
9 Signs of a Trustworthy Website Vendor

Lowball pricing, mid-project ghosting, even a website that vanishes when the domain expires. 9 credibility signals to check before you pay a deposit.


Diana

Brand & UI Designer

Leads the visual direction of every Webiti project: the color systems, typography, and layouts that make each website feel distinctly the client's own — not a one-size-fits-all template.


Every week at least one inquiry reaches our studio from a prospective client with roughly the same story: 'We already paid a previous vendor, and now the vendor has vanished. Can it be fixed?' Sometimes the problem is a minor technical one — a domain about to expire, an admin contact that's gone dark, a plugin that's rotted. Sometimes it's sadder — the website is gone entirely because the vendor turned out not to be a registered business, the hosting account was under a personal name, and there's no way to reach the owner.

This pattern doesn't happen because clients are foolish. Quite the opposite — many of these clients were successful entrepreneurs, company managers, school principals. They got caught because they didn't know which signals to check before paying a deposit. Risky vendors are usually skilled at manipulating three emotions: the feeling of being rushed, the urge to save money, and the reluctance to ask too many questions.

This article gives you nine concrete signals you can check in 30 minutes, before you transfer a single rupiah. We've ordered them starting with the most commonly overlooked, not the most basic.

Signal 1: The vendor has a physical address you can verify on Google Maps

This sounds trivial, but it's effective. A vendor with a physical office (even a rented coworking space counts) is far less likely to disappear. Try typing the vendor's name + location into Google Maps. A serious vendor will have a location pin with interior photos, reviews, and opening hours. Don't be thrown off by 'we're a 100% remote digital agency' — that isn't a problem as long as they're transparent, but check whether there's at least one physical point of contact (a registered business, a tax ID, a mailing address).

For clients in East Java in particular, we always recommend: factor in distance. If there's a local vendor whose quality matches an out-of-town one, take the local one — not out of some 'local pride', but because if a problem comes up on Monday morning, you can drop by in person. Plenty of Jakarta vendors pull projects from tier-2 cities at higher prices, then only communicate over Slack — and when something urgent comes up, their response time doesn't compare to a vendor in your own city. For us in Madiun, this is a standard too: if a client in Madiun-Magetan-Ngawi asks to meet, we're ready to visit within 24 hours.

Signal 2: A portfolio with clickable, live URLs

A portfolio full of pretty screenshots with no clickable links is a major red flag. A professional vendor will proudly share a live URL for each project — you click, and you see their quality for yourself in production conditions. Open a few of those links on an Android phone, on a laptop, and in incognito mode. Check:

  • Does the page load fast (target < 3 seconds)?
  • Are there 404 errors on internal links?
  • Is the launch year still reasonable (if every project is from 2018-2019 and it's now 2026, the vendor may have retired)?

If a vendor refuses to share URLs on the grounds that 'the client asked to keep it confidential', ask for at least ONE example you can open. It's not realistic for EVERY client to demand privacy.

Conversely, be wary of a portfolio whose screenshots all look slick and Behance/Dribbble-worthy — check whether that design was truly their work or just a mockup on display. How to check: do a reverse image search on Google Images. If the same image shows up in 5 different vendors' portfolios, you know the answer. Another way: ask the vendor for a video call and to share their screen while opening the actual working files (.fig, .psd, or the backend CMS) from those projects. An honest vendor will happily oblige.

Signal 3: A formal written proposal with a detailed scope

A serious vendor will give you a PDF proposal of at least 2-3 pages after the brief — not a WhatsApp voice note saying 'just go with package B, 6 million, done in 2 weeks'. The proposal PDF should contain:

  • A summary of the brief as they understand it — proof they were listening.
  • A detailed scope per page/feature.
  • What's not included (out of scope).
  • A per-phase timeline with target dates.
  • The payment structure (usually 30-50-20 or 40-40-20).
  • A revision clause (how many rounds are included, the cost per extra round).
  • The post-launch warranty period.

If the proposal is just 1 page with no scope, that's a problem. If the proposal looks copy-pasted (another client's name hasn't been swapped out, or there's no context about your business), that's a bigger problem — you'll be served copy-paste work.

On the other hand: a vendor whose proposal runs 20 pages of jargon and looks 'corporate' isn't necessarily better either. What matters isn't the thickness, but the relevant specifics. Ask questions back if there's any part you don't understand — a good vendor will explain patiently in plain language, not rudely or as if you're being a nuisance.

Signal 4: Domain and hosting in your name, not the vendor's

This is often the second-year trap. Ask firmly: 'Whose name will the domain and hosting account be registered under?' The right answer: your name / your PT or CV's name. The domain registration email is yours, not the vendor's. The renewal payment in subsequent years is something you can do yourself with the registrar (Niagahoster, IDwebhost, Cloudflare Registrar, etc.).

A vendor who keeps the domain in their own name 'for convenience' is actually holding the client by the throat — if the relationship ends, the client can lose a domain with hundreds of backlinks and an SEO reputation that's already been built. This happens more often than you'd think. The fix is simple: ask for the credentials from day one. Log into the registrar account yourself, change the password, and store it in a password manager.

For hosting, the same: the account in your name, with full dashboard access. The vendor just needs to be granted access as a sub-user or additional admin that can be revoked at any time. Don't be tempted by a 'package with hosting forever' that looks like a saving — that's lock-in. The healthy approach: pay hosting directly to the provider, and the vendor only helps with the initial setup.

Signal 5: A business registration certificate and tax ID

This doesn't mean an individual freelancer is automatically risky — there are plenty of brilliant freelancers. But for projects above IDR 5 million with non-trivial complexity, transacting with a registered business gives you clearer legal protection. A vendor that's a registered business (CV/PT) with a tax ID usually: has been operating for at least 1-2 years, has an internal structure (not just one person), pays taxes (so there's an audit trail), and has a bank account in the company's name (not a personal account that can vanish). For government-agency clients, public schools, and corporations, this is even mandatory — you need an official tax invoice for financial reporting.

How to check: ask for the NIB (Business Identification Number) and tax ID. The NIB can be verified at OSS (oss.go.id). A good vendor will happily provide a copy. If the vendor operates only as a 'small team' with no formal entity, that's okay for small projects under IDR 5 million — but ask for a contract clause that names the responsible individual + their ID-card identity, so you're not left hanging if there's a dispute.

Signal 6: How they answer simple technical questions

A communication test before the contract. Send 3 questions to the prospective vendor: (1) 'How long is the average load time of the websites you build, on 4G on an Android phone?', (2) 'What schema markup do you typically implement for an industry like mine?', (3) 'How do you keep my website safe from injection attacks or scraping?' The answers don't have to be long — but a serious vendor will answer with the right technical terms (not 'it'll definitely be fast' or 'we use antivirus'). A vendor who gets nervous or answers with empty jargon usually doesn't have a real technical team and simply resells work from freelancers on overseas marketplaces.

Another test: ask whether they insist on a specific framework/CMS or are adaptable. A vendor who can only do one CMS (e.g. 'we only use WordPress') isn't wrong, but make sure it really fits your needs. A vendor who can adapt (a static site for a simple website, a modern framework for a web app) is usually more senior.

This early communication is also an indicator of how communication will go during the project. If even at the introduction stage they reply 3 days later, expect the same response time during the project.

Signal 7: A clear post-launch warranty and maintenance package

A website is a living product, not a one-time purchase. A good vendor will offer: a free bug-fix warranty for the first 14-30 days (standard), and the option of a monthly/annual maintenance package afterward at a transparent price. Healthy maintenance covers: weekly backups, security updates for plugins/libraries, uptime monitoring, minor bug fixes (5 tickets/month, for example), and a monthly report on the website's condition.

Avoid a vendor who:

  • Has no post-launch warranty at all — you'll get charged for every bug that appears in the first week.
  • Offers 'all-in' maintenance with no clear scope — which usually means nothing gets done unless you complain.
  • Offers super-cheap maintenance (IDR 100 thousand/month) — which doesn't add up for the work hours involved, and usually amounts to neglect in disguise.

A fair maintenance range at an independent studio: IDR 500 thousand - IDR 2.5 million/month depending on the website's complexity. Pay for maintenance if you genuinely need it; many simple static websites don't actually need monthly maintenance — annual is enough, for the renewal + an audit.

Signal 8: Exit and transfer clauses in the contract

The most commonly overlooked signal: what if, after 2 years, you want to switch vendors? A good vendor's contract explicitly covers:

  • Source code handed to the client at launch, in a format that can be hosted with another provider.
  • The original design files (Figma, Adobe) becoming the client's property.
  • Technical documentation — how to deploy, the list of dependencies, third-party credentials — provided in a handover document.
  • No lock-in to a proprietary CMS that only that vendor can edit.
  • A complete database backup handed over periodically, not just when the relationship ends.

If the contract is silent on this, ask. A vendor who refuses to include an exit clause usually knows they'll lose the client the moment the client learns how to migrate. A test question: 'If I want to migrate to another vendor next year, what documents will you provide?'. A vendor who answers 'no client has ever wanted to switch' is hiding an answer that's hard to hear.

Signal 9: How they price — both too cheap and too expensive are yellow flags

Once you've gathered 3-5 quotes from different vendors for the same scope, you'll have a picture of the market range. Be wary of two extremes:

  • A vendor whose quote is far below average (50% cheaper than the rest) — they're most likely cutting corners somewhere you can't see: no thorough testing, no image compression, no rewritten content, or no handover training.
  • A vendor whose quote is far above average (2-3x more expensive) — not automatically better; sometimes it's just big-agency overhead, where you're paying for their office on Sudirman, not for the quality of the result.

The sweet spot is usually in the middle, with the most concrete deliverables. Do the 'sandwich quote': take 3 quotes, drop the cheapest and the most expensive, and have a serious conversation with the one in the middle. If you're lucky, the middle one is also the most responsive in communication — that combination usually produces the least dramatic project.

Finally: trust your gut on the first video call. If something feels 'off', it usually is.

// takeaway

Choosing a website vendor isn't about finding the cheapest or the most expensive — it's about finding the most transparent one, and the one most clearly willing to be accountable after launch. The nine signals above need no technical skill to check; all you need is a WhatsApp number, an email address, and 30 minutes of research time. A vendor who passes 7 of the 9 signals is more than safe to trust. They don't need to be perfect — but there must be no red flag in domain ownership, the written contract, or the exit clause. Those three are the most common sources of regret.

// faq

Frequently asked questions

What's the most important sign of a trustworthy website vendor to check?

Three things that must have no red flags: domain & hosting ownership must be in your name (not the vendor's), there must be a written proposal/contract with a detailed scope, and there must be an exit/source-code-transfer clause. The other signals (physical address, live portfolio, registered business, post-launch warranty) strengthen your confidence, but those three are the most common sources of regret.

How do I vet a vendor before transferring a deposit?

30 minutes is enough: look up their address on Google Maps, click a few of their live portfolio URLs (open them on your phone + in incognito mode), ask for a proposal PDF containing scope + timeline + payment structure, and ask firmly 'whose name will the domain & hosting be under?'. The right answer: your name, with your own registration email.

Do I have to use a registered business (CV/PT) as my vendor?

For projects above IDR 5 million, or for agency/school/corporate clients that need a tax invoice — it's highly recommended, because it gives legal protection and a clear trail. For small projects, an individual freelancer is fine, as long as the contract names the responsible person + their identity so you're not left hanging if a problem arises.

What if I want to switch vendors later?

Make sure the contract covers an exit from the start: source code handed over in a format that can be hosted anywhere, the original design files becoming yours, deploy documentation + a dependency list, and no lock-in to a proprietary CMS. A vendor who refuses this clause usually knows you'd struggle to migrate — and that's a signal in itself.
