IndexableRisk assessmentLast reviewed 2026-05-21

AI vendor risk assessment template

Use this template to document the review questions that matter before customer data is sent to an AI vendor. It focuses on commitments and evidence, not abstract scoring.

Download Markdown Download CSV Generate this automatically

Who it is for

Teams reviewing whether an AI vendor or feature can be used with customer data before launch or expansion.

Template

AI vendor risk table with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

Before adding a new AI model provider or AI feature.
When changing from direct API use to a cloud-hosted model path.
When customer data categories expand beyond the original review.

How to fill it out

Review one vendor product path at a time.
Write unknowns plainly instead of forcing a yes or no answer.
Attach both vendor sources and your own implementation evidence.

AI vendor risk table

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Question: What customer data will be sent?
Current answer: Prompts, files, embeddings, tickets, transcripts, CRM fields, or logs.
Review action: Classify data sensitivity and remove unnecessary fields.
Evidence: Data-flow note and product owner approval.

Question: Can vendor data be used for training?
Current answer: Answer only for the exact product and plan.
Review action: Attach official AI data-use or model training source.
Evidence: Vendor issue page and official source link.

Question: How long is data retained?
Current answer: Separate vendor retention from your own logs and storage.
Review action: Check retention controls, zero retention eligibility, and deletion limits.
Evidence: Vendor retention source and system logging note.

Question: Which agreements apply?
Current answer: DPA, customer agreement, order form, marketplace terms, or enterprise addendum.
Review action: Confirm contract path before customer-facing claims.
Evidence: Agreement reference and legal reviewer note.

Question: What commitment could drift?
Current answer: Training, subprocessors, retention, security controls, DPA coverage, or Trust Center wording.
Review action: Create a finding or approve with limits.
Evidence: Commitment record and reviewer decision.

Question	Current answer	Review action	Evidence
What customer data will be sent?	Prompts, files, embeddings, tickets, transcripts, CRM fields, or logs.	Classify data sensitivity and remove unnecessary fields.	Data-flow note and product owner approval.
Can vendor data be used for training?	Answer only for the exact product and plan.	Attach official AI data-use or model training source.	Vendor issue page and official source link.
How long is data retained?	Separate vendor retention from your own logs and storage.	Check retention controls, zero retention eligibility, and deletion limits.	Vendor retention source and system logging note.
Which agreements apply?	DPA, customer agreement, order form, marketplace terms, or enterprise addendum.	Confirm contract path before customer-facing claims.	Agreement reference and legal reviewer note.
What commitment could drift?	Training, subprocessors, retention, security controls, DPA coverage, or Trust Center wording.	Create a finding or approve with limits.	Commitment record and reviewer decision.

Common mistakes

Treating every product from the same vendor as one risk profile.
Reviewing model training but ignoring retention, logs, and subprocessors.
Approving a proof of concept and then reusing the approval for production.

Example assessment note

Anthropic Claude API for support draft suggestions; ticket excerpts only; model training source reviewed; zero data retention not assumed; internal prompt logs retained for 14 days and need customer-answer wording.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

OpenAIReview OpenAI API, DPA, privacy, subprocessors, retention, and model training sources for SaaS customer commitments.AnthropicReview Anthropic Claude commercial terms, DPA, model training, retention, and privacy sources for SaaS review packet evidence.Azure OpenAI / Microsoft AIReview Microsoft Azure AI Foundry data privacy, Azure terms, DPA, and privacy sources for SaaS customer commitments.Google Vertex AI / Gemini for CloudReview Google Cloud Vertex AI data governance, zero data retention, DPA, terms, and subprocessor sources.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

Customer data not used for training clause checklistUse this checklist before saying customer data is not used for model training. The answer must match the vendor, product, plan, settings, and any feedback or fine-tuning flow.Vendor retention review worksheetUse this worksheet to separate vendor retention from your own retention. Many customer answers fail because prompts, tickets, recordings, or logs are copied outside the vendor path.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate an AI vendor assessment View all templates