What should I look for in an AI vendor's data policy?

Look for clear answers on where your data is stored, whether it is used to train models, how long it is retained, and whether you can opt out of training. Ask for the data processing agreement (DPA) before signing.

Do small teams need a formal AI vendor review process?

Yes. Even a one-page checklist run in 30 minutes prevents the most common mistakes: signing up for a tool that trains on your data, missing GDPR obligations, or locking in without an exit clause.

How often should we re-evaluate AI vendors?

Annually, or whenever a vendor announces a major policy change, changes ownership, or when your data classification requirements change.

AI Policy Desk · Templates

AI Vendor Evaluation Checklist for Small Teams

A practical checklist for evaluating AI vendors before you sign: data handling, security, compliance, and exit clauses — in under 30 minutes.

Back to blog

AI Vendor Evaluation Checklist for Small Teams

Before you give an AI vendor access to your data — even indirectly via prompts — run through this checklist. It takes under 30 minutes and catches the issues that cause problems later.

Start here (5 minutes)

Prefer a faster “pass/fail + score” version? Use AI Vendor Due Diligence in 30 Minutes.
If you have not defined data rules yet, start with AI Policy Starter Kit so vendor questions map to policy.
For ongoing oversight, adopt the Lightweight AI Governance Operating Rhythm.

1. Data handling

Where is data processed? Confirm the data region (EU, US, etc.) matches your obligations.
Is data used to train models? Get a written answer. Many consumer tiers say yes by default.
Can you opt out of training? If yes, is it account-level or requires a paid tier?
How long is data retained? Prompts, outputs, and conversation history.
Do they have a Data Processing Agreement (DPA)? Required for GDPR. Request it before signing.

2. Security

SOC 2 Type II or ISO 27001? Ask for the report or check their trust page.
SSO / SAML support? Centralised auth matters as the team grows.
Audit logs available? Can you see who used the tool and when?
Subprocessors disclosed? They should list third-party services that touch your data.

3. Compliance & legal

GDPR / CCPA compliant? Don't assume — verify via their privacy policy or DPA.
Industry-specific requirements met? HIPAA, PCI, SOC 2 if relevant to your sector.
Liability clause reasonable? Some AI vendors disclaim all liability for outputs.
IP ownership clear? Who owns content you generate using their tool?

4. Operational risk

Pricing model stable? Free tiers disappear. Understand the paid path early.
API or export available? Can you get your data out if you need to switch?
SLA / uptime commitment? If the tool is business-critical, you need a commitment.
Support channel and response time? For enterprise/team plans, not just docs.

5. Exit and lock-in

Can you export all data on cancellation?
Cancellation notice period? Month-to-month vs annual lock-in.
What happens to your data after cancellation? Deletion timeline should be documented.

Scoring and decision

Run this with your IT or security contact. Any red (data trains models, no DPA, no export) should trigger a conversation before sign-off — not after.

A vendor that cannot answer these questions in writing is a risk. Document the answers alongside the contract.