A partner wants the firm to standardise on an online PDF editor. They've found three contenders. Your job: vet them properly before procurement signs off.
Architecture and data handling
First question: does the tool upload files to its servers, or process in the browser?
Browser-based: lower data-handling risk, simpler compliance picture. Verify it rather than trusting the marketing: watch the browser's network tab (or record a HAR) while editing a real document and look for requests that carry file contents off the device.
Server-side: requires deeper review of where data goes, retention, residency, sub-processors.
Document the answer. For confidential firm work, browser-based is the cleaner choice.
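One way to make the network-tab check repeatable is to export the session as a HAR file (DevTools > Network > "Save all as HAR") and scan it for requests that look like document uploads. The script below is an added example for this guide, not code from any of the vendors or tools mentioned; the HAR fragment is constructed, the `.example` hostnames are placeholders, and the size threshold and content-type list are assumptions you should tune to the tool under review.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR export standing in for a real DevTools capture.
# Hosts ending in .example are placeholders, not real services.
SAMPLE_HAR_JSON = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET", "url": "https://editor.example/app.js",
                     "headers": [], "bodySize": 0}},
        {"request": {"method": "POST", "url": "https://editor.example/api/session",
                     "headers": [], "bodySize": 120,
                     "postData": {"mimeType": "application/json", "text": "{}"}}},
        {"request": {"method": "POST", "url": "https://upload.vendor-cdn.example/files",
                     "headers": [], "bodySize": 482133,
                     "postData": {"mimeType": "multipart/form-data; boundary=x"}}},
        {"request": {"method": "PUT", "url": "https://editor.example/api/docs/42",
                     "headers": [], "bodySize": 4821,
                     "postData": {"mimeType": "application/pdf"}}},
    ]}
})

# Content types that usually mean "the file itself is in the body" (assumed list).
DOCUMENT_MIME_PREFIXES = ("multipart/form-data", "application/pdf",
                          "application/octet-stream")


def upload_requests(har_text, min_body_bytes=10_000):
    """Return the requests in a HAR that look like document uploads.

    A request is flagged when it is not a read-only method and either its
    body is at least min_body_bytes (assumed threshold) or its declared
    content type is one a file upload would use.
    """
    har = json.loads(har_text)
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"].upper() in ("GET", "HEAD", "OPTIONS"):
            continue
        mime = req.get("postData", {}).get("mimeType", "").lower()
        size = req.get("bodySize", -1)  # HAR uses -1 when the size is unknown
        if size >= min_body_bytes or mime.startswith(DOCUMENT_MIME_PREFIXES):
            found.append({"method": req["method"].upper(),
                          "host": urlsplit(req["url"]).hostname,
                          "bytes": size, "mime": mime})
    return found


def classify(har_text, first_party_host, min_body_bytes=10_000):
    """Summarise a capture: verdict, upload count and any non-first-party hosts."""
    uploads = upload_requests(har_text, min_body_bytes)
    third_party = sorted({u["host"] for u in uploads if u["host"] != first_party_host})
    return {
        "verdict": "browser-based" if not uploads else "server-side",
        "uploads": len(uploads),
        "third_party_hosts": third_party,
    }


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_HAR_JSON, "editor.example"), indent=2))
```

Two caveats for using this in a real assessment: the capture only shows what happened while you recorded, so exercise the actual open, edit, sign and export flows with a test document rather than the landing page; and a HAR can contain the document bytes themselves, so treat the file as confidential and delete it once the review is written up.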
Privacy and policy review
Read the privacy policy and terms of service. Look for:
- Retention periods (shorter is better).
- Data sharing or sale clauses (red flag).
- Training/AI use of customer data (red flag without opt-out).
- Sub-processor list (who else touches the data).
- Data residency commitments.
For regulated practice (law, medical, accounting), this is gating — if the policy doesn't fit your client obligations, the tool fails.
Certifications and assurance
- SOC 2 Type II: ideal for vendor risk assessment.
- ISO 27001: certifies the vendor's security management.
- HIPAA: needed if PHI is processed.
- GDPR alignment: DPA available, EU/UK data residency.
Reputable vendors share these under NDA. Smaller vendors may not have them — alternative due diligence (questionnaires, references) may be needed.
Functional fit
- Does it do what your team needs? Sign, encrypt, redact, merge, split.
- Does the UI work for your less technical staff?
- Does it integrate with your existing systems (DMS, email)?
- Does it work on the devices and browsers your team uses?
Functional fit matters as much as security. A secure tool nobody uses doesn't reduce risk.
Pilot and review
Don't decide on paper. Pilot with a small team for 30 days. Track:
- Adoption and friction.
- Support response time.
- Any incidents or quirks.
- Compliance verification (is the tool actually doing what it claims).
Then decide. Renew the assessment annually.
FAQ
How long should vetting take?
A few days of focused effort for a standard tool; longer for regulated industries or large rollouts. Quick wins (browser-based, well-documented) take less time than complex enterprise SaaS.
Who should be involved?
IT/Security, Legal/Compliance, the staff who'll use it. Procurement for contracts. Often a brief committee, not a long process.
Should I require SOC 2?
For most firms above small-business, yes. For micro-firms with no regulated data, alternative due diligence may be acceptable.
What about open-source PDF tools?
Different vetting applies: focus on code quality, maintainer activity and the distribution channel. Desktop open-source removes the vendor data-handling risk; a web-deployed open-source tool doesn't fully, since a server still handles the files.
A short vetting saves long pain. Browser-based tools like Flint simplify most of the assessment.