What security certifications should I look for in an AI vendor?

SOC 2 Type II is the baseline for enterprise AI vendors. For EU operations, check for ISO 27001. Both certify that the vendor has audited security controls, not just policies.

What is a Data Processing Agreement (DPA) and do I need one?

A DPA is a contract that governs how a vendor processes personal data on your behalf. Under GDPR, you are legally required to have one with any vendor processing personal data. Most major AI vendors offer standard DPAs on request.

Does using an AI API expose our data to training?

It depends on the vendor and tier. Most enterprise API tiers explicitly exclude training on your data. Check the vendor's data policy page — or use our Vendor Scorecard to compare at a glance.

What's the biggest security risk with AI tools?

Accidental data leakage: employees pasting sensitive client data, source code, or PII into AI tools not covered by a DPA. The fix is a clear policy on what data can go into which tools — not a blanket ban.

Vendor Security

AI Vendor Security for Small Teams

Every AI tool you adopt is a potential data exposure point. This hub covers how to assess AI vendor security, what certifications to look for, and the minimum due diligence every small team should do before signing up.

Start here

Pillar guide

AI Vendor Due Diligence in 30 Minutes (Questions + Scoring Sheet)

A fast procurement pass for AI vendors: the questions that matter, a simple risk score, and how to document evidence when the team has no procurement desk.

9 min read

Related guides

Governance · 12 min

When Your AI Vendor Has a Security Incident

An AI vendor security incident on a tool you depend on is still your governance problem. This practical guide helps small teams assess scope, rotate credentials, update threat models, and document decisions — without waiting for confirmed harm.

Governance · 11 min

AI Developer Tool Vendor Security — 10 Questions to Ask

Choosing an AI developer tool without vendor security questions invites supply-chain surprises. Use these ten prompts — build hygiene, disclosure culture, telemetry, SBOM — before you standardise an AI developer tool across your team.

Frequently Asked Questions

What security certifications should I look for in an AI vendor?: SOC 2 Type II is the baseline for enterprise AI vendors. For EU operations, check for ISO 27001. Both certify that the vendor has audited security controls, not just policies.
What is a Data Processing Agreement (DPA) and do I need one?: A DPA is a contract that governs how a vendor processes personal data on your behalf. Under GDPR, you are legally required to have one with any vendor processing personal data. Most major AI vendors offer standard DPAs on request.
Does using an AI API expose our data to training?: It depends on the vendor and tier. Most enterprise API tiers explicitly exclude training on your data. Check the vendor's data policy page — or use our Vendor Scorecard to compare at a glance.
What's the biggest security risk with AI tools?: Accidental data leakage: employees pasting sensitive client data, source code, or PII into AI tools not covered by a DPA. The fix is a clear policy on what data can go into which tools — not a blanket ban.

Vendor Security

AI Vendor Security for Small Teams

Start here

Pillar guide

AI Vendor Due Diligence in 30 Minutes (Questions + Scoring Sheet)

A fast procurement pass for AI vendors: the questions that matter, a simple risk score, and how to document evidence when the team has no procurement desk.

9 min read

Related guides

Governance · 12 min

When Your AI Vendor Has a Security Incident

Governance · 11 min

AI Developer Tool Vendor Security — 10 Questions to Ask

Frequently Asked Questions

What security certifications should I look for in an AI vendor?: SOC 2 Type II is the baseline for enterprise AI vendors. For EU operations, check for ISO 27001. Both certify that the vendor has audited security controls, not just policies.
What is a Data Processing Agreement (DPA) and do I need one?: A DPA is a contract that governs how a vendor processes personal data on your behalf. Under GDPR, you are legally required to have one with any vendor processing personal data. Most major AI vendors offer standard DPAs on request.
Does using an AI API expose our data to training?: It depends on the vendor and tier. Most enterprise API tiers explicitly exclude training on your data. Check the vendor's data policy page — or use our Vendor Scorecard to compare at a glance.
What's the biggest security risk with AI tools?: Accidental data leakage: employees pasting sensitive client data, source code, or PII into AI tools not covered by a DPA. The fix is a clear policy on what data can go into which tools — not a blanket ban.

Frequently Asked Questions

Get governance updates by email

Frequently Asked Questions

Get governance updates by email