AI Vendor Questionnaire
Copy/paste template to use when you are evaluating AI products and tools
Here’s my recommended AI Vendor Questionnaire. Use it as an addendum to your current vendor documentation and adjust it as needed for your organization. The goal is to collect consistent information upfront, then conduct deeper due diligence on any areas that are flagged.
1) Vendor Information
Input type: Short text
Description: Basic vendor and contact details for contracting and security review
Fields:
Company name
Product or service name
Website
Headquarters country
Primary contact (name, title, email)
Security contact email
Legal or procurement contact email
2) AI Use in Product
Input type: Free text (multi-line)
Description: Describe the role AI plays in your product and how customers typically use it. List all features that are powered by AI.
3) Models Used
Input type: Free text
Description: List all model(s) used in the solution, including provider, exact model name, and version (for example, OpenAI GPT 4.1, Claude 3.5 Sonnet, Llama 3.1 70B). Include any open-source models. Include any routing or orchestration layer.
4) Model Hosting
Input type: Free text (multi-line)
Description: For each model listed above, state whether you host the model yourself or use a third-party model API or service.
Options:
Self-hosted
Managed cloud service
Direct third-party API (OpenAI, Anthropic, and similar)
Hybrid
5) Enterprise Agreements With Model Providers
Input type: Free text (multi-line)
Description: Do you have enterprise contracts with your model providers? If yes, confirm whether those agreements include limits on data use, confidentiality, and terms that say no training on customer data.
6) Cloud and Regions
Input type: Free text
Description: What cloud provider or providers and which regions are used for processing and inference, and for data storage, including logs and backups?
7) Data We Provide and Data You Collect
Input type: Free text
Description: What data do you ingest from us or our customers? Include content such as customer information, prompts, documents, files, and metadata.
8) Data Flow Breakdown
Input type: Free text (multi-line)
Description: Describe the end-to-end data flow for a typical AI process.
9) Data Segregation and Isolation
Input type: Free text (multi-line)
Description: How is our data isolated from other customers?
10) Safety Controls and Guardrails
Input type: Free text (multi-line)
Description: What controls prevent harmful outputs, policy-violating outputs, or disclosure of confidential information?
11) Training or Model Improvement Using Our Data
Input type: Multiple choice plus free text
Description: Confirm whether you or any subcontractors, subprocessors, or model providers use our data, including prompts, outputs, or logs, to train, fine-tune, or otherwise improve models. If yes, describe how and what data is used.
Options:
No, never.
Yes, opt in.
Yes, default.
12) RAG and Embeddings
Input type: Free text (multi-line)
Description: Describe whether and how you create or use embeddings from our data, including prompts, documents, files, and outputs. Explain how embeddings are stored, isolated, retained, and deleted.
13) Retention and Deletion
Input type: Free text
Description: What do you retain, including inputs, outputs, logs, and backups, and for how long? Can we set retention to zero or as low as possible? Include deletion timelines, including backups.
14) Subprocessor Disclosure
Input type: Free text (multi-line)
Description: Provide a complete list of subprocessors, including purpose, location or region, and whether they receive customer data such as prompts and documents.
15) IP Ownership of Inputs and Outputs
Input type: Free text (multi-line)
Description: Confirm ownership rights for inputs and outputs. Describe any limits on our use of outputs. Clearly state whether you claim any rights to derived data, and whether you use derived data for analytics or benchmarking.
16) Indemnification
Input type: Free text (multi-line)
Description: Do you provide indemnification, including for IP infringement, related to model outputs or your service? Specify scope, caps, and key carve-outs.