You've found a software tool that looks perfect. The pricing is right, the features tick every box, and the sales rep was convincing. Before you sign the agreement and hand over access to your client data, your payroll system, or your accounting software โ stop and run a few checks.
This guide explains exactly how to check a software vendor in Australia before signing a contract. It covers what to look for, why each check matters, and how to do it. At the end, we'll show you how to run all of it in 60 seconds automatically.
Why this matters now: Under the Australian Privacy Act, if you share personal information with a software vendor and they suffer a breach, you may have a Notifiable Data Breach obligation โ even if the breach wasn't your fault. The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024, strengthened these obligations significantly.
Step 1 โ Check the ABN and business registration
The most basic check: is this actually a real, registered Australian business?
Go to abr.business.gov.au and search for the vendor's name or ABN. You're looking for:
- An active ABN (not cancelled)
- Correct GST registration if they're charging GST
- The legal entity name matches what's on the contract
- The registration date โ a company registered 3 months ago claiming 10 years of experience is a red flag
If you can't find an ABN, ask for it. A legitimate Australian business will provide it without hesitation. If they can't or won't, walk away.
Step 2 โ Check for data breaches
Has this vendor's domain appeared in a known data breach? This is one of the most important checks and it's completely free.
Go to haveibeenpwned.com and search for the vendor's domain. If their domain has appeared in a breach, it means customer data associated with their platform was exposed at some point.
A breach finding doesn't automatically disqualify a vendor โ what matters is whether they disclosed it, what they did about it, and how long ago it was. A 5-year-old breach they handled well is very different from a recent undisclosed one.
What to ask if you find a breach: When did it occur? How many records were affected? Were customers notified? What remediation steps were taken? Are those vulnerabilities now patched?
Step 3 โ Check the sanctions lists
If your vendor is on the Australian DFAT consolidated sanctions list or the US OFAC Specially Designated Nationals list, you could be violating Australian law by paying them.
You can search the DFAT list manually at dfat.gov.au. Search for the company name and any known directors.
This check is particularly important if your vendor is international, uses offshore entities, or operates in higher-risk jurisdictions.
Step 4 โ Check the SSL certificate
SSL (the padlock in your browser) is the baseline of website security. If a software vendor's website doesn't have a valid, properly configured SSL certificate, that's a serious concern for any product handling your data.
Go to ssllabs.com/ssltest and enter the vendor's domain. You're looking for a grade of A or A+. A grade of C or below means their TLS configuration is outdated and potentially vulnerable.
Step 5 โ Check email security (SPF, DKIM, DMARC)
Email authentication controls prevent fraudsters from impersonating the vendor and sending phishing emails that appear to come from them. If a vendor hasn't configured these, their domain can be spoofed โ and you or your clients could receive convincing fake emails from "their" domain.
Check SPF and DMARC records using mxtoolbox.com. A vendor with no DMARC policy (or a policy of p=none) provides no protection against domain spoofing.
Step 6 โ Check the domain age
How old is the vendor's domain? A company claiming 10 years of experience with a 6-month-old domain is telling you something important โ and it's not good.
Use whois.domaintools.com to look up when the domain was first registered. Combine this with their ABN registration date to build a picture of how established the business really is.
Step 7 โ Search for adverse media
Has this company appeared in news articles about fraud, scams, data breaches, regulatory actions, or court proceedings? A quick Google search for "[vendor name] fraud" or "[vendor name] breach" can surface important information.
Also check if they've been subject to ACCC enforcement action at accc.gov.au/media-releases.
Step 8 โ Check their security headers
Security headers are technical controls a website can implement to protect visitors from common attacks. A vendor with missing security headers hasn't followed basic web security best practices.
Check at securityheaders.com. You want to see grades of A or B. Consistent F grades across multiple checks suggest a vendor that doesn't prioritise security.
Step 9 โ Review their privacy policy
Read it. Not every word โ but look for:
- Where is data stored? (Australia, US, Asia?)
- Who are their sub-processors? (other companies they share your data with)
- What is their breach notification timeline?
- How do they handle data deletion on contract termination?
- Do they sell data to third parties?
If any of these questions are unanswered in their privacy policy, ask them directly in writing before signing.
Step 10 โ Check their internet presence and history
Does this vendor have a credible, verifiable online presence? Search for them on LinkedIn, check if their website has years of history on the Wayback Machine, and look for independent reviews on G2 or Capterra.
A vendor with no LinkedIn presence, a website with no history, and no independent reviews is a much higher risk than one with 5+ years of verifiable online presence.
The 10-check summary table
| Check | Free tool | Time | Red flag |
|---|---|---|---|
| ABN verification | abr.business.gov.au | 2 min | No ABN, cancelled, wrong entity |
| Data breach history | haveibeenpwned.com | 1 min | Recent undisclosed breach |
| Sanctions check | dfat.gov.au | 3 min | Any match |
| SSL certificate | ssllabs.com | 5 min | Grade C or below |
| Email security | mxtoolbox.com | 2 min | No SPF, no DMARC |
| Domain age | whois.domaintools.com | 1 min | Very new domain, old claims |
| Adverse media | Google + ACCC | 5 min | Fraud, breach, enforcement news |
| Security headers | securityheaders.com | 2 min | Grade F |
| Privacy policy | Vendor's website | 10 min | No data deletion, no breach notice |
| Internet presence | LinkedIn, Wayback Machine | 5 min | No history, no reviews |
Total time manually: approximately 30-40 minutes per vendor.
Run all 13 checks automatically
Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.
Check a vendor free โFree to view ยท $19.99 for the full report ยท No subscription
What to do with the results
Once you've run these checks, you'll have one of three outcomes:
- Green โ onboard with standard contract conditions. No red flags. Proceed, but make sure your contract includes breach notification obligations and data deletion on termination.
- Amber โ onboard with conditions. Some findings that need addressing. Raise them directly with the vendor and get written responses before signing.
- Red โ do not onboard. Significant red flags. Either negotiate hard on security commitments or find a different vendor.
The Privacy Act obligation you can't ignore
Under the Australian Privacy Principles, your business is responsible for how personal information is handled by your vendors. If a vendor you've engaged suffers a data breach affecting your clients, you may be required to notify both affected individuals and the Office of the Australian Information Commissioner (OAIC).
Running these checks before signing is not just best practice โ for businesses covered by the Privacy Act, it's part of meeting your obligation to take "reasonable steps" to protect personal information.
Bottom line: A 30-minute vendor check before signing could save you from a data breach, a regulatory investigation, or losing client trust. Do it every time โ not just for new vendors, but when renewing contracts with existing ones too.