How to Conduct Vendor Due Diligence: A Checklist for Procurement and Legal Teams
Vendor due diligence is the process of verifying that a potential supplier or service provider is financially stable, legally compliant, operationally capable, and a good-faith business partner before entering into a contractual relationship. The depth of due diligence required scales with the relationship's risk: a $500 office supply contract warrants minimal scrutiny; a $2M cloud infrastructure vendor with access to your production data warrants comprehensive review.
This guide provides a structured due diligence framework and checklist for procurement teams, legal departments, and business owners managing vendor relationships.
Why Vendor Due Diligence Matters
Vendor failures cause cascading problems. When a critical vendor goes bankrupt mid-contract, switches leadership, gets acquired, or suffers a data breach, the consequences are not theoretical:
- Operational disruption: Production stops, customer commitments fail, recovery takes months
- Data exposure: A security breach at a vendor with access to your data is your data breach — under GDPR, HIPAA, CCPA, and most breach notification laws, you remain liable for data your vendors hold on your behalf
- Contractual liability: If a vendor's product or service infringes a third party's IP or violates regulations, indemnification gaps can leave you exposed
- Reputational risk: Vendor conduct becomes associated with your brand
The purpose of vendor due diligence is not to create bureaucratic friction. It is to identify risks before they become problems, while there is still leverage to address them.
The Vendor Due Diligence Framework
Vendor due diligence covers five domains:
- Financial stability — Can the vendor sustain the relationship and meet its commitments?
- Security and data protection — Can the vendor adequately protect your data?
- Legal and regulatory compliance — Is the vendor legally compliant in relevant jurisdictions?
- Operational capability — Can the vendor actually deliver what it is promising?
- Commercial and contractual terms — Does the contract protect your interests?
The depth of review in each domain should match the vendor's access to your systems, the criticality of their service, and the financial value of the relationship.
Risk-Tiered Due Diligence
Not every vendor requires the same depth of review. Classify vendors by risk tier first:
| Tier | Description | Examples | Due Diligence Level |
|---|---|---|---|
| Tier 1 | Critical / high data access | Cloud infrastructure, payment processors, healthcare data vendors | Comprehensive (all 5 domains, deep review) |
| Tier 2 | Important / limited data access | CRM, HR systems, project management tools | Standard (all 5 domains, targeted review) |
| Tier 3 | Routine / no data access | Office supplies, catering, furniture | Minimal (basic financial and legal check) |
| Tier 4 | Incidental | One-time contractors, speakers, event venues | Negligible (references, basic credentials) |
Domain 1: Financial Stability Due Diligence
A vendor that goes out of business mid-contract is at best an operational disruption and at worst a catastrophe. Before committing to a significant vendor relationship, assess their financial health.
What to Request or Research
For private companies:
- Last 2-3 years of audited or reviewed financial statements
- Most recent balance sheet (if willing to share)
- References from other customers with similar contract size/scope
- Funding history and current runway (for startups)
- Dun & Bradstreet or credit bureau business credit report
For public companies:
- SEC filings (10-K, 10-Q) — look at cash position, debt, customer concentration, going concern language in audit report
- Any recent material adverse disclosures (8-K filings)
Financial Red Flags
- Net losses for multiple consecutive years without a credible path to profitability
- Very high customer concentration (top customer > 40% of revenue) — their business depends on one relationship that could end
- Rapid leadership turnover in finance or operations
- Recent significant layoffs disproportionate to any disclosed business contraction
- Startup with less than 12 months of runway without a committed next financing round
- Any disclosed going concern qualification in their audited financials
Domain 2: Security and Data Protection Due Diligence
If the vendor will handle your data — even indirectly — security due diligence is not optional. Under GDPR and most US state privacy laws, you remain liable for how your vendors handle personal data on your behalf.
Security Certifications to Verify
| Certification | What It Covers | How to Verify |
|---|---|---|
| SOC 2 Type II | Security, availability, confidentiality controls (AICPA standard) | Request the actual report (NDA required) |
| ISO 27001 | Information security management system | Verify certificate and scope on registrar's website |
| PCI DSS | Payment card data security | Verify with their QSA or acquiring bank |
| HIPAA | Healthcare data (US) | Business Associate Agreement required; no formal certification exists |
| FedRAMP | Federal government cloud (US) | Search fedramp.gov marketplace |
Important: A vendor saying they are "SOC 2 compliant" is meaningless. Request the actual SOC 2 Type II report and read the auditor's opinion and identified exceptions. SOC 2 Type I (a point-in-time assessment) is less rigorous than Type II (6-12 month operational period).
Key Security Questions to Ask
- What data will you store and where will it be stored (geographic location)?
- Who among your employees and contractors has access to customer data?
- How is access controlled and audited?
- What encryption standards do you use (at rest and in transit)?
- What is your incident response procedure and breach notification timeline?
- What is your disaster recovery and business continuity plan?
- Have you suffered any data breaches in the past 3 years? If so, what was disclosed and to whom?
- Do you use subprocessors, and who are they?
Subprocessor Due Diligence
When a vendor uses third-party subprocessors to handle your data (e.g., a SaaS tool that uses AWS for storage, Twilio for SMS, and a third-party analytics platform), your risk extends to those subprocessors. Ask for:
- A list of all subprocessors and the data they handle
- The vendor's process for approving new subprocessors
- Whether you have a right to object to new subprocessors before they are added
Domain 3: Legal and Regulatory Compliance
Before entering a vendor relationship, verify that the vendor is not carrying undisclosed legal risk that could affect the relationship.
Background and Compliance Checks
- Litigation history: Search PACER (US federal courts) and state court systems for active or recent litigation. Significant pending litigation against the vendor is relevant, particularly if it could affect their operations or financial stability.
- Regulatory sanctions: Check relevant regulatory databases (OFAC sanctions list, FDA warning letters, FINRA BrokerCheck, HHS exclusion database for healthcare vendors, etc.)
- Business registration: Verify the vendor is properly registered in jurisdictions where it operates
- Professional licenses: For licensed professions (law, accounting, engineering, healthcare), verify active licenses
Data Processing Agreements (DPAs)
If the vendor will process personal data of your customers or employees under GDPR, CCPA, HIPAA, or other applicable data protection laws, you need a formal Data Processing Agreement before data is shared. The DPA specifies:
- The scope and purpose of data processing
- The vendor's obligations as a data processor
- Security measures required
- Subprocessor rules
- Breach notification obligations
- Data retention and deletion requirements
Never share personal data with a vendor before a DPA is in place.
Employment and Labor Compliance
For vendors providing staffing, professional services, or labor-intensive services:
- Are their workers properly classified (employees vs. independent contractors)?
- Are they compliant with applicable wage and hour laws?
- Do they have appropriate workers' compensation and employer liability insurance?
Misclassification liability can transfer to you as the contracting party in some jurisdictions and under certain arrangements.
Domain 4: Operational Capability Due Diligence
Financial stability and legal compliance mean little if the vendor cannot actually deliver what they are promising.
Reference Checks
Ask for 3-5 customer references with similar contract scope, scale, and use case. The reference check questions that matter:
- Have you experienced any service outages or failures? How were they handled?
- Does the vendor meet its SLA commitments consistently?
- How responsive is the support team to issues?
- Has pricing changed significantly over the relationship?
- Would you renew if you could restart the relationship today?
Request references you can actually call, not email-only references. Written references are always positive. A 15-minute call reveals much more.
Service Level Agreement (SLA) Review
Review the SLA against your operational requirements:
- Uptime guarantee: 99.9% = 8.7 hours downtime/year; 99.99% = 52 minutes/year. Know the difference.
- Scheduled maintenance windows: When do they maintain systems and how are you notified?
- Support response times: What tier is your account and what response time is guaranteed?
- Remedies for SLA breach: Credits only, or actual damages? Are credits calculated automatically or do you have to claim them?
Business Continuity and Disaster Recovery
- What is their RTO (Recovery Time Objective — how long to restore service after an outage)?
- What is their RPO (Recovery Point Objective — how much data loss is acceptable if they restore from backup)?
- Have they tested their DR plan in the past 12 months? Can they provide the test report?
- If the vendor ceases operations, can you retrieve your data? In what format?
Domain 5: Commercial and Contractual Due Diligence
The contract documents the relationship and allocates risk between the parties. Before signing a vendor agreement, review:
Key Vendor Contract Provisions
Limitation of liability: Most vendor contracts cap their liability at the fees paid in the prior 12 months. If their service failure could cost you far more than you pay them annually, the cap is inadequate. Negotiate carve-outs for data breaches, confidentiality violations, and IP infringement.
Indemnification: Does the vendor indemnify you for IP infringement claims arising from their product? For data breaches caused by their negligence? Understand exactly what events trigger their indemnification obligation and what the cap on that obligation is.
Data ownership: Who owns the data you upload or generate within the vendor's platform? Can they use your data to train AI models? Aggregate your data with other customers' data for analytics they sell?
Exit provisions: What are your rights if you want to leave? What notice is required? What does it cost to exit early? Can you export all your data in a usable format, and how long does the vendor retain your data after the relationship ends?
Auto-renewal: Most SaaS contracts auto-renew unless you send notice 30-90 days before the renewal date. Calendar the notice deadline.
Use the Vendor Contract Analyzer to extract all key provisions from a vendor agreement with page-level citations — limitation of liability cap, indemnification scope, data ownership terms, termination rights, and auto-renewal provisions — in minutes.
Vendor Due Diligence Checklist
Financial
- [ ] Obtained and reviewed financial statements or credit report
- [ ] Assessed funding runway (if startup)
- [ ] Checked for going concern qualifications
- [ ] Verified no recent significant layoffs or leadership departures
Security
- [ ] Requested and reviewed SOC 2 Type II report (if applicable)
- [ ] Verified relevant certifications (ISO 27001, PCI DSS, etc.)
- [ ] Obtained complete subprocessor list
- [ ] Reviewed incident response and breach notification procedures
- [ ] Executed Data Processing Agreement (if personal data involved)
Legal
- [ ] Searched for active litigation
- [ ] Checked applicable regulatory sanctions databases
- [ ] Verified business registration and professional licenses
- [ ] Confirmed worker classification practices (if staffing/services vendor)
Operational
- [ ] Completed at least 3 customer reference calls
- [ ] Reviewed SLA uptime, support, and remedy terms
- [ ] Understood DR/BCP plan and last test date
- [ ] Confirmed data portability and exit procedures
Contractual
- [ ] Reviewed limitation of liability cap vs. potential loss exposure
- [ ] Confirmed IP indemnification scope
- [ ] Verified data ownership and permitted use provisions
- [ ] Calendared auto-renewal notice deadline
- [ ] Reviewed termination rights and exit costs
Key Terms for Vendor Due Diligence
- Due Diligence: The investigation process conducted before entering a significant business relationship
- Indemnification: Contractual obligation to compensate for losses arising from a specified event
- Force Majeure: Clause excusing performance due to extraordinary events outside a party's control
- NDA: Non-disclosure agreement typically signed before sharing confidential information during vendor evaluation
Upload any vendor agreement to the Vendor Contract Analyzer to instantly extract key provisions, identify red flags, and get answers to specific questions about the contract — with page-level citations.