AI vendor due diligence checklist

Most AI vendor reviews stop at “the demo looked good.” This checklist covers the things that actually become expensive later: contracts, transfers, retention, failure modes, and lock-in.

Data handling

  • What personal data is sent to the vendor?
  • Can we minimise or pseudonymise the payload first?
  • Does the vendor use our data for training by default?

Contracts and transfers

  • Is there a DPA and does it actually fit our use case?
  • Which subprocessors are involved?
  • What transfer mechanism applies if data leaves the UK or EEA?

Security and operations

  • What access controls, logging, and incident notification terms are in place?
  • Can we configure retention or zero-retention?
  • What happens if the service fails mid-workflow?

Model and product risk

  • How are hallucinations, refusals, and unsafe outputs handled?
  • Can we set human review thresholds?
  • Is the output explainable enough for the use case?

Exit risk

  • Can we export our data and logs cleanly?
  • How much business logic becomes vendor-locked?
  • What is the fallback plan if pricing or terms change?