Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Choosing the right supplier can make or break your business. Prices, quality and lead times matter - but so does legal risk.
Doing due diligence on suppliers isn’t just a tick-box exercise. It’s how you avoid product failures, data breaches, reputational damage and costly contract disputes. With a straightforward approach, you can onboard trusted partners and stay protected from day one.
In this guide, we break down what to check, which documents to ask for, and how to structure contracts so you’re properly covered under UK law.
What Is Supplier Due Diligence And Why It Matters
Supplier due diligence is the research and risk assessment you carry out before (and during) a supplier relationship. It’s about confirming that a supplier is legitimate, financially stable, compliant with UK law and able to meet your standards on quality, timing and safety.
For UK SMEs, strong due diligence helps you to:
- Reduce operational risk (missed deliveries, poor quality, single points of failure)
- Comply with UK regulations (data protection, product safety, bribery and sanctions)
- Protect your customers and your brand
- Negotiate better contract terms based on real risk
- Unlock finance or enterprise clients who expect robust supply chain controls
Think of it as your early-warning system. The time you invest now is far cheaper than firefighting later.
What Checks Should UK SMEs Do Before Onboarding A Supplier?
You don’t need a huge team to run effective checks. Focus on the areas where the legal and commercial risks actually sit. Here’s a practical checklist to get started.
1) Legal Status And Financial Health
- Company identity: Confirm the legal name, registered number, and registered office (and the trading name if different). Check Companies House filings for active status and any red flags (struck-off attempts, late filings).
- Ownership and control: Understand who ultimately owns or controls the supplier (helpful for sanctions and bribery risk, and for conflict checks).
- Financial stability: Request recent accounts and management figures (or use credit reports). Look for liquidity issues, heavy debts, or going concern warnings.
- Insurance: Ask for certificates (public/products liability, professional indemnity, cyber where relevant). Check policy limits and exclusions match your risk profile.
2) Compliance And Regulatory Risk
- Bribery and corruption: The Bribery Act 2010 has broad reach. Ask about anti-bribery policies, staff training, and third-party commission/agent arrangements.
- Sanctions: UK sanctions (OFSI regime) apply to dealings with certain persons, sectors and territories. Confirm the supplier and its ultimate owners aren’t on sanctions lists and have screening processes for their own vendors.
- Tax and HMRC: Check VAT registration where appropriate and confirm no outstanding disputes that affect service continuity.
- Health and safety: If services are performed on your site, ensure compliance with the Health and Safety at Work etc. Act 1974 and risk assessments for tasks and equipment.
3) Data Protection And Cybersecurity
- UK GDPR and Data Protection Act 2018: If your supplier will process personal data for you, they must provide adequate security and confidentiality guarantees and act only on your documented instructions.
- Security controls: Ask about ISO certifications, penetration testing, access controls, encryption, and incident response plans.
- Data breach history: Understand any prior incidents and remediation steps.
- Sub-processors: Who else (cloud providers, subcontractors) will handle your data? You need visibility and control.
4) Product Safety, Quality And Traceability
- Product safety: For physical goods, ensure compliance with applicable UK product safety rules (e.g. UKCA/CE marking, technical documentation, test reports). The Consumer Protection Act 1987 imposes strict liability for defective products causing injury or damage.
- Quality assurance: Review QC procedures, sampling and inspection reports, and acceptable quality levels.
- Traceability: Ask how batches are tracked and recalled if there’s a defect.
- Certifications: Depending on your sector, look for relevant certifications (e.g. BRCGS for food, cosmetic safety assessments, electrical safety compliance).
5) Labour Standards And ESG
- Workforce practices: Even if you’re not caught by the Modern Slavery Act 2015 transparency threshold, it’s wise to check supplier policies on forced labour, child labour, working hours and pay.
- Sustainability: Consider environmental impact, materials sourcing, and waste management - increasingly required by enterprise customers and public sector tenders.
- Accreditations: Review any third-party audits or certifications relevant to your sector.
6) Operational Capability And Continuity
- Capacity and lead times: Can the supplier realistically meet your demand and seasonal spikes?
- Business continuity: Ask for disaster recovery plans, dual sourcing of critical components, and stock strategies.
- Location risk: Consider geopolitical risk, import/export controls, customs and logistics routes.
What Documents And Warranties Should You Ask For?
You’ll want a pack of documents that shows the supplier can do what they say - and is prepared to stand behind it. At minimum, ask for:
- Corporate documents: Certificate of incorporation, directors/members list, and proof of registered address.
- Financial documents: Latest filed accounts and any interim financials that give a current picture.
- Insurance certificates: With adequate limits and scope for your risk (e.g. product liability for manufacturers, PI for professional services).
- Compliance policies: Anti-bribery, data protection, information security, health and safety, whistleblowing and supply chain standards.
- Technical documentation: Test reports, conformity assessments, product specifications and quality control procedures.
- Data protection details: Record of processing activities, sub-processor list, security summary, and incident response protocol.
In your commercial contract, seek clear warranties and representations, such as:
- They have the right to supply the goods/services and all necessary licences, permissions and approvals.
- Goods meet the agreed specifications, are safe and free from defects, and comply with applicable laws and standards.
- Services will be provided with reasonable care and skill, using appropriately qualified staff.
- No infringement of third-party intellectual property rights.
- Compliance with UK GDPR and data security standards where personal data is processed.
- No breaches of sanctions, anti-bribery or other applicable laws in the supply chain.
If the supplier handles sensitive information before you sign a full contract, use a Non-Disclosure Agreement to protect your confidential information during negotiations.
How To Structure Your Supplier Contracts To Manage Risk
Even the best due diligence can’t remove all risk - that’s the job of your contract. A well-drafted agreement sets expectations, provides remedies, and keeps you in control if things go wrong.
Choose The Right Agreement Type
For ongoing supply of goods, a tailored Supply Agreement is your foundation. If you’re appointing a reseller or channel partner, consider a Distribution Agreement. For complex or multi-service arrangements, a Master Services Agreement with statements of work can keep terms consistent across projects.
Set Clear Specifications And SLAs
- Specifications: Define exactly what will be supplied (materials, dimensions, packaging, compliance standards).
- Service levels: Add measurable targets for uptime, response and resolution times; consider a separate Service Level Agreement.
- Acceptance and testing: Build in inspection rights and acceptance criteria with remedies for failure.
Price, Variations And Indexation
- Transparent pricing: Avoid opaque formulas. Include price lists, discount structures and pass-through costs.
- Changes: Control price increases and scope changes with written change control and notice periods (bear in mind UK expectations around fair notice - see how price increase notices should be handled).
Delivery, Risk And Title
- Incoterms or delivery terms: Clarify who bears risk and costs at each stage.
- Title transfer: Decide when ownership passes, and link to payment milestones.
- Late delivery: Include liquidated damages or service credits for missed deadlines where appropriate.
Liability, Indemnities And Insurance
- Liability caps: Use reasonable and enforceable limits with carve-outs (e.g. for death/personal injury due to negligence, fraud). For context, review how limitation of liability clauses work in UK contracts.
- Indemnities: Target specific high-risk areas (IP infringement, product liability, data breaches).
- Insurance: Require minimum policy types and limits, and evidence on renewal.
Data Protection Terms
If the supplier is a processor of personal data, the contract must include UK GDPR-required clauses. A standalone or embedded Data Processing Agreement should cover processing scope, security measures, sub-processor controls, assistance with data subject rights and breach notifications. Where personal data is shared controller-to-controller, use an appropriate Data Sharing Agreement. Ensure your public-facing Privacy Policy aligns with how suppliers handle personal data in your ecosystem.
Intellectual Property And Confidentiality
- IP ownership: Make it clear who owns existing IP and any new IP created during the engagement.
- Licences: Grant only what’s necessary, and limit sublicensing.
- Confidentiality: Use robust confidentiality obligations in the main agreement, supported by pre-contract NDAs where needed.
Termination, Exit And Audit Rights
- Termination: Include rights to terminate for material breach, repeated minor breaches, prolonged force majeure, sanctions/ethical breaches and insolvency.
- Exit assistance: Require reasonable cooperation to transition to a new supplier without service gaps.
- Audit and inspection: Reserve rights to audit compliance (quality standards, data security, ethical sourcing) on reasonable notice.
- Auto-renewals: If you use rolling terms, ensure renewal and cancellation are clear and fair - UK businesses need to be careful with auto-renewal terms.
Payment Security And Guarantees
If the supplier is overseas or financially weak, you can reduce counterparty risk with additional security. Options include a parent-company guarantee, retention sums, or taking security over assets via a General Security Agreement in appropriate circumstances.
Ongoing Monitoring: How Often Should You Review Suppliers?
Due diligence isn’t “one-and-done”. Build simple, periodic checks into your supplier management so you can spot changes early.
- Annual refresh: Update financials, insurance certificates, sanctions screening and key compliance policies.
- Performance reviews: Use KPI dashboards and meeting cadences to address trends, not just incidents.
- Incident-triggered reviews: Revisit diligence after data breaches, QC failures, ownership changes or regulatory investigations.
- Contract health checks: Markets shift - revisit pricing mechanisms, SLAs and risk allocation regularly. If terms feel off, consider a targeted Contract Review to stress-test enforceability and fairness and identify any onerous terms you should renegotiate.
Document what you check and the outcomes. A simple risk register with action owners will keep you organised and ready to evidence your governance if asked by a key customer, insurer or regulator.
Step-By-Step Supplier Due Diligence Process For Small Businesses
Step 1: Map The Risk
Start by scoping what the supplier will do and the data, people and products involved. High-risk categories (handling personal data, critical components, customer-facing services, safety-critical goods) deserve deeper checks and tighter contract controls.
Step 2: Run Desk Checks
Review Companies House records, sanctions lists, and public information. Request your initial document pack (financials, insurance, policies, technical docs) and send a concise questionnaire tailored to the risk areas you’ve identified.
Step 3: Validate And Challenge
Don’t rely solely on PDFs. Ask questions about anomalies in accounts, clarify policy gaps, and request example outputs (e.g. QC reports, test certificates). For data-heavy services, have your IT lead review security claims.
Step 4: Agree Commercial And Legal Safeguards
Negotiate the backbone commercial points (specs, SLAs, pricing, lead times, acceptance) and embed the legal protections (warranties, indemnities, liability caps, data protection, IP, confidentiality, termination). Use the appropriate agreement type and annexes (specifications, SLAs, data schedules).
Step 5: Sign And Secure
Execute the agreement using your preferred signing process (and keep originals organised). If needed, put security in place (retentions, guarantees, or security interests). Share a concise “playbook” internally so your team knows how to order, inspect, approve and escalate issues.
Step 6: Monitor And Improve
Track performance, run periodic checks, and log corrective actions. As your relationship and risk evolve, update the contract using change control or a formal amendment (just be strategic - sometimes an addendum vs amendment is the cleaner path).
Common Legal Pitfalls To Avoid
- Vague specs: If quality or performance aren’t measurable, they’re hard to enforce.
- Uncapped liability: Especially risky for IP infringement, product liability or data breaches - ensure caps and carve-outs are balanced and commercially sensible.
- Missing data terms: If a supplier touches personal data without a compliant DPA, you risk UK GDPR breaches and fines.
- Overbroad auto-renewal: Rolling terms without clear notice windows can trap you into price hikes and poor performance.
- IP gaps: If you commission bespoke work without clear IP terms, you may not own or even be licensed to use what you’ve paid for.
- Single-source dependence: No plan B if your sole supplier fails - diversify where the risk is critical.
How UK Consumer And Privacy Laws Affect Your Supplier Choices
If you sell to consumers, the Consumer Rights Act 2015 requires goods to be of satisfactory quality, fit for purpose and as described, and services to be carried out with reasonable care and skill. Your customers’ rights run to you - not your supplier - so your contract should flow down obligations and remedies to the supplier. It’s also worth brushing up on handling faulty goods under the CRA if you’re setting your returns process.
On privacy, you remain responsible for personal data handled on your behalf. Make sure the supplier relationship is accurately reflected in your records and in your public-facing policies. If the supplier engages sub-processors or transfers data overseas, you’ll need appropriate safeguards and contractual controls.
Finally, marketing and cookies (if your supplier runs your site or ads) bring their own compliance layers. Ensure web and analytics partners respect ePrivacy rules and set consent correctly - cookie banners and consent mechanisms need to be implemented in a way that actually complies with UK requirements.
Key Takeaways
- Supplier due diligence protects your business, brand and customers. Focus on legal status, financial stability, compliance, data protection, product safety, labour standards and operational resilience.
- Ask for clear documentation and meaningful warranties - don’t accept vague assurances where legal exposure is high.
- Use the right agreement structure and lock in the essentials: specifications, SLAs, pricing controls, IP, confidentiality, data terms, liability caps, indemnities, termination and audit rights. A tailored Supply Agreement (and where relevant, a Data Processing Agreement) is critical.
- Keep liability and data protection front and centre - align your internal policies and your supplier’s obligations, and understand how liability clauses shape your real risk.
- Build in ongoing monitoring: refresh diligence annually, run performance reviews, and revisit terms as your risk changes. A targeted Contract Review can flag renegotiation priorities.
- Where financial or delivery risk is material, consider extra protections like retention sums, guarantees, or a General Security Agreement in appropriate scenarios.
If you’d like help setting up supplier due diligence, drafting robust contracts or pressure-testing your existing terms, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.