Vendor Evaluation Guide

Employee Monitoring Demo Guide: 25 Questions to Ask Every Vendor Before You Buy

Buyers who enter employee monitoring demos without a structured question list get sold to rather than conducting a genuine evaluation. Sales representatives are trained to control demo flow, demonstrate strengths, and redirect questions about weaknesses. This guide hands control back to the buyer with 25 specific questions organized by category, along with what an acceptable answer looks like and what signals a problem.

Updated: April 2026

Why Most Employee Monitoring Demos Fail the Buyer

Employee monitoring demos are structured by vendors to showcase strengths and minimize exposure of gaps. A standard 45-minute demo covers a polished feature walkthrough, a customer success story, and a pricing discussion. The buyer leaves with impressions rather than verified answers. What is missing is precisely what matters: whether the product does the specific things the buyer needs, whether compliance documentation is real and ready, and whether the pricing on the screen reflects what they will actually pay.

A Gartner study found that 67% of B2B software buyers report discovering capability gaps after purchase that they believe should have been identified during the evaluation process. For employee monitoring software specifically, where compliance failures carry legal consequences and poor design creates ongoing operational overhead, this gap has real financial implications. The 25 questions in this guide are organized to fill that evaluation gap.

How Should You Use This Demo Question Framework?

This demo question framework is designed to be used in two ways. First, send the full list to the vendor 48 hours before the demo with a note that you will be asking all 25 questions and expect live product demonstrations for the feature questions. Vendors who respond positively to this are demonstrating product confidence. Vendors who push back or try to schedule a longer follow-up call to cover some questions are signaling areas of concern.

Second, bring the printed list to the demo and take notes on each answer. For compliance and security questions, note whether the vendor answered from documentation they shared on screen or from verbal representations they promised to follow up on. Documentation that exists is vastly different from documentation that will be prepared after the sale. Verbal representations about compliance features are not contractually binding.

The questions are organized across five categories, reflecting the five dimensions where employee monitoring vendors most frequently fail buyers: features, compliance, security, integration, and pricing and support.

Category 1: Feature Questions (5 Questions)

Feature questions should always involve live product demonstration, never a description of what the product can do. A vendor who describes a feature rather than showing it may be describing a roadmap item or a configuration that requires professional services setup rather than a standard capability.

Question 1: Can you demonstrate the specific feature I need, live in the product right now?

The most important feature question is also the simplest one. Name the feature that matters most to your use case (screenshot monitoring, DLP alerts, GPS tracking, real-time activity monitoring) and ask to see it demonstrated in the live product, not in a recorded video or a slide. A vendor with a mature product can do this instantly. A vendor who redirects to a video or schedules a follow-up "technical demo" for specific features is flagging a gap.

Acceptable answer: The vendor shares their screen and navigates to the feature in the actual product.

Red flag: "We have a great video of this" or "our technical team will schedule a separate call."

Question 2: How are screenshots configured: at the agent level on the employee device, or in the admin console?

This question reveals the flexibility and security of the screenshot architecture. Screenshot configuration should happen in the admin console, not on the employee device. Admin-side configuration means a standard user cannot disable screenshot capture, change frequency, or manipulate what is captured. Agent-side configuration introduces integrity risks. The answer also reveals whether screenshot frequency is configurable per user group (important for privacy-sensitive departments like HR or legal).

Acceptable answer: All screenshot settings are configured in the admin console with no settings accessible to the monitored employee. Frequency is configurable per policy or user group.

Red flag: Vague answer about "settings" without specifying where, or inability to show the configuration screen live.

Question 3: What is the data latency between an activity occurring on an employee device and it appearing in the dashboard?

Data latency matters for use cases involving real-time management, security incident response, and attendance verification. Some monitoring platforms buffer data and sync every 15 to 30 minutes, which is adequate for productivity reporting but inadequate for security monitoring or live support team management. The acceptable answer depends on the buyer's use case, but the vendor should be able to give a specific number rather than "near real-time."

Acceptable answer: A specific number — "activity data appears within 60 seconds," for example, with an explanation of what triggers immediate sync versus what batches.

Red flag: "Near real-time" or "it depends" without specifying on what.

Question 4: Can you filter the dashboard by team, location, department, and job type simultaneously?

Dashboard filtering capability determines how useful the platform is for organizations with complex team structures. A platform that only supports single-dimension filtering (by team OR by location, but not both) creates significant reporting limitations for multi-site, multi-department organizations. Ask to see this filtering applied live in the demo environment.

Acceptable answer: Live demonstration of multi-dimensional filtering in the dashboard.

Red flag: "We support team-based filtering" without demonstrating multi-dimensional capability, or a promise to "check with the product team."

Question 5: What happens when an employee goes offline — how is their status represented, and how is the data gap handled when they reconnect?

Offline handling is a meaningful indicator of platform maturity. Simple platforms mark employees as offline and lose data for the offline period. More sophisticated platforms capture activity locally during the offline period and sync it when connectivity is restored. The latter is critical for field teams, remote employees in areas with unreliable connectivity, and laptop users who work on flights or in locations without internet access.

Acceptable answer: Offline activity is captured locally and syncs automatically upon reconnection, with a clear status indicator distinguishing "offline but working" from "not working."

Red flag: Offline periods are represented as gaps or inactivity in the timeline without capturing actual activity data.

Category 2: Compliance Questions (5 Questions)

Compliance questions are the category where vendors most frequently deflect with verbal reassurances and promises of follow-up documentation. Real compliance readiness means documentation that exists now, not documentation that will be prepared after you ask for it. Treat any compliance question that receives an "our legal team will follow up" response as a significant evaluation signal.

Question 6: What jurisdictions is your platform compliant in, and can you show me the documentation for each?

A vendor claiming GDPR compliance should be able to show you their Data Processing Agreement and Records of Processing Activities on the spot, not promise to send them later. Ask specifically about the jurisdictions relevant to your employee population: GDPR (EU), UK GDPR, CCPA (California), state-specific electronic monitoring statutes, and any other relevant frameworks. Note which compliance claims come with documentation versus which come with verbal assurances.

Question 7: Can you show me your GDPR Data Processing Agreement right now, during this demo?

The GDPR DPA is not a document that takes time to find. A GDPR-compliant vendor has it on their website, in their help center, and readily available during sales conversations. If the vendor cannot share their DPA within 60 seconds of this request — either by pulling up a URL or sending a link in the meeting chat — that is a compliance readiness signal. The DPA should specify: processing categories, sub-processors, data transfer mechanisms, and breach notification timelines.

Question 8: Do you have a SOC 2 Type II report, and can I review it under NDA?

A SOC 2 Type II report means an independent auditor has tested the vendor's security controls over a period of at least 6 months and found them effective. SOC 2 Type I only means controls exist at a point in time; Type II means they function consistently. For employee monitoring software storing sensitive behavioral data, Type II is the appropriate standard. A vendor without a current Type II report represents a security risk regardless of their verbal assurances about security practices.

Question 9: How do you handle employee Data Subject Access Requests?

Under GDPR (and equivalent regulations including UK GDPR and California CCPA), employees have the right to request all personal data held about them. For a monitoring platform, this includes activity logs, screenshots, productivity scores, and any behavioral data. Ask the vendor how DSARs are handled: does their platform have a self-service DSAR export function, or does it require manual compilation by the vendor? What is their response timeline? What data formats are provided? An organization with 500 employees in the EU should expect to receive DSARs and needs a practical, efficient process for responding within the regulatory 30-day deadline.

Question 10: What is your data retention policy, and can I configure different retention periods for different data types?

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is not retained longer than necessary for its stated purpose. A monitoring platform that retains all data indefinitely is not GDPR-compliant. Ask for the default retention periods for each data category (activity logs, screenshots, attendance records, productivity scores), whether these are configurable per jurisdiction, how deletion is technically implemented, and whether deletion is verifiable through an audit log.

Category 3: Security Questions (5 Questions)

Security questions should probe the specifics of data architecture, not the vendor's general security philosophy. Specific architectural answers (AES-256 at rest, AWS GovCloud or EU region data centers, 72-hour breach notification) are verifiable. Philosophical answers ("we take security very seriously") are not.

Question 11: Where, specifically, is my data stored, and in which data centers?

Data residency is a legal requirement in multiple jurisdictions, not just a preference. EU employee data under GDPR must be stored within the EU or in a country with an adequacy decision. Ask which cloud provider the vendor uses, which regions or data centers are available, whether you can choose your data residency region, and whether there is a single-tenant deployment option for sensitive deployments. "Secure US data centers" is not an acceptable answer for an organization with EU employees.

Question 12: What encryption standard is used for data at rest and data in transit?

AES-256 encryption at rest and TLS 1.2 or higher in transit are the minimum acceptable standards for a monitoring platform storing behavioral and activity data. Ask the vendor to confirm the specific standards used. If they cannot answer with a specific standard — AES-256, not just "encrypted" — that is a signal about their technical documentation quality and security maturity more broadly.

Question 13: How do you handle a security incident affecting your platform, and what is your notification timeline?

GDPR requires organizations to notify their supervisory authority of a data breach within 72 hours of becoming aware of it. For the organization to meet this requirement, their monitoring vendor must notify them within hours of detecting a breach, not days. Ask the vendor for their written incident response procedure, their contractual commitment on notification timeline, and whether the DPA includes a specific notification SLA. A vendor who cannot specify a contractual notification timeline is creating GDPR compliance risk for their customers.

Question 14: What is your penetration testing schedule, and can I see a summary of results?

Annual penetration testing by an independent security firm is the minimum acceptable standard for a platform storing sensitive employee behavioral data. Vendors committed to security conduct testing at least annually and are willing to share summary findings (not necessarily the full report) under NDA with enterprise customers. A vendor who has not conducted recent penetration testing, or who is unwilling to share any results, is signaling a security program that does not invite external scrutiny.

Question 15: How is role-based access control implemented, and who can access which data?

Ask the vendor to demonstrate RBAC configuration live in the product. Specifically probe: can data access be scoped to a manager's direct reports only, can screenshot access be restricted to a subset of administrators, can different administrators have different permissions (some with configuration access, others with read-only data access), and are all access events logged in an audit trail. RBAC that exists only in theory rather than being implemented in the product is a meaningful gap for compliance and security.

Category 4: Integration Questions (5 Questions)

Integration questions should, wherever possible, involve live demonstrations in the product. Integration capabilities that exist as documented APIs are different from integration capabilities that require professional services configuration, which are different from integration capabilities that are "on the roadmap." The difference matters significantly for deployment timelines and TCO.

Question 16: Can you show me SSO configuration in the product right now?

SSO via SAML 2.0 should be a standard, self-service configuration, not a professional services engagement. Ask the vendor to navigate to the SSO configuration screen live and explain the setup process. This establishes whether SSO is a native feature, an add-on that requires separate activation, or a capability that exists in documentation but requires support team involvement. Note whether SSO is included in the tier you are evaluating or requires an upgrade.

Question 17: Can you demonstrate the API or show me the API documentation?

Monitoring platform APIs are important for organizations that want to pull monitoring data into BI tools, SIEM platforms, or custom dashboards. A vendor with a mature API can show you the documentation or a live API call during the demo. Ask specifically about: authentication method (OAuth 2.0 preferred), rate limits, available endpoints, data formats (JSON/CSV), and whether API access is included in the tier you are evaluating or an add-on.

Question 18: How does your tool import users from Active Directory or an HRMS?

User provisioning via Active Directory sync or SCIM is a non-negotiable requirement for organizations above 100 employees. Ask the vendor to demonstrate the AD sync configuration or SCIM setup. Ask specifically: is this a one-time import or a continuous sync, how quickly are deprovisioned users' access revoked when they are removed from AD, and which identity providers (Okta, Azure AD, Google Workspace) are supported. Continuous sync with near-real-time deprovisioning is the appropriate standard; one-time import requires manual offboarding, which is a security risk.

Question 19: Which HRMS and payroll platforms does your product integrate with natively?

Native HRMS integrations (BambooHR, Workday, ADP, SAP SuccessFactors) are meaningful for organizations that want monitoring data to flow into HR workflows. Ask whether each integration is a pre-built connector or a custom API implementation, whether it is bidirectional (syncing employee data both ways) or unidirectional, what data is synced, and whether the integration requires professional services to configure. A native connector that configures in minutes is operationally different from a "supported integration" that requires a 40-hour professional services engagement.

Question 20: If I need a custom integration not currently supported, what is the process and cost?

Custom integration requirements are common in enterprise evaluations. Ask the vendor about their typical engagement model for custom integration work: do they provide a professional services team, a partner referral, or API documentation for the customer's own development team? What are typical timelines for custom integrations? What is the cost structure? Understanding the custom integration path before signing avoids surprises when a required integration is not available as a native connector.

Category 5: Support and Pricing Questions (5 Questions)

Pricing and support questions should extract specific, written commitments rather than general reassurances. Vague answers about pricing — "it depends on your needs" — and support — "we provide comprehensive support" — are signals to probe harder. Every pricing and support commitment that matters should be in the contract, not in a sales conversation.

Question 21: What is your SLA for critical issues, and what qualifies as "critical"?

Ask the vendor to specify: their definition of a critical vs. high vs. medium priority issue for a monitoring platform, the response time SLA for each priority level, the resolution time target for critical issues, and whether these SLAs are contractually binding or best-effort commitments. A monitoring platform that is down or producing inaccurate data affects payroll, compliance, and operations simultaneously. Sub-4-hour response for critical issues with a contractual commitment is an appropriate standard.

Question 22: What is included in your standard support tier, and what requires an upgrade?

Support tier structure is a significant TCO variable that is frequently not discussed during initial demos. Ask specifically: what channels are available (email, chat, phone), what are the hours of coverage, what is included versus what requires a premium support add-on, and whether dedicated customer success management is included or an upgrade. Organizations with compliance-sensitive monitoring deployments need timely support access and should understand the cost of the support tier that gives them that access.

Question 23: Can you show me the pricing for my exact user count, including all features I need, right now?

This question breaks the sales cycle convention of deferring pricing to a separate call. A vendor who can give you a complete quote on the spot (base licensing, any add-on features you have asked about, implementation fees, and total annual cost for your specific headcount) is demonstrating pricing transparency. A vendor who needs to "talk to their account team" before giving you the price you are going to pay is using a negotiation tactic rather than practicing straightforward pricing.

Question 24: What does the contract lock-in look like, and what happens to pricing if my headcount changes significantly?

Contract flexibility is relevant for growing organizations and for organizations managing seasonal headcount variation. Ask: what is the minimum commitment term, is there an early termination fee and how is it calculated, can you add users at any time and at what price, can you reduce users at renewal only or at any time, and what happens to pricing if headcount grows beyond the current tier's range. Organizations with rapidly scaling headcount should request contractual provisions for predictable pricing at higher tiers rather than leaving enterprise tier pricing to future negotiation.

Question 25: How do customers cancel their subscription, and what is the process for data export at cancellation?

Cancellation process questions reveal vendor confidence in their product's ongoing value. A vendor confident in retention makes cancellation straightforward. Ask: can cancellation be completed in the product without talking to anyone, what is the notice period, is there a data export grace period after cancellation, in what format is data exported, and how long does the vendor retain data post-cancellation. Vendors who make cancellation difficult, require conversations with retention teams, or provide no post-cancellation data export period are increasing your switching costs and should be evaluated accordingly.

We Will Answer All 25 Questions in Your eMonitor Demo

eMonitor's demo is a working product demonstration, not a sales presentation. Bring your question list. Ask every question. We will demonstrate live in the product, share our GDPR DPA on request, and give you a complete quote for your specific user count before the call ends.


How to Score Vendor Responses: A Post-Demo Evaluation Framework

After completing demos with multiple employee monitoring vendors, the 25-question framework generates a comparative dataset that makes side-by-side vendor evaluation structured rather than impressionistic. The following scoring approach converts qualitative demo observations into a quantitative comparison.

Score each question on a 0-2 scale: 0 for a deflected or vague answer without documentation, 1 for a verbal answer without live demonstration or documentation, 2 for a documented or live-demonstrated answer. Weight compliance and security questions at double value, since these represent the highest consequence failure modes. The maximum possible score using this weighted approach is 70 points.

Vendors scoring above 55 represent low evaluation risk. Vendors scoring 40-55 warrant follow-up on specific gaps. Vendors scoring below 40 on this framework have significant undocumented claims that should be treated as unverified during contract negotiations. Any vendor with a score of 0 on Question 7 (GDPR DPA availability) or Question 11 (data storage location) should be eliminated from consideration for deployments involving EU employees, regardless of overall score.

This scoring approach has a secondary benefit: it creates a written evaluation record. If a post-purchase capability dispute arises, having documented demo observations and vendor responses gives the buyer a basis for negotiation. Sales representations made during demos are difficult to enforce contractually, but a documented record of what was claimed and what was demonstrated is far more useful than no record at all.
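The weighted scoring and the EU elimination rule described above, as an added Python example (not code from eMonitor or any vendor). It assumes the data storage location question is Question 11, where this guide asks it; the function names and the sample answers are constructed for illustration.

```python
# Added example: weighted post-demo scoring, as described in this guide.
from dataclasses import dataclass

# Question numbers by category, following the guide's five categories.
CATEGORIES = {
    "features": range(1, 6),
    "compliance": range(6, 11),
    "security": range(11, 16),
    "integration": range(16, 21),
    "pricing_support": range(21, 26),
}
DOUBLE_WEIGHT = {"compliance", "security"}
# Assumption: data storage location is Question 11; the DPA is Question 7.
EU_VETO_QUESTIONS = (7, 11)
MAX_SCORE = 70


@dataclass
class Result:
    total: int
    band: str
    eliminated_for_eu: bool
    by_category: dict


def weight_for(question: int) -> int:
    """Compliance and security questions count double."""
    for name, numbers in CATEGORIES.items():
        if question in numbers:
            return 2 if name in DOUBLE_WEIGHT else 1
    raise ValueError(f"unknown question number: {question}")


def score_vendor(answers: dict, eu_employees: bool = True) -> Result:
    """answers maps question number (1-25) to a raw score of 0, 1 or 2."""
    missing = sorted(set(range(1, 26)) - set(answers))
    if missing:
        raise ValueError(f"unscored questions: {missing}")
    by_category = {}
    for name, numbers in CATEGORIES.items():
        subtotal = 0
        for q in numbers:
            raw = answers[q]
            if raw not in (0, 1, 2):
                raise ValueError(f"question {q}: score must be 0, 1 or 2")
            subtotal += raw * weight_for(q)
        by_category[name] = subtotal
    total = sum(by_category.values())
    # Bands from the guide: above 55, 40-55 inclusive, below 40.
    if total > 55:
        band = "low evaluation risk"
    elif total >= 40:
        band = "follow up on specific gaps"
    else:
        band = "significant undocumented claims"
    # A zero on either veto question eliminates the vendor for EU
    # deployments regardless of the total.
    eliminated = eu_employees and any(answers[q] == 0 for q in EU_VETO_QUESTIONS)
    return Result(total, band, eliminated, by_category)


# Constructed sample: everything demonstrated live except the DPA
# (Question 7), which was deflected.
SAMPLE = {q: 2 for q in range(1, 26)}
SAMPLE[7] = 0

if __name__ == "__main__":
    r = score_vendor(SAMPLE)
    print(r.total, r.band, "eliminated for EU:", r.eliminated_for_eu)
```

The constructed sample lands in the top band on points yet is still eliminated for EU deployments, which is why the veto check is evaluated separately from the total.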

What Does an eMonitor Demo Look Like?

An eMonitor demo is a working product session, not a produced presentation. The demo environment uses a real product instance with realistic data, and every feature question receives a live demonstration rather than a description. Compliance documentation including our GDPR Data Processing Agreement is available on request before, during, or after any demo without a follow-up scheduled.

eMonitor's monitoring platform includes real-time activity monitoring, configurable screenshot capture with admin-side configuration only, AI-assisted productivity scoring, DLP with USB and file monitoring, attendance and scheduling, and GDPR-compliant data handling. The Professional tier at $6.90/user/month includes SSO, API access, and unlimited data exports with no add-on fees. The Enterprise tier at $13.90/user/month adds Active Directory sync, SCIM provisioning, granular RBAC, and multi-jurisdiction compliance documentation.

eMonitor is trusted by 1,000+ companies and rated 4.8/5 on Capterra across 57 reviews. The 7-day free trial requires no credit card and provides access to the full Professional tier feature set, so the evaluation can begin with hands-on use rather than a vendor-guided demo alone.

Frequently Asked Questions: Employee Monitoring Vendor Evaluation

What questions should I ask during an employee monitoring software demo?

The most important questions during an employee monitoring software demo cover five areas: feature demonstration (ask to see specific features live, not in slides), compliance documentation (request GDPR DPA and SOC 2 report on the spot), security architecture (data storage location and encryption standard), integration capability (demo SSO and API live), and pricing transparency (total cost for your exact user count including all add-ons).

How should I prepare for an employee monitoring vendor demo?

Prepare for an employee monitoring vendor demo by documenting your top 5 required features and asking to see each demonstrated live. Prepare a compliance checklist covering your jurisdictions. List your integration requirements and ask specifically about each. Bring a written question list and take notes on which questions the vendor deflects or answers vaguely; vague answers on compliance and security are a meaningful signal about the vendor's readiness.

What is a red flag during an employee monitoring software demo?

Red flags during an employee monitoring software demo include: the vendor uses slides instead of the live product for feature demonstrations; they cannot show you the GDPR Data Processing Agreement on request; compliance questions receive "our legal team will follow up" responses; pricing requires a follow-up call to get a clear number; and the cancellation process is described vaguely or requires a conversation with an account manager.

Should I ask about data retention during an employee monitoring demo?

Yes. Data retention policy is a critical compliance and operational question for employee monitoring. Ask specifically: what is the default retention period, is it configurable per jurisdiction, how is data deleted at the end of the retention period, and can you configure different retention periods for different data types such as screenshots versus activity logs. GDPR requires proportionate retention, meaning indefinite data retention is not compliant for EU employee monitoring.

What integration questions should I ask an employee monitoring vendor?

Ask employee monitoring vendors to demonstrate SSO configuration live during the demo. Ask about Active Directory sync or SCIM provisioning with a live demonstration of user import. Ask about API availability and whether it requires a higher-tier subscription. Ask about HRMS integrations and whether they are pre-built connectors or custom API work. Verify that all integrations you need are included in the tier you are evaluating, not add-ons requiring separate purchase.

How do I evaluate employee monitoring screenshot configuration during a demo?

During a demo, ask the vendor to show screenshot configuration in the admin interface. Ask: can screenshot frequency be configured per user group or department, can screenshots be excluded for applications containing sensitive data, are screenshots stored encrypted, who can view screenshots based on RBAC settings, and how screenshots are handled when an employee has personal content visible during work hours.

What contract questions should I ask before signing an employee monitoring agreement?

Before signing an employee monitoring agreement, ask: what is the minimum contract term and early termination fee, what add-on features are not included in the quoted price, how is pricing adjusted if headcount changes mid-contract, what is the data export process and format at contract end, how do you cancel and what is the notice period, and whether the cancellation process requires talking to a person or can be completed within the product itself.

How do I verify that an employee monitoring vendor is GDPR compliant?

Verify GDPR compliance during an employee monitoring demo by requesting the vendor's Data Processing Agreement for immediate review, their documentation of where EU employee data is stored, their process for handling Data Subject Access Requests within 30 days, and their breach notification procedure including timeline. A GDPR-compliant vendor has these documents ready and shareable during the demo; a non-compliant vendor will deflect or promise follow-up documentation.

What security questions are essential when evaluating employee monitoring software?

Essential security questions for employee monitoring software evaluation include: what encryption standard is used for data at rest (AES-256 is the minimum acceptable standard), where is data stored and in which data centers, what is the incident response procedure for a breach including contractual notification timeline, is there a current SOC 2 Type II report, and what is the penetration testing schedule with summary results available under NDA.

How long should an employee monitoring software demo last?

An employee monitoring software demo should last 60 to 90 minutes to cover all evaluation categories adequately. A vendor who insists on a 30-minute demo is limiting your evaluation time. Request a 60-minute minimum: the first 30 minutes for the vendor's prepared demonstration and the second 30 minutes for your structured question list and live feature testing of your specific requirements.

Ready to Run eMonitor Through These 25 Questions?

Book a demo with eMonitor and bring your full question list. We demonstrate live, share documentation on request, and provide a complete written quote before the call ends. No slides. No follow-up promises on compliance. Just the product.
