What This Guide Covers
-
- Who will actually be building your product — not just pitching it
- Time zones, overlap hours, and what happens when something breaks urgently
- IP ownership, NDA timing, and UK GDPR obligations across borders
- How to handle scope changes when your team is 3,000 miles away
- UK sector compliance: FCA, NHS, IR35, and data residency
- Commercial structure, milestone payments, and exit terms
You’ve made the decision to outsource. Good. Now comes the part most people rush: the conversation before the contract.
Most UK businesses walk into vendor discovery calls with three questions — how much, how long, and have you done this before? They leave with a quote, a portfolio link, and a handshake. Three months later, they’re dealing with a timeline that’s slipped, a codebase they don’t fully own, and a team they’ve never actually met.
The questions that actually protect you aren’t about price or portfolio. They’re the ones specific to outsourcing itself — about what happens when your team is in London and the developers are in another time zone, another legal jurisdiction, another regulatory world.
This guide is specifically about the questions that only matter because you’re outsourcing: the ones about geography, governance, legal protection, UK compliance, and what happens when something goes wrong from 3,000 miles away.
According to the Deloitte Global Outsourcing Survey 2024, 80% of executives plan to maintain or increase their outsourcing investment — yet Gitnux’s analysis of outsourcing statistics puts communication problems as the top challenge, affecting 42% of clients. The gap between intention and outcome almost always traces back to conversations that didn’t happen before work started.
First, a quick sense check: are you actually ready to outsource?
Before you speak to a single vendor, ask yourself these four questions honestly.
-
- Do you have a clear problem statement — not just a list of features you want, but a defined outcome the software needs to deliver?
- Do you have someone internally who can own the relationship, make decisions within 24 hours, and attend sprint reviews?
- Do you have at least a rough idea of budget and timeline, even if they’re likely to shift?
- Are you genuinely ready to share enough context for a team to build something meaningful?
If the answer to any of these is no, the problem isn’t finding the right vendor — it’s that you’re not ready for the vendor conversation yet. A project discovery and scoping phase can help you get there before you start approaching outsourcing partners, and it’ll save you a significant amount of time and money compared to finding out mid-build that the brief was unclear.
None of this needs to be perfect. But walking into outsourcing conversations without these things puts you at a real disadvantage — and the vendor’s quote will reflect the ambiguity, usually in ways you won’t notice until it’s too late.
The questions nobody warns you to ask
Section 1: Who you’ll actually be working with
This sounds like basic vendor due diligence, but the outsourcing context adds a specific wrinkle: the team presenting to you is almost never the team building your product.
Ask: Can I meet the specific developers, QA engineers, and project manager who will work on my project — not the team that will pitch to me?
This is the single question most UK businesses forget to ask. You are entitled to meet the actual people before you sign. A serious outsourcing partner will arrange this without hesitation. If there’s resistance, or if you’re told “we’ll assign the team after contract signature,” that’s meaningful information.
Ask: How do you handle it if a key developer leaves mid-project?
Developer attrition in outsourcing is real. According to Gitnux, quality issues in outsourced code lead to 27% average rework rates — and a significant proportion of those quality drops happen when team continuity breaks. Ask specifically: what’s the handover protocol? How quickly can a replacement be allocated? How is context transferred so your project doesn’t stall for two weeks while a new developer reads through existing code?
Ask: Will any of this work be subcontracted to parties outside your company?
Some outsourcing agencies subcontract work to freelancers or other agencies without disclosing it. This affects quality control, IP risk, and accountability. You need a straight answer — and you need it in writing in the contract.
Section 2: The geography gap — time zones, overlap hours, and what happens when things go wrong
This is the section most blogs gloss over with “time zone differences can be managed with the right processes.” That’s true, but it’s not helpful. What you need to know is specifically how this particular vendor manages it.
Ask: What are your team’s actual working hours, and how many hours per day will overlap with UK business hours?
Don’t accept a vague answer about “flexible hours” or “we accommodate UK clients.” Ask for the specific overlap window in hours. A team based in India (IST) has roughly 3–4 hours of overlap with UK business hours in a normal working day. Eastern Europe gives you 6–8 hours. The overlap window determines how quickly you can get a decision made, a bug resolved, or a misunderstanding corrected.
Ask: If something critical breaks at 4pm on a Friday UK time, what happens?
This is a real scenario. Ask it directly. Who is contactable? What’s the response protocol? Is there an on-call arrangement, and is it included in the engagement cost or billed separately? The answer will tell you a lot about how the vendor thinks about client relationships, not just delivery.
Gitnux’s research found that time zone differences cause significant delays in 60% of offshore projects. The difference between the 40% that manage it well and the 60% that don’t isn’t geography — it’s process. Ask to see theirs.
Ask: What does your async communication protocol look like on days when there’s no live overlap?
You’ll have days — around UK bank holidays, or during periods when your contact is travelling — where real-time communication isn’t possible. What’s the written handoff process? How are blockers documented and escalated? How quickly are async messages acknowledged? A vendor who says “just ping us on Slack” doesn’t have a process. A vendor who walks you through their async sprint documentation protocol does.
Section 3: IP, legal protection, and the contract clauses that actually matter
This section matters more for outsourcing than for any other development model, because the legal landscape gets genuinely complex the moment intellectual property crosses international borders.
Ask: Where will the code be written, stored, and hosted during development — and which country’s law governs our contract?
This is a question most people don’t know to ask. If a developer in India writes code, and that code is stored on servers in Germany, and the contract is governed by English law — who owns what, and what are your remedies if something goes wrong? A reputable outsourcing partner will have a clear, simple answer to this. If they don’t, it signals that IP and jurisdiction haven’t been thought through rigorously.
Ask: Will you confirm in writing that all code, designs, documentation, and architecture decisions transfer to us on final payment — with no retained rights?
Full IP transfer needs to be explicit in the contract, not implied. The word “full” matters. Some vendors retain rights to code libraries, reusable components, or frameworks they’ve developed — which is sometimes legitimate, but you need to understand exactly what you’re licensing versus owning outright. Our guide on how to protect your IP when working with a development agency covers the specific contract clauses to look for, and it’s worth reading before you enter any negotiation.
Ask: Will you sign an NDA before we share our technical specifications or business logic?
This should happen before the detailed discovery conversation, not after you’ve already shared everything. Any serious outsourcing partner will sign without hesitation. Reluctance is a red flag.
Ask: How do you handle data protection obligations for UK user data processed by your team?
Under UK GDPR, your outsourcing partner is a data processor the moment they handle, store, or access personal data belonging to your users — even if they’re based outside the UK. They need to sign a Data Processing Agreement that meets ICO standards. Ask whether they’ve done this before, what their data handling procedures are, and whether they hold ISO/IEC 27001 certification. The Data (Use and Access) Act 2025 updated the ICO’s Transfer Risk Assessment process in early 2026 — any vendor handling UK personal data should be aware of this.
Why It Matters Specifically in Outsourcing
Section 4: How scope changes actually work across borders
Scope changes are normal in any software project. But in outsourcing, they carry specific risks that don’t exist in the same way when your team is down the corridor.
Gitnux’s data puts scope creep as a factor in 35% of outsourcing projects, with budget overruns of 20–30% as a result. The reason scope creep is harder to manage in outsourcing isn’t that vendors are less disciplined — it’s that the feedback loop is slower, the change conversations happen in writing rather than in person, and the cost implications take longer to surface.
Ask: Walk me through exactly what happens when I want to change something mid-sprint.
You want specifics. Who do you contact? How is the scope change documented? How is the cost and timeline impact assessed? How long does approval take? Who needs to sign off on both sides? A vendor with a mature change control process will be able to walk you through this in under two minutes. One without a formal process will use words like “we’re flexible” and “we’ll figure it out.”
Flexibility without process is how outsourcing budgets double. Understanding how scope creep gets managed in outsourced software projects before you start gives you a much stronger footing in these conversations.
Ask: What’s your process for a sprint where delivery falls short of what was planned?
Every outsourced project has at least one sprint that doesn’t deliver what was expected. How the vendor handles that moment is more revealing than anything in their sales materials. Do they tell you immediately? Do they try to catch up quietly in the following sprint? Do they adjust the timeline, or absorb the shortfall? Ask for a real example.
Section 5: UK-specific compliance and regulatory questions
This section is almost entirely absent from generic outsourcing checklists, and it’s where UK businesses most commonly get caught out.
Ask: Are you familiar with the UK regulatory requirements that apply to our product?
This is not a question to ask once and move on. Different sectors have fundamentally different compliance requirements:
-
- Fintech: FCA authorisation implications, Consumer Duty obligations, Open Banking standards, PSD2
- Health tech: NHS Digital standards, CQC requirements, DTAC (Digital Technology Assessment Criteria)
- Public sector / government: NCSC guidelines, accessibility standards (WCAG 2.2), GDS principles
- Any product handling personal data: UK GDPR, ICO compliance, data residency requirements
A vendor who has never worked in your sector will learn about these constraints on your project’s timeline and budget. One who has worked in your sector already knows them. The distinction is significant.
Ask: How do you handle IR35 if you’re placing individual contractors within our organisation rather than delivering a managed project?
If the engagement structure means individual developers are working under your direction rather than the vendor managing delivery, IR35 may apply — and the liability sits with you as the client, not the vendor. Get this clarified before the commercial structure is set.
Ask: Can you provide references from UK clients who have worked with you on a similar type of project in a similar regulatory context?
UK businesses have specific expectations around communication style, governance, and contractual norms. A reference from a US or European client is useful; a reference from a UK company in a comparable industry is genuinely valuable. The working relationship will feel different — ask to speak directly with someone who can speak to that.
Section 6: What the commercial structure actually means for you
Most outsourcing pricing conversations focus on the headline rate. The conversations that actually matter are about the structure around the rate.
Ask: How do you structure payment, and what specifically triggers each milestone?
Milestone payments tied to working, demonstrable software protect you far more than time-based invoicing. Ask what specifically counts as a milestone — is it a working demo? Passing a defined test suite? Client sign-off on sprint review? Vague milestones (“completion of phase 2”) are effectively time-based billing with extra steps.
For a clear breakdown of how different pricing models actually work in practice, Emvigo’s guide to software outsourcing pricing models is worth reading before these conversations, so you know what to push back on.
Ask: What does exit look like if this engagement isn’t working?
Ask this early, when the relationship is positive and both sides are motivated to be reasonable. What’s the notice period? What does code handover look like? Will documentation be complete and usable? How are in-progress sprints handled? A vendor who welcomes this question is one you can trust with the exit if it ever comes to it.
Ask: What’s included in your post-launch support, and how long does it last?
This is where a significant number of hidden costs in outsourced software projects appear. Get specific: is there a bug-fix warranty period? What’s the SLA for critical issues? Is ongoing support billed at hourly rate from day one, or is there a structured support arrangement? A project doesn’t end at go-live — plan for what comes after it.
The questions that tell you the most about a vendor
After 29 specific questions, here are the three that consistently reveal the most about whether an outsourcing vendor will actually work for you:
“Tell me about a project that went wrong and what you did about it.”
Every serious vendor has had a project hit significant problems. What you’re listening for isn’t the absence of problems — it’s honesty about what happened, clarity about what they did, and ownership of their role in it. Vendors who can’t answer this question, or who describe every past project as a success, are telling you something important.
“Can I speak to a UK client you’ve worked with in the last 12 months?”
References are non-negotiable. Specifically UK references from recent projects are more useful than a global portfolio from three years ago. Call the reference and ask one question: “Did they flag problems early, or did you usually find out about them late?”
“What do you need from us to make this engagement successful?”
The answer reveals how a vendor thinks about the relationship. Vendors who say “just a clear brief and quick decisions” are being honest and practical. Vendors who give a non-answer, or who say “just leave it to us,” are telling you their preferred engagement model — one where the client is minimally involved, which almost always leads to a product that doesn’t quite fit.
Frequently Asked Questions
What makes outsourcing questions different from questions you’d ask any software company?
When you hire a development company to work alongside your team, most risks are manageable face-to-face. When you outsource across borders, a whole category of additional questions comes into play: which country’s law governs the contract, how UK GDPR applies when data is processed overseas, how time zone gaps are bridged when something urgent happens, and how intellectual property is protected across jurisdictions. These are questions that don’t come up with a UK-based agency — and they’re the ones most people forget to ask until they’ve already signed.
How does UK GDPR apply when I outsource to a team outside the UK?
If your outsourcing partner handles, stores, or accesses personal data belonging to your UK users — which includes basic user account data, not just sensitive categories — they become a data processor under UK GDPR. You remain the data controller and carry the compliance responsibility. In practice, this means your contract must include a Data Processing Agreement that meets ICO standards, and you should understand where that data is stored and processed. Following the Data (Use and Access) Act 2025, the ICO updated its Transfer Risk Assessment process in early 2026, which affects any cross-border data transfers involving UK personal data.
What should I look for in an outsourcing partner’s experience with UK regulatory requirements?
The most useful evidence is sector-specific case studies with named UK clients and measurable outcomes. Ask specifically whether they’ve worked with FCA-regulated businesses (if you’re in fintech), NHS or CQC-regulated environments (if you’re in health tech), or GDS-compliant public sector work (if your product touches government users). Regulatory familiarity isn’t something a vendor can fake convincingly for long — ask specific questions and listen to how fluently they answer.
How should I handle time zone differences with an offshore development team?
The most important thing is to define the overlap window precisely and build your communication structure around it. Agree on a specific window each day when real-time communication is possible, and agree on a documented async protocol for everything outside that window — how blockers are raised, how long acknowledgement takes, how handoffs are structured between the end of one team’s day and the start of the other’s. The teams that manage time zone gaps well don’t do it through goodwill — they do it through written process.
Is it normal to ask to meet the actual development team before signing?
Completely normal, and you should insist on it. You’re entering a relationship where that team will have access to your codebase, your user data, and potentially your business logic. Meeting the specific developers, QA engineers, and project manager assigned to your project — not just the sales team — is basic due diligence. Any vendor that’s reluctant to arrange this before contract signature is worth treating with caution.
What’s a reasonable notice period in an outsourcing contract?
For most engagements, 30 days is standard. What matters as much as the notice period is what the exit looks like: whether all code and documentation are handed over in a usable state, whether in-progress sprints are completed or credited, and whether there’s a structured transition support period. Negotiate exit terms while the relationship is positive — it’s much harder to do once it’s already broken down.
