Most Australian small businesses sign vendor contracts after a product demo and a quick Google. No checks on the company, no security review, no contract conditions protecting their data. Then something goes wrong โ a breach, a vendor going under, a product shutdown โ and they have no recourse.
This 15-point checklist gives you a structured process for vetting any vendor before signing. It covers business legitimacy, security posture, compliance obligations, and contract protections. Bookmark it and use it every time.
When to use this checklist: Before signing any new vendor contract. Before renewing an existing contract. When a vendor requests additional data access. When you're onboarding a new SaaS tool for your team.
Section 1 โ Business legitimacy (5 checks)
- ABN verified: Search abr.business.gov.au. Confirm the ABN is active, the entity name matches the contract, and GST registration is correct if they're charging GST.
- Domain age confirmed: Use whois.domaintools.com. A vendor claiming years of experience should have a domain to match. New domain + old claims = red flag.
- No sanctions matches: Search DFAT consolidated list (dfat.gov.au) and US OFAC SDN list. Search vendor name and any known directors.
- No ACCC enforcement actions: Search accc.gov.au/media-releases for the vendor name. Any enforcement history should be disclosed and explained.
- Credible internet presence: LinkedIn profile, Wayback Machine history, independent reviews (G2, Capterra, Trustpilot). No presence at all is a risk signal.
Section 2 โ Security posture (5 checks)
- No known data breaches: Search vendor domain on haveibeenpwned.com. If breaches are found, ask for the vendor's incident report and remediation summary.
- SSL certificate grade A or B: Test at ssllabs.com. Grade C or below means outdated TLS configuration. Grade F means serious security issues.
- Email authentication configured: Check SPF and DMARC at mxtoolbox.com. A vendor without DMARC can have their domain spoofed to send phishing emails.
- Security headers present: Test at securityheaders.com. Look for Strict-Transport-Security, Content-Security-Policy, X-Frame-Options. Missing headers = basic controls absent.
- No adverse security media: Google "[vendor name] breach" and "[vendor name] hack". Recent undisclosed incidents that appear in media are serious red flags.
Section 3 โ Privacy and compliance (3 checks)
- Privacy policy reviewed: Does it state data storage location, breach notification timelines, sub-processors, and data deletion on termination? If any are missing, request written answers before signing.
- Data residency confirmed: Where is your data stored? For Australian businesses with Privacy Act obligations, data stored offshore adds complexity to your compliance obligations. Ask specifically โ "Is data stored in Australia?"
- Certifications checked: Does the vendor hold ISO 27001, SOC 2 Type II, or Australian Essential Eight certification? These aren't mandatory but their presence (or absence) signals the vendor's security maturity.
Section 4 โ Contract conditions (2 checks)
- Breach notification clause included: Your contract should require the vendor to notify you within 72 hours of any actual or suspected security incident affecting your data. This is aligned with the Australian Privacy Act Notifiable Data Breaches scheme.
- Data deletion on termination: The contract should require the vendor to securely delete or return all your data within 30 days of contract termination, and provide written certification. This is required under APP 11.2.
Run all 13 checks automatically
Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.
Check a vendor free โFree to view ยท $19.99 for the full report ยท No subscription
How to score the results
| Section | All green | 1-2 amber | Any red |
|---|---|---|---|
| Business legitimacy | ONBOARD | REVIEW | DO NOT ONBOARD |
| Security posture | ONBOARD | CONDITIONS | DO NOT ONBOARD |
| Privacy & compliance | ONBOARD | CONDITIONS | CONDITIONS |
| Contract conditions | SIGN | NEGOTIATE | DO NOT SIGN YET |
Using this checklist for renewals
Don't just run this checklist when you first onboard a vendor. Run a simplified version (at minimum: breach check, sanctions check, and privacy policy review) when you renew any contract. Vendors change. What was safe 2 years ago may not be safe now.
Time to complete manually: 30-45 minutes per vendor. Automated via Validios: 60 seconds. The automated version runs all 13 checks simultaneously against live data sources and generates a 12-page audit-ready PDF report with contract conditions aligned to Australian law.