Vendor due diligence for clinics, accountants, and regulated sectors
Short answer: Regulated NZ practices should vet vendors for data handling, breach notification, subprocessors, and NZ-appropriate contracts—not just pick the cheapest form plugin.
Your clients assume you chose tools carefully; diligence is part of professional duty.
Minimum vendor questions
- Where is data stored and who can access it?
- Breach-handling process and the timelines within which the vendor will notify you.
- Deletion and export when you leave the tool.
- Uptime and support commitments that are realistic for your risk tolerance.
Document decisions
Keep short decision notes: why this CRM, what data classes flow into it, review date. Future you—and auditors—will thank you.
Website-specific risks
Live chat, document uploads, and analytics pixels each expand the scope of data flowing to third parties; review them holistically, not tool-by-tool in isolation.
Frequently asked questions
Is an overseas SaaS automatically bad?
No—but understand transfer mechanisms and whether the vendor’s DPA fits your practice.
Do patients read privacy policies?
Some do; regulators may. Clarity signals professionalism.