You've signed up for a new SaaS tool, hired a new software contractor, or renewed a vendor contract. Somewhere in the back of your mind a question forms: is this company actually safe to deal with? Do I know enough about them?

That instinct is right. And it's surprisingly easy to answer. Here is exactly how Australian small businesses can check whether a software vendor is safe — the fast way and the thorough way.

The honest starting point: Most software vendors are fine. But the ones that aren't can cause serious damage — data breaches, sudden shutdowns, fraud. The cost of a 30-minute check is nothing compared to the cost of getting it wrong.

The 5 fastest checks (under 10 minutes total)

If you only have 10 minutes, do these five:

1. Check the ABN (2 minutes)

Go to abr.business.gov.au and search for the vendor's name or ABN. Confirm the ABN is active and the entity name matches what's on the contract or invoice. A cancelled ABN or a mismatch between the trading name and legal entity is an immediate red flag.

2. Check for data breaches (1 minute)

Go to haveibeenpwned.com and search for their domain. If their domain appears in a known breach, that's something to ask about before handing over your client data.

3. Check the SSL certificate (2 minutes)

Go to ssllabs.com/ssltest and enter their domain. A grade of A or B means their encryption is properly configured. A grade of C or below means outdated security — for a tool handling your data, that's a concern.

4. Check the domain age (1 minute)

Go to whois.domaintools.com and search their domain. Compare the registration date with how long they claim to have been in business. A very new domain combined with claims of long experience is a red flag.

5. Quick Google search (3 minutes)

Search "[vendor name] breach", "[vendor name] fraud", and "[vendor name] scam". Look at the first two pages of results. Any news articles about data breaches, ACCC enforcement, or fraud should prompt a deeper investigation.

The 6 deeper checks (30 minutes total)

If you have more time or the vendor will have access to sensitive data, add these:

6. Sanctions screening

Check the DFAT consolidated sanctions list at dfat.gov.au. Search the vendor name and any known directors. This is a legal obligation for Australian businesses, not optional.

7. Email security check

Go to mxtoolbox.com and search their domain for SPF and DMARC records. A vendor without DMARC can have their domain impersonated to send phishing emails that look like they come from the vendor.

8. Security headers

Go to securityheaders.com. A grade of A or B means their web application has basic security controls in place. Persistent F grades indicate a development team that doesn't prioritise security.

9. Privacy policy review

Read their privacy policy specifically for: data storage location, breach notification timeline, who they share data with (sub-processors), and data deletion on contract termination. If any of these aren't addressed, ask in writing before signing.

10. Independent reviews

Search for the vendor on g2.com, capterra.com, or trustpilot.com. Independent reviews can surface reliability issues, customer support problems, and data handling concerns that don't appear in any automated check.

11. ACCC enforcement check

Search accc.gov.au/media-releases for the vendor name. Any enforcement history should be disclosed and explained.

Run all 13 checks automatically

Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds — sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.

Check a vendor free →

Free to view · $19.99 for the full report · No subscription

Red flags that should stop you

What "safe" actually means

No vendor is zero risk. "Safe" means you've done due diligence proportionate to the risk, the vendor's security posture is adequate for the sensitivity of what you're sharing, and your contract includes appropriate protections.

A vendor that passes all the above checks isn't guaranteed to be perfect. But a vendor that fails multiple checks is telling you clearly that security is not a priority for them — and your data will reflect that priority.

Under the Australian Privacy Act: If you share personal information with a vendor and they suffer a breach, your business may have Notifiable Data Breach obligations regardless of who was at fault. Running these checks before signing — and documenting that you did — is part of meeting your "reasonable steps" obligation under APP 11.