Every year, UK businesses lose millions of pounds to software agencies that looked credible on a call, had a polished website, and disappeared or delivered long after the budget ran out. Most red flag guides are generic: they tell you to check for communication problems and ask for references. They do not tell you how to pull a director history on Companies House in under ten minutes, why a fixed-price quote from an agency with no discovery phase is almost always a trap, or how GDPR outsourcing liability can land with you, not the agency, if their contract is drafted the wrong way. This guide covers ten of the most dangerous software agency red flags that UK buyers encounter, written specifically for UK buyers using UK pricing benchmarks, UK legal context, and the Companies House paper trail that most agencies hope you never check. If you are about to spend five, six, or seven figures on a software project, these are the ten hidden red flags that will save you from the hire you cannot afford to make. Use this alongside a solid UK tech partner selection guide to make any final decision with confidence.
Table of Contents
- Why Hiring a UK Software Agency Is Not Like Hiring Any Other Supplier
- Red Flag 1 – They Cannot Show You a Verified UK Client Portfolio
- Red Flag 2 – Their Pricing Doesn’t Reflect UK Market Rates
- Red Flag 3 – They Haven’t Passed a Basic Companies House Check
- Red Flag 4 – The Contract Is Vague on IP Ownership and Code Rights
- Red Flag 5 – No Clear Discovery or Scoping Phase
- Red Flag 6 – Senior Bait-and-Switch on the Delivery Team
- Red Flag 7 – Weak or Missing QA and Testing Process
- Red Flag 8 – Poor Communication Structure and No Defined Escalation Path
- Red Flag 9 – No Post-Launch Support Plan or SLA
- Red Flag 10 – They Resist a Technical Due Diligence Review
- Quick Reference – Red Flag Checklist Before You Sign
- Frequently Asked Questions
- Conclusion – Hire Slow, Ship Right
Why Hiring a UK Software Agency Is Not Like Hiring Any Other Supplier
Hiring a UK software agency involves a level of dependency that most other supplier relationships do not. You are not buying a finished product. You are funding months of specialised work where outcomes depend on expertise, process discipline, and honest communication. Getting that wrong at the hiring stage costs far more than a bad marketing retainer or a disappointing events vendor. The risks are structural, legal, and financial, and they are uniquely shaped by the UK market context.
The offshore-masquerading-as-UK problem
A growing number of agencies maintain a UK-facing brand, a London or Manchester address, and a polished website, while all delivery is handled by offshore teams in Eastern Europe, South Asia, or the Middle East. This is not inherently illegal and is not always a problem. But it becomes a serious red flag when it is not disclosed, when the offshore team operates without proper UK oversight, or when the commercial relationship between the UK entity and the offshore team is opaque. You cannot assess delivery quality if you do not know who is doing the delivery. Ask directly: where will the engineers building my product be based, and what is the employment or contractual relationship between them and the UK entity you are contracting with?
What UK incorporation actually tells you (and doesn’t)
A company being registered in England and Wales tells you that they filed a form at Companies House and paid a small fee. It tells you very little about their delivery capability, their financial health, or whether they have built anything of substance. Incorporation age, director history, filed accounts, and any county court judgments against the company all tell you considerably more. Most buyers never check any of this, which is precisely why it remains one of the most exploitable gaps in the UK agency procurement process.
Why UK contract law and GDPR change the risk profile
UK contract law provides real protections for buyers, but only if the contract you sign is properly drafted. A well-structured UK software contract will cover IP assignment, liability caps, data processing obligations, termination rights, and payment milestones. A poorly drafted one, or one drafted entirely to protect the agency, can leave you with no IP, no data protection coverage, and no clean exit. GDPR adds another layer: if the agency is handling any personal data on your behalf, the Data Protection Act 2018 and UK GDPR require a specific data processing agreement to be in place. Missing that agreement does not just create a legal exposure, it creates a regulatory one.
Red Flag 1 – They Cannot Show You a Verified UK Client Portfolio
A credible agency builds a track record over time. That track record should be verifiable. If the agency you are evaluating cannot point you to named UK clients, real case studies with measurable outcomes, or at least reference contacts willing to take a call, that is a serious problem. A portfolio page full of logos is not a verified client list. Logos can be lifted, borrowed, or listed without any meaningful project relationship. Ask for a named contact at two or three of the clients shown, and ask the agency to facilitate an introduction.
How to validate case studies beyond a website testimonial
Website testimonials are the weakest form of reference. They require no corroboration and they are trivially easy to fabricate. A stronger validation process involves three steps. First, ask for the name and direct contact of the person who commissioned the project, not just a generic company name. Second, ask them to describe one thing that went wrong on the project and how it was resolved. Every real project has friction. If the reference only has positive things to say with no nuance, treat that as a signal that the reference may not be genuine. Third, look at the referenced company on LinkedIn. Can you find the person named? Does the timeline match what the agency claims?
What to do when an NDA blocks all references
Some agencies will cite NDAs to explain why they cannot share client references. This happens legitimately, particularly in regulated sectors such as finance, healthcare, and government. When this is the case, ask the agency for an anonymised case study with verifiable technical detail: stack used, team size, timeline, scope, outcome metrics. If they cannot produce even an anonymised account, that is the flag, not the NDA. Legitimate agencies working under NDA still retain the ability to describe their work in technical and commercial terms without naming names.
Red Flag 2 – Their Pricing Doesn’t Reflect UK Market Rates
Pricing is one of the clearest signals of what you are actually buying. UK software development carries a real cost structure, shaped by London and regional market rates, employment obligations, and the overhead of running a legitimate professional services operation. When pricing looks dramatically lower than the market, there is always a reason, and it is rarely good for the buyer. Understanding the cost and risk analysis of hiring options in the UK is essential before you accept any commercial proposal from an agency.
What senior UK developer day rates actually look like in 2025
As of 2025, senior UK-based software engineers working through agencies typically command day rates between £550 and £900 depending on specialism, seniority, and location. Lead engineers, solution architects, and AI specialists sit at or above the top of that range. An agency quoting a team of senior engineers at rates that imply day costs below £300 is either using offshore labour without disclosing it, using junior developers misrepresented as senior, or planning to expand scope significantly after the initial contract is signed. None of those outcomes work in your favour.
Why a suspiciously low fixed-price quote is a trap, not a deal
Fixed-price contracts sound attractive because they appear to transfer risk from the buyer to the agency. In practice, a fixed-price quote without a thorough discovery and scoping phase is a commercial mechanism for getting the contract signed, not for delivering the product. Agencies that quote fixed prices on complex, under-specified projects almost always protect themselves through scope restrictions, change request fees, and delayed delivery timelines. The initial price becomes a floor, not a ceiling. By the time the scope disputes begin, you are already deep into the engagement with significant switching costs.
Discovery phase costs: what a legitimate UK agency charges upfront
A credible UK agency will charge for discovery. Expect to pay between £5,000 and £25,000 for a structured discovery and scoping phase, depending on project complexity. This phase produces a technical specification, a delivery plan, a risk register, and a basis for an accurate project cost estimate. Agencies that offer free discovery are typically absorbing that cost into an inflated delivery quote, or they are not conducting a real discovery at all. Free scoping is a commercial tactic. Paid discovery is a professional practice.
Red Flag 3 – They Haven’t Passed a Basic Companies House Check
Before you engage any agency commercially, spend ten minutes on Companies House. The public register gives you access to incorporation date, filed accounts, director history, confirmation statements, and any charges or insolvency proceedings. Most buyers never do this. Most agencies know most buyers never do this. The ones with something to hide are betting on your omission.
How to run a Companies House check in under 10 minutes
Search the agency’s registered company name on the Companies House public register. Confirm the company number matches what appears on their website or in their email footer. Review the most recent confirmation statement to verify the registered address is current. Check the filed accounts to understand the company’s financial position. Look at the persons with significant control. Verify the incorporation date. If the company was incorporated within the last twelve months and is pitching for a six-figure engagement, ask why. A company can be excellent and young, but youth combined with other flags warrants additional scrutiny.
What director history and incorporation age reveal
Director history is one of the most informative fields in a Companies House search. Look at previous companies associated with current directors. Have any of those companies been dissolved while carrying unpaid creditors? Has a director been associated with a significant number of short-lived companies? Director patterns are not conclusive proof of wrongdoing, but they are material to your risk assessment. Incorporation age matters because it gives you a sense of whether the agency has an operating history long enough to assess. Checking a director against the disqualified directors register takes less than two minutes and is almost never done by buyers.
Dormant shell companies and nominee director warning signs
Some agencies operate through shell company structures where the entity you are contracting with has no real assets, limited filed accounts, and nominee directors who hold the position on paper without exercising real control. If the company you are contracting with is dormant or recently activated, if the accounts show no meaningful revenue, or if the directors are individuals with no traceable professional identity, these are serious structural flags. You want to know that the entity signing the contract with you has real assets, real people, and real accountability behind it.
Red Flag 4 – The Contract Is Vague on IP Ownership and Code Rights
Intellectual property is the most commercially significant clause in any software contract, and it is the one most frequently drafted in the agency’s favour by default. Under UK copyright law, code written by an employee is owned by the employer, not the employee. Code written by a contractor is owned by the contractor unless explicitly assigned in writing. If the agency uses contractors, and many do, and if the contract does not contain an explicit IP assignment clause covering contractor-produced work, you may not own the code you have paid for. That is not a theoretical risk. It has played out in UK commercial disputes repeatedly.
What a proper IP transfer clause looks like in a UK software contract
A proper IP assignment clause should state that all intellectual property created in connection with the engagement, including code, documentation, designs, and derivative works, transfers to the client upon full payment. It should explicitly cover works created by subcontractors and employees of the agency. It should include a present-tense assignment rather than an agreement to assign in the future. It should also address any pre-existing IP that the agency incorporates into the deliverable, specifying what licence rights you receive for that pre-existing IP and on what terms. If the contract you are reviewing does not contain this, do not sign without amendment.
Vendor lock-in through proprietary frameworks and hosted-only code
A more sophisticated form of IP capture is technical lock-in. Some agencies build on proprietary internal frameworks that are not open source and are owned by the agency. Others deploy code to hosting environments they control, providing clients with a running application but not the source code or the ability to migrate. Both of these structures limit your ability to take the product elsewhere. Ask explicitly: will I receive the full source code in a format I can deploy independently? Will the codebase use open, auditable, third-party frameworks, or does any part of the stack require a continuing relationship with this agency to function?
GDPR outsourcing liability – who is data controller, who is processor
If the software you are commissioning will handle personal data, the GDPR distinction between data controller and data processor is commercially critical. You, as the business deploying the software, are almost certainly the data controller. The agency, to the extent it processes personal data in the course of building or operating the system, is a data processor. UK GDPR Article 28 requires a written data processing agreement to be in place between controller and processor. Without one, you are in breach of your data protection obligations. Review the ICO guidance on controller and processor contracts before accepting any agency’s standard contract terms as GDPR-compliant. Many are not.
Red Flag 5 – No Clear Discovery or Scoping Phase
Discovery is the phase where requirements are clarified, technical constraints are identified, delivery risk is mapped, and project cost is accurately estimated. It is not optional. Agencies that skip it are not being efficient. They are either pricing blind, which results in costly corrections later, or they are deliberately keeping the specification vague so they can expand scope and revenue during delivery. Both outcomes damage the buyer.
Why skipping discovery is a revenue signal, not an efficiency one
When an agency offers to move straight from a sales call to a statement of work and contract signature, they are prioritising contract closure over project success. Discovery costs time and money. Agencies that absorb or skip discovery are making a commercial bet that the discovery cost will be recovered through scope changes, timeline overruns, or project extensions. They are not doing you a favour by moving fast. They are removing the stage in the process that protects you most. A reliable agency will insist on discovery before committing to a delivery plan, because they know that skipping it creates problems for both sides.
Fixed price without SOW: the contract structure that always ends badly
A statement of work is the document that defines what is being built, to what specification, by when, and at what cost. A fixed-price contract without a detailed SOW is a contract for a dispute. When the agency says the feature you expected was out of scope, and you say it was never discussed as out of scope, the SOW is the document that resolves that question. Without it, there is nothing to resolve it with, and the agency holds most of the leverage because they control the delivery timeline and the codebase. Never sign a fixed-price or milestone-based contract without a detailed, mutually agreed SOW attached.
Red Flag 6 – Senior Bait-and-Switch on the Delivery Team
One of the most consistent complaints from buyers of UK software development services is that the team they were sold in the pitch is not the team that delivered the project. The sales engagement features senior engineers, experienced architects, and a credible technical lead. The delivery engagement features junior developers supervised loosely by someone who is simultaneously running three other projects. This is not accidental. It is a margin optimisation strategy, and it is entirely legal unless you have contractually locked the key personnel to your project.
How to identify who will actually build your product
Before signing, ask the agency to name the specific individuals who will be assigned to your project. Ask for their LinkedIn profiles. Ask what percentage of their time will be allocated to your engagement. Ask what happens if a named team member leaves the project. If the agency cannot or will not name specific team members at this stage, that is the flag. Credible agencies can tell you precisely who is being assigned to your project before the contract is signed, because they have done the resourcing plan. Agencies that cannot name the team are either over-committed or have not done the resourcing yet.
IR35 and its implications when UK agencies use contractor-heavy teams
Many UK software agencies staff delivery teams heavily with contractors rather than employees. This has implications for you as the end client. Under the post-2021 IR35 rules, medium and large UK businesses engaging labour through intermediaries may have deemed employment obligations. More practically, contractor-heavy teams introduce higher team turnover risk, lower institutional knowledge, and different IP ownership dynamics as noted above. Ask the agency whether the engineers assigned to your project are employees or contractors. Ask how they manage continuity risk when contractors rotate off. Review HMRC’s IR35 guidance if you are uncertain about the downstream tax and employment status implications for your organisation.
Red Flag 7 – Weak or Missing QA and Testing Process
Quality assurance is one of the first areas that gets compressed when an agency is behind schedule or over budget. It is also one of the areas that buyers least often scrutinise during the sales process, because the consequences of poor QA tend to emerge post-launch when the relationship is already locked in. A serious agency will have a defined QA process that is documented, resourced, and integrated into the delivery timeline, not bolted on as an afterthought in the final sprint.
Questions to ask about automated vs manual testing
Ask specifically about the balance between automated and manual testing. A mature delivery process will include unit tests, integration tests, and end-to-end automated tests as part of the standard development workflow, not as optional extras. Manual testing should cover usability, edge cases, and user acceptance. Ask what test coverage percentage is standard for their deliverables. Ask who is responsible for writing tests: is it the developer, a dedicated QA engineer, or no one? Ask to see a sample test report or QA sign-off document from a previous project. Agencies that cannot produce these documents either do not have them or do not want you to see them.
What a proper QA sign-off process looks like
A defensible QA process includes formal sign-off gates at defined milestones. Before any release, including staging releases, a QA sign-off document should record what was tested, by whom, against which acceptance criteria, and what the outcome was. Bug severity classifications should be documented, with explicit rules about which severity levels block release. User acceptance testing should involve the client, and sign-off from the client side should be captured before production deployment. If the agency’s process is to deploy to production and then ask the client to report bugs, that is not a QA process. That is a QA absence dressed as an agile practice.
Red Flag 8 – Poor Communication Structure and No Defined Escalation Path
Communication failures cause more project breakdowns than technical failures. The patterns that predict communication problems are almost always visible before the contract is signed, if you know what to look for. The agency that takes four days to respond to a pre-sales query, that gives vague answers to direct questions, or that cannot explain its delivery methodology in plain language is showing you what the relationship will feel like once you are paying for it.
Red flags in the sales process that predict delivery communication
Slow response times to pre-contract questions are the single most reliable predictor of poor delivery communication. Agencies that are responsive, specific, and organised during the sales process tend to maintain those qualities during delivery. Agencies that are vague, inconsistent, or hard to reach during sales almost never improve once the contract is signed. Beyond response times, watch for inconsistency between what different team members tell you, over-reliance on presentations over direct conversation, and the absence of anyone with genuine technical authority in the sales meetings.
What agile ceremonies should actually include (and what agencies skip)
Most UK software agencies will describe their delivery methodology as agile. Agile means different things in different organisations. At minimum, a properly run agile engagement should include sprint planning with clearly defined and sized stories, daily standups at a fixed time with client visibility, sprint review meetings where working software is demonstrated, and retrospectives that produce documented actions. What many agencies skip is the sprint review and the retrospective. These are the ceremonies that surface problems early and create accountability. An agency that cannot describe these ceremonies in specific operational detail, or that waves them away as unnecessary overhead, does not run a mature delivery process.
Red Flag 9 – No Post-Launch Support Plan or SLA
The period immediately after a software launch is statistically the highest-risk phase of a project. Real users encounter edge cases that testing missed. Load patterns differ from estimates. Integration endpoints behave differently in production than in staging. A reliable agency plans for this. An unreliable one treats launch as the end of the relationship, hands over credentials, and moves on to the next sales cycle.
Why post-launch is where budget surprises happen
Without a defined post-launch support arrangement, every issue that emerges after deployment becomes a separately priced engagement. The agency holds significant leverage at this point: they know the codebase, you need the fixes, and you are exposed to user-facing failures. Some agencies deliberately underprice the build and reprice the support. Others simply have no structured support offering and improvise reactively, which means response times are unpredictable and costs are unbudgeted. Either way, the absence of a post-launch support plan in the original contract is a structural gap that tends to become expensive.
What a defensible SLA looks like in a UK software contract
A service level agreement for post-launch support should define incident severity classifications, target response times for each severity level, and target resolution times. It should specify support hours, how to raise an incident, who will handle it, and what the escalation path is if the initial response is insufficient. It should define what is covered under the support arrangement and what constitutes out-of-scope new development. The SLA should carry a financial remedy for breach, even if the remedy is modest, because a contractual obligation without a remedy is a request, not a commitment.
Red Flag 10 – They Resist a Technical Due Diligence Review
A pre-contract technical audit is one of the most powerful buyer protections available when evaluating a software agency. It involves an independent technical reviewer examining the agency’s proposed architecture, reviewing code samples from previous projects, assessing their toolchain and development practices, and stress-testing their delivery plan. Agencies with strong technical practices welcome this. Agencies with weak technical practices resist it, because it surfaces gaps they would prefer you not to discover until after the contract is signed.
What a pre-contract technical audit covers
A well-scoped pre-contract technical audit should cover code quality assessment from samples provided by the agency, architecture review of the proposed technical design, security posture review, DevOps and deployment practice review, and an assessment of the agency’s approach to technical debt and documentation. The audit does not need to be exhaustive to be valuable. Even a half-day review by a competent independent technologist will surface signals about whether the agency’s technical practice matches the claims made in sales. For a six or seven-figure engagement, the cost of a technical audit is negligible relative to the risk it mitigates.
How to bring in an independent technical reviewer without derailing the deal
The most common objection to technical due diligence is that it will damage the relationship with the agency before the engagement starts. In practice, the reverse is true. Agencies that respond positively to a technical review request are demonstrating the kind of professional confidence that characterises reliable partners. Frame the request as standard procurement practice rather than a trust challenge. Many clients who work with agencies like Software AG and Foundry 5 treat technical review as a non-negotiable part of their procurement process, not as an exceptional measure. If the agency you are evaluating treats a request for technical review as a deal-breaker, that response is the most informative data point they have given you.
Quick Reference – Red Flag Checklist Before You Sign
- Red Flag 1: No verified UK client references with named contacts willing to speak.
- Red Flag 2: Pricing is significantly below UK market rates for the seniority level claimed.
- Red Flag 3: Company fails a basic Companies House check on age, accounts, or director history.
- Red Flag 4: Contract is vague or silent on IP assignment, contractor-produced work, and GDPR obligations.
- Red Flag 5: No structured discovery or scoping phase before a fixed-price contract is offered.
- Red Flag 6: Agency cannot name the specific individuals who will deliver your project before signing.
- Red Flag 7: No documented QA process, no test coverage standards, no formal release sign-off procedure.
- Red Flag 8: Slow or vague responses during the sales process; no defined delivery communication structure.
- Red Flag 9: No post-launch support plan or SLA included in the initial contract.
- Red Flag 10: Agency resists or discourages a pre-contract independent technical review.
Frequently Asked Questions
What are the biggest red flags when hiring a UK software agency?
The most commercially damaging red flags when hiring a UK software agency are: inability to provide verified UK client references, pricing that does not reflect UK market rates, vague IP assignment in the contract, no structured discovery phase, and resistance to independent technical due diligence. These five flags alone account for the majority of project failures and commercial disputes in the UK agency market.
How do you vet a UK software development company before signing a contract?
Start with a Companies House check to verify incorporation age, filed accounts, and director history. Request named references and speak to them directly. Review the contract terms for IP assignment and GDPR data processing obligations. Ask for the CV or LinkedIn profile of the specific engineers assigned to your project. Request code samples from previous work and consider commissioning a pre-contract technical audit for high-value engagements.
What should a UK software agency contract include?
A robust UK software agency contract should include a detailed statement of work, explicit IP assignment covering both employee and contractor-produced work, a data processing agreement compliant with UK GDPR, milestone-based payment terms linked to deliverable acceptance, defined SLAs for post-launch support, key personnel provisions, liability caps, and clear termination rights including provisions for code handover on termination.
How much does it cost to hire a reputable software agency in the UK?
A credible UK-based software agency with senior engineers will typically charge between £550 and £900 per engineer day. Discovery and scoping phases for complex projects cost between £5,000 and £25,000. A full bespoke software build for a serious commercial application typically runs from £80,000 to well over £500,000 depending on scope, team size, and duration. Agencies quoting significantly below these benchmarks are almost certainly not delivering the seniority or quality profile represented.
Can I check if a UK software agency is legitimate using Companies House?
Yes. The Companies House public register is free and open to anyone. You can verify the agency’s registered company number, review their filed accounts, check the incorporation date, review director history, check for any charges or insolvency proceedings, and look at the persons with significant control. This check takes less than ten minutes and provides more reliable information about the agency’s legitimacy than any claim made on their website.
Conclusion – Hire Slow, Ship Right
The UK software agency market contains excellent partners and significant risk in roughly equal measure. The agencies that cause the most damage are not always obvious. They have polished websites, credible pitch decks, and confident sales teams. The difference between a partner that delivers and one that does not is almost always visible before you sign, if you know the right questions to ask and the right records to check. This guide gives you that framework. Use it as your baseline, and treat any agency that cannot satisfy these ten checks as a commercial risk not worth taking.
If you are evaluating the top software and AI partners in London and want to work with a team that welcomes references, technical review, and transparent discovery, Foundry 5 is a custom software and AI development agency based in London that builds serious commercial products for UK businesses. Reach out to arrange a discovery call and see how a properly structured engagement should begin.