Buying B2B data is unlike most procurement decisions. You can demo the platform. You can see the search interface. You can look at sample records. But the thing you're actually paying for — the integrity of the underlying database — is the one thing the vendor will not show you.
Reference checks help, but only a little. Most buyers will tell you their data vendor is “fine” because they have nothing to compare it against. They've never asked the hard questions either.
What follows is a short list of questions worth asking on every B2B data vendor call — whether you're evaluating a new vendor or auditing the one you already have. They take less than ten minutes. They will tell you more about what you're buying than any feature comparison.
For each question, we describe what a good answer looks like and what evasion sounds like. You can use the difference to calibrate.
Question 1: Where does each individual record come from?
Not the dataset as a whole — each record. If you select any contact in their platform, can the vendor tell you what source that specific person's data was obtained from?
A good answer sounds like:
“Every record in the platform carries a source link. You can click on a contact and see the URL or document where we first observed that person. If it's an email address that was inferred from an observed pattern rather than directly observed, we say that too, and we tell you how it was verified.”
Evasion sounds like:
“We pull from a wide range of public and partner sources to deliver the most comprehensive coverage in the industry.” — or — “Our data acquisition methodology is proprietary, but I can assure you it's fully compliant.” — or, increasingly, — “We don't actually hold the data ourselves; we orchestrate it from upstream providers.”
The pattern to watch for is abstraction. A vendor that can answer this question will answer it concretely, at the per-record level. A vendor that cannot will answer at the dataset level and hope you don't notice the difference.
Question 2: How fresh is the data, and how do you know?
Every contact record has a last-seen date — the last time the vendor confirmed that this person, with this title, at this company, with this contact information, was still accurate. Ask to see it. Specifically, ask whether the timestamp shown is the last time this specific field was verified, or the last time anything in the record was touched.
A good answer sounds like:
“Each field carries its own last-verified timestamp. Job titles are refreshed on one cadence, email addresses on another, phone numbers on another. We can show you a record with the freshness metadata visible.”
Evasion sounds like:
“Our data is refreshed continuously.” — or — “We have a 95% accuracy guarantee.” — or — “We score every record for confidence and freshness using our proprietary algorithm.”
“Continuously refreshed” tells you nothing. A vendor that genuinely refreshes records can tell you the cadence per field and show you the timestamp on any record you point at. “95% accuracy” without methodology behind it is a marketing number, not a measurement. Ask how the 95% was calculated, against what reference set, and when. If you don't get a clean answer, the number was made up.
Question 3: Are you a controller or a processor for this data?
Under GDPR Article 4, a data controller is the entity that decides why and how personal data is processed. A processor handles data on the controller's behalf. These are not interchangeable roles. They imply different obligations, different liability, and different answers when a regulator comes asking.
A vendor that compiles a database of professionals and sells access to it is, structurally, a data controller. The decisions about what data to collect, how to organize it, and what to do with it were made by the vendor — not by the customer. Asking the question forces the vendor to put their answer on the record.
A good answer sounds like:
“For the data in our database, we are a controller. Our privacy policy says so. We respond to subject access requests, we maintain a suppression list, and we are the entity individuals contact if they want to be removed.”
Evasion sounds like:
“We're a processor for our customers; the controllers are the original data sources.” — or — “We don't really hold data, we just orchestrate access to it.” — or — “The customer is the controller because they choose what to do with the data they query.”
The last evasion is the most common and the most misleading. The customer is a controller for what they do with the data after they receive it. The vendor is a controller for the act of compiling and offering the database in the first place. Both can be true. A vendor who refuses to acknowledge their controller role for their own database is positioning themselves to disclaim liability when something goes wrong — and to leave the customer holding the legal bag.
Question 4: What happens when someone asks to be removed?
Walk through the mechanism. When an individual contacts the vendor and asks to be removed, what specifically happens? Is the record deleted? Is a suppression flag set? What prevents the same person from being re-added the next time the vendor's data refresh runs?
A good answer sounds like:
“The personal data is deleted from the active record. A minimal identifier is retained on a permanent suppression list — just enough to recognize the person if they appear again in a future data refresh, so they are not re-indexed. We confirm the removal in writing within seven business days. Once on the suppression list, the person stays suppressed.”
Evasion sounds like:
“We honour all opt-out requests in accordance with applicable law.” — or — “We mark the record as removed and it's no longer surfaced.” — or — “If the data reappears from one of our sources, we treat it as a new record.”
The last evasion is the one that matters most. A vendor that “treats reappearance as a new record” has no real removal mechanism. The person who asked to be removed will be quietly re-added the next month, and the next, and the next. They will have to file the same removal request quarterly, forever. This is not compliance. This is paperwork theatre.
How to use this in a call
The four questions can be asked in five minutes. You do not need a procurement template or a security review. You can ask them in a sales demo. The vendor's reaction to the questions tells you nearly as much as the answers themselves.
A vendor that has built their database responsibly will welcome the questions. They will answer concretely, give examples, offer to show you the metadata in the platform. The conversation will get more technical, not less, as you press.
A vendor that has not will deflect. Answers will get vaguer as you probe. The conversation will be steered back toward features and case studies. You may be told that “our legal team can follow up on that with a memo.” The memo will not arrive, or it will arrive saying nothing.
The deflection is the answer. A vendor who cannot answer these four questions clearly is selling you something other than what you think you're buying.
One more question, if you have time
If you have a few extra minutes in the call, ask one more question: If a regulator wrote to you tomorrow asking for the data lineage on a single record in your database, how long would it take you to produce it?
The answer should be measured in minutes or hours. If the vendor needs “a few weeks to coordinate with our suppliers,” you now know how prepared they actually are for what's coming.
Curious how Fullinfo answers these questions?
We built the product so that all four answers are visible directly in the interface — not buried in a policy document. Request early access and we'll walk you through it.
Request Early Access →This is the second piece in a Fullinfo blog series on what serious B2B data ownership looks like. The first — What it means to actually own your data — sets out the four structural properties of a real data company.