Vendor Due Diligence Checklist
Before you onboard a vendor that touches sensitive data, here is everything you need to check — and what to document. This checklist is organized by assessment category, with each item mapped to the intelligence sources that cover it. ThirdProof automates 22 of these checks in a single 90-second investigation.
Identity and legitimacy
Business registration and legal entity verification. Confirm the vendor is a registered legal entity. GLEIF's Legal Entity Identifier (LEI) database is a good first stop, but an LEI is only mandatory for participants in regulated financial markets, so the absence of one is not by itself a red flag; fall back to the national company register for the country of incorporation. ThirdProof's investigation of Stripe verified its legal entity identifier and corporate registration automatically.
Domain age and registration history. Check WHOIS records for the domain creation date. A 30-year domain history (like Stripe's) indicates an established presence, while a recently registered domain warrants scrutiny. Registrant contact details are usually redacted since GDPR, but the creation date, registrar, and name servers remain visible, and the domain's history can be cross-checked against web archive snapshots.
Corporate officer verification. Confirm leadership identities against business registry records.
Jurisdiction and entity structure. Document the vendor's country of incorporation and any parent/subsidiary relationships that affect regulatory exposure.
Sanctions and regulatory screening
OFAC SDN screening. Check the vendor entity, its officers, and its parent company against the U.S. Treasury's Specially Designated Nationals list. Under OFAC's 50 Percent Rule, an entity owned 50% or more by blocked persons is itself blocked even if it is not listed by name, so screen beneficial owners as well as the named entity. This is a mandatory gate: no contract proceeds without cleared screening.
Multi-regime sanctions check (EU, UK, UN). For vendors with international operations, screen against the EU Consolidated Sanctions list, the UK OFSI list, and UN Security Council lists. Wise operates across 50+ countries, making multi-regime screening essential.
SEC enforcement filing search. Query SEC EDGAR for enforcement actions, 10-K risk-factor disclosures, and material litigation. Only SEC registrants file, so a private vendor with no EDGAR record is not itself a finding.
FDIC institution check. For financial vendors, verify against the FDIC BankFind database for institution status and failed-bank records.
Adverse media and enforcement actions. Search news archives and regulatory databases for enforcement actions, breaches, lawsuits, and compliance failures. ThirdProof's investigation of Wise revealed multiple AML-related enforcement actions from the CFPB and international regulators, findings that sanctions screening alone would miss.
Cybersecurity posture
SSL/TLS configuration. Check protocol versions (TLS 1.2 minimum, TLS 1.3 preferred; SSLv3, TLS 1.0 and TLS 1.1 should be disabled) and cipher suites (no RC4, 3DES, export-grade or NULL ciphers). Stripe and Dropbox both scored A+ on SSL/TLS analysis.
HTTP security headers. Evaluate Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (or the CSP frame-ancestors directive that supersedes it), X-Content-Type-Options, and related headers. Common gap: QuickBooks scored F (0/100) on HTTP security headers despite being a major financial platform.
Infrastructure exposure. Scan for open ports, exposed services, and known CVEs in the software versions those services advertise. Stripe showed only 2 open ports with zero CVEs, a minimal attack surface.
Malware and phishing status. Check the vendor's domain against malware databases and phishing blocklists.
IP reputation. Query abuse databases for reports of malicious activity from the vendor's IP ranges.
Domain reputation across threat intelligence engines. Cross-reference the domain against 90+ security engines for malicious or suspicious flags.
Caveat: every check in this category observes only the vendor's public web perimeter. A clean external scan says nothing about how the vendor segments, monitors, or patches the systems that will actually hold your data; that is what the SOC 2 report and the internal security review are for.
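The header and TLS checks above are easy to automate yourself, and doing so shows what a header "grade" actually measures. The following is an added example, not ThirdProof's scanner or scoring model: the header weights, grade bands, and both sample header sets are assumptions constructed for illustration. It uses only the Python standard library; the two network functions (fetching live headers is left to urllib, and the TLS probe is included) are not needed to run the offline part.

```python
"""Web-perimeter checks: HTTP security header grading and a TLS version probe.
Added example, not ThirdProof's code. Python 3.9+, standard library only.
Weights and grade bands below are an assumption, not a published scoring model."""
import socket
import ssl
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the usual floor for a meaningful HSTS max-age


def hsts_ok(value: str) -> bool:
    """HSTS only helps if max-age is long enough to cover a return visit."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= ONE_YEAR
            except ValueError:
                return False
    return False


def csp_ok(value: str) -> bool:
    """A CSP that lets any origin or inline scripts run is not an XSS mitigation.
    (Checks the bare '*' only; wildcard hosts like https://* need a fuller parser.)"""
    directives = {}
    for directive in value.lower().split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return False
    return "'unsafe-inline'" not in script_src and "*" not in script_src


# (header name, weight out of 100, predicate for an acceptable value)
CHECKS = [
    ("strict-transport-security", 25, hsts_ok),
    ("content-security-policy", 25, csp_ok),
    ("x-frame-options", 15, lambda v: v.strip().lower() in ("deny", "sameorigin")),
    ("x-content-type-options", 15, lambda v: v.strip().lower() == "nosniff"),
    ("referrer-policy", 10, lambda v: v.strip().lower() in
        ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")),
    ("permissions-policy", 10, lambda v: bool(v.strip())),
]


@dataclass
class HeaderReport:
    score: int
    grade: str
    findings: list = field(default_factory=list)


def grade_security_headers(headers: dict) -> HeaderReport:
    """Score a response header set 0..100 and list what is missing or weak."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "").lower()
    score, findings = 0, []
    for name, weight, ok in CHECKS:
        value = lowered.get(name)
        # CSP frame-ancestors supersedes X-Frame-Options; accept either one.
        if name == "x-frame-options" and value is None and "frame-ancestors" in csp:
            score += weight
            continue
        if value is None:
            findings.append(f"missing {name}")
        elif not ok(value):
            findings.append(f"weak {name}: {value!r}")
        else:
            score += weight
    bands = ((90, "A"), (75, "B"), (50, "C"), (25, "D"), (0, "F"))
    grade = next(g for floor, g in bands if score >= floor)
    return HeaderReport(score, grade, findings)


def tls_versions_accepted(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Pin a handshake to each version of interest and record whether the server
    accepts it and which cipher it negotiates (network call; not used offline).
    The checklist wants TLS 1.2 accepted and TLS 1.3 preferred."""
    results = {}
    for version, label in ((ssl.TLSVersion.TLSv1_2, "TLSv1.2"), (ssl.TLSVersion.TLSv1_3, "TLSv1.3")):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.cipher()[0]
        except (ssl.SSLError, OSError):
            results[label] = None
    return results


# Constructed sample header sets; not captured from any real vendor.
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.example.com; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.com",
}

if __name__ == "__main__":
    for label, hdrs in (("strong", STRONG_HEADERS), ("weak", WEAK_HEADERS)):
        r = grade_security_headers(hdrs)
        print(f"{label}: {r.score}/100 grade {r.grade} {r.findings}")
```

The weak set scores 0/100 even though three of the six headers are present, which is the point: a header that is set to a useless value (a five-minute HSTS, a CSP that allows `*` and inline scripts) counts for nothing, and that is how a platform can land an F while technically "having" security headers. For a live check, pass the dict returned by `urllib.request.urlopen(url).headers` to `grade_security_headers` and call `tls_versions_accepted("vendor.example")` for the protocol side.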
Compliance and certifications
SOC 2 Type II report. Request it directly from the vendor, usually under NDA. SOC 2 reports are not published in a central registry, so independent verification requires scanning the vendor's trust page and cross-referencing claims. Once you have the report, check the audit period (a report older than 12 months should come with a bridge letter), the system description and scope (does it cover the service you are buying?), the Trust Services Criteria included, and any exceptions the auditor noted. BambooHR claims SOC 2, SOC 1, and PCI DSS on its trust page; all are classified as vendor-attested until the actual reports are obtained.
ISO 27001 certification. Check for a current certificate from an accredited certification body, and confirm that the certificate's scope statement covers the service and locations you will use.
HITRUST CSF certification. Relevant for healthcare vendors and business associates handling PHI.
FedRAMP authorization status. Verify at marketplace.fedramp.gov, not on the vendor's marketing page. Dropbox is not listed on the FedRAMP Marketplace despite maintaining 10 other compliance certifications.
PCI DSS compliance level. Required for any vendor processing, storing, or transmitting cardholder data. Request the Attestation of Compliance (AOC) and confirm its date, the assessor, and the services in scope.
Supply chain and data handling
Published subprocessor list. Identify the vendor's subprocessors (fourth parties) and assess downstream risk. ThirdProof's subprocessor discovery scanner checks for published lists, and a missing list is a surprisingly common gap: Stripe, Wise, and QuickBooks all lacked publicly discoverable subprocessor pages during investigation.
Fourth-party risk assessment. For each identified subprocessor, evaluate whether it introduces additional risk to your data.
Data residency documentation. Confirm where the vendor stores and processes your data, and through which subprocessors, so you can satisfy cross-border transfer requirements (GDPR Chapter V transfer mechanisms such as standard contractual clauses), privacy regimes such as CCPA, and any data sovereignty or in-country storage obligations that apply to you.
What ThirdProof checks automatically
Of the items above, ThirdProof covers 22 automatically in a single investigation: business registration (GLEIF), domain registration (WHOIS), sanctions screening (OFAC/EU/UN via OpenSanctions), SEC EDGAR filings, FDIC institution check, adverse media (multiple news APIs), web archive history, domain analysis (DNS, TLS), HTTP security headers, SSL/TLS analysis, certificate transparency, website security scan, infrastructure exposure, threat intelligence (multiple engines), IP reputation, malware and phishing check, trust page scanner (certification claims), FedRAMP registry check, subprocessor discovery, and company intelligence.
The remaining items — requesting SOC 2 reports, executing DPAs, reviewing contractual terms, and conducting internal security reviews — are flagged as recommended actions in the investigation report with specific timelines and compliance citations. Start your first investigation free — no credit card required.