IndexableDrift trackingLast reviewed 2026-05-21

Vendor commitment drift register

Use this register as the working list for vendor changes that may affect customer promises. It is not a risk score. It is a way to avoid quiet drift.

Download Markdown Download CSV Generate this automatically

Who it is for

Teams that need one place to track potential vendor commitment drift from source change to final review outcome.

Template

Commitment drift register with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

As the main tracker for an AI vendor review packet.
When findings come from source changes, customer questions, or internal tool changes.
Before closing a vendor review cycle.

How to fill it out

Create a row for each commitment that could drift.
Keep the source signal separate from the final review decision.
Close rows only after customer-facing evidence is updated or explicitly unchanged.

Commitment drift register

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Record: Training statement
Signal to watch: AI data-use or model training source changed.
Commitment affected: Customer data is not used to train provider models.
Next step: Review product scope, settings, and customer wording.

Record: Retention statement
Signal to watch: Retention source, logging setting, or storage workflow changed.
Commitment affected: Customer data is retained only as long as needed.
Next step: Compare vendor retention with internal logs and exports.

Record: Subprocessor statement
Signal to watch: Subprocessor page changed or new integration added.
Commitment affected: Subprocessors are reviewed and disclosed where required.
Next step: Run subprocessor checklist and decide notice path.

Record: DPA statement
Signal to watch: DPA, terms, or agreement path changed.
Commitment affected: Customer data is processed under the right agreement.
Next step: Use DPA worksheet and route wording changes to legal.

Record: Security statement
Signal to watch: Security evidence, product setting, or service scope changed.
Commitment affected: Security controls described to customers remain accurate.
Next step: Update evidence, questionnaire answer, or owner note.

Record	Signal to watch	Commitment affected	Next step
Training statement	AI data-use or model training source changed.	Customer data is not used to train provider models.	Review product scope, settings, and customer wording.
Retention statement	Retention source, logging setting, or storage workflow changed.	Customer data is retained only as long as needed.	Compare vendor retention with internal logs and exports.
Subprocessor statement	Subprocessor page changed or new integration added.	Subprocessors are reviewed and disclosed where required.	Run subprocessor checklist and decide notice path.
DPA statement	DPA, terms, or agreement path changed.	Customer data is processed under the right agreement.	Use DPA worksheet and route wording changes to legal.
Security statement	Security evidence, product setting, or service scope changed.	Security controls described to customers remain accurate.	Update evidence, questionnaire answer, or owner note.

Common mistakes

Tracking vendor changes without naming the customer commitment affected.
Closing a finding because the vendor changed only a little.
Mixing source facts with legal conclusions in the same field.

Example drift record

Microsoft 365 Copilot privacy source reviewed; Trust Center AI policy mentions Microsoft 365 Copilot but not tenant scope; owner assigned to narrow wording and attach source date.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

Microsoft 365 / CopilotReview Microsoft 365 / Copilot privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.OpenAIReview OpenAI API, DPA, privacy, subprocessors, retention, and model training sources for SaaS customer commitments.AnthropicReview Anthropic Claude commercial terms, DPA, model training, retention, and privacy sources for SaaS review packet evidence.SalesforceReview Salesforce privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

AI vendor monitoring evidence packet templateUse this packet to show what sources were reviewed, what changed, and which customer commitments need follow-up. It is built for a short review meeting, not a long risk committee packet.Trust Center AI policy templateUse this template to write a calm public AI policy that tells customers what is used, what is not promised, and how vendor evidence is reviewed. Keep it specific enough to be useful and narrow enough to stay accurate.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate a drift register View all templates