# AI vendor risk assessment template

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and supports the review workflow. This template is not legal advice.

## Who this is for

Teams reviewing whether an AI vendor or feature can be used with customer data before launch or expansion.

## What this template is for

Use this template to document the review questions that matter before customer data is sent to an AI vendor. It focuses on commitments and evidence, not abstract scoring.

## When to use it

- Before adding a new AI model provider or AI feature.
- When changing from direct API use to a cloud-hosted model path.
- When customer data categories expand beyond the original review.

## AI vendor risk table

| Question | Current answer | Review action | Evidence |
| --- | --- | --- | --- |
| What customer data will be sent? | Prompts, files, embeddings, tickets, transcripts, CRM fields, or logs. | Classify data sensitivity and remove unnecessary fields. | Data-flow note and product owner approval. |
| Can vendor data be used for training? | Answer only for the exact product and plan under review. | Attach the vendor's official AI data-use or model-training source. | Vendor issue page and official source link. |
| How long is data retained? | Separate vendor retention from your own logs and storage. | Check retention controls, zero retention eligibility, and deletion limits. | Vendor retention source and system logging note. |
| Which agreements apply? | DPA, customer agreement, order form, marketplace terms, or enterprise addendum. | Confirm contract path before customer-facing claims. | Agreement reference and legal reviewer note. |
| What commitment could drift? | Training, subprocessors, retention, security controls, DPA coverage, or Trust Center wording. | Create a finding or approve with limits. | Commitment record and reviewer decision. |

## How to fill it out

- Review one vendor product path at a time.
- Write unknowns plainly instead of forcing a yes or no answer.
- Attach both vendor sources and your own implementation evidence.

## Common mistakes

- Treating every product from the same vendor as one risk profile.
- Reviewing model training but ignoring retention, logs, and subprocessors.
- Approving a proof of concept and then reusing the approval for production.

## Example assessment note

Anthropic Claude API for support draft suggestions; ticket excerpts only; model training source reviewed; zero data retention not assumed; internal prompt logs retained for 14 days, and customer-facing wording for that retention is still needed.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.