Vendor AI Evaluation Checklist
Use this checklist when evaluating any AI vendor prior to procurement or contract renewal. Assign a procurement lead and a security reviewer before starting. Complete all sections; mark N/A only where the item genuinely does not apply to the vendor's product category, and document why.

Vendor name: [Vendor]
Product / service: [Product name]
Evaluation date: [Date]
Procurement lead: [Name]
Security reviewer: [Name]
Outcome (Approved / Conditional / Rejected): [Outcome]
1. Company and Product Overview
- [ ] Vendor has a publicly verifiable legal entity (company registration, registered address).
- [ ] Vendor has been in operation for at least [X] years, or has credible funding and leadership track record.
- [ ] Product has been generally available (not beta) for at least [X] months, or pilot risk is accepted and documented.
- [ ] Vendor can provide at least [N] reference customers in a comparable industry or use case.
2. Training Data Practices
- [ ] Vendor discloses the categories of data used to train foundation or fine-tuned models.
- [ ] Vendor confirms that customer-submitted data is not used to train shared or public models by default.
- [ ] Vendor provides a mechanism to opt out of training use entirely (Zero Data Retention or equivalent).
- [ ] Vendor can describe their data sourcing, licensing, and de-identification practices for training data.
- [ ] No documented violations of third-party IP rights related to training data in the past 24 months.
3. Sub-processor Disclosure
- [ ] Vendor provides a current sub-processor list.
- [ ] Sub-processor list includes the sub-processor name, processing location, and purpose.
- [ ] Vendor commits to providing [X] days advance notice of sub-processor changes.
- [ ] All sub-processors are located in jurisdictions acceptable under [Company] data residency requirements.
- [ ] Sub-processors that handle production customer data have their own SOC 2 or equivalent certification.
4. Data Processing Agreement
- [ ] Vendor is willing to sign [Company]'s standard DPA, or their own DPA has been reviewed and approved by [Legal].
- [ ] DPA clearly identifies the roles of controller and processor (or sub-processor where applicable).
- [ ] DPA includes data subject rights obligations consistent with GDPR, CCPA, and any other applicable regulations.
- [ ] DPA specifies data retention and deletion timelines and requires deletion confirmation on request.
- [ ] DPA prohibits use of [Company] data for purposes beyond the contracted service.
5. Security Certifications
- [ ] SOC 2 Type II report available (dated within 12 months). Reviewed by [Security reviewer].
- [ ] ISO 27001 certification current (or SOC 2 accepted as equivalent with documented rationale).
- [ ] Penetration testing: vendor conducts annual third-party penetration tests and will share an executive summary on request.
- [ ] Encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2 minimum, TLS 1.3 preferred) confirmed.
- [ ] Access controls: vendor uses MFA for privileged access and maintains least-privilege access policies.
- [ ] Data residency: vendor can confirm the processing region for [Company] data.
6. Incident History and Disclosure
- [ ] Vendor has not experienced a material data breach affecting customer data in the past 24 months, OR breach occurred and vendor's response has been reviewed and deemed adequate by [Security].
- [ ] Vendor's breach notification SLA is [X hours] or less, consistent with applicable legal obligations.
- [ ] Vendor provides post-incident reports to affected customers within [X days].
- [ ] Vendor can describe their security monitoring and anomaly detection capabilities.
7. AI-Specific Risk Factors
- [ ] Vendor discloses known model limitations, failure modes, and accuracy characteristics relevant to the intended use case.
- [ ] Vendor provides documentation on bias evaluation and mitigation for the model.
- [ ] Vendor supports audit logging of inputs and outputs at the customer level.
- [ ] Vendor has a published policy on responsible AI / AI ethics, and it is consistent with [Company]'s values.
- [ ] Vendor complies with or has a documented roadmap to comply with the EU AI Act (where applicable).
8. Commercial and Contractual Terms
- [ ] Vendor's IP ownership clause does not claim rights to [Company] outputs or derivative works.
- [ ] Vendor's liability cap is acceptable to [Legal] relative to contract value and data sensitivity.
- [ ] Vendor provides SLA commitments on uptime (minimum [X]%) with financial remedies.
- [ ] Contract includes a right to audit or third-party audit certification on request.
9. Evaluation Notes
[Record any material findings, exceptions, or conditions attached to the approval decision.]
Approved by: [Security reviewer name, date] | [Procurement lead name, date]

Template version: [Date]. Next scheduled review: [Date].