Own your stack
Vet a Vendor Before You Sign
What a vendor’s website tells you in about five minutes, using a web browser and a few free tools. No coding, no terminal, nothing you have to install. This is all public, all legal, and all things the vendor already shows every visitor.
A sales rep will tell you their product is secure, private, and trusted by everyone. Their website will tell you the truth, if you know where to look. You do not need to be technical. You need a browser, five minutes, and five questions. Run them before the demo, and you will walk into the meeting knowing things the rep was not planning to mention.
One ground rule before you start (spelled out in the box near the bottom): stay on the public side of the door. Everything here is just looking at what the site hands every visitor. None of it involves logging in, guessing passwords, or “testing” anything.
1. Who is the site sending your patrons to?
Most websites quietly load code from other companies, ad networks, analytics firms, data brokers. On a tool that will touch your patrons’ reading records, that matters a lot.
Do this
- Open the vendor’s site in Chrome or Firefox.
- Press F12 (or right-click anywhere → Inspect), and click the Network tab.
- Reload the page. Watch the list fill up, then read the domains in the left column.
Easier version: install uBlock Origin or Privacy Badger (free), visit the site, and click the icon to see what it blocked and who it came from.
Green flag: the page mostly talks to the vendor’s own domain, plus maybe a font or a map.
Red flag: ad networks, marketing trackers, “session recording,” or unfamiliar tracking domains, especially if they fire before you click “accept” on any cookie notice. On a student-data tool, that is a question worth asking out loud.
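For readers who do want a little code: the snippet below is an added example, not part of this guide, that sorts the hosts a page contacted into first-party and third-party, the same reading you do by eye in the Network tab. Paste it into the DevTools console on the vendor’s page and call it with `performance.getEntriesByType('resource').map(e => e.name)`; the hostnames and request list embedded here are constructed samples so it also runs offline.

```javascript
// Added example (not from the guide): sort the hosts a page contacted into first- and
// third-party, the way you would read the Network tab. In a browser DevTools console, call
// classifyRequests(location.href, performance.getEntriesByType('resource').map(e => e.name)).
// The request list below is constructed sample data so the script runs offline.

// Crude registrable-domain guess: last two labels ("cdn.vendor.example" -> "vendor.example").
// Undercounts for suffixes like "co.uk"; fine for a first read, not for a verdict.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Returns { firstParty: [hosts], thirdParty: { host: requestCount } }.
function classifyRequests(pageUrl, requestUrls) {
  const own = siteOf(new URL(pageUrl).hostname);
  const firstParty = new Set();
  const thirdParty = {};
  for (const u of requestUrls) {
    let parsed;
    try { parsed = new URL(u, pageUrl); } catch { continue; }
    if (!/^https?:$/.test(parsed.protocol)) continue; // skip data:, blob: etc.
    if (siteOf(parsed.hostname) === own) firstParty.add(parsed.hostname);
    else thirdParty[parsed.hostname] = (thirdParty[parsed.hostname] || 0) + 1;
  }
  return { firstParty: [...firstParty].sort(), thirdParty };
}

// One observation sentence you can paste into an email, no conclusion attached.
function describe(result) {
  const third = Object.entries(result.thirdParty).map(([h, n]) => `${h} (${n})`);
  return `Page contacted ${result.firstParty.length} first-party host(s) and ` +
    `${third.length} third-party host(s): ${third.join(', ') || 'none'}.`;
}

// Constructed sample: made-up hostnames, not any real vendor.
const SAMPLE_PAGE = 'https://www.vendor.example/';
const SAMPLE_REQUESTS = [
  'https://www.vendor.example/app.js',
  '/images/logo.png',
  'https://cdn.vendor.example/style.css',
  'https://fonts.cdnfont.example/font.woff2',
  'https://pixel.adnet.example/collect?id=1',
  'https://pixel.adnet.example/collect?id=2',
  'https://recorder.session.example/r.js',
  'data:image/gif;base64,R0lGODlh',
];

console.log(describe(classifyRequests(SAMPLE_PAGE, SAMPLE_REQUESTS)));
```

The output only says who was contacted and how often; whether a third-party host is a tracker is still a question to put to the vendor.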
2. Does the security match the promises?
Vendors love to put “ISO 27001,” “SOC 2,” and “GDPR” badges on the page. You can check, in seconds, whether the site itself is actually configured with basic protections, or whether the badges are just pictures.
Do this
- Go to securityheaders.com, paste the vendor’s URL, and read the letter grade.
- Do the same at the Mozilla Observatory (on MDN) for a second opinion.
- For the encryption itself, paste the URL into SSL Labs (ssllabs.com/ssltest).
Green flag: solid grades, and the security claims on the site line up with what the scanners find.
Red flag: a near-failing grade sitting right next to an “ISO 27001 / information security” badge. A company that is genuinely certified hardens its own front door. A mismatch is something to ask them to explain.
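As an added example (mine, not the guide’s or any scanner’s own code), this is the kind of check a “security headers” grade is built on, run against a constructed set of response headers next to the badges the site displays. Which six headers the scanners weigh, and the thresholds used, are my assumptions.

```javascript
// Added example (not from the guide): the kind of check behind a "security headers" grade,
// run on a constructed set of response headers. In a browser console you can get real ones with
//   fetch(location.href).then(r => auditHeaders(Object.fromEntries(r.headers), ['ISO 27001']))
// Which headers the scanners weigh, and how, is my assumption; the six below are the usual set.

// Expected response headers on an HTML page, each with a minimal "is this value meaningful" test.
const EXPECTED_HEADERS = {
  'strict-transport-security': v => Number((v.match(/max-age=(\d+)/i) || [0, 0])[1]) >= 15552000, // ~6 months
  'content-security-policy': v => v.trim().length > 0,
  'x-content-type-options': v => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': v => /^(deny|sameorigin)$/i.test(v.trim()),
  'referrer-policy': v => v.trim().length > 0,
  'permissions-policy': v => v.trim().length > 0,
};

// headers: plain object of name -> value (names compared case-insensitively).
// claimedBadges: compliance badges shown on the site, so the summary can state the mismatch.
function auditHeaders(headers, claimedBadges = []) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const missing = [], weak = [];
  for (const [name, ok] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in lower)) missing.push(name);
    else if (!ok(lower[name])) weak.push(name);
  }
  // Observation only, in the "report what you saw" style.
  let summary = missing.length + weak.length === 0
    ? 'All six expected security headers are present and look sane.'
    : `Missing: ${missing.join(', ') || 'none'}. Weak: ${weak.join(', ') || 'none'}.`;
  if (claimedBadges.length && missing.length + weak.length > 0) {
    summary += ` The site displays badges for: ${claimedBadges.join(', ')}.`;
  }
  return { missing, weak, summary };
}

// Constructed sample: what a poorly hardened front door might send back.
const SAMPLE_RESPONSE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=600',              // present, but far too short
  'X-Frame-Options': 'ALLOW-FROM https://partner.example', // obsolete value browsers ignore
  'X-Content-Type-Options': 'nosniff',
};

console.log(auditHeaders(SAMPLE_RESPONSE_HEADERS, ['ISO 27001', 'SOC 2']).summary);
```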
3. What does the privacy policy actually say?
This is the one most people skip, and it is where the real commitments live, or don’t. You are reading for specifics, not vibes.
Read the privacy policy for
- Whether it names the third parties (subprocessors) it shares data with, or just waves at “trusted partners.”
- Whether your patrons’ data can be used to train AI models. Silence here is its own answer.
- Retention and deletion: how long they keep data, and whether you can get it back or have it erased.
- For schools: whether it speaks to student data, FERPA, and COPPA, and whether they will sign a Data Privacy Agreement (DPA).
Green flag: specific, names its subprocessors, addresses student data directly, and offers a DPA.
Red flag: a generic “we value your privacy” template, no named third parties, and nothing about AI training on a product whose whole pitch is AI.
4. Who owns and funds this, and what is the real pitch?
The page aimed at you is the friendly one. The page aimed at investors is often more honest about what the company is actually building. Read both.
Do this
- ICANN Lookup (lookup.icann.org) or whois.com: how old is the domain, and who registered it? A brand-new domain behind privacy protection, paired with claims of being “trusted by hundreds,” is worth a second look.
- BuiltWith or Wappalyzer: what platform and analytics the site runs on.
- Search the company on its accelerator or funding profile (Y Combinator’s directory, Crunchbase), LinkedIn, and recent press. Then compare that pitch to the one on the marketing site.
Green flag: the story they tell librarians and the story they tell investors are the same story.
Red flag: a warm “we just want to help librarians” site sitting on top of an investor pitch about building a data or “intelligence” platform, with your library as the way in. The gap between the two is the thing to understand before you sign.
5. Do the claims hold up?
Unsourced statistics. “98% of schools don’t have a library system,” that kind of thing. If a number has no source and your professional gut says it is wrong, it probably is.
Anonymous testimonials. “Maria K., School Librarian,” no school, no link. Real references can be named and contacted.
Badges with no certificate. A real ISO or SOC 2 certification has a number and a document. If the badge is just an image that links nowhere, treat it as decoration.
Bonus tell of competence: right-click → View Page Source (Ctrl+U). If the words you see on screen are nowhere in the source, the site is built entirely in JavaScript, which means search engines and AI assistants often can’t read it either. Not a dealbreaker, but it tells you something about how the thing was built.
Stay on the public side of the door
Everything in this guide is reading what a vendor already publishes to every visitor. That is normal, and it is legal. Two lines you do not cross:
Don’t break in. No trying logins, no guessing passwords, no “vulnerability scanners,” no poking at admin or account pages. That stops being careful reading and becomes unauthorized testing, which can get you in trouble. Look at the storefront, not through the back window.
Report what you saw, not a verdict. “The site loads an unlisted third-party tracker and scores an F on security headers” is a fact you can put in an email. “They’re spying on kids” is a conclusion you can’t prove from the curb. Bring the observation to the vendor and ask them to explain it. Often that conversation is the whole point.
The five-minute vendor check
- Trackers: DevTools → Network tab. Who besides the vendor does the page contact? Any trackers firing before consent?
- Security: securityheaders.com grade. Does it match the compliance badges on the site?
- Privacy policy: Names its subprocessors? Says whether patron data trains AI? Offers a DPA? Speaks to FERPA / COPPA?
- Ownership & funding: Domain age (ICANN Lookup). Does the investor pitch match the librarian pitch?
- Claims: Stats sourced? Testimonials named? Certification badges backed by real certificates?
- Boundary check: Did I stay on public pages, and am I reporting observations rather than verdicts?
The tools, at a glance
| Tool | What it tells you | Cost |
|---|---|---|
| Browser DevTools (F12) → Network | Every third party the page contacts | Built in |
| uBlock Origin / Privacy Badger | Trackers, in plain sight | Free |
| securityheaders.com | Web security configuration, graded | Free |
| Mozilla Observatory (MDN) | Second security opinion | Free |
| SSL Labs (ssllabs.com/ssltest) | Encryption grade | Free |
| ICANN Lookup / whois.com | Domain age and registrar | Free |
| BuiltWith / Wappalyzer | Platform and analytics stack | Free |
| Common Sense privacy ratings; Internet Safety Labs | Independent app and ed-tech privacy reviews | Free |
None of this replaces a real security review or a lawyer reading the contract. It is the five minutes that tells you whether you need one, and it gives you specific, checkable questions to bring to the table. You do not have to take the vendor’s word. You never did.
Tools & references
Free, independent tools. securityheaders.com (web security headers, graded); the Mozilla Observatory on MDN; Qualys SSL Labs (TLS); ICANN Lookup (domain registration); BuiltWith and Wappalyzer (tech stack). Browser DevTools is built into Chrome, Firefox, Edge, and Safari; uBlock Origin and Privacy Badger are free extensions.
Privacy reviews you don’t have to run yourself. Common Sense privacy evaluations and Internet Safety Labs publish independent reviews of ed-tech apps. The Markup’s Blacklight scans a site for trackers in plain language (confirm it is still live before relying on it).
For student-data contracts. A signed Data Privacy Agreement, and alignment with FERPA and COPPA, are the baseline for any tool touching minors’ records. The Student Data Privacy Consortium maintains model agreements many districts already use.
This page is a method, not legal advice. It tells you what to look at and what a good or bad answer looks like; the judgment, and the contract, are yours.