The purpose is to extract, consolidate and analyse data and present it through an interactive web interface. This would likely include sales, inventory, and other operational data.
Strict control is the primary issue as far as I am concerned. It would require at least the following:
1) We would have to review and certify all code in the triggers. The ability to do this is already in doubt as it has been presented as a proprietary product. A strict NDA may be enough but there is some resistance even with this.
2) We would install the triggers. Object ownership would not be given to the vendor. Granular permissions would be set to enforce appropriate access to views and tables
3) Changes to the triggers would have to be re-certified.
4) The vendor would have no access to any administrative functions. They would not have any object creation permissions.
5) Any indexing related to their queries would also need to be certified and subject to change management. Optimization of indexing would be biased in favor of our application.
One big issue is who excepts liability for problems. If we certify their triggers but something slips through QA that seriously degrades performance, then our customers will not be happy. But because we certified it, who takes the hit for any costs incurred due to the failure?