Procurement, pricing, and contracting

TL;DR 👇🏼
  1. DAP pricing typically has two axes: tracked users and plan, with annual commitments offering lower costs. Pricing ranges from a few thousand dollars to seven figures per year.

  2. Familiarize yourself with closing documents like Pricing Proposals, Master Services Agreements (MSA), and Data Processing Addendums (DPA). These outline financial terms, legal obligations, and data handling policies crucial for procurement. See ours here.

  3. Assess vendors for SOC 2 compliance, GDPR/CCPA adherence, and their security practices. Clear understanding of these aspects mitigates risks associated with data handling and security breaches.

Once you’ve decided on your preferred product, you can move forward with some key remaining pieces. If you start developing confidence in your decision early, you may even be able to start this in parallel during the trial. 

We’ve laid this section out with questions that uncover some aspects of the final stages that can sometimes be opaque or inconsistent. We’d welcome some comments or questions to better understand your needs so we can develop and improve this guide!

How much should I expect to pay?

Most DAP vendors charge based on “Monthly Tracked Users” (MTUs) which are the total unique individuals (profiles) that are sent to the DAP vendor in the prior month. You can assess this from your existing analytics tools or ask your engineering team to provide you with an estimate. You’ll also want to factor in a realistic growth projection over the subsequent year; this can be hard to predict but we encourage you to be realistic and maybe use the prior year’s growth as the baseline. 

When signing up for an annual commitment, you’ll likely have to purchase a bucket of MTUs (i.e., prepay for the amount you expect during the contract period) and then have the option to post-pay if you exceed that MTU amount.

Naturally, cost per MTU is lower if you pre-pay vs. post-pay (because secured revenue is more valuable to any SaaS company), but you can also often renegotiate a contract mid-way to expand the MTUs included if it does seem like you underestimated in the beginning. 

Beyond this, the other axis for pricing is the “Plan” you intend to choose, with self-serve starter plans beginning in the low hundreds of dollars per month (at low MTUs) and going to six or seven figures per year at the “Enterprise” level (for high MTUs). 

Of course, pricing does vary quite significantly based on the DAP vendor: smaller, younger vendors such as Product Fruits or fully self-serve vendors like Userflow may charge ~$10k / year whereas more enterprisey vendors like Pendo or premium vendors like Chameleon may charge 2-5x that amount.

You can get an estimate of the potential pricing from most DAP vendor websites although note that this is for the core license fee and there may be additional add-ons that you should enquire about, including:

  • Premium integrations
  • Customer Success packages
  • SSO 
  • Onboarding/setup one-time costs

If proceeding via a self-serve route you typically won’t have much scope for negotiating or adjusting the listed prices, but it can be worth an ask. 

If you are in the sales process for a higher plan and expect to pay in the tens of thousands of dollars, you will likely have some room to negotiate. Vendors have different policies on this; some may start from high list prices and discount substantially, while others may provide negligible reductions. However, in all cases, there should be some room to maneuver, especially if you have a fixed budget and would opt for a different solution if your preferred vendor isn’t able to meet your price. 

It’s also worth considering that vendors are typically more motivated if you can move quickly (e.g. commit to a signature date in the near term or before the month/quarter end) and/or if you’re willing to agree to marketing incentives (such as case studies, video testimonials, etc.).

Payment terms can also be negotiated. While some vendors may be strict about paying the full annual amount up front, others may be willing to invoice you on a semi-annual, quarterly, or even monthly basis. 

Most vendors require payment via ACH due to the fees associated with credit card payments, but you can also enquire about this; if you can pay via credit card, you can benefit from associated spending perks. 

We’ve also been seeing the evolution of procurement-as-a-service companies, such as Vendr and Tropic, that negotiate prices with all vendors. From our experience working with them (on the vendor side), they can be variable. In some cases, they stick to a basic script that doesn’t really facilitate a realistic solution and ultimately fall back to the business to make a decision. In other cases, they’ve been smooth and fair to work with, and this has facilitated a good outcome for all involved. 

What are the essential documents to be familiar with?

Pricing proposal/order form

The full details of the price being offered will be shared with you via an “order form” that lists the key items and relevant payment terms etc. This is typically the document that you will sign. 

Here’s the full order form Chameleon uses, so you can see what one looks like.

MSA (Master Services Agreement)/Terms & Conditions

This document captures the usage terms and is something your legal team may want to review. Some key terms that are sometimes discussed/negotiated include: 

  • Implications of material breach in the contract/service levels (what happens when something goes drastically wrong)

  • Renewal terms (e.g. auto-renew or not; auto-renew has the benefits of giving you the pre-agreed or existing terms again in subsequent years, but means you may end up renewing if you forget to proactively cancel within the notice period)

  • Termination terms (on what grounds can you cancel; and are you owed any refunds)

  • Insurance coverage (what types of insurance must the vendor have and for what amounts)

  • Jurisdiction (in some cases international customers want to change this)

  • Taxes (who may be liable for any taxes and fees)

  • Logo usage (or other permissions to use your name, data, etc.)

Redlining (i.e. making adjustments) can be expensive for both you and the vendor, so you may face some restrictions based on the size of the contract; for example, the vendor may not accept any changes to their standard terms/MSA for contracts lower than a specific price point (e.g. $24k per year). 

If you require your legal team to review and they expect to redline the terms, it’s worth starting that process as soon as you have identified your product of choice. 

Use Chameleon's MSA example so you know what to expect.

Data Processing Addendum (DPA)

Any customer in the EU working with a vendor that holds its data in the US must sign a DPA to allow the legal transfer of this data. The DPA identifies the data processor and the data controller and places legal requirements on each accordingly. It should also lay out the critical security and privacy practices that the vendor will abide by. 

Most companies are willing to review the vendor’s standard DPA as this most accurately reflects their practices, but your legal / infosec team may want to redline this. Sometimes, the prospect requires the vendor to start from their template, and the vendor will redline that DPA to reflect what they can commit to. 

Here is the DPA that Chameleon uses. 

How should I assess the security posture?

Security and data privacy are critically important when considering a DAP. The DAP will access your application and user data, which adds to your risk of data breaches or unintended leakage. Every customer is naturally concerned about this, and most DAP vendors establish strong security practices to minimize risk and build trust and credibility. 

Ultimately, the level of security that a vendor provides represents a risk, and it’s a business decision whether this risk is within an acceptable threshold relative to the potential value. 

Here are some aspects to review and consider when assessing the security posture of any vendor: 

SOC 2 compliance

SOC 2 is the standard for establishing credibility and trust in a company’s processes and practices. However, there are a few key points to understand:

  • SOC 2 is not a certification but an audit. The audit tests compliance against a set of defined controls, and the final report indicates whether there were any gaps (“exceptions”) along with justifications/explanations for these. Therefore, seeing a SOC 2 compliance badge on a website isn’t sufficient; you should ask for and review the most recent audit report.

  • There are two types of SOC 2 audits: Type 1 is a “point-in-time” audit that checks whether the controls were in place and followed at a single point in time; Type 2 is a “period-of-time” audit, meaning the checks are conducted over months to assess continued compliance. Check whether a vendor has Type 1 or Type 2 compliance (the latter is much more robust and rigorous, and harder to pass).

  • SOC 2 audits need to be conducted regularly (annually) so you can check when the last audit was completed and when the next audit is scheduled. 

  • You may be required to sign an NDA before you gain access to a SOC 2 report, because it can contain confidential and sensitive information about the vendor's systems and processes.

Learn Chameleon’s compliance here. 

GDPR / CCPA compliance

The EU General Data Protection Regulation (GDPR) and similar legal frameworks (e.g., CCPA as adopted in California) require data processors to offer additional protections, such as honoring the right to be forgotten (i.e., deleting all associated data) and setting clear data retention policies. 

Most vendors will claim GDPR compliance (required to serve most customers) but because there is no certification or precise definition of compliance, this can be hazy to evaluate and hard to keep in check. If you have access to an infosec or security team they may want to dig into the documentation provided by the vendor on their compliance. 

A proxy for this is to assess which larger EU-based customers the vendor already works with, as they likely would have invested more resources into assessing and confirming compliance. 

Learn more about this and Chameleon’s compliance here. 

Security questionnaires

In some cases, customers may request that a vendor provide responses to a set of security questions via a custom security questionnaire to better understand their infrastructure and practices. 

Vendors will typically complete this, but it may be restricted to larger contract sizes, as it does add cost. These questionnaires serve mostly as information-gathering, because the responses can be hard to validate independently. 

Some vendors support this via standard or open-source questionnaire tooling (such as VSAQ or TrustArc). It may also be possible to connect your security team directly with the relevant security folks at the vendor to have questions answered first-hand. 

Key policies

Your legal team may care about policies that the DAP vendor abides by, including:

  • Data retention
  • Data protection
  • Incident response
  • Risk assessment
  • Vulnerability assessment

Most of these are reviewed as part of SOC 2 compliance, so you may not need to investigate these separately, but you can ask a vendor for their policies if you require. 

Tests and monitoring

DAP vendors may also provide more details about their infrastructure, tooling, etc., in a security overview document/site/article that you can review and pass to your security or engineering team. 

You can also ask about other assessments or practices, such as penetration tests, vulnerability scanning, bug bounty/vulnerability disclosure programs, and continual compliance monitoring, which all help demonstrate the depth, robustness, and importance that a vendor places on its security program.

What happens after signature?

Once you’ve completed all the documentation and procurement processes and signed the order form, pat yourself on the back—now the real fun begins! 🎉

You have completed your evaluation and buying journey, and now embark on the longer journey of creating an efficient, user-friendly experience that delivers impact for your end-users, product, and company. 

You’ll likely have a “kick-off” session with the Customer Success team (if you are on a plan that supports this) to help ensure you can go live. Luckily, if you’ve followed this document and invested time in the product during the POC phase, you’ll already be many steps ahead, and starting to use the DAP will only be an incremental step.

Over time you should expect to continue deepening your knowledge and practices on how to drive better user engagement through dynamic, contextual, and personalized in-app user experiences, and we’ll offer more advice on this topic in a future edition of this guide. 

In the meantime, there are many more resources on how to be successful below. We’d be interested in your questions or any gaps you’ve found in this guide so we can continue to improve it and help educate the broader community on how to successfully assess, select, and succeed with the best DAP product for their needs!