A vendor onboarding checklist turns “we just hired a new supplier” from a three-week scramble into a 48-hour workflow. Without one, your procurement team is chasing a W-9 from finance, an insurance certificate from legal, and a signed NDA from the vendor — all in disconnected email threads.
This article gives you the full vendor onboarding checklist: a base list every supplier should complete, plus add-ons for IT vendors, construction subcontractors, healthcare providers, and international suppliers. Copy the sections you need.
The core vendor onboarding checklist
Every new vendor — whether a $500/month SaaS tool or a $5M general contractor — needs the same backbone of documents before they can be paid, given system access, or set loose on a project. The list below is the floor.
| # | Document | Why you need it | Refresh cadence |
|---|---|---|---|
| 1 | Signed Master Services Agreement or contract | Legal terms agreed and dated | Per contract term |
| 2 | W-9 (US) or equivalent tax form (W-8BEN, VAT certificate, KBIS for FR) | Tax reporting and entity verification | When entity changes |
| 3 | Certificate of insurance (general liability, professional liability, cyber, workers’ comp) | Risk transfer if something goes wrong | Annually at renewal |
| 4 | Banking details with bank verification letter or voided check | Pay the right account, prevent fraud | When account changes |
| 5 | Signed NDA or confidentiality agreement | Protect IP and customer data | Once per vendor |
| 6 | Code of conduct or ethics policy acknowledgment | Anti-bribery, anti-corruption, ESG | Annually |
| 7 | Diversity and ownership classification (if applicable) | DEI reporting and supplier diversity targets | At onboarding |
| 8 | Sanctions and screening clearance (OFAC, EU sanctions, debarment lists) | Avoid prohibited counterparties | Quarterly |
| 9 | References or proof of comparable work | Validate capability | At onboarding |
| 10 | Primary contact details and escalation path | Know who to call when something breaks | When contacts change |
Get these ten right and you have a vendor file that survives an audit. Anything beyond depends on what the vendor does and where they operate.
Industry- and risk-specific add-ons
The base list is the same for everyone. The extras depend on what the vendor will touch — your data, your job site, your patients, or your money.
IT and SaaS vendors
- SOC 2 Type II report (current within 12 months)
- ISO 27001 certificate or equivalent
- Data Processing Agreement (DPA) under GDPR
- Subprocessor list with locations and roles
- Penetration test summary (most recent)
- Cyber liability insurance certificate (typically $5M+)
- Incident response and breach notification commitment in writing
- Business continuity and disaster recovery summary
- Data residency confirmation (EU, US, etc.)
Construction subcontractors and trades
- General liability ($1M-$2M per occurrence)
- Workers’ compensation certificate
- Auto liability if vehicles will be on site
- Trade-specific licenses (electrical, plumbing, HVAC)
- OSHA 10 or OSHA 30 training certificates for crew
- Drug and alcohol policy acknowledgment
- Safety plan or JHA submitted
- Past project references with contact details
- Equipment list and inspection records
The deeper construction compliance documents checklist goes further on subcontractor prequalification.
Healthcare and life sciences vendors
- HIPAA Business Associate Agreement (BAA)
- HITRUST certification or equivalent
- FDA registrations (for medical devices and drug-handling vendors)
- Background checks for staff with patient contact
- Credentialing and licensing for clinical personnel
- Sterilization and quality control records (manufacturing)
- Cold chain compliance evidence (where applicable)
Financial services and KYC-required vendors
- Full KYB / KYC pack (see the KYC document checklist)
- Beneficial ownership disclosure
- AML policy summary
- Source of funds for material payments
- Regulatory licenses (broker-dealer, MSB, e-money)
- Adverse media screening result
International vendors
- Certificate of incorporation in country of origin
- Tax residency certificate
- Local equivalent of W-9 (W-8BEN, VAT certificate, KBIS, etc.)
- Export control screening (denied parties, OFAC)
- Foreign corrupt practices (FCPA / UK Bribery Act) attestation
- Currency and payment method confirmation
- Local contact person and time zone
For French suppliers specifically, KBIS, URSSAF certificates, and SIRET-linked data can be pulled automatically from INSEE and INPI registries — Superdocu does this in one click during onboarding.
A 5-step vendor onboarding workflow
The checklist tells you *what* to collect. The workflow tells you *how* to collect it without three weeks of email chasing.
1. Pre-qualify before contracting. Send a short intake form — company name, services, locations, certifications — through a public intake portal. Filter unqualified vendors out before legal spends time on a contract.
2. Send the full onboarding pack as a single guided workflow. One link, every required document, in the order they should be uploaded. The vendor sees what’s done, what’s pending, and exactly what file format you expect.
3. Auto-validate what you can. ID checks, tax form validity, French KBIS verification, sanctions screening, certificate expiration parsing — let the system do the obvious checks before a human reviewer opens the file.
4. Review, approve, or reject with feedback in writing. Every document gets a timestamped approval or a specific rejection reason. The vendor sees the rejection and re-uploads without a back-and-forth phone call.
5. Set renewal reminders on every expiring document. Insurance, licenses, certifications — all have expiration dates. The system reminds the vendor 30 days before, collects the renewed document, and your file stays current with zero work from procurement.
Common vendor onboarding mistakes
A bad onboarding process is not just slow — it creates legal, financial, and security exposure. The same five mistakes show up in nearly every audit.
Email-based collection. Insurance certificates buried in a 40-message thread are unfindable, undateable, and a GDPR exposure. There are better methods than email.
No expiration tracking. A subcontractor’s general liability lapses six months into a 12-month project. Nobody notices until an incident. Document expiration tracking eliminates this entirely — here’s how it works.
Inconsistent files across vendors. Vendor A has a full pack; Vendor B is missing the NDA and the W-9. At audit time, your sample fails. Use a single workflow that enforces completion before the vendor is marked active.
No reviewer or timestamp on approved documents. “Who approved this insurance certificate?” “Sara, I think?” Without an audit trail, your compliance program fails any external review.
Onboarding handled person-by-person. Procurement onboards five vendors a month manually, each taking three hours. That’s fifteen hours of admin a month replaced by a one-time workflow setup.
How Superdocu replaces the spreadsheet
Most procurement teams run vendor onboarding on a spreadsheet, email, and a shared drive. The result is what you’d expect: missed renewals, inconsistent files, and a binder rebuild every audit.
Superdocu lets you build the vendor onboarding checklist once as a reusable workflow, send it to each new supplier as a branded magic link, and track completion in one dashboard. Documents are validated automatically where possible, expirations trigger reminders, and every approval has a timestamp and a reviewer name. When the auditor asks for a vendor’s full file, you export a clean PDF in seconds. Everything is hosted in Europe and GDPR-compliant by default.
For more on building the broader process, see the vendor onboarding document collection guide.
Frequently asked questions
What is a vendor onboarding checklist?
A vendor onboarding checklist is the standard list of documents, agreements, and data a new supplier must provide before they can be paid, given system access, or assigned work. It typically covers a signed contract, tax form, certificate of insurance, banking details, NDA, code of conduct, and screening clearances. Industry-specific add-ons cover IT, construction, healthcare, and international risks.
How long should vendor onboarding take?
A well-designed workflow gets a low-risk vendor onboarded in 48 to 72 hours. High-risk vendors (large contracts, regulated industries, international) typically take one to two weeks once enhanced due diligence is included. Anything longer usually signals manual chasing rather than process complexity.
Who owns vendor onboarding?
Procurement usually owns the workflow, but the checklist requires input from legal (contracts, NDA), finance (W-9, banking), IT or security (DPA, SOC 2 for digital vendors), and the requester (scope of work and references). One person should own the checklist and chase the others.
What is the difference between vendor onboarding and vendor prequalification?
Prequalification is a lightweight screen done before contracting — does the vendor meet basic criteria, hold the right licenses, and operate where you need them. Onboarding is the full document and data collection that happens after a contract is signed and before the vendor is paid or given access.
How often should vendor information be updated?
Insurance certificates, licenses, and sanctions screenings should be refreshed at their respective expiration dates — typically annually for insurance and quarterly for sanctions. Banking details and contacts should be re-verified on change. The full vendor file should be reviewed once a year for any high-spend or high-risk supplier.
Can vendor onboarding be automated?
Yes — most of the collection, validation, and reminder work can be automated. A workflow tool sends the checklist as a single guided portal, auto-validates documents where possible, tracks expiration dates, and triggers reminders without manual chasing. Human review stays where it should: judgment calls, not data entry.
Next step
Vendor onboarding done manually takes hours per supplier and produces inconsistent files that fail audits. A purpose-built workflow turns the checklist into a guided portal the vendor completes in one sitting, with expirations and reminders handled automatically.
Start a free 7-day trial of Superdocu — no credit card required. Build your first vendor onboarding workflow in under 10 minutes with the AI workflow generator.