AI Vendor Evaluation Checklist

After you've sent the 12 due-diligence questions, you need a scoring rubric. This is it.

Reviewed by Level Up Automate.

TL;DR
  • Score each of 12 areas green / yellow / red after reading the vendor's response.

  • Three or more reds: walk away. Three or more yellows: negotiate.

  • Save the completed rubric in your vendor folder as an audit trail.

Scoring rubric

Apply the rubric consistently across vendors so scores are comparable.

  • Data location — green = specific country, yellow = vague region, red = unknown.
  • Internal access — green = named roles + need-to-know, yellow = generic policy, red = unclear.
  • Model training opt-out — green = contractual no, yellow = policy-only no, red = yes by default.
  • Sub-processors — green = current list with countries, yellow = list of names only, red = no list.
  • Data retention after cancellation — green = under 90 days with confirmation, yellow = vague, red = indefinite.
  • Incident response — green = documented playbook, yellow = informal, red = ad-hoc.
  • Third-party security assessment — green = SOC 2 Type II or ISO 27001, yellow = SOC 2 Type I, red = none.
  • Liability for AI errors — green = reasonable caps named, yellow = some negotiation possible, red = vendor refuses or insists on indemnity from you.
  • Data deletion on request — green = written confirmation possible, yellow = informal, red = no.
  • Contract reflects commitments — green = yes, yellow = some, red = privacy policy only.
  • Uptime SLA — green = 99.9%+ with credits, yellow = 99% with credits, red = no commitment.
  • Continuity if acquired — green = data portability + notice period, yellow = vague, red = nothing.

Common questions

Plain-English answers

What if a vendor scores green on most but red on one critical area?

Treat red on liability, model training, or contract-vs-policy as a deal-breaker regardless of the overall score.

Next step

Want a hand getting this right?

A 30-minute conversation often saves weeks of guessing. We'll talk through your team, your data, and what to do first — no slide deck required.