Choosing an IT vendor: Questions from a CTO and Tech Lead

- Does the team have experience with your specific set of technologies?
- Do they work with current versions of Ruby (e.g., 3.4+), Rails (e.g., 8.x), PostgreSQL, Sidekiq, Stimulus, Hotwire?
- What frontend frameworks do they support (e.g., Tailwind, React, Vue)?

Tip: Ask for examples of the architectures they use—e.g., monoliths, modular Rails, systems with separated frontends.

- How often do they update dependencies?
- Do they use tools like bundler-audit, dependabot, rubocop?
- What is their process for patching critical vulnerabilities (e.g., CVEs in gems)?

Tip: Ask if they have a maintenance checklist and what their policy is for updating production environments.

- Can they leverage Turbo and Stimulus to build applications without excessive JavaScript?
- Are they familiar with Action Cable and Active Job, and do they use background jobs (e.g., via Sidekiq)?

Tip: Check if they have actually implemented such solutions in production applications.

- Do they use CI pipelines (e.g., GitHub Actions, GitLab CI, CircleCI)?
- What is their test coverage?
- Do they use RSpec, FactoryBot, system tests with Capybara?

Tip: A team without tests and deployment automation is a major red flag for long-term collaboration.

- Has the team implemented applications of a similar scale (e.g., CRM, ERP, marketplace, B2B tools)?
- What was their role—from analysis to implementation and maintenance?

Tip: Ask about project metrics: number of users, monthly traffic, integrations with external APIs.

- Can they show repositories, code snippets (if possible), project documentation, or provide contact with a technical client (e.g., CTO or PM)?

Tip: If not, ask about the possibility of speaking with a developer who will be assigned to your project.

- Does the company have a team dedicated exclusively to Ruby on Rails, or is it one of many languages used occasionally?

Tip: Specialized teams have established practices, ready-made templates (boilerplates), and a better understanding of typical Rails issues (e.g., N+1, ActiveRecord query performance).



It's important to establish who will be implementing the project and how the team's work will be organized.

• Team composition: How many programmers will be assigned? Does the team also include an architect, QA, PM, UI/UX designer?


• Experience: What is the experience level of the team members? How many seniors, how many juniors?


• Dedication: Will the team work exclusively on your project, or on others concurrently?


• Employment: Will the project be carried out by permanent employees or contractors?


• Rotation and absences: Does the company have an action plan in case of key personnel departures or vacations? How is knowledge transferred within the team?

It's worth understanding the vendor's way of working—from methodology to tools and client communication.

• Methodology: What methodology does the team use—Agile (Scrum, Kanban) or waterfall? What does a typical process look like from planning to deployment?


• Estimation and changes: How are time estimates created? How does the team handle scope changes and limit "scope creep"?


• Tools: What project management tools do they use (e.g., ClickUp)? Does the client have access to task tracking?


• Client collaboration: Do they plan for regular meetings, demos, joint planning, and ongoing consultations?


• Version control: Do they have an established Git workflow (branching, code review, release)? What does the deployment process look like?

Code quality directly translates into system stability, speed of implementing changes, and maintenance costs. A good partner not only writes code but has implemented processes that protect that code.

• QA process and responsibility: Does the project have a formal quality assurance process? Is testing handled by a designated QA, or are tests done by developers? Structured QA (manual and automatic) significantly reduces the number of regressions.


• Automated tests: Does the team write unit tests (RSpec, Minitest), integration tests, and end-to-end (e2e) tests? What is their coverage threshold? Lack of tests is a warning sign, especially for projects with a long lifecycle.


• Code review and coding standards: Does every merge go through code review? Does the team adhere to internal code standards (e.g., style guide, Rails conventions)? These are the foundations of code quality and longevity.


• CI/CD tools and quality analysis: Does the team use CI/CD (GitHub Actions, GitLab CI, CircleCI)? Do they use Rubocop, SimpleCov, linters, CodeClimate, SonarQube? Automation detects problems before they reach production.


• Quality metrics: Does the team monitor quality—e.g., test coverage, bug fix time, number of critical bugs? Good practices are not just processes, but also hard data.

See also:
5 steps to prepare an organization for a new IT system implementation



An IT provider should not only create functional software but also ensure data security, access control, and clear rules for code ownership.

• Confidentiality and NDA: Will the partner sign a Non-Disclosure Agreement (NDA) before project discussions? A professional provider should not have an issue with this—a lack of consent may indicate a low standard of work or a risk of misuse.


• Code copyright: Does the contract clearly state that the source code will be your property? Will parts of this code not be used in other projects? Ownership should be clearly regulated—preferably in the form of transfer of proprietary copyrights or an exclusive license.


• Access and data security: How is access to repositories and environments controlled? Does the team use password managers, encryption, the principle of least privilege? Pay attention to whether access is audited and restricted according to good DevSecOps practices.


• Secure coding (OWASP): Do developers apply secure coding principles consistent with the OWASP Top 10? Does the project account for defense against XSS, CSRF, SQL Injection? Ask about how code is audited for security and how the team mitigates risks.


• Security tests and vulnerability scanning: Does the project undergo security tests—automatic scanning (e.g., Brakeman, bundler-audit), manual tests, penetration tests? For applications processing user data, this is an absolute necessity.


• Backups and disaster recovery plan: Does the company regularly perform code and data backups? What is the disaster recovery procedure? Ensure the partner has a disaster recovery plan and a clearly defined backup frequency.

Effective communication is fundamental—it's worth establishing rules for cooperation and how to contact the team.

• Communication channels and methods: What tools will be used (e.g., Slack, Google Meets, Zoom)? How often do meetings take place (stand-ups, status updates, demos)?


• Point of contact: Who will be the main point of contact? Will it be a Project Manager or Tech Lead, and what will their availability be?


• Language and working hours: What language will communication be conducted in, and do the team's working hours align with yours?


• Access to progress: Does the client have access to the repository, testing environment (staging), and progress reports?


• Feedback and improvements: Are retrospectives planned, and is there an opportunity for ongoing feedback?

After deployment, the application requires further care—it's worth checking if the provider offers this.

• Ongoing support: Does the company offer ongoing support, e.g., development, monitoring, fault resolution? Under what conditions?


• Warranty: Is there a warranty period after implementation? How long does it last and what does it cover?


• Development and scaling: Is it possible to further develop the application and scale the team in the future?


• Knowledge transfer: Is documentation, instructions, and training provided for independent system maintenance?

Choosing an IT provider is a strategic decision. Asking the right questions will allow you to assess technical competencies and the quality of cooperation. Expect clear, specific answers and full transparency in processes. This list will help you choose a partner who will ensure high quality, security, and a professional approach to your project.