You've found a software tool that looks perfect. The pricing is right, the features tick every box, and the sales rep was convincing. Before you sign the agreement and hand over access to your client data, your payroll system, or your accounting software โ€” stop and run a few checks.

This guide explains exactly how to check a software vendor in Australia before signing a contract. It covers what to look for, why each check matters, and how to do it. At the end, we'll show you how to run all of it in 60 seconds automatically.

Why this matters now: Under the Australian Privacy Act, if you share personal information with a software vendor and they suffer a breach, you may have a Notifiable Data Breach obligation โ€” even if the breach wasn't your fault. The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024, strengthened these obligations significantly.

Step 1 โ€” Check the ABN and business registration

The most basic check: is this actually a real, registered Australian business?

Go to abr.business.gov.au and search for the vendor's name or ABN. You're looking for:

If you can't find an ABN, ask for it. A legitimate Australian business will provide it without hesitation. If they can't or won't, walk away.

Step 2 โ€” Check for data breaches

Has this vendor's domain appeared in a known data breach? This is one of the most important checks and it's completely free.

Go to haveibeenpwned.com and search for the vendor's domain. If their domain has appeared in a breach, it means customer data associated with their platform was exposed at some point.

A breach finding doesn't automatically disqualify a vendor โ€” what matters is whether they disclosed it, what they did about it, and how long ago it was. A 5-year-old breach they handled well is very different from a recent undisclosed one.

What to ask if you find a breach: When did it occur? How many records were affected? Were customers notified? What remediation steps were taken? Are those vulnerabilities now patched?

Step 3 โ€” Check the sanctions lists

If your vendor is on the Australian DFAT consolidated sanctions list or the US OFAC Specially Designated Nationals list, you could be violating Australian law by paying them.

You can search the DFAT list manually at dfat.gov.au. Search for the company name and any known directors.

This check is particularly important if your vendor is international, uses offshore entities, or operates in higher-risk jurisdictions.

Step 4 โ€” Check the SSL certificate

SSL (the padlock in your browser) is the baseline of website security. If a software vendor's website doesn't have a valid, properly configured SSL certificate, that's a serious concern for any product handling your data.

Go to ssllabs.com/ssltest and enter the vendor's domain. You're looking for a grade of A or A+. A grade of C or below means their TLS configuration is outdated and potentially vulnerable.

Step 5 โ€” Check email security (SPF, DKIM, DMARC)

Email authentication controls prevent fraudsters from impersonating the vendor and sending phishing emails that appear to come from them. If a vendor hasn't configured these, their domain can be spoofed โ€” and you or your clients could receive convincing fake emails from "their" domain.

Check SPF and DMARC records using mxtoolbox.com. A vendor with no DMARC policy (or a policy of p=none) provides no protection against domain spoofing.

Step 6 โ€” Check the domain age

How old is the vendor's domain? A company claiming 10 years of experience with a 6-month-old domain is telling you something important โ€” and it's not good.

Use whois.domaintools.com to look up when the domain was first registered. Combine this with their ABN registration date to build a picture of how established the business really is.

Step 7 โ€” Search for adverse media

Has this company appeared in news articles about fraud, scams, data breaches, regulatory actions, or court proceedings? A quick Google search for "[vendor name] fraud" or "[vendor name] breach" can surface important information.

Also check if they've been subject to ACCC enforcement action at accc.gov.au/media-releases.

Step 8 โ€” Check their security headers

Security headers are technical controls a website can implement to protect visitors from common attacks. A vendor with missing security headers hasn't followed basic web security best practices.

Check at securityheaders.com. You want to see grades of A or B. Consistent F grades across multiple checks suggest a vendor that doesn't prioritise security.

Step 9 โ€” Review their privacy policy

Read it. Not every word โ€” but look for:

If any of these questions are unanswered in their privacy policy, ask them directly in writing before signing.

Step 10 โ€” Check their internet presence and history

Does this vendor have a credible, verifiable online presence? Search for them on LinkedIn, check if their website has years of history on the Wayback Machine, and look for independent reviews on G2 or Capterra.

A vendor with no LinkedIn presence, a website with no history, and no independent reviews is a much higher risk than one with 5+ years of verifiable online presence.

The 10-check summary table

CheckFree toolTimeRed flag
ABN verificationabr.business.gov.au2 minNo ABN, cancelled, wrong entity
Data breach historyhaveibeenpwned.com1 minRecent undisclosed breach
Sanctions checkdfat.gov.au3 minAny match
SSL certificatessllabs.com5 minGrade C or below
Email securitymxtoolbox.com2 minNo SPF, no DMARC
Domain agewhois.domaintools.com1 minVery new domain, old claims
Adverse mediaGoogle + ACCC5 minFraud, breach, enforcement news
Security headerssecurityheaders.com2 minGrade F
Privacy policyVendor's website10 minNo data deletion, no breach notice
Internet presenceLinkedIn, Wayback Machine5 minNo history, no reviews

Total time manually: approximately 30-40 minutes per vendor.

Run all 13 checks automatically

Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ€” sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.

Check a vendor free โ†’

Free to view ยท $19.99 for the full report ยท No subscription

What to do with the results

Once you've run these checks, you'll have one of three outcomes:

The Privacy Act obligation you can't ignore

Under the Australian Privacy Principles, your business is responsible for how personal information is handled by your vendors. If a vendor you've engaged suffers a data breach affecting your clients, you may be required to notify both affected individuals and the Office of the Australian Information Commissioner (OAIC).

Running these checks before signing is not just best practice โ€” for businesses covered by the Privacy Act, it's part of meeting your obligation to take "reasonable steps" to protect personal information.

Bottom line: A 30-minute vendor check before signing could save you from a data breach, a regulatory investigation, or losing client trust. Do it every time โ€” not just for new vendors, but when renewing contracts with existing ones too.