What should I look for in an AI vendor's data policy?

Look for clear answers on where your data is stored, whether it is used to train models, how long it is retained, and whether you can opt out of training. Ask for the data processing agreement (DPA) before signing.

Do small teams need a formal AI vendor review process?

Yes. Even a one-page checklist run in 30 minutes prevents the most common mistakes: signing up for a tool that trains on your data, missing GDPR obligations, or locking in without an exit clause.

How often should we re-evaluate AI vendors?

Annually, or whenever a vendor announces a major policy change, changes ownership, or when your data classification requirements change.

AI Vendor Evaluation Checklist for Small Te…

Where is data processed? Confirm the data region (EU, US, etc.) matches your obligations.

Is data used to train models? Get a written answer. Many consumer tiers say yes by default.

Can you opt out of training? If yes, is it account-level or requires a paid tier?

How long is data retained? Prompts, outputs, and conversation history.

Do they have a Data Processing Agreement (DPA)? Required for GDPR. Request it before signing.

AI Vendor Evaluation Checklist for Small Teams