A proper software vendor checklist for Malaysia should cover company verification (SSM, paid-up capital), technical proof (live portfolios, code samples, references you can actually call), legal protection (IP ownership, source-code escrow, exit clauses), regulatory readiness (PDPA 2024, LHDN e-invoice, SST), and post-launch terms (SLA, response times, handover). Anything thinner than that, and you are picking a vendor on vibes.
We have sat on both sides of this. Pitches we have lost to cheaper vendors who later ghosted the client. Recovery jobs where we inherited a "finished" product with no documentation, no repo access, and an IP clause that gave the original developer the right to resell it. The patterns repeat. This guide turns them into a checklist you can run before signing anything.
For a broader view of what you are actually paying for, see our custom software cost guide for Malaysia. Checking the vendor is the other half of the cost question, the half that decides whether the quote you accepted is the bill you actually pay.
What does it mean to "check" a software vendor?
Vendor checking (sometimes called vendor vetting or due diligence) is the structured set of questions you run on a development partner before you sign a contract. It covers four things: can they legally do the work (company registration, tax status), can they technically do the work (portfolio, code, team), will they protect your interests (IP, data, exit terms), and will they still be around in 18 months (financials, references, retention). In Malaysia the regulatory layer adds PDPA, LHDN e-invoice readiness, and SST registration on top.
The reason it matters is that switching vendors mid-build typically costs 40 to 80% of what you have already spent. Picking wrong is not a small mistake.
The 12-point due diligence checklist
Run these in order. The early checks are cheap and rule out most chancers before you waste time on a meeting.
1. SSM and company status (5 minutes, free)
Pull the vendor's record on MyData SSM. You are looking for:
- Entity type. Sdn Bhd is the minimum for any contract above RM 50,000. A sole proprietorship or enterprise has no legal separation between the founder and the business, which means if the founder walks, your contract walks with them.
- Paid-up capital. RM 1 paid-up is technically legal and practically meaningless. We treat anything under RM 50,000 as a yellow flag for a build in the RM 100,000 range.
- Date of incorporation. A six-month-old Sdn Bhd pitching for a RM 300,000 build is not automatically a problem, but it changes the references you should ask for.
- Directors and shadow directors. Cross-check the directors against the people in the room. If the person pitching is not on the company record, ask why.
This one check has knocked out more pitches we have reviewed than any other.
2. Portfolio verification (the vaporware test)
Every Malaysian software house has a portfolio page. Half of those portfolios are inflated. The test:
- Click every "live" link. Does the product actually exist at that URL today?
- Ask for the production URL of the last three projects, not just screenshots.
- Cross-reference with LinkedIn. Do current employees list the projects on their work history? If a flagship project is on the website but nobody who worked on it still works there, that capability has walked out the door.
- Ask: "which of these projects are you still maintaining?" Building once and walking is very different from running something for years.
3. Reference calls (not testimonials, calls)
Written testimonials are PR. Phone calls are due diligence. Ask for two clients you can call directly. The questions:
- Did the project ship on the original timeline?
- What did the final invoice look like compared to the original quote?
- How long did it take to get a response when something broke at 9pm on a Saturday?
- If you could go back, would you hire them again? (Listen for hesitation more than the answer.)
If a vendor cannot produce two references, that is the answer.
4. Technical conversation with an engineer (not a salesperson)
Ask to talk to the technical lead who would actually run the project. A 30-minute conversation will tell you more than a 50-page proposal. Watch for:
- Specific opinions on stack tradeoffs for your use case ("for a multi-tenant SaaS in Malaysia we usually pick X because…").
- Honest limits ("we don't do native iOS, we'd subcontract or use Flutter").
- Questions back at you about your business, not just your features.
If the only person you ever talk to is the founder or a sales lead, the people who will actually do the build are a black box.
5. Code sample or technical artefact
Any vendor pitching for a serious build should be able to share, under NDA, a recent code sample or architecture diagram. This is not about reading every line. It is a signal of basic professionalism: do they version-control, do they write tests, do they document.
A vendor who refuses on principle, or who shares something obviously old and unmaintained, is telling you something.
6. IP ownership clauses (the single most important contract term)
Under Section 26(2) of Malaysia's Copyright Act 1987, copyright in commissioned work is deemed transferred to the person who commissioned it, unless the contract says otherwise. The risk for SMEs is not the default. The risk is that vendor contracts often contain clauses that override the default in the vendor's favour, retaining ownership for the developer, granting only a "perpetual licence" back to the client, or carving out reusable "framework" code. Read the IP clause carefully and insist on terms that confirm, not displace, the assignment:
- Work-for-hire assignment confirmed. All IP created in the engagement is assigned to you on payment, in writing, with the assignment surviving termination.
- Repository handover. GitHub or GitLab repo ownership transfers to your organisation on final payment, with admin rights.
- No reuse without consent. The vendor cannot resell or reuse the code (or substantial parts of it) for other clients without your written permission.
- Source-code escrow for higher-stakes builds (typically enterprise engagements over RM 500,000, or anything mission-critical to your operations). A neutral third party holds the latest source. If the vendor disappears, you get the code. Most Malaysian SME builds skip this because the repo handover clause above already covers the common failure mode, but it is worth asking about. MyIPO does not offer escrow directly; commercial services are available through firms like Escode (formerly NCC Group Software Resilience).
For a deeper view of why IP risk is often missed in due diligence, the Praktis IP risk assessment guide is a solid starting point.
This is the clause that funds the post-launch ghosting industry. Take it seriously.
7. PDPA 2024 readiness (newly material)
The PDPA amendments that came into force in 2025 made data processors (your vendor) directly liable, not just data controllers (you). Ask for:
- A clear owner of data protection responsibilities. From 1 June 2025, a formally appointed Data Protection Officer is mandatory for data controllers and processors that meet the Commissioner's thresholds (broadly: processing personal data of more than 20,000 data subjects, sensitive personal data of more than 10,000, or large-scale regular monitoring). If your vendor sits below those thresholds they are not legally required to appoint a DPO, but they should still be able to name the person who handles PDPA compliance, breach response, and your sub-processor questions. "Nobody specifically" is the wrong answer.
- Their breach notification SLA. Under the amended PDPA and the February 2025 guidelines, the data controller must notify the Commissioner within 72 hours of becoming aware of a personal data breach, and notify affected individuals within 7 days where there is risk of significant harm. Your vendor needs a contractual SLA that surfaces a breach to you fast enough to hit those deadlines, typically 24 hours or less.
- A sub-processor list. If they ship your customer data to a third party (analytics, hosting, AI APIs), you need to know.
- Data residency. Where is the production database hosted? Cross-border transfers have specific PDPA implications.
The legal community has flagged that vendor due diligence is now a baseline expectation, not optional. See the DLA Piper briefing on Malaysia's 2025 DPO and breach-notification guidelines for the current position.
8. LHDN e-invoice and SST readiness
Two related but separate checks:
- SST registration. A vendor charging service tax must be registered. Ask for the SST registration number and verify it on the Customs portal.
- LHDN e-invoice readiness. The mandate is rolling out by turnover band: businesses over RM 100 million started 1 August 2024, RM 25–100 million from 1 January 2025, RM 5–25 million from 1 July 2025, and RM 1–5 million deferred to 1 January 2027. Businesses with turnover under RM 1 million are currently exempt. Whichever band your vendor sits in, they need to (a) issue e-invoices to you correctly when their phase hits, and (b) understand the MyInvois API if your build needs to integrate. We covered the integration cost in LHDN e-invoice integration cost: what developers charge in Malaysia.
A vendor who does not understand MyInvois cannot build a product that integrates with it.
9. Pricing model and payment milestones
Ask which model they propose and why:
- Fixed-price suits well-scoped builds (a marketing site, a clearly defined module). It transfers scope risk to the vendor, who will price defensively.
- Time and materials suits open-ended product work where requirements will evolve. It transfers scope risk to you.
- Hybrid (fixed for phase one discovery, T&M for build) is what most serious vendors propose for non-trivial projects.
Then look at the payment schedule. We treat 50% upfront for anything over RM 80,000 as a red flag. A healthier pattern: 25% on signing, 50% across milestones tied to deliverables, 25% on acceptance after a defect-fix window.
The relationship between price and total cost is rarely linear. We wrote about the parts of the bill that do not appear in the quote in the hidden costs of launching software in Malaysia.
10. Team composition (and who actually does the work)
Ask, by name, who would lead the project and which other engineers would touch the code. Formal CVs are nice but not always practical at the proposal stage. A LinkedIn profile and a 15-minute call with the technical lead are enough. Then push on:
- Are they full-time staff or freelancers retained for this project?
- If subcontracted, where are they located, and what is the IP and PDPA chain back to you?
- Will the senior who pitched still be involved in week 12, or is this a classic bait-and-switch where the demo team disappears after kickoff?
A team of two senior developers who own the work is often a better bet than a team of eight where six are juniors learning on your dime.
11. Stack and AI tooling readiness
Two questions worth asking in 2026:
- What stack would you propose for this and why? A vendor with a single-stack hammer (everything is Laravel, or everything is Node.js) is not necessarily wrong, but should be able to defend the choice. We compared the two in Laravel vs Node.js: which costs less for a Malaysian startup.
- How does the team use AI coding tools day to day? This is a legitimate productivity question now, not a hype question. A team using Cursor, Copilot, or Claude well ships faster and should price accordingly. A team that pretends AI doesn't exist or refuses to talk about it is either inexperienced or hiding something. Our take on what to look for is in how to choose a software development company in Malaysia (AI era guide).
12. Post-launch terms and exit plan
This is where most contracts fall apart. Ask for written answers to:
- Maintenance SLA. Response time for critical bugs, business-hours definition, who is on call.
- Hourly rate for change requests after the build is delivered.
- Knowledge transfer. What documentation do you receive? Can your future internal team (or your next vendor) actually pick this up?
- Exit clause. If you want to walk in month 18, what happens? Repo handover, credentials, infra access, customer data export.
- HRDF / HRD Corp claimable training. If the build includes any training component, structure it so the levy works in your favour. We broke down what's claimable in HRDF claims for software development in Malaysia.
A vendor who has thought about the exit before you sign is a vendor who is not planning to trap you.
Five red flags that should kill the deal
If you see any of these, walk:
- No SSM record, sole proprietorship, or paid-up capital under RM 10,000 for a build over RM 100,000.
- Refusal to give references, or references that turn out to be friends and family.
- IP clause that retains ownership with the vendor, or that grants only a "perpetual licence" rather than full assignment.
- No mention of PDPA in the proposal or contract for any project that touches personal data.
- 50% or more upfront payment with no milestone structure.
You will lose some good vendors to these filters. You will lose far more bad ones.
A note on AI vendors and AI-built portfolios
A pattern we are seeing in 2026: portfolios padded with screenshots of generic dashboards built largely by AI tools, dressed up to look like custom client work. AI lets a single developer ship a polished demo in a weekend that would have taken a team a month two years ago. That is genuinely useful when the vendor is honest about it, and dangerous when they are not.
Our take is that the "did you use AI to build this" question is the wrong frame. The right question is "if I sent you a screenshot of one of these portfolio projects right now, could you walk me through the architecture, the database schema, and the bug you fixed last Tuesday?" A vendor who built it knows it. A vendor who pasted a Claude prompt into Cursor and shipped does not.
That is true at Gotchaa Lab too. We use AI tools daily, and we expect any vendor working on serious software in 2026 to do the same. What we don't accept is using AI as a substitute for understanding what was built.
Get a software vendor proposal you can actually verify
We respond to RFPs in writing with a fixed scope on phase one (discovery), an honest team CV, named IP and PDPA terms, and references you can call. See what we deliver under custom software development and web development for the kinds of engagements this checklist is designed for. If you are putting a build out to tender and want a proposal you can put through this checklist, WhatsApp us with a rough scope and budget. We will come back within 24 hours with a clear next step, or with an honest answer that we are not the right fit for what you are building.
This article is general guidance for Malaysian SMEs procuring software services and does not constitute legal advice. Contract terms, PDPA obligations, and tax requirements vary by case; consult your lawyer and tax agent before signing. Pricing thresholds mentioned are typical rather than prescriptive.
References
- MIA Guidance on Software and Software Vendor Selection (PDF)
- MyData SSM (Companies Commission of Malaysia)
- Praktis: Assessment of Intellectual Property Risks in Due Diligence
- DLA Piper: Malaysia Guidelines on Data Breach Notification and Data Protection Officer Appointment (2025)
- Mayer Brown: Key Amendments to Malaysia's PDPA and Cross-Border Transfer Guidelines (2025)
- LHDN e-Invoice Implementation Timeline
- Henry Goh: Exceptions to the First Ownership Rule (Section 26(2), Copyright Act 1987)
- MySST (Royal Malaysian Customs SST verification)
- LHDN MyInvois Portal