Procurement invents a rule you can't clear on paper.
You are through technical. Legal is drafting. Then procurement circulates a new requirement. A US entity, a domestic MSA, SOC 2, a $2M E&O policy. It looks like a shakedown. It is actually a risk officer building the memo they would have to write if this failed.
You cleared technical review. The engineering lead confirmed in writing that they are comfortable with your team. Legal is drafting the MSA. You are, by any reasonable read, one signature away. Then procurement forwards a new document with new requirements. A US-registered entity as the contracting party. An MSA governed by Delaware or New York law and signed by an officer physically in the US. SOC 2 Type II. A $2M E&O policy underwritten by a carrier in-country. A named US-based day-to-day contact. A data residency clause you cannot honestly meet.
The first read is that procurement is trying to kill the deal. Maybe there is a preferred vendor upstream. Maybe someone got a phone call. You go back to the champion, who is as surprised as you are. They push back internally and get told: these are standard requirements. You look them up and find they are not, in fact, standard. They are procurement's requirements for this deal.
This is not a shakedown. It is a memo.
The person on the procurement side is not trying to extort you. They are a risk officer whose job is defined by post-mortems. If the vendor ships and everything goes well, no one thanks them. If the vendor fails and there is a review, every requirement they did not put in the contract becomes a line in the executive summary of what went wrong. So they add every requirement they can find, and then some, because the marginal cost of adding one is zero and the marginal cost of missing one is their job.
The requirements are not a negotiating position. They are the answer to a question they were asked upstream: "What are we doing to make sure this offshore vendor does not blow up on us?" Every bullet in that email is a sentence they can copy-paste into a memo six months from now.
Which means the requirements will not go away because you argued them. They will go away only if the risk officer gets something else they can put in the memo instead. Something that sounds like it addresses the underlying concern without requiring you to spin up a Delaware LLC in two weeks.
What the champion needs from you
Your champion cannot win this fight on your behalf. They can hand procurement a substitute. Something that reads, to a risk officer, like "we did diligence, we have recourse, we have a named US party, we can point to a policy." That substitute has to exist before the fight starts. If you build it during the fight, procurement reads it as improvised and rejects it.
What works, in our experience: an independent audit report scored against a published rubric. A live verification page the buyer's team can visit and screenshot. A named US-based accountability contact (not a salesperson, an operations counterpart) with a response SLA in writing. A revocation policy the buyer can read and understand. None of that requires you to become a US company. All of it produces paper the risk officer can put in front of their boss.
It does not clear every list. It clears the specific concern the list was written to address. In practice that is usually enough, because the list was a proxy for the concern, not the concern itself.
When the list is real
Sometimes the list is not a proxy. Regulated industries (healthcare, financial services with certain data types, government-adjacent work) actually do require SOC 2, actually do require the contracting entity to be domestic, and will not budge. If you are selling into those industries as a small offshore agency, you are not losing to trust. You are losing to a regulatory floor you have not cleared. A different problem. A badge does not solve it. Investing in the certifications, or partnering with a US shop that carries them, is the honest answer.
For everyone else (most mid-market SaaS, most services, most B2B software), the list is a proxy. The substitute works.
- 01Procurement's new requirements are the memo they would have to write if this failed. Every bullet is defensive.
- 02You cannot argue the list away. You can only give the risk officer something better to put in the memo.
- 03A scored audit, a public verification page, a named US contact, and a revocation policy are that something better.
- 04In regulated industries the list is real, not a proxy. A badge does not clear it. Invest in the actual certification or partner up.
The rubric is the fastest way to fix what killed the last deal.
Five pillars, published weights, and the specific evidence that moves each score. Buyers respect the paper trail more than they respect the promise.