Guide
AI vendor red flags
A vendor's first impression doesn't tell you much. The questions they answer (and how) tell you everything.
Reviewed by Level Up Automate.
TL;DR
Refusal to put data-handling commitments into the contract is the single biggest red flag.
Vague answers on training-data use, sub-processors, or data location should stop a deal.
A vendor that takes more than five business days to answer 12 due-diligence questions is telling you something.
The eight red flags
Walk away — or push hard — when you see any of these.
- Refuses to put data-handling commitments in the contract (only in the privacy policy).
- Cannot tell you what country your data is stored in.
- Privacy policy says 'we may use customer data to improve our services' with no opt-out.
- Trust portal is a 5-page marketing PDF rather than substantive documentation.
- No SOC 2, ISO 27001, or equivalent third-party assessment available.
- Wants you to indemnify them for their AI's mistakes.
- Cannot articulate an incident-response process.
- Pricing requires a multi-year commitment with no termination-for-convenience clause.
Yellow flags worth pushing on
Not deal-breakers, but worth a conversation.
- Long retention windows (over 90 days) post-termination.
- Many sub-processors with vague descriptions.
- Liability caps far below contract value.
- Soft commitments on training-data opt-out — get it in writing.
Common questions
Plain-English answers
What if it's a small vendor we want to support?
Hold them to the same questions but with patience for the answers. Many small vendors lack the documentation but will answer in writing — that's good enough early.
Next step
Want a hand getting this right?
A 30-minute conversation often saves weeks of guessing. We'll talk through your team, your data, and what to do first — no slide deck required.