Skip to content
Vetting rubric · v1.2 · Effective 1 April 2026

What an agency had to prove to carry the Prevouched mark.

The full, published specification. Five pillars, weighted criteria, evidence requirements, tier floors, and the conditions under which the mark is suspended or revoked. Written so a buyer can inspect a specific team, and so an applicant knows exactly what will be scored.

How to read this page
If you are a buyer

You landed here from a badge or the directory.

This page tells you exactly what an agency had to prove to carry a Prevouched mark, and the events that will strip that mark. The five pillars each cover a way offshore engagements typically fail. The tier floors below show the minimum score required for Verified, Backed, and Managed.

If you are an agency

Read this before you apply.

Every criterion lists what we look at, the evidence you will need to produce, the bar you must clear, and the patterns that count against you. If most items describe how your team already works, the application will be quick. If not, the rubric itself is the gap analysis.

Shorthand used throughout: is the five-level scoring scale. is the weighted total across pillars, scored 0–100. is the minimum a pillar or composite must reach for a given tier. Hover, tap, or focus any dotted term for a plain-English definition.

Glossary

Terms used on this page.

Every dotted term below is also hoverable inline throughout the rubric. Written for readers who have never worked with a vetting scorecard before.

Disqualifying evidence on a single criterion.
Present but not sufficient. Must be fixed before the mark can issue.
The published minimum. Evidence is present and a reviewer can verify it.
Clearly above the bar on substance, consistency, and how recent the evidence is.
Best-in-class against the reference examples the reviewer panel scores from.
The minimum evidence a criterion must show to score L2 (Meets bar).
The weighted total score across all five pillars, on a 0–100 scale.
The minimum scores required to issue a given tier.
A single L0 score anywhere. Blocks the mark at every tier.
The share a pillar contributes to the composite. All five weights sum to 100%.
The share a criterion contributes to its pillar score. Criterion weights inside one pillar sum to 100%.
Reference examples reviewers score against so scores mean the same thing across teams.
A fresh review of the pillars affected by a change or complaint.
The annual confirmation that the evidence on file is still current.
The mark is not currently valid. Verification page shows Suspended until re-vetting concludes.
Re-attestation window closed without a submission. Directory listing is demoted.
The mark has been withdrawn. The agency may re-apply after a 90-day cooling-off period.
Scoring scale

Five levels. One descriptor each.

Every criterion in every pillar is graded on the same five-level scale. Reviewers anchor each score to the descriptor and a reference example from the calibration set.

L0
Fail
Disqualifying evidence. The mark cannot be issued at any tier, regardless of the overall score.
L1
Below bar
Below the pillar's minimum bar. The team must fix the gap before we can issue the mark.
L2
Meets bar
Meets the published bar. The evidence is present and a reviewer can verify it.
L3
Strong
Clearly above the bar on substance, consistency, and how recent the evidence is.
L4
Exemplary
Best-in-class against the reference examples the reviewer panel scores from.

Critical-failure rule · Any criterion graded L0 blocks issuance at every tier.

Composite & tier floors

Pillar scores roll up. Tiers gate the mark.

Each pillar score is the weighted average of its criteria, normalized to 0–100. The composite is the weighted sum across pillars. Tier floors are published; the underlying calibration keys stay internal.

Tier
Verified
70composite ≥
What a buyer gets

For the buyer: the team met every pillar's minimum bar under reviewer inspection. Evidence is on file. Runs on the agency's own delivery process.

Floor

All pillars ≥ 60. No criterion below level 2.

Tier
Backed
82composite ≥
What a buyer gets

For the buyer: a named US-based Prevouched liaison joins your weekly call, reads the same updates you do, and is the escalation contact when something is off.

Floor

All pillars ≥ 70. Past-work and References pillars ≥ 80.

Tier
Managed
90composite ≥
What a buyer gets

For the buyer: Prevouched is inside the contract on the specific engagement, with defined obligations. Reserved for opt-in projects that pass legal review.

Floor

All pillars ≥ 80. Security pillar ≥ 85. Legal review gated.

01
Technical screen
25%
of composite
02
Past-work review
20%
of composite
03
Reference checks
20%
of composite
04
Communications assessment
20%
of composite
05
Security and process baseline
15%
of composite
Revocation

A mark that cannot be taken away isn't trust.

The rubric is point-in-time. The status is live. These are the events that move an agency from Approved to Suspended, Lapsed, or Revoked. And the action Prevouched takes when each fires.

01
Quality-of-attestation event

A client complaint corroborated by evidence. Missed SLA, undisclosed subcontracting, material misrepresentation.

Action

Suspension within 5 business days pending re-vetting on the affected pillars.

02
Security or contract breach

Confirmed data incident, IP dispute, or material breach of the engagement contract.

Action

Immediate suspension. Revocation on confirmation. Directory listing removed.

03
Periodic re-attestation lapse

Annual re-attestation not completed within the published window.

Action

Status changes to Lapsed on the verification page. Directory listing demoted.

04
Reviewer-panel down-grade

Routine re-vetting returns a composite below the tier floor.

Action

Tier reduced or mark revoked. Agency may re-apply after a 90-day cooling-off period.

Worked examples

How two real-looking applicants come out of the rubric.

Pillar scores below are illustrative. Composed from the actual weights and tier floors so the arithmetic is reproducible. Both applicants clear the L0 critical-failure rule.

Applicant A. Senior generalist studio

Even profile, strongest on references.

Applicant A. Senior generalist studio. Per-pillar score, weight, contribution, composite, and issued tier.
PillarScoreWeightContrib.
01 · Technical screen7825%19.5
02 · Past-work review8220%16.4
03 · Reference checks8820%17.6
04 · Communications7420%14.8
05 · Security & process7015%10.5
Composite78.8
TierVerified
Applicant B. Strong technical, weak operations

High technical score, security/comms gap.

Applicant B. Strong technical, weak operations. Per-pillar score, weight, contribution, composite, and issued tier.
PillarScoreWeightContrib.
01 · Technical screen9125%22.8
02 · Past-work review8420%16.8
03 · Reference checks8020%16.0
04 · Communications6220%12.4
05 · Security & process5515%8.3
Composite76.2
TierVerified
Reading the result

Applicant A composites at 78.8 and earns Verified. Applicant B composites at 76.2, above the Backed composite threshold. But the Communications and Security pillar scores sit beneath the Backed and Managed floors, so the panel issues at Verified with remediation on pillars 04 and 05 before a tier upgrade is considered.

Pillar 01 · 25% of composite

Technical screen

We score engineering judgment, not tool familiarity. Two senior engineers read the team's real production code and compare it against a shared set of reference examples the panel has scored before.

Reviewers
Two senior engineers; a third on split decisions.
On file
Reviewer notes, per-criterion score, repo references, threshold pass/fail.

Readability, naming, module boundaries, idiomatic use of language and platform.

Pass bar (Meets bar)

Consistently readable by a new reviewer. Modules have obvious seams. No load-bearing cleverness.

Evidence required
  • Two production repositories (read-only access)
  • One self-selected exemplar with reviewer commentary
Red flags
  • The same scaffold copy-pasted across services instead of shared
  • Untyped inputs and outputs in a typed language
  • Style and conventions change within a single repository

Choice of patterns relative to the problem; explicit handling of failure modes; cost-of-change discipline.

Pass bar (Meets bar)

Decisions are defensible and reversible. Trade-offs are named, not avoided.

Evidence required
  • Architecture write-up for one shipped system
  • One decision the team would now make differently
Red flags
  • Split into many services with no written reason for the split
  • No documented approach to retries, duplicate requests, or partial failure
  • Abstractions built before a second use case exists

What is tested, how, and at what cost. Test selection, flakiness controls, CI signal quality.

Pass bar (Meets bar)

Critical paths have tests that fail loudly when broken. CI signal is trusted, not muted.

Evidence required
  • Coverage of one critical path with rationale
  • CI configuration and last 30 days of run signal
Red flags
  • Test suites made up mostly of snapshot tests
  • Failing tests routinely dismissed by re-running the pipeline instead of investigating
  • No integration tests covering paid or revenue-critical features

Review depth, turnaround, and the substance of the discussion in pull requests.

Pass bar (Meets bar)

Reviews engage with substance. Disagreement is documented. Authors are not their own approvers.

Evidence required
  • Sample of 10 recent PRs across the team
  • Stated review SLA and adherence
Red flags
  • More than half of merged pull requests approved with only "looks good" and no substantive comment
  • No record of a reviewer blocking or requesting changes in the last quarter

Borderline cases only. A 60-minute pairing on a small, real problem; we watch reasoning, not typing speed.

Pass bar (Meets bar)

Engineer states assumptions, validates them, and produces a working sketch with named trade-offs.

Evidence required
  • Reviewer transcript and rubric notes
Red flags
  • Engineer will not explain their thinking out loud
  • Cannot adapt when the reviewer introduces an intentional ambiguity
Pillar 02 · 20% of composite

Past-work review

Screenshots and mockups are not evidence. We grade shipped work you can open, outcomes the team can prove they caused, and how long their clients stay.

Reviewers
One senior engineer plus one liaison.
On file
Case-study dossier, retention timeline, outcome scoring with sources.

Real, accessible work. Live URLs, repos, or recorded walkthroughs. Not mockups.

Pass bar (Meets bar)

Two reviewers can independently verify the team's contribution.

Evidence required
  • At least three accessible deliverables from the last 24 months
Red flags
  • NDA cited as the reason no work at all can be discussed or shown under reviewer NDA
  • Only mockup PDFs, no shippable artifact

What changed because the team was involved. Numeric where possible, narrative where not.

Pass bar (Meets bar)

Outcomes are named, sourced, and tied to the team's actual work.

Evidence required
  • Before/after metrics or client-attested narrative
  • Identification of the team's specific scope
Red flags
  • Outcomes claimed by the team that happened before their engagement started
  • Percentage improvements quoted with no baseline number

How long clients stay and why. Renewals and scope expansions count more than headline logos.

Pass bar (Meets bar)

Median engagement >9 months; renewals on at least two of the last five.

Evidence required
  • Engagement timeline for the last five clients
  • Renewal and expansion record
Red flags
  • Repeated short pilots (around six weeks) that rarely convert into longer work
  • Client departures cluster around one specific team lead

Evidence that the team can say no, re-scope, and protect the engagement from drift.

Pass bar (Meets bar)

Team can cite at least one engagement where they pushed back and the relationship survived.

Evidence required
  • One example of a refused or re-scoped request and the reasoning
Red flags
  • Every engagement grew in scope without ever re-negotiating price
  • No record of a difficult scope conversation with any client

Code, docs, and credentials transfer cleanly at engagement end.

Pass bar (Meets bar)

A non-author can stand the system up from the handoff alone.

Evidence required
  • Sample handoff package or runbook from a prior engagement
Red flags
  • Credentials or code withheld at engagement end to pressure renewal
  • No documented checklist for ending an engagement cleanly
Pillar 03 · 20% of composite

Reference checks

We speak with prior clients on the record using the same set of questions for every agency, and we keep the notes on file. References an agency cannot or will not provide are themselves a signal.

Reviewers
One liaison; second-listener on negative signal.
On file
Reference roster, call transcripts or structured notes, per-call scoring.

Number, recency, and seniority of references actually reached.

Pass bar (Meets bar)

Three reachable references within the last 24 months; two completed structured calls.

Evidence required
  • Three references contacted; at least two with decision-maker authority
Red flags
  • Only one reference is actually reachable
  • All references come from a single industry while the agency claims to serve many

Did the team ship what was promised, in roughly the time and cost they said?

Pass bar (Meets bar)

Majority of references confirm delivery on substance, with reasonable variance on time and cost.

Evidence required
  • Reference rating on delivery vs. scope, with examples
Red flags
  • Multiple references describe budget or timeline overruns that the team did not raise until after the fact

How the team behaved when something went wrong. Escalation speed, transparency, recovery.

Pass bar (Meets bar)

References can name at least one incident handled with proactive disclosure.

Evidence required
  • Reference recounting of one incident or near-miss
Red flags
  • References cannot recall a single difficult moment on the engagement
  • Long periods of silence followed by unexpected invoices

Two questions asked verbatim. Hesitations are scored.

Pass bar (Meets bar)

Unprompted yes from at least two of three references.

Evidence required
  • Direct quotes; pauses and hedges noted
Red flags
  • An initial yes that becomes a no once the reference is asked a follow-up question

Whether the references offered are willing to discuss weaknesses, not just strengths.

Pass bar (Meets bar)

Each reference identifies a real area to improve.

Evidence required
  • At least one substantive weakness named per call
Red flags
  • Every reference is uniformly positive, suggesting they were coached or hand-picked
Pillar 04 · 20% of composite

Communications assessment

Most offshore engagements break down on written communication before they break down on code. We test writing, calls, scope conversations, and how the team raises bad news.

Reviewers
One liaison.
On file
Writing sample, call recording, structured rubric.

A 500-word async update on a synthetic engagement scenario.

Pass bar (Meets bar)

Lede first, decisions named, asks unambiguous, no buried risk.

Evidence required
  • Submitted sample graded against the calibrated reference set
Red flags
  • Status updates that hide the actual blocker several paragraphs in
  • Long unstructured paragraphs with no headings, bullets, or clear asks

Functional English on the call, on the page, and under disagreement.

Pass bar (Meets bar)

Comprehension and expression are not the bottleneck of the conversation.

Evidence required
  • Live call segment; reviewer scoring
Red flags
  • Rehearsed answers that fall apart when the reviewer asks a follow-up question

Stated SLA for async response and adherence over a one-week observation window.

Pass bar (Meets bar)

First response within stated SLA on all three; substantive response within one business day.

Evidence required
  • Logged turnaround on three test messages across the window
Red flags
  • First reply is an emoji acknowledgement with no substantive follow-up

Can the team scope realistically and push back on a request that doesn't fit?

Pass bar (Meets bar)

Team narrows scope, names trade-offs, proposes a smaller first delivery.

Evidence required
  • Synthetic intake scenario; reviewer transcript
Red flags
  • Team agrees to anything the buyer proposes
  • Team quotes a price without asking a single clarifying question

How the team raises a slip, an overrun, or a quality issue.

Pass bar (Meets bar)

Issue stated plainly, with impact, options, and a recommended path.

Evidence required
  • Roleplay segment; reviewer notes
Red flags
  • Bad news softened with so many qualifiers the actual issue is unclear
  • News only surfaced after the client asks directly
Pillar 05 · 15% of composite

Security and process baseline

This is not a formal security audit or a SOC 2 certification. We confirm the team handles client data, access, and contracts at a level a serious buyer can defend to their own security team.

Reviewers
One reviewer with infosec background; legal review on contract hygiene.
On file
Checklist, supporting documents, attestations on file.

Where client data lives, who can read it, how long it is retained, how it is deleted.

Pass bar (Meets bar)

Written policy exists, is followed in practice, and survives reviewer questioning.

Evidence required
  • Data-handling policy; sample DPA
Red flags
  • Production data copied onto personal laptops
  • No process for deleting client data when the engagement ends

SSO, MFA, least-privilege, joiner and leaver discipline.

Pass bar (Meets bar)

MFA enforced; leavers off all systems within one business day.

Evidence required
  • Identity-provider configuration screenshot; leaver checklist
Red flags
  • Shared administrator accounts used by multiple people
  • Former employees still have access to client repositories

Source control, branch protection, deploy controls, change management.

Pass bar (Meets bar)

Mainline protected; deploys are reviewed; rollback is rehearsed.

Evidence required
  • Repository protection rules; deploy pipeline overview
Red flags
  • Engineers push directly to the main branch with no review
  • Manual edits to production systems with no audit trail

A documented process, a recent test of it, and at least one post-mortem on file.

Pass bar (Meets bar)

Process exists, has been used, and led to a documented change.

Evidence required
  • IR runbook; one redacted post-mortem
Red flags
  • Team reports no incidents have ever occurred, which is not credible at their scale

MSA quality, IP assignment, subcontractor disclosure, insurance.

Pass bar (Meets bar)

IP cleanly assigns to the client. Subcontractors are disclosed. Insurance is current.

Evidence required
  • Sample MSA; certificate of insurance; subcontractor policy
Red flags
  • Ambiguity about who owns the delivered code
  • Subcontractors used but not disclosed to the client
  • Professional liability insurance has lapsed
Calibration

Reviewers train on the same reference set.

Quarterly calibration sessions re-anchor scoring against shared exemplars at L1, L2, L3, and L4 in every pillar. Drift between reviewers is measured and tracked.

Appeals

One appeal per cycle, heard by a second panel.

An agency may contest a scoring decision once per vetting cycle. The re-review is conducted by reviewers who did not sit on the original; their score stands.

Changelog

Rubric versions are dated and preserved.

Each agency record states the rubric version it was issued against. A new rubric does not retroactively re-grade prior cohorts. Re-attestation does.