# Vendor retention review worksheet

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and workflow support. This template is not legal advice.

## Who this is for

Security, privacy, engineering, and support teams reviewing whether vendor retention matches customer-facing statements.

## What this template is for

Use this worksheet to separate vendor retention from your own retention. Many customer answers fail because prompts, tickets, recordings, or logs are copied outside the vendor path.

## When to use it

- Before answering customer questions about prompt or output retention.
- After adding logging, recording, transcript, or support export workflows.
- When a vendor introduces a zero retention or custom retention option.

## Retention worksheet

| Question | Current answer | Review action | Evidence |
| --- | --- | --- | --- |
| What data type is retained? | Prompt, output, file, ticket, transcript, recording, billing record, or log. | Review each data type separately. | Data inventory and vendor source. |
| Where is it retained? | Vendor system, application log, warehouse, support tool, object storage, or local export. | Separate vendor storage from company-controlled storage. | Architecture note or system owner confirmation. |
| How long is it retained? | Record default period, configurable period, deletion process, or unknown. | Attach source or mark unknown until reviewed. | Retention source and configuration screenshot. |
| What customer statement depends on it? | Trust Center, DPA, questionnaire, AI policy, or retention policy. | Update statement or qualify scope if needed. | Customer-facing text excerpt. |
| Who owns cleanup? | Engineering, support operations, security, privacy, or vendor owner. | Assign remediation for any mismatch. | Ticket and due date. |

## How to fill it out

- Track vendor retention and your own copies in separate rows.
- Do not use a single retention number for every data type.
- Keep unknown periods visible until confirmed.

## Common mistakes

- Ignoring debug logs and support tickets.
- Assuming zero retention applies to files, fine-tuning, or connected tools.
- Deleting vendor data while keeping the same data in analytics or warehouse systems.

## Example retention note

AWS Bedrock prompts are reviewed under Bedrock sources, but CloudWatch debug logs are company-controlled and retained for 30 days. Customer retention answer must mention both paths or avoid a single blanket claim.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.