IndexableRetentionLast reviewed 2026-05-21

Vendor retention review worksheet

Use this worksheet to separate vendor retention from your own retention. Many customer answers fail because prompts, tickets, recordings, or logs are copied outside the vendor path.

Download Markdown Download CSV Generate this automatically

Who it is for

Security, privacy, engineering, and support teams reviewing whether vendor retention matches customer-facing statements.

Template

Retention worksheet with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

Before answering customer questions about prompt or output retention.
After adding logging, recording, transcript, or support export workflows.
When a vendor introduces a zero retention or custom retention option.

How to fill it out

Track vendor retention and your own copies in separate rows.
Do not use a single retention number for every data type.
Keep unknown periods visible until confirmed.

Retention worksheet

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Question: What data type is retained?
Current answer: Prompt, output, file, ticket, transcript, recording, billing record, or log.
Review action: Review each data type separately.
Evidence: Data inventory and vendor source.

Question: Where is it retained?
Current answer: Vendor system, application log, warehouse, support tool, object storage, or local export.
Review action: Separate vendor storage from company-controlled storage.
Evidence: Architecture note or system owner confirmation.

Question: How long is it retained?
Current answer: Record default period, configurable period, deletion process, or unknown.
Review action: Attach source or mark unknown until reviewed.
Evidence: Retention source and configuration screenshot.

Question: What customer statement depends on it?
Current answer: Trust Center, DPA, questionnaire, AI policy, or retention policy.
Review action: Update statement or qualify scope if needed.
Evidence: Customer-facing text excerpt.

Question: Who owns cleanup?
Current answer: Engineering, support operations, security, privacy, or vendor owner.
Review action: Assign remediation for any mismatch.
Evidence: Ticket and due date.

Question	Current answer	Review action	Evidence
What data type is retained?	Prompt, output, file, ticket, transcript, recording, billing record, or log.	Review each data type separately.	Data inventory and vendor source.
Where is it retained?	Vendor system, application log, warehouse, support tool, object storage, or local export.	Separate vendor storage from company-controlled storage.	Architecture note or system owner confirmation.
How long is it retained?	Record default period, configurable period, deletion process, or unknown.	Attach source or mark unknown until reviewed.	Retention source and configuration screenshot.
What customer statement depends on it?	Trust Center, DPA, questionnaire, AI policy, or retention policy.	Update statement or qualify scope if needed.	Customer-facing text excerpt.
Who owns cleanup?	Engineering, support operations, security, privacy, or vendor owner.	Assign remediation for any mismatch.	Ticket and due date.

Common mistakes

Ignoring debug logs and support tickets.
Assuming zero retention applies to files, fine-tuning, or connected tools.
Deleting vendor data while keeping the same data in analytics or warehouse systems.

Example retention note

AWS Bedrock prompts are reviewed under Bedrock sources, but CloudWatch debug logs are company-controlled and retained for 30 days. Customer retention answer must mention both paths or avoid a single blanket claim.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

AWS BedrockReview Amazon Bedrock data protection, abuse detection, AWS service terms, and security sources for SaaS AI commitments.OpenAIReview OpenAI API, DPA, privacy, subprocessors, retention, and model training sources for SaaS customer commitments.ZoomReview Zoom privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.NotionReview Notion privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

AI vendor risk assessment templateUse this template to document the review questions that matter before customer data is sent to an AI vendor. It focuses on commitments and evidence, not abstract scoring.SOC 2 vendor review evidence templateUse this template to turn a vendor source review into an audit-ready record. It is intentionally narrow: vendor, source, commitment, finding, reviewer, and follow-up. It does not decide whether the vendor is acceptable.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate retention review notes View all templates