Best Practices · March 8, 2026 · 5 min read

Vendor Due Diligence Checklist: Everything You Need Before Onboarding

A comprehensive pre-onboarding due diligence checklist covering legal, financial, compliance, and security verification.

Vendor due diligence is the process of verifying that a vendor is who they say they are, can deliver what they promise, and does not represent unacceptable risk before you sign a contract and begin work.

The depth of due diligence should be proportional to the risk the vendor represents. A one-time $500 purchase from a known vendor does not need the same process as a $500,000 annual technology contract with a company that handles your customer data.

This checklist covers the full range of due diligence — apply the sections that are appropriate to the vendor relationship.

Legal and Identity Verification

  • Entity verification. Confirm the vendor's legal entity name, business registration, and jurisdiction. Look them up in the state business registry to confirm they are an active, registered entity.
  • Business license check. Verify they hold the required business licenses for the work they will be performing in your jurisdiction.
  • Professional license verification. If their work requires professional licensure, verify the license is active, in the correct state, and covers the specific work.
  • Sanctions screening. For international vendors or vendors in regulated industries, screen against OFAC and other relevant sanctions lists.
  • Litigation check. A search of public court records for significant pending litigation or judgments can surface risk that is otherwise invisible.

Financial Stability

  • Years in business. A vendor with two years of operating history is higher risk than one with ten. This is not disqualifying, but it is relevant.
  • Financial references. For high-value relationships, request references from other customers who can speak to the vendor's financial reliability.
  • Credit check. For vendors you will be paying in arrears or giving significant advance payments, a business credit report provides useful financial health indicators.
  • Insurance adequacy. Verify insurance coverage meets your requirements — not just that it exists.

Compliance Documents

  • W-9 on file. Collect before the first payment.
  • Certificate of Insurance reviewed. Coverage types, limits, effective dates, and certificate holder verified against your requirements.
  • Professional licenses verified. Active, in-jurisdiction, appropriate scope.
  • Contract executed. Signed by authorized representatives of both parties before work begins.
  • ACH authorization (if paying by direct deposit). Proper authorization form with signature and banking details.
  • Tax exemption certificate (if applicable). Valid for your jurisdiction if the vendor claims exemption.

Data Security (For Vendors with System or Data Access)

  • Security questionnaire completed. A standard vendor security questionnaire assessing their security controls.
  • SOC 2 report reviewed. If the vendor has undergone a SOC 2 audit, review their most recent report, confirm its scope covers the services you will use, and note any exceptions.
  • Data Processing Agreement signed. Required for any vendor handling personal data of your customers or employees.
  • Penetration testing / vulnerability assessment reviewed. For high-risk vendors with access to critical systems or sensitive data, review evidence of recent testing and how findings were remediated.
  • Encryption standards confirmed. Encryption requirements for data in transit and at rest verified.
  • Incident response process reviewed. Understand how they will notify you in the event of a breach.

Operational Capability

  • Reference checks. Speak with two or three current or recent customers about the vendor's delivery, communication, and problem-solving.
  • Subcontractor review. If the vendor uses subcontractors for your work, understand who they are and what their compliance looks like.
  • Business continuity plan. For critical vendors, verify they have a documented plan for maintaining operations through disruptions.
  • Key person dependency. If the relationship depends on one or two specific individuals, understand the vendor's succession plan.

Contract Review

  • Scope of work is specific and measurable. Vague scopes create disputes. Verify the contract describes deliverables in terms both parties can objectively evaluate.
  • Indemnification is mutual and appropriate. Understand what you are indemnifying the vendor for and what they are indemnifying you for.
  • Insurance requirements are specified. The contract should include the insurance requirements and require the vendor to maintain them for the duration of the relationship.
  • Data handling terms are present. If the vendor will have access to any customer, employee, or sensitive business data, the contract must address ownership, handling, breach notification, and deletion.
  • Termination rights are clear. Know what triggers your right to terminate, how much notice is required, and what your obligations are post-termination.
  • Governing law and dispute resolution. Where would a dispute be adjudicated? Is it your jurisdiction or theirs?

Post-Onboarding Considerations

  • Expiration tracking established. All time-sensitive documents (COI, licenses, contract term) entered in your tracking system with alerts.
  • Vendor contact information recorded. Primary contact, billing contact, and escalation contact on file.
  • Review schedule set. High-risk vendors should be re-assessed annually. Lower-risk vendors, every two to three years or upon significant changes to the relationship.

The goal of due diligence is not to find reasons not to work with a vendor. It is to confirm that the vendor relationship is what it appears to be and to surface any risks before they become problems. Most due diligence checklists are completed, filed, and never looked at again — which is fine. The value was in the process of completing them.

