Forty prompts to use when evaluating AI vendors — organized by category, copy-paste ready. Use them in procurement calls, RFP questionnaires, vendor security reviews, or renewal negotiations. A vendor who cannot answer clearly in any category has a governance gap worth documenting before you sign.
These prompts work for any AI vendor: model APIs (OpenAI, Anthropic, Google, Cohere), AI-powered SaaS tools (Notion AI, Salesforce Einstein, HubSpot AI), and developer infrastructure (AI hosting, vector databases, embedding services).
Category 1: Data Handling and Privacy (8 prompts)
These are the most important prompts. Send them in writing before your first call. Verbal answers are not binding.
1. "Does your platform train on data submitted through the API or product? If yes, what is the opt-out process, and is opt-out available on our plan tier?"
2. "Where is our data stored geographically? Do you offer data residency in [EU / US / specific region]? Is this a paid add-on or included?"
3. "Who within your organization has access to prompts and completions submitted through our account? Under what circumstances does your team access customer data?"
4. "Do you use subprocessors to process customer data? Please provide your current subprocessor list and notify us of any changes before they take effect."
5. "What is the data retention period for our prompts, completions, and usage logs? Can we request deletion of our data before the retention period expires?"
6. "Do you offer a Data Processing Agreement (DPA) for GDPR compliance? Is the DPA included in the standard contract, or is it a separate negotiated document?"
7. "How do you handle data submitted via the API when we use it to process personal data of EU residents? What legal basis do you rely on for processing?"
8. "If we terminate the contract, what happens to our data? What is the timeline for deletion, and do you provide written confirmation?"
Category 2: Security Posture (7 prompts)
9. "Do you have a SOC 2 Type II certification? Can you share the report under NDA? What is the audit period covered and the name of the auditing firm?"
10. "How do you manage API key security? Do you support key scoping (per-project or per-environment keys), key rotation, and key expiry?"
11. "Have you had any security incidents or data breaches in the past 24 months? If yes, what was the nature of the incident, what data was affected, and how was it remediated?"
12. "Do you conduct annual penetration tests? Who conducts the tests, and can you share the most recent executive summary or scope document?"
13. "How do you handle vulnerability disclosure? Do you have a public CVE program or security advisory feed we can subscribe to?"
14. "What encryption standards do you use for data in transit and at rest? Do you support customer-managed encryption keys (CMEK)?"
15. "What is your policy regarding employees accessing customer data for model improvement, debugging, or support purposes? Is there an audit trail?"
Category 3: Compliance and Certifications (6 prompts)
16. "What compliance certifications do you hold? (e.g., SOC 2, ISO 27001, ISO 42001, HIPAA BAA availability, FedRAMP, CSA STAR)"
17. "Under the EU AI Act, how do you classify your AI system? If it is classified as a general-purpose AI model, have you published the required transparency documentation?"
18. "Are you able to sign a HIPAA Business Associate Agreement (BAA)? Is this available on standard commercial plans, or only enterprise?"
19. "For GDPR purposes, do you act as a data processor or data controller for data submitted through the API? How does this affect our obligations as the data controller?"
20. "If our use case involves automated decisions that affect individuals (hiring, credit, healthcare), how does your platform support our obligation to document decision logic and provide human review?"
21. "Are you subject to any regulatory investigations, consent orders, or enforcement actions in the past 36 months? Please disclose any open matters."
Category 4: Reliability and SLA (7 prompts)
22. "What is your uptime SLA? Is this a target or a contractually guaranteed commitment? What are the financial remedies if SLA is breached?"
23. "What is the typical and maximum API latency for our expected request volume? Do you publish historical latency data?"
24. "What are the rate limits on our plan tier? Do rate limits apply per minute, per day, or per month? What happens when we exceed them — hard fail or degraded service?"
25. "How do you notify customers of planned maintenance, degraded service, or outages? What is your target time-to-notify after an incident begins?"
26. "Do you offer a status page with real-time and historical uptime data? Can we subscribe to incident notifications?"
27. "What is your policy for API versioning and deprecation? How much notice do you give before deprecating an API version we depend on?"
28. "Have there been any service outages lasting more than 1 hour in the past 12 months? Please provide the dates and durations."
Category 5: Contract and Exit Terms (6 prompts)
29. "What is the data deletion process and timeline when we terminate the contract? Do you provide written confirmation of deletion?"
30. "What is the liability cap in your standard contract? Does it cover direct damages only, or consequential damages as well? Is the cap tied to fees paid?"
31. "Do you have a right to change pricing or terms unilaterally during the contract term? What is the notice period for material changes?"
32. "What are the contract terms for the subprocessor list? Are we notified before changes take effect, and do we have a right to object?"
33. "What happens to our data, configurations, fine-tuned models, or embeddings if you are acquired, merge with another company, or cease operations?"
34. "Is there an escrow arrangement for source code or model weights in the event of vendor insolvency or acquisition?"
Category 6: Incident Response and Support (6 prompts)
35. "What is your contractual commitment for breach notification? Specifically, how many hours from discovery of a breach to notification of affected customers?"
36. "Who is our dedicated security contact for incident escalation? Is this a named individual or a shared alias? What is the expected response time for P1 security issues?"
37. "Can you describe the last significant incident that affected customers? What was the root cause, timeline, and remediation? What changed in your process afterward?"
38. "What information do you include in incident notifications to customers? Do you disclose root cause, data affected, scope of exposure, and remediation steps?"
39. "If our use of your platform causes or contributes to a data breach under GDPR or CCPA, what is your role in the breach notification process? What information will you provide to us?"
40. "Do you have a dedicated security or trust page where you publish past incident reports, certifications, and security policies? Please provide the URL."
How to Use These Prompts
Before any call: Send Categories 1, 3, and 5 in writing. Written responses are evidence. Vendors who answer verbally but cannot put it in writing are telling you something.
On a 30-minute security call: Work through Category 2 (security posture) and Category 6 (incident response). Ask for the SOC 2 report by end of call.
During contract review: Use Category 5 prompts as a checklist against the draft agreement. Any gap between verbal commitment and contract language is a negotiation point.
At annual renewal: Re-send Category 1 and 4 prompts to check for changes. AI vendors update terms, subprocessors, and SLAs frequently — a one-time review is insufficient governance.
Scoring: For each category, score the vendor 1–3:
- 3 = clear, documented, contractual commitment
- 2 = verbal commitment or policy page reference (follow up in writing)
- 1 = unclear, deflected, or "it depends"
A vendor with a score below 2 in Categories 1 or 2 warrants escalation before signing.
Use the AI Tool Register Template to document vendor responses in one place. For a full due diligence workflow before onboarding a new AI vendor, see the 30-Minute AI Vendor Due Diligence Checklist.
