Ten criteria to evaluate any Vietnam-based outsourcing partner before signing. Written from the Hanoi side by a founder who's been on both sides of vendor selection. No vendor names. No paid placements. Honest, opinionated, and actionable.
Vietnam has 200,000+ software engineers and roughly 500 outsourcing firms with at least 50 staff. Picking the right one for your project takes more than a Clutch search and a Zoom call. The vendor sales process is optimized to look good in a 60-minute pitch; the things that determine whether your project ships on time and to spec are mostly invisible during sales.
This guide is the evaluation framework we'd use if we were buying, not selling — drawn from conversations with 30+ international clients across the US, Australia, Japan, Singapore, and Canada who've worked with Vietnam vendors before us. Use it as an RFP rubric, a vendor-meeting prep document, or just a sanity check on your shortlist.
Vendors love quoting total headcount. The metric that actually matters is senior-engineer percentage. Mid-market vendors with 5,000+ engineers often staff projects with juniors and rotate them quarterly; the seniors are reserved for enterprise accounts and sales-meeting flybys. Ask: what's the senior:junior ratio on YOUR project specifically? Anything below 30% senior is a red flag for non-enterprise contracts. Ask for the named engineers' LinkedIn profiles before contract.
Watch out for: "We have 800 senior engineers" — meaningless. "Three of those eight engineers on your project have 7+ years and 2+ AI deployments" — meaningful.
Generic outsourcing experience doesn't transfer cleanly to specialized work. A vendor that shipped 200 e-commerce sites is not the right pick for a HIPAA-grade healthcare AI project — the team patterns, security mindset, and review discipline are different. Ask for 3 references in your specific industry + use case. "Fintech" is too broad; "fraud-detection ML for B2B payment processors with PCI-DSS scope" is the right level of specificity.
Watch out for: Beware case studies older than 18 months — engineering practice moves fast in AI/ML; what worked in 2023 may be obsolete now.
ISO 9001:2015 (Quality Management) and ISO 27001 (Information Security) are baseline for any vendor handling enterprise data. ISO 22301 (Business Continuity) matters for mission-critical engagements. Ask for: the certificate number, the certifying body, and the certificate validity dates. Cross-check on the certifier's website. Several mid-market vendors have published expired or fabricated certificates.
Watch out for: "We're ISO-aligned" is not the same as "ISO-certified." Verify on the certifier's registry.
Where the contract is governed matters as much as what it says. Vietnam-law contracts protect Vietnamese vendors more than foreign buyers. For foreign clients, the safer structures are: (a) Singapore-law contract via the vendor's Singapore entity (most common, well-tested), (b) UK-law or US-law contract via the vendor's incorporated entity in that jurisdiction (rarer, more expensive). Ask: "Under what law and jurisdiction will the contract be governed?" Then ask: "Does your team have the entity in that jurisdiction, or is this paper-thin compliance?"
Watch out for: Some vendors offer Singapore-law contracts via shell entities. Ask for the registration number + ACRA business profile.
Full code ownership should transfer to you on final payment, with no carve-outs for "vendor frameworks" or "proprietary libraries." Ask: is there a code escrow agreement? Is the working repo accessible to your team during the engagement? Vendors that gate the repo behind a release schedule are protecting their leverage, not your IP.
Watch out for: If the vendor's standard MSA has a "vendor retains rights to all reusable components" clause, push back hard. That clause is how vendors lock you in.
Vietnam is GMT+7. Synchronous communication with US clients (GMT-5 to GMT-8) is hard — you get a 1-3 hour overlap window in the morning Vietnam / evening US. For US clients: insist on (a) a senior engineer or PM available during 8am-11am EST, (b) async-friendly project management (Linear, Asana, Notion with documented updates daily), (c) weekly video calls. For Japan/Korea/Australia: overlap is much better; 4-6 hours of business-day overlap is normal.
Watch out for: "24/7 support" usually means a junior on-call in Vietnam who escalates to senior engineers when they're asleep. Test responsiveness with a Friday-afternoon question.
For AI/ML projects specifically: ask how they measure success. The right answer involves: a frozen eval set, scoring functions per task type, regression tracking, and CI gates. The wrong answer is "we test thoroughly" or "the model worked great in our tests." If they don't have an eval framework, they don't have a way to detect when the model gets worse. Whatever they ship will rot.
Watch out for: If the vendor pitches AI/ML capabilities but can't explain their eval methodology in 90 seconds, they're not actually shipping AI in production.
GDPR, HIPAA, PDPA (Singapore + Vietnam + Thailand), PIPEDA (Canada), APPI (Japan), EU AI Act — each is its own compliance regime. Ask: which of these does your team have direct deployment experience with, and can you walk me through your DPA template? "We're GDPR-aware" is not a compliance answer. "We've deployed GDPR-compliant AI for two German fintech clients in the last 18 months, here's the DPA we use, here are the residency controls" is.
Watch out for: Vendors who can't produce a written DPA in 24 hours probably don't have one. Ask early.
Most engagements should be fixed-fee with a clear scope. Time-and-materials engagements work for genuinely exploratory phases (a 2-week discovery), but T&M for the bulk of a project incentivizes the vendor to take longer. Vendors that exclusively quote T&M are revealing they can't (or won't) commit to scope estimates. Ask: "What percentage of your engagements are fixed-fee?" If less than 60%, that's a signal.
Watch out for: "We can do fixed-fee" with a scope so vague the vendor has unlimited change-order leverage is just T&M with extra steps.
Founder-led vendors (~10-300 engineers, owner still actively engineering) tend to ship better quality for the same price than larger PE-backed vendors. Reason: the founder's reputation IS the company, so the work has direct skin-in-the-game. PE-backed vendors at 1,000+ headcount optimize for growth metrics (utilization, sales conversion) rather than per-project quality. This isn't universal, but it's the modal pattern in Vietnam IT services 2026. Ask: who founded the company, are they still operating, do they have an engineering background.
Watch out for: PE-acquired vendors often retain the founder's name for 1-2 years post-acquisition for brand continuity, then quietly transition. Check LinkedIn for current title vs original.
Copy this list into your next vendor evaluation. Score each vendor 1-5 per criterion. Anything below 3 on more than three criteria is probably a pass.
We offer a free 30-minute call where a NKKTech senior consultant reviews your vendor shortlist and the criteria you're using. We'll tell you honestly which signals to weight more or less for your specific project. No pitch — even if NKKTech isn't the right fit for you, we'd rather help you find the vendor that is.
Book a free shortlist review