GEO vendor diligence: a procurement-grade checklist before you sign
Security, methodology, data handling, and measurement honesty—questions your IT, legal, and finance partners should ask any vendor selling AI visibility, including how baselines and reruns are defined.
GEO tooling is crowded with black boxes and aspirational dashboards. A serious procurement process protects your brand, your data, and your executives from signing a contract that cannot survive audit season.
Security and data handling
- Where do prompts and results live? Region, retention, subprocessors.
- Do you train models on customer data? Under what opt-in/opt-out terms?
- Can we delete data on request? What is the SLA?
- How are credentials and API keys stored and rotated?
Methodology and reproducibility
- Prompt design: fixed vs dynamic; who approves changes; version control.
- Engines: which assistants or APIs; how do you handle rate limits and drift?
- Scoring: transparent rubric or opaque score? How are ties broken?
- Reruns: same prompts and engines for comparability, or a moving target?
Measurement honesty
Ask for examples where the product refuses to claim attribution. Vendors who promise revenue lift without your CRM integration should explain exactly what they mean—and what they will not say in writing.
Commercial and exit
- Export formats; data portability; what happens on downgrade.
- SLAs for outages during a campaign window.
- Right to audit logs for enterprise procurement.
One-page scorecard for the committee
Rate each vendor Green / Yellow / Red on security, methodology, evidence quality, and implementation burden. Force a written minority note from IT or Legal when something is Yellow—silence becomes technical debt.
Written by The Enso team. Have a question or correction? Email us at support@ensoinsights.us.