AI Vendor Due Diligence in 30 Minutes (Questions + Scoring Sheet)
The 30-minute workflow:
| Minutes | Task | Decision |
|---|---|---|
| 0-5 | Pass/fail gate, 5 binary questions | 2+ "no" on customer data = pause pilot |
| 5-20 | Deep questions, data lifecycle, security, model behavior | Document in notes doc |
| 20-25 | Score each area 1-3 | 9-15 proceed, 6-8 add controls, ≤5 find alternative |
| 25-30 | File evidence, store with invoice, set renewal reminder | Done |
The 5 gate questions (5 minutes):
- Can enterprise customers opt out of training on customer content?
- Is a DPA available and countersignable?
- Are subprocessors listed with geography?
- Are SOC 2 Type II / ISO 27001 reports available under NDA?
- Can you export prompts and outputs or audit logs on demand?
Two or more "no" answers for a use case touching customer data: pause the pilot until leadership accepts the risk in writing.
TL;DR: 30-minute AI vendor due diligence: 5 pass/fail gate questions (training opt-out, DPA available, subprocessors listed, SOC 2/ISO 27001, audit log export), two or more 'no' answers on customer data use cases = pause the pilot. Then 8 deep questions on data lifecycle, security, and model behavior. Score 1-3 per area: 9-15 proceed, 6-8 add controls, 5 or below find an alternative. Store the completed sheet with your vendor invoice and set a renewal reminder 30 days before contract end.
Enterprise vendor questionnaires assume dedicated security engineers. This version assumes you have a calendar opening, a notes doc, and the willingness to say no to vendors who cannot answer basic data questions.
When to use this
- Evaluating SaaS assistants, hosted inference APIs, or bundled copilots
- Renewing a contract that predates your AI policy
- Comparing two vendors before you standardise a workflow
Pair this page with the AI vendor due diligence checklist so you store consistent evidence.
The pass/fail gate (5 minutes)
Ask the vendor, or read their docs, for these binary answers:
- Can enterprise customers opt out of training on customer content?
- Is a Data Processing Agreement (DPA) available and countersignable?
- Are subprocessors listed with geography?
- Are SOC 2 Type II / ISO 27001 reports available under NDA?
- Can you export prompts and outputs or at least audit logs on demand?
If you get two or more "no" answers for a use case touching customer data, pause the pilot until leadership accepts the residual risk in writing.
Deep questions (15 minutes)
Data lifecycle
- What is the default retention for prompts, outputs, and embeddings?
- Who can access customer content for support debugging?
- How fast can you delete data on exit: hours, days, or "contact legal"?
Security + reliability
- How does the vendor separate tenants at the application and model layers?
- What SLAs apply to uptime and inference latency, and what are the remedies?
- How are incidents communicated: status page, email, contractual notice?
Model behaviour
- Are customers liable for outputs produced with default prompting?
- What safety filters exist, and can they be tuned for regulated domains?
Scoring sheet (copy into your doc)
Rate each area 1 (weak) to 3 (strong):
| Area | Notes | Score |
|---|---|---|
| Data control | | |
| Transparency | | |
| Security proofs | | |
| Exit + portability | | |
| Commercial fit | | |
9-15: proceed with standard contract language
6-8: proceed with compensating controls (logging, redaction, human review)
≤5: find an alternative or limit to non-production experiments
How to document the decision
- Store the completed checklist in your policy repository
- Link the vendor record inside your AI governance guide
- Add a calendar reminder 30 days before renewal to re-run scoring
Contract Red Lines: What to Add Before Signing
Most small teams accept vendor contracts as-is. That is fine for low-risk internal tools. For any AI vendor that touches customer data, production workflows, or regulated information, three clauses are worth pushing for. Even in non-negotiated agreements, the vendor's standard addenda often include them.
Data deletion on termination. Confirm that customer content (prompts, outputs, embeddings, fine-tuning data) is deleted within a defined window after contract end. "Contact legal to arrange deletion" is not a commitment. Look for a specific timeframe (30 days is standard for enterprise AI vendors; 90 days is acceptable). If the vendor cannot provide a deletion window, that belongs in your risk notes.
Subprocessor notification. AI vendors frequently change the underlying model providers, cloud regions, or processing partners without announcement. A subprocessor notification clause requires the vendor to give you advance notice (typically 10-30 days) before adding a new subprocessor. This matters for GDPR compliance: your DPA is only as current as the subprocessor list.
Incident notification timeline. Require written notice within 72 hours of a security incident affecting your data. This aligns with GDPR's breach notification obligation to supervisory authorities. Some AI vendor contracts default to "commercially reasonable time"; that is not a compliance-grade commitment.
If the vendor's standard agreement does not include these terms, ask whether they have a data protection addendum (DPA) or enterprise agreement that does. Most mature AI vendors (OpenAI, Anthropic, Google, Microsoft) have these available; they just are not linked in the signup flow.
Ongoing Vendor Review: The Annual Renewal Check
Due diligence at onboarding is a start. The governance gap most teams miss is what happens at renewal.
AI vendors change their terms more frequently than traditional SaaS vendors: model versions change, training data policies update, subprocessors rotate. A vendor that passed your gate questions 18 months ago may have changed their training opt-out defaults, added a new subprocessor in a jurisdiction that creates GDPR complications, or updated their data retention terms.
Set a calendar reminder 30 days before each AI vendor contract renewal. At renewal, re-run the five gate questions. If anything has changed, update your vendor record and escalate if a previously passing question now fails.
The renewal check takes 15 minutes. It is the most common governance action that small teams skip and the one most likely to surface a changed risk before it becomes an incident.
Three specific things to check at renewal:
- Training data policy. Has the vendor's opt-out default changed? Some vendors have shifted from opt-out-by-default to opt-in-only, requiring an affirmative action from enterprise customers to protect their data. Verify the current state in the vendor's privacy documentation, not your memory of the onboarding terms.
- Subprocessor list. Compare the current published subprocessor list against the version you reviewed at onboarding. New subprocessors in new geographies may create GDPR complications: your DPA covers the subprocessors listed when you signed, not additions made afterward.
- SOC 2 / ISO 27001 report vintage. Security certifications expire and are re-audited annually. If your vendor's SOC 2 report is more than 18 months old, ask when the next audit cycle will be published. An outdated report is not necessarily a red flag, but a vendor who cannot tell you when their next report is due is.
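The gate rule, the 1-3 scoring bands and the two renewal checks above (the 30-day reminder and the 18-month SOC 2 report age) encoded as one evaluation record, so the same decision logic is applied at onboarding and at every renewal. This is an added Python example, not code from the original page; the question and area key names, the class name and the constructed vendor values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Assumed key names for the five gate questions and five scoring areas.
GATE_QUESTIONS = ("training_opt_out", "dpa_available", "subprocessors_listed",
                  "soc2_or_iso27001_under_nda", "audit_log_export")
SCORE_AREAS = ("data_control", "transparency", "security_proofs",
               "exit_portability", "commercial_fit")


@dataclass
class VendorEvaluation:
    vendor: str
    touches_customer_data: bool
    gate: Dict[str, bool]    # gate question -> True for "yes", False for "no"
    scores: Dict[str, int]   # scoring area -> 1 (weak) .. 3 (strong)
    contract_end: date
    soc2_report_date: Optional[date] = None

    def gate_failed(self) -> bool:
        """Pause rule: two or more "no" answers on a customer-data use case."""
        noes = sum(1 for q in GATE_QUESTIONS if not self.gate[q])  # KeyError if unanswered
        return self.touches_customer_data and noes >= 2

    def total_score(self) -> int:
        """Sum of the five 1-3 area scores, so the total lies in 5..15."""
        if any(self.scores.get(a) not in (1, 2, 3) for a in SCORE_AREAS):
            raise ValueError("every area needs a score of 1, 2 or 3")
        return sum(self.scores[a] for a in SCORE_AREAS)

    def decision(self) -> str:
        """Gate first, then the 9-15 / 6-8 / 5-or-below bands from the sheet."""
        if self.gate_failed():
            return "pause pilot until leadership accepts the risk in writing"
        total = self.total_score()
        if total >= 9:
            return "proceed with standard contract language"
        if total >= 6:
            return "proceed with compensating controls"
        return "find an alternative or limit to non-production experiments"

    def renewal_reminder(self) -> date:
        """Calendar reminder to re-run the gate questions 30 days before renewal."""
        return self.contract_end - timedelta(days=30)

    def soc2_report_stale(self, today: date) -> bool:
        """True when there is no report or it is more than 18 calendar months old."""
        d = self.soc2_report_date
        if d is None:
            return True
        # Whole calendar months elapsed; a partial month does not count.
        months = (today.year - d.year) * 12 + today.month - d.month - (today.day < d.day)
        return months > 18
```

Store the filled-in record with the vendor invoice; at renewal, re-create it from the vendor's current documentation and compare the two decisions.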
The Procurement Email Template
When evaluating a new AI vendor, send this before your first call. A vendor that responds quickly and completely to written questions before a sales conversation is showing you a reliable indicator of operational maturity.
Subject: Security and data processing questions, [Vendor Name] evaluation
Hi [Vendor contact],
We are evaluating [Vendor Name] for [use case description]. Before we proceed to a trial, I need answers to a few data handling and security questions.
1. Can enterprise customers opt out of using our prompts and outputs to train or improve your models? If yes, is this the default or does it require a configuration change?
2. Do you have a Data Processing Agreement (DPA) available? If yes, can you send the current version or a link?
3. Where is your current subprocessor list published? Does it include the geographic region for each subprocessor?
4. Are SOC 2 Type II or ISO 27001 reports available under NDA? What is the most recent audit date?
5. Can we export our prompt history and outputs on demand, or request an audit log? What format does this take?
6. What is your default retention period for customer prompts and outputs?
7. What is your incident notification timeline if customer data is affected by a security event?
We aim to make a decision within [timeframe]. Happy to discuss on a call once I have reviewed these answers.
Thanks, [Your name]
Vendors who cannot answer questions 1-5 in writing before a trial should not handle customer data. Store the response with your vendor evaluation record.
Related reading
- Governing embedded AI in third-party tools, stop unapproved vendors before they spread
- AI tool register template, when spreadsheets stop being enough
- Free AI register template, 12-field format covering EU AI Act Article 70 and Colorado SB 26-189
- GDPR-compliant AI assistants comparison, side-by-side scoring of 6 major AI assistants on DPA, training opt-out, EU data residency
- VC AI governance due diligence checklist, 18 questions investors ask about AI compliance
- AI risk decisioning governance checklist, for vendors used in automated financial or credit decisions
- California SB 942 compliance checklist, ask vendors about AI content detection and transparency features
- Risk assessment guide, translate vendor gaps into tracked risks
What Vendor Responses Reveal (Beyond the Answers)
The content of a vendor's answers to due diligence questions matters. So does how they answer.
Response time. A vendor who answers five security questions in 48 hours has a mature security and legal function. A vendor who routes every question through sales or takes two weeks to return written answers to basic DPA questions is showing you their organizational maturity. Security incident response requires fast communication; if a vendor takes two weeks to answer a pre-sales question, estimate their breach notification responsiveness accordingly.
Specificity. "We take security seriously and have robust data protection measures" answers nothing. "Customer prompts are retained for 30 days for quality review then deleted; enterprise customers can request zero-retention mode at no additional cost" answers the question. Evaluate specificity as a proxy for organizational clarity: vendors who are specific about data handling have usually made deliberate decisions about it.
What they flag proactively. A vendor who volunteers that their subprocessor list changed last quarter, or that their SOC 2 renewal is upcoming, is a vendor whose security team communicates proactively. This is the behavior you want in an incident: a vendor who sends you a breach notification before you read about it in the news.
What they deflect. Pay attention to which questions get deflected to "contact our enterprise sales team" versus which get answered directly. Pricing is reasonably deflected. Data retention, training opt-out, and DPA availability should never require an enterprise sales conversation; these are documented in published terms for any mature AI vendor.
When to Escalate Beyond 30 Minutes
The 30-minute workflow handles standard vendor evaluations. Three situations require more time and, usually, a specialist:
- Healthcare and PHI. If the AI tool will process protected health information, you need a signed HIPAA Business Associate Agreement, not just a DPA, before any production traffic. Confirm whether the vendor offers a BAA and whether it covers the specific AI features you plan to use. Some vendors offer a BAA that covers their core product but excludes newer AI features. Verify explicitly.
- Financial services and FCRA/SOX data. AI tools that analyze credit data, assist with financial reporting, or process data subject to FCRA require review of whether the vendor qualifies as a consumer reporting agency, whether their outputs constitute "consumer reports," and how your use of their AI affects your SOX control environment. This requires legal review, not a 30-minute checklist.
- EU AI Act Annex III use cases. If you are deploying an AI system that makes or substantially contributes to consequential decisions in hiring, credit, education, or essential services affecting EU residents, you are in the EU AI Act's high-risk category. The vendor due diligence extends to reviewing the vendor's AI system documentation, conformity assessment process, and whether they provide the technical documentation your EU AI Act compliance requires.
For these three situations, the 30-minute gate check is still a useful first pass: it quickly eliminates vendors who cannot answer basic questions. But it is the start of due diligence, not the end.
