Vetting a Freelance Contractor Before You Sign the NDA
Before you hand a freelancer your source code or client list, here's how to vet them properly—public records, sanctions, identity, and more—in under an hour.
You found someone on Upwork or through a warm intro. The portfolio looks solid, the call went well, and now you're drafting an NDA so you can share the real stuff—your source code, your client database, your pricing model.
Stop for ninety seconds. Do you actually know who this person is?
Most solo operators don't check. They rely on platform ratings, a LinkedIn profile, and vibes. That works until it doesn't—and when it doesn't, you're dealing with stolen IP, a breached client list, or a contractor who disappears mid-project with a five-figure deposit. The NDA you just signed is enforceable only if you can find the person. If their identity was partly fictional, good luck.
This post is a practical checklist for vetting a freelance contractor before you hand over anything sensitive. It's not a legal guide. It's what a careful person with limited time should actually do.
Why the NDA Isn't Your First Line of Defense
An NDA is a legal instrument, not a vetting mechanism. It tells a contractor what they can't do with your information. It does nothing to tell you who they are or whether they've done this before.
The NDA also assumes the person on the other end is who they say they are—that "Marcos Alves, freelance developer, São Paulo" is a real person with a real legal identity you can hold to account if something goes wrong. A quick check before signing is how you verify that assumption.
Think of it this way: you wouldn't hand your house keys to a stranger because they signed a piece of paper saying they wouldn't make copies.
What You're Actually Checking For
Before you build a checklist, get clear on the risk surface. When you bring on a freelance contractor with access to sensitive information, you're exposed to three categories of risk:
Identity risk. The person is not who they claim to be—fabricated credentials, a stolen LinkedIn identity, or a name that doesn't match any real legal entity.
History risk. The person is real but has a documented track record you'd want to know about: fraud litigation, IP theft claims, a pattern of abandoned contracts, or sanctions exposure if they're in a jurisdiction with active OFAC or EU asset-freeze designations.
Operational risk. The person is real and clean but works from a jurisdiction or through a corporate structure that creates practical problems—payment processing restrictions, export-control issues if you're in defense-adjacent tech, or simple jurisdictional unenforceability.
Most freelancer vetting fails because it only addresses the first category, partially. Here's how to cover all three without spending a week on it.
Step 1: Verify the Identity, Not Just the Profile
A LinkedIn profile with 500+ connections and a smiling headshot is not identity verification. Profile cloning is a documented and widespread problem—scammers copy real professionals' profiles wholesale and pitch as them. LinkedIn's own transparency reports document millions of fake account removals per year.
What actually helps:
Video call with camera on. Not a negotiation—a requirement. If a contractor declines to do a live video call, that's your answer. During the call, notice whether the name they use verbally matches what's on the contract.
Email domain check. Does their email match the domain of any business they claim? A freelancer claiming to run an agency but emailing from @gmail.com isn't disqualifying, but it's worth noting. If they claim a corporate identity, search that company name in the relevant corporate registry.
Government ID (proportional to contract value). For anything above a few thousand dollars or any access to genuinely sensitive systems, asking to see a government-issued ID is reasonable. Frame it as your standard process. If the contract is small and the access is limited, this may be overkill—calibrate accordingly.
Reverse image search the headshot. Takes fifteen seconds. Google Images and TinEye will surface any profile photos that appear elsewhere on the internet under a different name. It's a blunt instrument but catches lazy impersonators.
Step 2: Run a Sanctions and Watchlist Check
This one surprises solo operators. "I'm hiring a designer in Portugal, why would sanctions matter?"
Two reasons. First, OFAC (the U.S. Treasury's Office of Foreign Assets Control) prohibits U.S. persons from transacting with designated individuals or entities regardless of what service is being purchased. Paying a sanctioned person—even for a logo—is a violation. OFAC's SDN list is public and searchable. So is the EU Consolidated Sanctions List. Second, freelancers sometimes operate through companies, and the company—not the individual—may carry the designation.
The practical reality: most individual freelancers are not on a sanctions list. But "most" is not "all," and the check takes about thirty seconds on OpenSanctions, which aggregates OFAC, UN, EU, and dozens of other lists into a single searchable database. If you're running a platform or hiring at volume, they also have an API. For one-off checks, the free search is sufficient.
Check the individual's name and any company name they've given you.
Step 3: Search Public Records and Litigation History
For domestic contractors (U.S.-based), you have access to more than you probably realize.
PACER for federal court records. PACER is the federal court system's public access portal. It costs $0.10 per page to retrieve documents but searches are free. Search the contractor's name for any federal civil or criminal filings. IP theft, wire fraud, and contract disputes above a certain threshold end up in federal court. This matters most for contractors who'll have access to proprietary technology.
State court records. Most states have online portals. Search quality varies by state—some are comprehensive, some are a mess—but a quick search for "[State] court records public search" will get you to the right portal. Look for fraud claims, breach of contract suits where they were the defendant, or restraining orders.
Better Business Bureau and CFPB complaints. If the contractor operates any kind of business entity, BBB complaint history is public. For anything touching financial services, the CFPB complaint database is searchable too.
Corporate registry check. If the contractor invoices through a company, verify that company exists. In the U.S., OpenCorporates aggregates state-level corporate registrations. In the UK, Companies House is authoritative. A company that was registered last week for a five-year-old "agency" is a yellow flag.
For international contractors, the depth of available records varies widely. EU contractors: company registries exist in most member states and are increasingly linked. UK: Companies House is excellent. Much of Southeast Asia and Latin America: much thinner. Adjust your due diligence threshold to the information environment you're operating in, not to an imaginary standard of perfect information.
Step 4: Check Professional Credentials Proportional to What They're Claiming
If a contractor says they're a licensed attorney, a certified accountant, or a credentialed security professional, verify it. Claiming a professional license they don't hold is fraud, and it matters if you're relying on that credential.
- U.S. attorneys: state bar association websites publish licensure status. The ABA's directory links to state bars.
- CPAs: state boards of accountancy publish license lookups.
- Security professionals (CISSP, CISM, etc.): ISC² and ISACA have public verification portals.
- General "agency" claims: ask for two or three client references you can actually contact. Not LinkedIn recommendations—a real name and email of a past client who'll take a five-minute call.
For contractors not claiming professional credentials—a designer, a developer, a writer—this step is less critical. Focus on the work samples and references.
Step 5: Do a Proportional News Search
A quick news search is not paranoia—it takes four minutes and occasionally surfaces things no other check would catch.
Search the contractor's full name in quotes on Google News. Add their city or company name if you're getting noise. You're looking for anything that would materially affect your decision: arrest coverage, fraud reporting, a news story where they're named as a defendant. You're not looking to disqualify someone for being mentioned in a local business profile.
Also search their company name if they have one. A company that shows up in a fraud investigation story is worth a follow-up question, even if the individual's name is clean.
If they've published extensively—blog posts, GitHub repos, conference talks—spend five minutes on that too. It's both a credibility signal and occasionally a red flag (plagiarized writing, contradictory claims about their background).
What to Do With What You Find
Most of the time, you'll find nothing meaningful. The contractor is who they say they are, their company is registered, they're not on any watchlist, and there's no litigation. You sign the NDA and get to work.
When you find something, resist the reflex to immediately disqualify. A decade-old civil dispute that was settled isn't the same as an active fraud judgment. A company that's only a year old isn't inherently suspicious for a newer freelancer. Use what you find to ask better questions, not to make a snap call.
The things that should stop the engagement:
- Sanctions hit on the individual or their company (this is a legal matter, not a judgment call—consult counsel before proceeding)
- Identity documents that don't match the name on the contract
- Active fraud litigation where they're the defendant and the subject matter is similar to your work
- Credentials claimed but not verifiable through official channels, especially if those credentials are the reason you're hiring them
A pattern of small yellow flags—mismatched details, an unverifiable company, a profile that was created six weeks ago—warrants a direct conversation before you proceed.
How Long This Actually Takes
Done manually: two to three hours for a thorough check, roughly thirty minutes for a quick pass covering sanctions, a basic identity check, and a news search.
If you're vetting contractors regularly—say, you run a platform, manage a small agency, or hire multiple specialists per project—doing this manually every time isn't sustainable. That's the problem Sentinel is built to solve: structured due diligence on a person or company in minutes, not hours, without a research team.
The Right Moment to Do This
The right moment is before the NDA, not after. Once you've shared your systems, your client data, or your proprietary processes, the due diligence has lost most of its practical value. It only tells you what you should have known before.
Make it a policy: no NDA, no access, no onboarding until the basic checks are done. Framing it as your standard process—rather than something specific to this contractor—keeps it from feeling accusatory. "I run this check on everyone I bring in" is accurate, professional, and usually well-received by contractors who are exactly who they say they are.
The ones who push back on that are telling you something.