
12 questions every AI vendor should be able to answer

You don't need a 200-question security questionnaire. You need 12 questions, asked plainly, with answers that match what you'd want a partner to say.

Reviewed by Level Up Automate.

TL;DR
  • Most AI vendor risk comes down to where data goes, who can see it, and whether it trains the model.
  • If a vendor takes more than five business days to answer these questions, that is itself an answer.
  • Save the answers. They become your audit trail when a customer or insurer asks.

The 12 questions

Send these by email. A serious vendor will respond in writing within a week. Score each answer green / yellow / red. Three or more reds is a deal-breaker; three or more yellows is a renegotiation point.

  1. Where, geographically, is our data stored? (Country and region matter for compliance.)
  2. Who at your company can read our data? (Engineers? Support? Outsourced contractors?)
  3. Is our data used to train your AI models? State the default and how we opt out.
  4. Do you share our data with sub-processors? Provide a current list with country and purpose.
  5. How long do you retain our data after we cancel? (We expect 30–90 days.)
  6. What is your incident-response plan if our data is exposed?
  7. Do you have SOC 2 Type II, ISO 27001, or equivalent? Provide the report or a link to a trust portal.
  8. What happens if your AI gives a wrong answer that harms us or our customers? Who is liable?
  9. Can you delete our data on request and provide written confirmation?
  10. Where in the contract do you commit to the answers above? (We expect them in writing, not in a sales email.)
  11. What is your uptime commitment, and what's the credit if you miss it?
  12. If you are acquired or shut down, what happens to our data and our access?

What good answers look like

A vendor with their act together will answer these in a single document, often called a trust portal or security one-pager. They will not balk at any of the questions. They may push back on liability (question 8) — that's normal — but the conversation will be respectful and substantive.

If a vendor responds with marketing language, refuses to put answers in writing, or claims that any of the questions are 'too technical for sales to answer' — that is your signal to walk away or negotiate hard. Your downside is your customers' data; their downside is one lost deal. The asymmetry favors caution.

Red flags that mean walk away

Save yourself months of regret by treating these as deal-breakers, not negotiation points.

  • Vendor cannot tell you what country your data sits in.
  • Vendor's privacy policy says they may train on customer data with no opt-out.
  • Vendor refuses to put data-handling commitments into the contract (only the privacy policy).
  • Vendor's incident response is 'we'll figure it out if it happens.'
  • Vendor wants you to sign an indemnification clause that puts you on the hook for their AI's mistakes.
  • Vendor cannot produce a recent SOC 2 / ISO 27001 report or comparable third-party assessment.

Yellow flags worth negotiating

These are not deal-breakers, but they are worth a 30-minute call to push back on.

  • Long retention windows (over 90 days) — push for shorter or for hard-delete on cancellation.
  • Lots of sub-processors with vague descriptions — ask for specifics or carve-outs.
  • Liability caps that are far below your contract value — negotiate up.
  • No commitment on model-training opt-out — get this in writing, even if it costs more.

Save the answers

The single biggest mistake we see: companies do this work, then lose the answers in someone's inbox. When the customer questionnaire arrives 18 months later — or worse, when a regulator does — that two hours of work is gone.

Keep a simple folder per vendor with: the 12 questions and answers, the contract, the trust report, and your renewal date. When a customer asks 'how do you vet AI vendors,' you hand them a clean folder and you're done.

Common questions

Plain-English answers

Do I really need to ask all 12, even for a free tool?

Yes, especially for free tools. Free tools often pay for themselves by training on your data. The 12 questions take an hour to send and they protect you from the cheapest mistake in the AI vendor space.

What if the vendor is huge — like Microsoft or Google?

They have answers. Their trust portals are usually well-organized and the answers are public. Use the 12 questions as your checklist as you walk through their documentation, not as 12 separate emails.

Can you do this for me?

Yes. Most clients have us run vendor due diligence as a one-time engagement before signing a major AI contract. Three to five days, fixed fee.

How often should I re-check?

At each contract renewal, and any time the vendor announces a major change (acquisition, new region, new training behavior). Set a reminder.

Next step

Want a hand getting this right?

A 30-minute conversation often saves weeks of guessing. We'll talk through your team, your data, and what to do first — no slide deck required.