurement.

Signed,

The Apra Ethicist