Vibe-Coded Products: Innovation Is Welcome, But Due Diligence Still Matters
The rise of vibe coding is going to change the software market.
For businesses, this could be a very positive thing. We are likely to see more choice, more niche products, faster innovation and new tools that solve problems traditional software companies have overlooked for years.
A small team, or even an individual founder, can now build an online system, app or portal much faster than before. That opens the door to clever ideas, affordable tools and software that are more closely aligned with real business problems.
But it also creates a risk.
Just because a product looks polished, works well in a demo and appears to solve a problem, it does not automatically mean it is safe, secure, compliant or suitable for your business.
This is not about discouraging vibe coding. Far from it. Used properly, it can be a brilliant way to prototype, test ideas and bring new products to market. But businesses need to exercise caution before subscribing to any online system, especially where personal data, customer records, financial information, operational data or staff details are involved.
The barrier to building software has dropped
Historically, launching a software product required a development team, infrastructure knowledge, testing, security planning, documentation and support processes.
That is no longer always the case.
With modern AI coding tools, platforms and low-code services, products can be created quickly. In many ways, that is exciting. It means more people can solve problems and more businesses can access tools that might previously have been too expensive or too complex.
However, the speed of creation can sometimes outpace the boring but essential parts of running a proper software business.
Things like security, data protection, insurance, support, resilience, backups, legal terms, supplier due diligence and infrastructure management may not be visible in the demo, but they matter deeply once your business is relying on the product.
A good product is not just good code
When assessing a new online system, businesses often focus on features.
- Does it do what we need?
- Is it easy to use?
- Is the price right?
- Can we get started quickly?
Those are valid questions, but they are not enough.
A good software product is not just about the screen you can see. It is also about the company behind it, the way it handles data, the security of the application, the quality of its terms, the resilience of its infrastructure, and whether the provider can be trusted with your business information.
Before signing up, businesses should ask some simple but important questions.
Where is your data stored?
Data location matters.
If the system stores personal data, customer records or business-sensitive information, you need to understand where that data is held. Is it stored in the UK, the EU, the US, or somewhere else?
This is often called data sovereignty. In simple terms, it means understanding which country’s laws and protections may apply to your data.
Businesses should ask:
- Where is the data hosted?
- Which cloud provider is being used?
- Is the data stored in the UK, EU or outside these regions?
- Are backups also stored in the same region?
- Does the supplier use any third-party tools that process your data?
- Is data used to train AI models?
- Are there any international data transfers?
- Are sub-processors involved?
If the answer is vague, that should be a warning sign.
Has the application been security tested?
Every online system carries risk. That does not mean every system is unsafe, but it does mean security should be taken seriously.
Ask whether the application has been penetration tested or independently security reviewed. A penetration test is not a magic guarantee, but it does show that the supplier has taken steps to identify and fix common security issues.
You may want to ask:
- Has the application had an independent penetration test?
- When was it last tested?
- Were critical or high-risk issues found?
- Have those issues been fixed?
- Does the supplier follow secure development practices?
- Are user passwords properly protected?
- Is multi-factor authentication available?
- Are backups tested?
- Is there an incident response plan?
For smaller tools, a full enterprise-level security programme may not be realistic, but the supplier should still be able to explain how they protect the system and your data.
What infrastructure is the product built on?
It is also worth asking about the infrastructure behind the product.
A software application is not just the visible screens and features. It depends on hosting, servers, databases, backups, domain settings, monitoring, access controls and ongoing maintenance.
For many businesses, these areas are invisible until something goes wrong.
Before subscribing to a new product, ask:
- Where is the application hosted?
- Is it hosted on a recognised cloud platform?
- Are the servers properly maintained and patched?
- Is there a backup process?
- Are backups tested?
- Is there monitoring in place to detect downtime or unusual activity?
- Who has access to the hosting environment?
- Is access protected with multi-factor authentication?
- Are development, test and live environments kept separate?
- Is there a disaster recovery plan?
- What happens if the system goes offline?
- How quickly could service be restored?
This does not mean every small software provider needs enterprise-level infrastructure. But they should understand their own setup and be able to explain how they keep the service secure, available and recoverable.
If the answer is simply “it is in the cloud”, that is not enough.
The cloud is not a security plan. It is only part of the infrastructure.
Look for recognised cyber security standards
Another useful check is whether the supplier holds recognised cyber security certifications, such as Cyber Essentials or Cyber Essentials Plus.
Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves against common cyber threats. Cyber Essentials Plus goes further by including more rigorous technical verification.
For a software supplier, this can be a positive sign. It suggests they have thought about basic security controls, such as secure configuration, access control, malware protection, security updates and firewalls.
However, it is important to understand what these certifications do and do not prove.
Cyber Essentials is not the same as a full application penetration test. It does not automatically mean the product itself has been deeply tested for every possible security flaw. It is a useful assurance point, but it should sit alongside other checks.
Businesses should ask:
- Does the supplier hold Cyber Essentials?
- Do they hold Cyber Essentials Plus?
- Is the certification current?
- What part of the business, product or infrastructure does the certification cover?
- Has the application itself also been security tested?
- Depending on the size and nature of the supplier, do they hold any other relevant standards, such as ISO 27001?
A supplier that takes cyber security seriously should be comfortable answering these questions.
A lack of certification does not always mean a product is unsafe, especially for a very new business, but it does mean you should ask more questions before trusting it with important data.
Who is behind the product?
One of the biggest risks with fast-built products is not always the technology itself; it is the lack of structure behind the business.
Before subscribing, carry out some basic checks on the company or developer.
Look at:
- Is the business registered?
- Who owns or operates it?
- Do they have a track record in software development?
- Can you find real people behind the product?
- Do they have professional experience?
- Are they clear about how support is provided?
- Do they publish a business address or company details?
- Are there genuine testimonials or case studies?
- Do they have appropriate insurance?
This does not mean every new product should be avoided. New companies can produce excellent software. But if a provider is asking you to trust them with your data, they should be prepared to be transparent.
Are they registered with the ICO?
If a UK organisation is processing personal data, registration with the Information Commissioner’s Office may be required, depending on what they do and how they operate.
For businesses choosing a software supplier, ICO registration is not the only measure of compliance, but it is a useful due diligence point.
You should also look for evidence that the supplier understands data protection responsibilities. That includes having a clear privacy policy, explaining what data is collected, stating how long data is kept, and making it clear who is responsible for what.
If the system stores or processes personal data on your behalf, you also need to understand whether the supplier is acting as a data processor, whether they use sub-processors, and whether the correct contractual terms are in place.
Review the terms and conditions
Terms and conditions are often ignored, but they are important.
Before signing up to a system, check what the terms say about:
- Ownership of your data
- Service availability
- Support response times
- Cancellation
- Price increases
- Data export
- Data deletion
- Liability
- Suspension of service
- Changes to the product
- What happens if the company closes
A key question is this: if you leave the product, can you get your data back in a usable format?
If the answer is unclear, think carefully before relying on it.
Read the privacy policy
A privacy policy should not be a generic copy-and-paste document that says very little.
It should explain:
- What personal data is collected
- Why it is collected
- How it is used
- Where it is stored
- Who it is shared with
- How long it is kept
- How users can exercise their rights
- Whether third-party services are involved
If the privacy policy is missing, unclear or poorly written, that is a concern.
Check for cyber security information
A responsible software provider should be able to explain how it approaches cyber security.
That does not always mean publishing every technical detail publicly, but there should be enough information to give confidence.
Useful signs include:
- Secure login options
- Multi-factor authentication
- Role-based access controls
- Audit logs
- Regular backups
- Encryption in transit
- Clear support channels
- Security contact details
- Vulnerability reporting process
- Evidence of testing or certification
If the product handles sensitive or business-critical data, the standard should be higher.
Beware of “it was built with AI” being used as a selling point on its own
There is nothing wrong with software being built with the help of AI. In fact, most modern development teams are now using AI in some way.
The issue is when “built with AI” becomes a substitute for proper software engineering.
AI can help create code quickly, but someone still needs to understand the architecture, security, data handling, testing, hosting, infrastructure and long-term maintenance of the product.
The real question is not whether AI was used.
The real question is whether the product has been built, tested and managed responsibly.
Vibe coding is not the problem; unchecked trust is
Vibe coding will create opportunities. It will help founders move faster, allow businesses to test ideas more affordably, and bring more competition into the software market.
That should be welcomed.
But businesses should avoid being dazzled by a slick interface or a confident sales page.
Before subscribing to any new online system, ask practical questions. Do some checks. Read the policies. Understand where your data goes. Check who is behind the product. Ask what infrastructure it runs on. Ask what happens if something goes wrong.
Innovation should be encouraged, but trust should still be earned.
A simple checklist before subscribing
Before your business signs up to a new software product, ask:
- Who owns and operates the product?
- Is the company properly registered?
- Are they registered with the ICO, where required?
- Where is our data stored?
- Is data transferred outside the UK?
- Who else can access or process the data?
- Are sub-processors involved?
- Has the application been penetration tested?
- Where is the application hosted?
- Is the infrastructure properly maintained and patched?
- Are backups taken and tested?
- Is there monitoring for downtime or unusual activity?
- Is access to hosting and admin systems protected with multi-factor authentication?
- Does the supplier hold Cyber Essentials?
- Do they hold Cyber Essentials Plus?
- Is the certification current and relevant to the service being provided?
- Is there a clear privacy policy?
- Are the terms and conditions fair and understandable?
- Can we export our data if we leave?
- Is there suitable insurance in place?
- What support is available?
- What happens if the service goes offline?
- Is there a clear process for reporting security issues?
The future of software will include more AI-assisted and vibe-coded products. Some will be excellent. Some will be risky. The challenge for businesses is knowing how to tell the difference.
The message is simple: do not dismiss vibe-coded products, but do not subscribe blindly either.