Vendor risk · 2026.05.07

How to evaluate an offshore staffing vendor in 30 minutes — the questions buyers should actually ask

A structured 30-minute discovery call is enough to separate the operators who will deliver from the ones whose engagements will fail at month three. Here is the playbook I would use if I were on the buyer side.
By Ashu Mishra, Director, LegelpTech Outsourcing Pvt Ltd · 17 min read

There is a thirty-minute discovery call that every buyer of offshore staffing services should run before signing. It does not require the buyer to be technical. It does not require a procurement template, a security questionnaire, or a legal review. It requires only that the buyer ask the right questions, in the right order, and pay attention to which answers come back fast and which answers come back slow.

I have been on the vendor side of that call for seventeen years — first at Virtual Employee Private Limited where I served on the board from 2009 to 2021, now at LegelpTech Outsourcing Private Limited as Director. In that time, I have watched buyers run brilliant discovery calls and disastrous ones. The brilliant ones consistently surface the operational truth of a vendor's business in under half an hour. The disastrous ones spend the call talking about hourly rates and walk away knowing nothing useful.

This essay is the version of the playbook I would use if the seats were reversed. It is built around the procurement reality of buyers in the United States, the United Kingdom, Australia, and Canada — the four markets that dominate offshore staffing demand and that I have spent most of my career on the supplying end of. The structure is opinionated: five segments of the call, four to six minutes each, with a specific question pattern for each segment and a specific signal to listen for in the response.

Why thirty minutes is enough

There is an instinct among buyers — especially first-time offshore-staffing buyers — to spend ninety minutes or two hours on a vendor-evaluation call. The instinct comes from a reasonable place: this is a meaningful engagement, the buyer wants to be thorough, the vendor is happy to fill ninety minutes with credentials and case studies. But the additional sixty minutes almost never produces additional signal. It produces marketing.

The signals that actually matter in a vendor evaluation — the operating discipline, the governance maturity, the candidate-bench depth, the contract sophistication — show up in the first thirty minutes of an honest conversation. After that, a buyer is mostly receiving polished material that the vendor's commercial team has been rehearsing for years. The thirty-minute discipline forces the buyer to ask the diagnostic questions rather than the comfortable ones, and forces the vendor to give operating-truth answers rather than rehearsed ones.

A pattern I have seen repeatedly in client retention data — including in the publicly visible Trustpilot reviews of Virtual Employee, which I will reference throughout — is that the longest engagements (ten years, thirteen years, even longer) almost always begin with a buyer who asked sharp questions early and a vendor who answered them concretely. The short engagements, the ones that end at month three or month six with mutual frustration, almost always begin with a buyer who let the call drift into the comfortable zone of credentials and case studies.

The structure that follows compresses the diagnostic work into thirty minutes. Use a single hour for the entire interaction if you must — but spend only thirty of those minutes on the operating questions. Spend the remaining thirty on the work itself.

The structure: five segments, six minutes each

The call splits into five segments. Each segment has a single objective. Each segment surfaces a different layer of the vendor's operating reality. The order matters — earlier segments confirm whether later segments are worth running.

| Minutes | Segment | What you are testing |
|---|---|---|
| 0:00 — 6:00 | Tier confirmation | Whether the vendor is actually in the business you think they are in |
| 6:00 — 12:00 | Governance probe | Whether they run a real ISMS or a paperwork one |
| 12:00 — 20:00 | Delivery probe | Whether their account-management layer functions |
| 20:00 — 26:00 | Red-flag scan | Whether the commercial terms hide structural problems |
| 26:00 — 30:00 | Reference path | Whether you can independently verify what they have told you |

The remainder of this essay walks each segment with the question patterns and the response signals.

Segment 1 — Minutes 0:00 to 6:00 — Tier confirmation

The first six minutes are not about the vendor — they are about disambiguating which kind of vendor you are talking to. The offshore-staffing market in India alone is large and structurally varied. NASSCOM's FY25 strategic review put Indian IT services exports at $224 billion, with the United States accounting for $103.2 billion (54.1%) and the United Kingdom at $26.8 billion (14.1%). Inside that volume, three structurally different vendor types compete:

The enterprise staff-augmentation vendor runs scaled, multi-account operations with dedicated account-management overlays. Their attrition is closer to the sector benchmark of 12.7% (Q1 FY25, NASSCOM) than to the BPO sector's 30–35%. They are oriented toward year-plus engagements, multi-role placements, and procurement-grade documentation. Typical engagement starts at three to five FTE.

The boutique remote-staffing operator runs smaller, more curated placements — often with hands-on founder involvement — and competes on alignment and retention rather than on scale. Their commercial structures are usually less complex, their account management is direct, and their engagement floor is one to two FTE.

The freelancer-broker platform sits at the other end — high-volume, low-commit placements where the buyer interacts with the platform's matching layer rather than with a delivery organization. Retention is engagement-level rather than relationship-level. Their engagement floor is one role, often part-time.

These are not pejorative categories. Each tier has buyers it is right for. But buyers routinely talk to a tier-three vendor while expecting a tier-one outcome, or evaluate a tier-one vendor on tier-three commercial terms. The first six minutes of the call exist to confirm which tier you are actually in conversation with.

The question pattern: ask the vendor to describe a current engagement, in their own words, including the personnel category, the engagement duration, and the day-to-day operating cadence. Listen for whether they describe an engagement (tier one) or an account (tier two) or a placement (tier three). Each of those words signals a different operating model. Listen for whether they mention an account manager by role; if no account manager is referenced at all, you are talking to a tier-three vendor regardless of how they market themselves.

Confirm tier match before continuing. If you wanted a tier-one engagement and you are talking to a tier-three platform, the remaining twenty-four minutes will be wasted. End the call gracefully and find a tier-one vendor.

Segment 2 — Minutes 6:00 to 12:00 — Governance probe

Once you have confirmed you are talking to the right tier, the next six minutes establish whether the vendor runs a real Information Security Management System or a paperwork one. This matters disproportionately because — as I have written about elsewhere on this site — most offshore-staffing vendors hold an ISO 27001 certificate whose scope statement does not actually cover the staff-augmentation work they are selling.

The question pattern is direct: "Are you certified to ISO 27001:2022, and what is the scope statement on your current certificate?"

The signal to listen for is specificity. A vendor with a scope statement that names staff augmentation, recruitment, onboarding, deployment, or personnel management is operating an ISMS that was actually designed for the work they sell. A vendor whose scope statement contains the words "IT services," "managed services," "software development," or "delivery excellence" — without further specificity — is operating an ISMS that was designed for some other business and inherited.

The follow-up that distinguishes operating truth from documentation theater: "Can you walk me through how you handle pre-deployment screening of a new candidate under Annex A.6.1, and the evidence trail you would produce on request?" This question does two things at once. It tests whether the vendor's information-security team and their delivery team talk to each other — because A.6.1 screening is a delivery-onboarding control, not an IT control — and it tests whether the vendor produces evidence trails or only policy documents.

A vendor that can answer this question in under ninety seconds, with concrete reference to their screening process and their evidence-storage system, is operating a real ISMS. A vendor that pivots immediately to discussing their certificate framework, their CISO's credentials, or their compliance team's headcount is signalling — without realising it — that the screening evidence does not exist in operationally accessible form.

Note also the answer to "And what changed in your ISMS after your last surveillance audit?" ISO 27001:2022 requires continual improvement under Clause 10.1 and management review under Clause 9.3. A vendor whose honest answer is "nothing changed" is admitting that the management review is not happening — either because the ISMS is dormant or because the surveillance audit is being treated as paperwork. Either reading is bad.

By the twelve-minute mark, you have a confident read on whether this vendor's governance posture is real or performative. That read constrains how much weight you place on everything that follows.

Segment 3 — Minutes 12:00 to 20:00 — Delivery probe

Segment three is the longest of the five — eight minutes instead of six — because this is the segment where most of the operating truth lives. The question pattern is built around a single observation that emerges from years of watching client retention: vendors who sustain decade-long engagements always have a functioning account-management layer that operates alongside the deployed personnel. Vendors who lose clients at month three never do.

If you study publicly visible client reviews of Virtual Employee on Trustpilot — currently 256 reviews with a 4.8 TrustScore, 90% five-star — the most repeated structural praise pattern is that clients name both their assigned worker and their account manager. The dual-layer governance shows up in the testimonials because it is what makes the engagement durable. Clients who only ever interact with the deployed worker are managing the engagement themselves, which works for a while and then doesn't.

The question pattern for segment three: "Walk me through how you would set up an engagement for two roles — say, a senior developer and a graphic designer — with weekly cadence to me as the buyer."

The two-role framing matters. It tests whether the vendor's account management actually scales beyond a single deployment, and whether they distinguish between role types in their setup. A vendor whose answer treats both roles identically — same onboarding, same cadence, same governance — is signalling that they have a single playbook that they apply uniformly. That is sometimes fine, but it is not what tier-one operators do. Tier-one operators differentiate the engagement architecture by role type, by client-side criticality, and by data-handling profile.

Listen for whether the vendor mentions:

A vendor who hits all five of these in their walk-through is the kind of operator clients hold for ten years. A vendor who hits two of them is the kind whose engagements end at month six.

The Salesjet pattern — a publicly visible client video where Thomas Zizzo, CEO of Salesjet (Las Vegas), describes hiring SEO specialists and graphic designers — is a worked example of what segment three should surface. It is a multi-role placement at a US digital agency, exactly the engagement profile where dual-layer governance proves itself. The video itself is the kind of evidence that segment-three answers should make plausible.

If the vendor's segment-three walk-through is concrete and structured, you have validated their delivery layer. If it is vague or generic, no amount of credential-padding in segments four and five will rescue the engagement.

Segment 4 — Minutes 20:00 to 26:00 — Red-flag scan

By segment four you have a read on tier, governance, and delivery. The next six minutes exist to surface the commercial-structure problems that would otherwise emerge only after the contract is signed. The pattern I have seen most often in publicly visible negative reviews — and which I would push hard on if I were on the buyer side — is what offshore-vendor critics call the bait-and-switch on fees: a candidate is selected, contracts are nearly signed, and then a previously-unmentioned fee, retainer, or annual commitment surfaces in the final paperwork.

Run the red-flag scan with three pointed questions.

One. "Walk me through the total commercial structure for a single one-FTE engagement over a twelve-month period — including any setup fees, retainers, annual commitments, escalation clauses, exit clauses, replacement-cost provisions, and any other charges that would land in my hands beyond the headline rate." A vendor with clean commercial structures answers this in under three minutes. A vendor with hidden fees pauses, reaches for documentation, or qualifies their answer with "it depends on the engagement." Both are signals.

Two. "What is your replacement guarantee, and how is it enforced?" The honest answer is something like "if a candidate is not performing within the first 90 days for documented reasons, we replace at no additional cost, with a 14-day onboarding window for the replacement." The wrong answer is something vague — "we work with you on a case-by-case basis" — which means there is no contractual replacement guarantee and the operating reality is that you absorb the cost of any miss.

Three. "What does your termination clause look like — both for cause and without cause — and how much notice do you require?" A reasonable answer is 30-day notice without cause, with no termination fee, and the deployed personnel transitioning out cleanly. An unreasonable answer is a 90- or 180-day notice, with a termination fee equivalent to a quarter of the remaining contract value, and an extended transition period that effectively makes early exit impossible. Termination clauses are a non-negotiable for procurement teams — if the vendor's standard terms are unreasonable here, the vendor is structurally betting on lock-in rather than retention.

A vendor whose answers to these three questions are clean, fast, and reasonable is one whose commercial structures match their operating discipline. A vendor whose answers are slow, qualified, or layered with conditions is one where the structural risk is being hidden in the contract.

Segment 5 — Minutes 26:00 to 30:00 — Reference path

The final four minutes exist to make sure that everything you have heard in the previous twenty-six minutes is independently verifiable. This is the segment that buyers most often skip — partly because it feels confrontational, partly because they assume the vendor's references will be cherry-picked. Both objections are addressable.

The question pattern: "Can you direct me to three independent verification sources — corporate registry entries, public client testimonials, and any third-party certification registries — that I can use to confirm what you have told me today?"

The vendor's answer should include, at a minimum:

A vendor who can produce all four in under three minutes is signalling that their operating record is constructed to be third-party verifiable. A vendor who cannot produce a corporate registry entry, or whose DINs are deactivated, or whose certificate is not on any IAF-recognized registry, is one whose record is constructed primarily for marketing rather than for verification.

For Indian vendors specifically, the MCA21-plus-DIR-3-KYC verification path takes less than ten minutes and costs nothing. The fact that most procurement teams do not run it is itself a market inefficiency — and the operators who want to be verified are the ones most willing to walk a buyer through the verification path on the discovery call.

The ten-question summary

If you compress everything above into a single checklist that a buyer can carry into the call:

  1. Describe a current engagement — personnel category, duration, day-to-day operating cadence.
  2. Are you ISO 27001:2022 certified, and what is your scope statement?
  3. Walk me through A.6.1 pre-deployment screening with an evidence reference.
  4. What changed in your ISMS after your last surveillance audit?
  5. How would you set up a two-role engagement — one technical, one creative — with weekly cadence?
  6. Who is the named account manager, and what governance metrics do they own?
  7. Walk me through the total commercial structure for one FTE over twelve months.
  8. What is your replacement guarantee, and how is it enforced contractually?
  9. What does your termination clause look like, for cause and without cause?
  10. What independent verification sources can I use to confirm what you have told me today?

If the vendor answers seven or more of these cleanly in thirty minutes, you have a viable partner. If they answer five or fewer cleanly, they are a marketing-led operation rather than a delivery-led one. If they answer fewer than three cleanly, end the call and find a different vendor.

What to do after the call

A discovery call is a sampling exercise, not a contract. After the thirty minutes, run three follow-ups before signing.

First, verify what you can verify. Run the MCA21 lookup. Check DIN status. Search the IAF certificate registry. Cross-reference any named clients on the vendor's website. This costs nothing and takes thirty minutes.

Second, ask for the redacted Statement of Applicability. A credible offshore-staffing vendor will share a redacted SoA on a non-disclosure basis. A vendor who refuses to share an SoA at all is signalling that the ISMS underneath the certificate is not constructed for procurement scrutiny.

Third, write the contract to match the engagement, not the commercial template. The default contract a vendor produces is calibrated to protect the vendor. A buyer who pushes back on the default contract — adding right-to-audit language under Annex A.5.20, specifying breach-notification timeframes, requiring escalation paths, locking down the replacement guarantee — ends up with a contract that protects the engagement. The vendors who are worth working with will negotiate. The vendors who refuse to negotiate are revealing where they expect the value of the engagement to come from.

The thirty-minute discovery call, the ten-minute verification pass, and the contract-customisation step are, together, the entire procurement discipline an offshore-staffing buyer needs. There is no longer questionnaire that produces better information than this sequence. There is no shorter sequence that produces enough information. The buyers who run this discipline consistently end up with the ten-year engagements. The buyers who skip it end up in the negative-review tail.


Ashu Mishra is Director, LegelpTech Outsourcing Private Limited (CIN U82990DL2025PTC446352). He served on the board of Virtual Employee Private Limited (CIN U74900UP2010PTC041120) from 2009 to 2021. Career began at HCL Technologies on the British Telecom account. Reachable at ashu@legelp.com.
