The Reverse RFP: Tell Me Why We Should Trust You
Stop buying features. Demand written answers on jurisdiction, subpoenas, privileged access, and a 30-day exit before any demo begins.
The Day the Demo Was Cancelled—By Design
The diplomatic incident was a calendar invite titled “Product Demo (Exciting!)”.
The vendor arrived with a slide deck, a rehearsed narrative, and a quiet expectation: we would be impressed, then negotiate details later. Our team had seen this play before. Features first. Trust last. Exit never.
We opened with a different ritual.
“We will not attend a demo today,” we said, politely. “Not until we understand jurisdiction, disclosure obligations, privileged access, and the exit timeline in writing.”
The room stiffened. The vendor tried to recover: “We’re compliant. We’re encrypted. We have many municipal customers.”
We replied: “Compliance badges are not treaties. We cannot outsource trust. We serve the Citizen.”
This is the core problem with modern procurement: it is optimized for shopping, not sovereignty. We are asked to compare feature lists while quietly accepting that our data may be governed elsewhere, accessed by unknown parties, and trapped behind proprietary export formats.
We ended the meeting with a single document: the Reverse RFP.
The Trap: Procurement that asks for features and price first, and governance last.
The Exit Strategy: A trust-first questionnaire that forces the vendor to declare—on paper—what power they hold over us.
Why Feature-First Procurement Fails Municipalities
A municipality is not a startup. We cannot “move fast and fix later” when “later” involves child welfare records, disability services, protected addresses, and public trust.
Feature-first procurement fails because it:
- Rewards theater. Demos are designed to dazzle. Risk rarely demos well.
- Defers the hard questions. Jurisdiction and exit are postponed until after emotional commitment.
- Creates sunk-cost surrender. After months of evaluation, teams accept unacceptable terms to avoid starting over.
- Produces fragile accountability. When auditors ask “why this vendor,” we answer with features—while the risk lived in the contract.
This is unacceptable to the municipality. If we cannot explain our sovereignty posture to the public, we have not done our job.
The Trap: Vague assurances become binding reality the day we sign.
The Reverse RFP: The Questions That Matter
The Reverse RFP is not long. It is sharp. It is designed to be answered in writing by someone who can be held accountable: legal, security, and operations.
Below is a practical template we can use immediately.
Reverse RFP Template (Trust-First)
A. Jurisdiction and Governing Law
- Identify the contracting entity and all processing entities (parent/subsidiaries).
- List governing law and dispute venue.
- Confirm whether the provider or any subprocessors are subject to the US CLOUD Act or equivalent foreign compelled-access regimes.
- Provide a complete list of subprocessors and their jurisdictions.
B. Technical Power: Access and Key Custody
- Who can access Citizen data content, and under what conditions?
- Describe privileged access pathways (support, incident response, maintenance).
- Who holds encryption keys? Can the provider rotate, escrow, or recover keys without municipal approval?
- Provide audit log details: immutability, retention, and export format.
C. Legal Demands and Disclosure
- Describe how legal demands are handled and who evaluates them.
- Commit to notify the municipality of demands unless legally prohibited.
- Commit to challenge overbroad demands where allowed.
- Provide transparency reporting practices.
D. Data Movement and Telemetry
- Describe all data flows, including logs, analytics, and diagnostics.
- Identify any processing on foreign infrastructure, including support tooling.
- State the default telemetry settings for municipal tenants (on/off). If telemetry is optional, describe how we disable it.
E. Incident Practice
- Incident response timelines, communications, and post-incident reporting.
- Forensic support boundaries: who accesses what, and where are they located?
- Evidence handling and chain of custody expectations.
F. Exit Terms (Non-Negotiable)
- Export within 30 days, including content, metadata, and audit logs.
- Open formats. Documented APIs. No proprietary “trade embargo” formats.
- No excessive fees to retrieve our records. No professional services ransom.
- Data deletion commitments and verification after exit.
We do not need the vendor to be perfect. We need them to be legible.
The Exit Strategy: If a vendor cannot answer these questions clearly, they are not ready to hold municipal power.
How We Use the Reverse RFP in Practice
We run procurement in three gates:
- Gate 1: Written Trust Test (Reverse RFP)
  - Pass/fail on jurisdictional clarity, access boundaries, and exit feasibility.
- Gate 2: Technical Validation
  - Only after sovereignty terms are acceptable do we evaluate functionality.
- Gate 3: Contract as Treaty
  - Every answer becomes a clause, an annex, or a binding exhibit.
This approach changes the incentives. Vendors stop selling dreams and start declaring terms. That is the point.
What We Accept—and What We Do Not
We can accept compromise on user interface, reporting polish, and roadmap ambitions. We cannot compromise on borders.
We cannot negotiate on:
- Unknown subprocessors.
- Unbounded privileged access.
- Hidden telemetry.
- Exports that require proprietary tooling.
- Exit timelines that depend on vendor goodwill.
If the city cannot extract its records in open formats, we do not own the records. We are renting them.
[Illustration: a two-lane funnel. Left lane: “Feature Demo → Emotional Buy-In → Contract Surrender.” Right lane: “Reverse RFP → Sovereign Terms → Demo → Contract Treaty,” with a border checkpoint icon at the Reverse RFP gate.]
The Sovereign Decision
At the end of the week, two vendors refused to complete the Reverse RFP. One provided partial answers and asked to “discuss live.” One answered fully, including an explicit exit plan and clear jurisdictional statements.
We selected the vendor that could be held to paper.
This is not hostility. It is governance.
The Citizen does not need us to be impressed. The Citizen needs us to be sovereign.
FAQs
What is a Reverse RFP?
A short, written trust test we require before demos: jurisdiction, access, legal compulsion, incident practice, and exit.
Will vendors refuse to answer?
Some will. That is valuable information. A vendor unwilling to state terms clearly is not a partner for a municipality.
How does this help audits and leadership?
It creates a documented rationale: we selected the vendor that accepted sovereign terms, not the one with the loudest demo.