Vendor Due Diligence Explained
Vendor due diligence is the process of checking whether a supplier, contractor, software provider, subcontractor, service provider, or business partner is reliable enough for the role it will play in your business.
Small businesses do not need a complicated enterprise vendor-risk program. They do need a practical way to avoid obvious vendor surprises: uninsured contractors, weak support, missing backup options, vague contracts, poor data handling, unclear ownership of accounts, no exit plan, or a single vendor that can stop revenue overnight.
This guide explains vendor due diligence in plain language for U.S. small businesses. It covers vendor tiering, business stability, operational capability, cyber and data questions, insurance verification, contract review, continuity planning, renewal review, and a simple one-page vendor runbook.
- Key takeaways
- What vendor due diligence means
- Vendor tiering diagram
- Why due diligence matters
- Tier 1, Tier 2, and Tier 3 vendors
- Practical due diligence checks
- Cybersecurity and data access questions
- Insurance and COI checks
- Contract terms to review
- Vendor continuity and exit planning
- One-page vendor runbook
- FAQ
Key takeaways
- Vendor due diligence should be scaled to vendor importance. Critical vendors need more review than easy-to-replace tools.
- The biggest vendor risks are usually dependency, data access, weak contracts, poor support, insurance gaps, unclear exit rights, and no backup plan.
- A certificate of insurance is useful, but it should be reviewed against the contract and supported by required endorsements where needed.
- Software vendors need special review for account ownership, access control, MFA, data export, incident notice, and recovery steps.
- Due diligence should end with a practical decision: approve, approve with controls, require changes, use a backup, or decline the vendor.
What vendor due diligence means
Vendor due diligence means reviewing a vendor before relying on it. The goal is not to prove that the vendor is perfect. The goal is to understand whether the vendor is suitable for the role, what could go wrong, how serious the impact would be, and what controls should exist before the vendor becomes important.
Vendors can include:
- suppliers and distributors;
- subcontractors and trades;
- software-as-a-service platforms;
- payment processors and financial tools;
- payroll and accounting providers;
- IT providers and website vendors;
- marketing, design, and professional service firms;
- delivery, logistics, and transport providers;
- manufacturers and product suppliers;
- landlords, facilities vendors, and maintenance contractors.
Vendor due diligence is closely related to Vendor Risk Explained, Third-Party Risk Explained, Contract Risk Explained, and Business Continuity Planning Explained.
Vendor tiering diagram
The easiest way to avoid over-processing is to tier vendors by business impact. A payment processor deserves more review than a low-cost design tool that can be replaced in an afternoon.
Simple vendor due diligence tiering
Why due diligence matters
Many vendor failures are not completely random. Warning signs often appear before the failure: vague support terms, no backup contact, weak insurance, unclear contract language, missing data-export rights, poor onboarding, repeated delays, billing confusion, or no one inside the business knowing how to recover if the vendor fails.
Vendor due diligence helps a business answer practical questions:
- What breaks if this vendor fails?
- How fast would the failure affect customers or revenue?
- Does the vendor handle sensitive data, money, systems, payroll, or customer records?
- Does the vendor carry suitable insurance?
- Does the contract give the business a usable exit path?
- Can the business retrieve its data?
- Is there a backup vendor or manual workaround?
- Who owns the vendor relationship internally?
Vendor due diligence is not only about buying safely. It is also part of Risk Mitigation Strategies Explained and Enterprise Risk Management Explained.
Tier 1, Tier 2, and Tier 3 vendors
Not every vendor deserves the same review. A small business can use three simple tiers.
| Tier | Plain-English meaning | Examples | Review level |
|---|---|---|---|
| Tier 1 | Critical vendor. Failure could stop revenue, operations, compliance, data access, or customer delivery. | Payment processor, payroll, core supplier, IT provider, booking system, cloud software, key subcontractor. | Full review: contract, insurance, access, continuity, backup, support, data, renewal tracking. |
| Tier 2 | Important vendor. Failure causes disruption, delay, extra cost, or customer friction, but workarounds exist. | Marketing platform, secondary supplier, logistics partner, maintenance vendor, non-core software. | Medium review: business fit, support, insurance if relevant, basic contract and exit terms. |
| Tier 3 | Convenience vendor. Easy to replace and low impact if it fails. | Low-risk tools, optional services, commodity supplies, non-sensitive subscriptions. | Light review: basic reputation, cost, cancellation, data exposure, and owner approval. |
Practical due diligence checks
Vendor review should be practical, not performative. The checks below are designed for small businesses that need useful answers without building a corporate procurement department.
| Review area | Questions to ask | Why it matters |
|---|---|---|
| Business identity | What is the legal name? Who owns or operates the business? Is the contract in the right name? | A mismatch can create payment, insurance, tax, or claim problems. |
| Experience and capability | Have they handled similar work, scale, location, industry, or customer type? | Capability should match the role, not just the sales pitch. |
| Capacity | Can they support your volume, timing, location, and service expectations? | A vendor can be competent but still overloaded. |
| Support and escalation | Who do you contact when something breaks? What happens after hours? | Support failure can turn a small problem into an outage. |
| Financial and operational stability | Are there warning signs such as repeated delays, unstable pricing, or poor communication? | Vendor instability can become your operational problem. |
| References and reputation | Are there credible references, examples, reviews, or industry signals? | Past performance is not perfect, but patterns matter. |
| Exit plan | How do you leave, retrieve data, recover records, or transition to another vendor? | No exit plan creates dependency risk. |
For a broader view of vendor exposure, see Vendor Risk Explained and Supply Chain Risk Explained.
Cybersecurity and data access questions
Software, IT, marketing, payroll, accounting, payment, website, hosting, CRM, and support vendors may hold or access sensitive business information. That changes the due diligence conversation.
- Does the vendor support multi-factor authentication?
- Can your business own the account, or is it tied to one employee’s personal email?
- Can access be limited by role?
- Can admin access be reviewed and removed quickly?
- Can your data be exported in a usable format?
- Where are backups, recovery options, and account recovery codes stored?
- What happens if the vendor suffers a data incident?
- Will the vendor notify you promptly about security incidents affecting your data or account?
- Does the vendor use subcontractors or subprocessors that matter?
- What happens when the contract ends?
Cyber-related vendor issues connect with Cyber Liability Insurance Explained, Incident Reporting for Businesses Explained, and Business Continuity Planning Explained.
Insurance and COI checks
For contractors, subcontractors, delivery providers, professional service vendors, technology providers, trades, property-related vendors, and higher-risk suppliers, insurance verification can be important.
Insurance review should match the vendor’s work. Do not request paperwork just to collect it. Request the coverage types that connect to the actual exposure.
| Vendor work type | Insurance to consider reviewing | Related guide |
|---|---|---|
| Contractor or onsite service provider | General liability, workers’ compensation, commercial auto where relevant, umbrella where required. | General Liability Insurance Explained |
| Professional service provider | Professional liability or E&O coverage. | Errors and Omissions Insurance Explained |
| Technology or data vendor | Cyber liability, technology E&O, privacy-related coverage where available. | Cyber Liability Insurance Explained |
| Delivery or transport provider | Commercial auto, cargo, general liability, workers’ compensation where applicable. | Insurance Requirements by Business Type |
| Supplier or manufacturer | Product liability, general liability, recall-related coverage where relevant. | Product Liability Insurance Explained |
A certificate of insurance should be reviewed carefully. Confirm the named insured, policy period, policy type, limits, and any required endorsements. See Certificate of Insurance Explained, Additional Insured Explained, and Business Liability Limits Explained.
Contract terms to review
A vendor contract should do more than set the price. It should define the work, responsibilities, limits, support, data, risk transfer, and exit path.
| Contract area | What to check | Why it matters |
|---|---|---|
| Scope of work | What exactly is included, excluded, and required from each party? | Vague scope creates disputes and missed expectations. |
| Service levels | Response time, uptime, delivery standards, escalation, and support hours. | Critical vendors need clear support expectations. |
| Payment terms | Deposits, billing, late fees, refunds, price changes, auto-renewal, and cancellation. | Payment surprises create cash-flow and contract risk. |
| Insurance requirements | Coverage types, limits, certificates, additional insured, waiver, and renewal proof. | Insurance wording should match the risk being transferred. |
| Indemnification | Who defends or reimburses whom, and for what claims? | Broad indemnity can create exposure beyond the contract price. |
| Data and confidentiality | Who owns data, who can access it, how it is protected, and how it is returned. | Data access can become operational, cyber, and legal risk. |
| Subcontracting | Can the vendor outsource the work? Must you approve subcontractors? | Unknown subcontractors can create hidden third-party risk. |
| Termination and exit | How either party can end the agreement, retrieve records, and transition services. | A bad exit clause can trap the business. |
For more detail, see Contract Risk Explained, Indemnification Clauses Explained, and Risk Transfer Explained.
Vendor continuity and exit planning
The most important vendor due diligence question is often simple: what happens if this vendor fails?
A vendor can fail in several ways:
- the service goes offline;
- support stops responding;
- delivery times become unreliable;
- prices increase suddenly;
- the vendor loses key staff;
- the vendor is acquired or shuts down;
- the vendor suffers a cyber incident;
- the vendor terminates your account;
- the vendor refuses to release usable data;
- the vendor no longer meets contract or insurance requirements.
For Tier 1 vendors, the business should have at least a basic continuity answer:
- Who notices the failure?
- Who decides whether to switch to the backup?
- What is the manual workaround?
- Where are credentials and recovery codes stored?
- How is customer communication handled?
- How long can the business operate without the vendor?
- What records must be exported regularly?
These questions belong in Business Continuity Planning Explained and can also be tracked in a Risk Register.
One-page vendor runbook
A one-page runbook turns due diligence into something useful during an outage, dispute, cyber incident, or transition.
Renewal and ongoing review
Vendor due diligence is not finished after onboarding. Critical vendors should be reviewed periodically, especially when contracts renew or the business changes.
- the contract renews;
- pricing changes materially;
- the vendor misses delivery or support expectations;
- the vendor starts handling more data or more critical work;
- your business becomes more dependent on the vendor;
- the vendor changes ownership, platform, subcontractors, or support model;
- insurance certificates expire;
- an incident, outage, complaint, cyber alert, or near miss occurs.
Common mistakes
- Reviewing every vendor the same way: Critical vendors deserve more attention than low-risk convenience tools.
- Ignoring account ownership: Vendor accounts tied to one employee’s personal email can become a recovery problem.
- Collecting COIs without reading them: Named insured, limits, dates, and endorsements matter.
- Not planning the exit: A vendor is riskier when the business cannot retrieve data or transition quickly.
- Forgetting subcontractors: A vendor may rely on unknown third parties that affect service, data, or insurance.
- Trusting sales promises over contract wording: Support, uptime, ownership, and exit rights should be written clearly.
- Not updating after changes: A vendor that was low-risk last year may become critical this year.
FAQ
Does every vendor need due diligence?
Every vendor needs at least a basic sanity check, but not every vendor needs deep review. Focus detailed due diligence on vendors that can affect revenue, customer delivery, data, compliance, safety, payroll, payments, operations, or reputation.
What is the first thing to check?
Start with impact. Ask what breaks if the vendor fails. If the answer is “nothing important,” keep review light. If the answer is “sales stop, data is lost, payroll fails, or customers are affected,” treat the vendor as critical.
Should I always request a certificate of insurance?
Not always. COIs are most useful for contractors, subcontractors, professional service providers, onsite vendors, transport providers, higher-risk suppliers, and vendors whose work could create liability. The request should match the risk and contract.
What matters most for software vendors?
Account ownership, MFA, admin access, data export, backup/recovery, incident notice, support escalation, renewal terms, and exit rights are usually more useful than generic vendor paperwork.
How often should critical vendors be reviewed?
Many small businesses can review Tier 1 vendors at least annually, at renewal, after incidents, and whenever the vendor starts handling more important operations, systems, money, customer data, or compliance-sensitive work.