# AI vendor questionnaire template

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and provides workflow support. This template is not legal advice.

## Who this is for

Teams sending questions to an AI vendor or internal vendor owner before approving customer data use.

## What this template is for

Use this questionnaire when official sources are not enough or your team needs implementation-specific answers from a vendor or reseller.

## When to use it

- When official public sources leave an important fact unknown.
- Before approving a new AI vendor for customer data.
- When a reseller, marketplace, or enterprise agreement changes the standard terms.

## AI vendor questionnaire

| Topic | Question | Why it matters | Acceptable evidence |
| --- | --- | --- | --- |
| Data use | Will prompts, outputs, files, feedback, or fine-tuning data be used to improve models? | Customer AI training commitments depend on product and plan scope. | Official policy source, agreement text, or admin setting documentation. |
| Retention | How long are inputs, outputs, files, and logs retained for this product path? | Retention promises can be broken by the vendor's storage or by your own logs. | Retention policy source and configuration evidence. |
| Subprocessors | Which subprocessors can access customer data for this service? | Customer DPAs may require current vendor exhibits. | Official subprocessor page or signed subprocessor schedule. |
| Security | What security controls, audit reports, and access controls apply to this product? | Security answers need product-specific evidence, not only company-level claims. | Trust center record, SOC report access, or security documentation. |
| Scope changes | How will we be notified if terms, data use, retention, or subprocessors materially change? | Monitoring depends on knowing where updates are published. | Notification terms, changelog, source URL, or account setting. |

## How to fill it out

- Ask only questions tied to a customer commitment or launch decision.
- Attach vendor answers to the source record and mark whether they are public or confidential.
- Set a follow-up date for answers that depend on roadmap or beta features.

## Common mistakes

- Sending a long generic questionnaire that no one reads.
- Accepting sales claims without source links or agreement references.
- Failing to update internal commitments after the vendor answers.

## Customer review question

For GitHub Copilot Business, confirm whether organization prompts, suggestions, and repository context are used for model training, and provide the controlling customer terms or admin setting evidence.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.

