IndexableQuestionnaireLast reviewed 2026-05-21

AI vendor questionnaire template

Use this questionnaire when official sources are not enough or your team needs implementation-specific answers from a vendor or reseller.

Download Markdown Download CSV Generate this automatically

Who it is for

Teams sending questions to an AI vendor or internal vendor owner before approving customer data use.

Template

AI vendor questionnaire with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

When official public sources leave an important fact unknown.
Before approving a new AI vendor for customer data.
When a reseller, marketplace, or enterprise agreement changes the standard terms.

How to fill it out

Ask only questions tied to a customer commitment or launch decision.
Attach vendor answers to the source record and mark whether they are public or confidential.
Set a follow-up date for answers that depend on roadmap or beta features.

AI vendor questionnaire

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Topic: Data use
Question: Will prompts, outputs, files, feedback, or fine-tuning data be used to improve models?
Why it matters: Customer AI training commitments depend on product and plan scope.
Acceptable evidence: Official policy source, agreement text, or admin setting documentation.

Topic: Retention
Question: How long are inputs, outputs, files, and logs retained for this product path?
Why it matters: Retention promises can be broken by vendor storage or your own logs.
Acceptable evidence: Retention policy source and configuration evidence.

Topic: Subprocessors
Question: Which subprocessors can access customer data for this service?
Why it matters: Customer DPAs may require current vendor exhibits.
Acceptable evidence: Official subprocessor page or signed subprocessor schedule.

Topic: Security
Question: What security controls, audit reports, and access controls apply to this product?
Why it matters: Security answers need product-specific evidence, not only company-level claims.
Acceptable evidence: Trust center record, SOC report access, or security documentation.

Topic: Scope changes
Question: How will we be notified if terms, data use, retention, or subprocessors materially change?
Why it matters: Monitoring depends on knowing where updates are published.
Acceptable evidence: Notification terms, changelog, source URL, or account setting.

Topic	Question	Why it matters	Acceptable evidence
Data use	Will prompts, outputs, files, feedback, or fine-tuning data be used to improve models?	Customer AI training commitments depend on product and plan scope.	Official policy source, agreement text, or admin setting documentation.
Retention	How long are inputs, outputs, files, and logs retained for this product path?	Retention promises can be broken by vendor storage or your own logs.	Retention policy source and configuration evidence.
Subprocessors	Which subprocessors can access customer data for this service?	Customer DPAs may require current vendor exhibits.	Official subprocessor page or signed subprocessor schedule.
Security	What security controls, audit reports, and access controls apply to this product?	Security answers need product-specific evidence, not only company-level claims.	Trust center record, SOC report access, or security documentation.
Scope changes	How will we be notified if terms, data use, retention, or subprocessors materially change?	Monitoring depends on knowing where updates are published.	Notification terms, changelog, source URL, or account setting.

Common mistakes

Sending a long generic questionnaire that no one reads.
Accepting sales claims without source links or agreement references.
Failing to update internal commitments after the vendor answers.

Customer review question

For GitHub Copilot Business, confirm whether organization prompts, suggestions, and repository context are used for model training, and provide the controlling customer terms or admin setting evidence.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

GitHub CopilotReview GitHub Copilot privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.MistralReview Mistral privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.CohereReview Cohere privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.Hugging FaceReview Hugging Face privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

AI vendor risk assessment templateUse this template to document the review questions that matter before customer data is sent to an AI vendor. It focuses on commitments and evidence, not abstract scoring.Vendor commitment drift registerUse this register as the working list for vendor changes that may affect customer promises. It is not a risk score. It is a way to avoid quiet drift.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate questionnaire prompts View all templates