Services

Move Security Due Diligence Before the Signature: A 14-Point Checklist That Reveals Whether Your Vendor Actually Guards Your Data

2026.07.07 · 54 views
Move Security Due Diligence Before the Signature: A 14-Point Checklist That Reveals Whether Your Vendor Actually Guards Your Data

Most companies only ask where their source code and customer data live after something breaks. Here is a pre-signing security due diligence scorecard that keeps the risk outside the contract.

Share:

An e-commerce brand importing health supplements, with roughly NT$80M in annual revenue, outsourced its website, membership system, and payment integration to a three-person studio. Two years in, nothing seemed wrong—until Google Search Console flagged hidden links on the site redirecting to a gambling domain. The owner asked the engineer: "Where are our server password, database backups, and Stripe keys stored?" The answer: "On the personal laptop of the engineer who left, and in his own GitHub account." Running security due diligence at that point is already too late. What you want is a checklist you can complete before you sign.

Industry Myths: Four Things Owners Get Wrong About Vendor Security

Myth 1: "Small studios don't get hacked—attackers only go after big companies." The opposite is true. Attackers target weakness, not fame, and smaller sites are often easier hits because of unpatched dependencies, shared passwords, and no multi-factor auth. Verizon's 2024 Data Breach Investigations Report found that over a third of breaches involved a third-party (supply-chain) element, and that share keeps climbing. Your outsourcing vendor is that third party.

Myth 2: "Signing an NDA means the data is safe." An NDA governs whether you can sue after a leak, not whether a leak happens. It's a remedy, not a control. What actually protects you is the vendor's access management, encryption, and backup practices.

Myth 3: "As long as I hold the source code, I'm safe." Source code is one piece of the puzzle. The sharper questions: where are production secrets (payment keys, DB passwords, API tokens) stored? Who can reach the production database? Were a departed employee's permissions revoked? OWASP has ranked Broken Access Control as the top Web application risk category, and these failures almost always live in "people and permissions," not the code itself.

Myth 4: "They're professionals, so their security must be fine." "Professional" is marketing, not an audit result. What you need is verifiable evidence: can they show access logs, a backup-restore test record, a screenshot of their secrets manager? If they can't show it, they didn't do it.

Core Framework: The Three-Layer Due Diligence Model

Don't machine-gun a vendor with 50 technical questions until they get defensive. Use this three-layer funnel, verifying from outside in:

  • Layer 1 · Where the data lives (Data Locality): which account, which cloud, whose hands hold production data, backups, and secret credentials? The goal is to eliminate any single point that exists "only on one person's laptop."
  • Layer 2 · Who can touch it (Access Control): how many people have production access? Is multi-factor auth enforced? How are offboarded staff revoked? The goal is to count exactly who holds keys.
  • Layer 3 · What happens when it breaks (Incident & Recovery): how often are backups taken? Has a restore actually been tested? What's the breach-notification process and deadline? The goal is to confirm someone can catch the worst case.

Give each layer a red/amber/green light. If Layer 1 or Layer 2 shows red, don't even discuss features and pricing yet—that's building a house on quicksand.

Three Company Profiles, Different Depths of Diligence

ProfileData SensitivityDiligence DepthThe One Thing to Watch
Sub-10-person content studio (site + blog, no personal data)LowLightweight: account ownership + backup confirmationDomain and hosting accounts are in your name
50-person e-commerce (members, orders, payment integration)Medium-highFull 14-point checklistWho can reach the production DB and payment keys
Healthcare / finance (special-category data, compliance)Very high14 points + written security policy + audit logsEncryption, audit trail, and compliance mapping

Same checklist, but the higher the sensitivity, the higher the "evidence tier" you require: a content site can accept a verbal promise, e-commerce needs screenshots, healthcare and finance need written policies and logs.

Hidden Costs: Where the Bill Comes Back If You Skip Diligence

Skipping half a day of diligence usually hides its cost in expenses you can't see up front:

  • Breach cleanup: depending on scale, notification, forensics, and customer remediation routinely start around NT$500K; where personal data is involved, regulators can levy fines under data-protection law, higher for serious cases.
  • Hostage migration fee: when the vendor holds every account with no handoff docs, the "archaeology + rebuild" labor to switch vendors commonly runs 40–120 hours, roughly NT$80K–240K.
  • Downtime loss: if the server dies in peak season and nobody has root, a day's revenue drops to zero; against the NT$80M annual revenue above, a single peak day can exceed NT$300K.
  • SEO recovery: restoring trust after malicious links and a Google flag often takes 2–4 months to return to prior traffic.
  • Opportunity cost: the hours the owner and team spend firefighting could have closed three new clients.

In one line: diligence costs half a day; skipping it costs three months plus cash.

Security Due Diligence KPI Scorecard (10 dimensions, scored before signing)

Score each 0–2 (0 = can't answer, 1 = verbal promise, 2 = shows evidence), out of 20. Below 12, hold off on signing; below 8, walk away.

DimensionGreen (2 pts)Red (0 pts)
Domain & hosting ownershipRegistered under your company, you hold adminUnder vendor or personal account
Source-code version controlIn your org Git with full historyOnly in one person's personal account
Production secrets managementIn a secrets manager / env vars, not in VCSHard-coded or pasted in chat
Least-privilege accessCan list who has access, revocable anytime"Everyone has root"
Multi-factor auth (MFA)MFA on host, Git, and payment backendsPassword only
Backup frequency & off-siteDaily automated + off-site copy"There should be some"
Restore testingRestore drill in the last 6 months, loggedNever restored
Dependency updatesRegular scan-and-update processNever updated since launch
Offboarding revocationHas an SOP, can show recordsNo process, from memory
Incident notification SLAContract states a deadline (e.g. 24 hours)Contract is silent

ScriptWalker's Options—and Where We're Not a Fit

ScriptWalker is a studio focused on Laravel + Flutter. Security due diligence is a plus for us, not a problem, because it's already our default way of working:

  • Project delivery: every account (domain, host, Git, payment) is created under the client's name; we take invited access only and remove ourselves at handoff.
  • Monthly retainer: includes daily backups, quarterly restore drills, dependency scanning and updates—keeping the scorecard's greens green.
  • Advisory: if you already have a vendor and just want someone to run this 14-point diligence and review their security answers, we can do only that.
  • One-off security check: an access inventory + secrets scan + backup verification on an existing system.

But we'll say plainly there are three situations we're not a fit for: (1) you want "cheapest possible, forget security" one-off outsourcing—our baseline will look expensive; (2) you need formal ISO 27001 / SOC 2 audit certification for a large compliance project—that calls for a certified auditor, not a dev studio; (3) you want every account under the vendor's name "for convenience"—we insist on the opposite, and if that can't be agreed, there's no point starting.

Onboarding Playbook: Fit Diligence Into the First 30 Days

Diligence isn't a one-time pre-signing pass; it should carry into onboarding:

  • Before signing (Day 0): complete the 14-point checklist and 10-dimension scorecard; write red-light items into the contract as deliverables.
  • Days 1–7: create/transfer all accounts to your name, vendor switches to invited access; set up secrets management and MFA.
  • Days 8–21: configure daily automated backups, run the first restore drill and log it; inventory who has production access.
  • Days 22–30: run a dependency scan; write the incident-notification process and contacts into a one-page SOP.
  • Day 90 review: rerun the 10-dimension scorecard to confirm no green has slipped back to amber.

Pre-Signing Self-Check List

  • ☐ Is the domain registered under my company?
  • ☐ Am I the owner of the hosting / cloud account?
  • ☐ Is the source code in my org Git, or in someone's personal account?
  • ☐ Where are payment keys and DB passwords stored, and who can see them?
  • ☐ How many people have production access?
  • ☐ Is MFA enabled on host, Git, and payment backends?
  • ☐ How often are backups taken? Where? Off-site?
  • ☐ Has a restore been tested in the last 6 months? Logged?
  • ☐ How often are dependencies updated?
  • ☐ When the last engineer left, were permissions revoked?
  • ☐ Does the contract state a breach-notification process and deadline?
  • ☐ Can the vendor show evidence, not just verbal promises?
  • ☐ Are the red-light items written into the contract as deliverables?
  • ☐ Do I know what to reclaim if I switch vendors?

FAQ

Won't security due diligence make the vendor feel distrusted and damage the relationship?

A good vendor is actually relieved—it signals you're a client who knows how to manage outsourcing, which means fewer disputes later. The vendor who gets offended by this checklist is usually the one you should worry about most. Frame it as "our company's standard procurement process" and it stays dignified for both sides.

I'm not technical—how do I judge whether a vendor's answers are true?

You don't need to understand the technical detail; you only need to see evidence. Ask them to demonstrate with a screenshot or a live screen: show you who owns the account, that a backup restore actually runs, that secrets aren't pasted in chat. If you can see it, it's green; if it's vague, it's red—a standard you can enforce without an engineering background.

I'm already working with a vendor—is it too late to run diligence now?

It's not too late, and sooner is better. Start with "account ownership" and "where secrets live"—that's the tourniquet. You don't have to do all 14 at once; finishing Layer 1 (where the data lives) alone usually surfaces the most fatal single point of failure.

If the vendor says "these practices increase cost," should I accept it?

Basic account ownership, MFA, daily backups, and secrets management are defaults of professional development and shouldn't cost extra. If they're treated as add-ons, it means the vendor doesn't normally work that way—which is itself a red light. Reasonable extra fees should only appear for genuinely out-of-scope needs like formal audit certification.

Call to Action

If you're about to sign an outsourcing contract, or nobody's quite sure "who holds" your current system's passwords, spend 30 minutes running this checklist first. ScriptWalker offers a free consultation to help you review a current vendor's security answers, or to run an access-and-backup inventory on an existing system and find the red lights.

Share: