Copilot, Notion AI, and new LLM APIs land in your stack weekly. Use this scorecard before you sign.
Every AI vendor should answer: Where is data processed? Is it used for training? What subprocessors exist? What is their incident history?
Request SOC 2 Type II or ISO 27001 where available. For early-stage vendors, review their security page and DPA — absence of AI-specific terms is a yellow flag.
Run a lightweight review before procurement: public docs, privacy policy, data flow diagram, and a 30-minute security call for deals over $10k/year.
Our Vendor Security Review delivers an adopt/hold/reject verdict in 2–3 days from $1,500 — often faster than legal reviewing a 40-page DPA alone.
Maintain a living vendor register with risk tier, owner, and renewal date. Enterprise buyers will ask for it.
Put this into practice
Book a free call or start with an AI Risk Health Check from $1,500.