Vendor Onboarding Checklist

Tag the vendor as supplier, 3PL/fulfillment, SaaS/data processor, marketing agency, or marketplace service. Risk tier drives downstream depth — a 3PL that touches inventory and customer addresses needs a deeper review than a Canva-style design tool.

Get the W-9 for US vendors or W-8BEN/W-8BEN-E for foreign vendors before the first payment, not at year-end. Missing TINs cause 1099 filing scrambles in January and 24% backup withholding exposure.

For 3PLs, manufacturers, and any vendor handling inventory: confirm general liability ($1M / $2M minimum), workers' comp, and product liability where applicable. Verify your company is named as additional insured and the certificate is current.

Route the master services agreement and mutual NDA through DocuSign or Ironclad. For suppliers, include MAP language, IP ownership of custom tooling, and exclusivity terms if relevant. Counter-signed copies live in the vendor folder, not just an inbox.

Target Net 30 minimum for domestic suppliers; Net 60 for established factory relationships. Overseas suppliers typically require 30% deposit / 70% on BL copy or against shipping documents. Document early-pay discounts (2/10 Net 30) in the AP system.

Call the vendor at a number from the signed contract — not a number in the wire-instructions email — to confirm ACH/wire details. Vendor email compromise (BEC) attacks redirecting first payments are common; a 5-minute callback prevents a five-figure loss.

Create the vendor record in QuickBooks, NetSuite, Bill.com, or Ramp. Attach the W-9, COI, and signed MSA. Set the GL account, default expense category, and 1099 flag now — fixing 1099 flags in December for the prior tax year is painful.

3PLs and suppliers usually need a Shopify / NetSuite / Cin7 / SkuVault connection for inventory sync, order push, and tracking writeback. SaaS vendors may just need SSO. Marketing agencies often need ad-account access and analytics permissions only.

Use a Shopify dev store or NetSuite sandbox. Test order push, inventory sync, shipment writeback, and cancellation handling. Confirm SKU-to-vendor-SKU mapping; mismatches here cause overselling across channels on day one.

Map vendor SKU ↔ internal SKU ↔ Shopify variant ↔ Amazon ASIN/FNSKU. Set per-channel low-stock buffers so a single warehouse unit doesn't get sold simultaneously on Shopify and Amazon. Confirm sync cadence (real-time webhook vs. 15-minute poll).

Capture day-to-day contact, escalation contact, and after-hours contact for stockouts, shipping holds, or outages. Agree on response SLAs (4 hours for P1, next business day for P2) and the channel — Slack Connect, shared email alias, or vendor portal.

Walk through pick-pack standards, branded packaging inserts, gift-message handling, and the cutoff time for same-day ship. For Amazon SFP or Seller-Fulfilled orders, confirm carrier-rate shopping logic and on-time-shipment expectations.

Tech pack for product, dieline for packaging, FNSKU label placement, polybag suffocation warning, tracking labels for children's products, and expiration formatting for consumables. Suppliers will follow whatever you document — and infer whatever you don't.

Receive and inspect the golden sample against the tech pack before authorizing bulk production. Approve in writing; this sample becomes the QC reference for every future PO.

Set AQL (commonly 2.5 major / 4.0 minor for general consumer goods) and decide who inspects — vendor self-inspection, third party (QIMA, AsiaInspection), or your own QC. Specify whether inspection is during production (DUPRO) or pre-shipment (PSI).

3PLs see names and shipping addresses; CX tools see emails and order history; subscription tools see card tokens. If the vendor never touches customer PII, the rest of this section is light. If they do, treat them as a sub-processor under GDPR/CCPA.

Request the current SOC 2 Type II report (under NDA) or ISO 27001 certificate. Skim exceptions and the bridge letter if the report is older than 6 months. For high-risk vendors, also request a recent pen-test summary.

If neither attestation exists, complete a security questionnaire (SIG Lite or your own) before granting production access.

Sign the data processing addendum with SCCs for any EU/UK data transfers. Add the vendor to your public sub-processor page (Klaviyo, Yotpo, Recharge, etc., expect this from you too) so customer disclosures stay current under GDPR Article 28.

For 3PLs: ship 5-10 live orders before flipping the full channel. For SaaS: enable for one team / one store before company-wide. Catches integration bugs, packing-slip typos, and tracking-writeback gaps while the blast radius is small.