AI vendor risk assessment
Review AI vendor data use, retention, subprocessors, DPA coverage, and customer-facing commitments before security questionnaires and enterprise deals.
Review question
What should we review before approving an AI vendor or reusing an old vendor risk answer?
Scope for this review
Use this when your team needs a practical AI vendor risk review before sending customer data to a provider or answering an enterprise questionnaire.
What it does
- Map the vendor, product, plan, and data category before answering customer questions.
- Flag where the source is clear, where applicability is uncertain, and who should review next.
- Use the scanner before publishing Trust Center language or reusing old questionnaire answers.
Direct answer
When to use this packet
Check the exact vendor product, plan, data categories, agreement path, retention claims, subprocessors, and customer commitments. The packet is strongest when you need a concise review record that names source evidence and the remaining reviewer decision.
What the packet gives you
Use the free scanner to check scope. Buy the $199 one-time packet when you need the result ready for security, privacy, legal, or founder review.
| Packet section | How to use it | Decision needed |
|---|---|---|
| Risk review scope | Captures the vendor path, data categories, product plan, and customer commitment language. | Decide whether the vendor is in scope for this customer or internal review. |
| Applicability questions | Keeps unknown contract, retention, transfer, and feature questions visible instead of hiding them. | Route ambiguous answers to privacy, legal, or security reviewers. |
| Review-ready packet | Packages cited findings, source dates, suggested actions, and limitations for handoff. | Approve, qualify, or hold customer-facing language. |
Start the scanner with the right scope
A focused review should start with the vendors, data categories, and commitments most likely to matter. This page starts the scanner with a matching context, then lets the reviewer remove anything that does not apply.
| Review area | Why it matters | Scanner action |
|---|---|---|
| Data-use scope | The same vendor can have different answers for API, enterprise, workspace, or consumer usage. | Preload customer content, personal data, and EU data context. |
| Transfer and DPA review | Risk assessment should identify when legal or privacy reviewers need to confirm applicability. | Use DPA and transfer-related commitments in the generated review packet. |
| Questionnaire reuse | Old security answers can drift when vendor terms or your own implementation changes. | Attach source links and review notes before reusing a customer answer. |
Official source examples
Vendor facts must be checked against official vendor documentation before they appear in customer-facing answers.
Official-source review
Start with official sources. Keep the review in one packet.
For packet evidence, critical AI and SaaS vendor sources should show a recent reviewed date. Material vendor notices, Trust Center updates, DPA changes, subprocessor notices, and customer-reported changes should be checked before the packet is reused externally.
Freshness operating model reviewed: May 22, 2026
How sources are used
| Area | Official sources | Packet use |
|---|---|---|
| DPA and processor path | OpenAI Data Processing Addendum; Anthropic Data Processing Addendum; Google Cloud Data Processing Addendum | Use official DPA sources to identify where legal or privacy review is still needed. |
| Collaboration and support context | Slack Data Processing Addenda; Intercom Data Processing Agreement | Include non-model vendors when they receive prompts, transcripts, files, or customer metadata. |
| Data-use and retention posture | Data controls in the OpenAI platform; Zero data retention agreement applicability; Google Cloud Vertex AI data governance | Use source links to separate vendor defaults from customer-specific agreements and settings. |
Last reviewed: May 22, 2026. AI Vendor Packet organizes official-source review evidence and suggested next steps. It does not provide legal advice.
Turn this question into a review packet.
Run the scanner with this context already selected, inspect the sample report, then buy the one-time packet when you need exportable evidence.