Your procurement team has a vendor due diligence template. It does not have an AI vendor due diligence template. Those are different documents.

That gap matters now.

The EU AI Act started applying in phases from 2 February 2025, with later obligations landing on 2 August 2026. If your team is buying or deploying AI into EU-facing workflows, standard security questionnaires are not enough. You still need the usual floor: GDPR Article 28 for processor terms and GDPR Article 35 for a DPIA where processing is likely to result in high risk.

AI procurement adds another layer: training data provenance, retention, fine-tuning, transfer mechanics, deployer obligations under EU AI Act Article 27, and importer obligations under Article 28 if you are bringing a non-EU AI system into the EU market.

Use the checklist below as a working form. Copy it into procurement. Edit the weightings. Make vendors answer in writing.

Before the checklist, fix the consumer-tier trap

Your enterprise contract is not magic dust. If your staff are using consumer accounts, those enterprise terms often do not apply. ChatGPT Free is not ChatGPT Enterprise. The same problem shows up across Copilot, Gemini, Claude, and whatever new assistant the board saw on LinkedIn this week.

Due diligence fails when you assess the sanctioned tool while employees keep pasting data into the unsanctioned one. Your form should ask two things at once: what protections the vendor offers, and how you will prevent use of consumer-tier versions that bypass those protections.

[Screenshot: Prytive breakdown of approved versus unsanctioned AI tools across the org, the discovery layer that due diligence depends on]

That screenshot is the practical point. Due diligence only works if you know what is actually in use.

If you need the policy side, the one-page AI usage policy template is a good companion.

Category A: Training data

1) Will our prompts, files, or outputs be used to train your models?

Regulatory hook: GDPR Article 28(3); GDPR Article 5(1)(b) on purpose limitation.

Required answer: no training on customer data by default, documented in the DPA or product terms.

What a good due diligence answer looks like versus a bad one:

Q: 'Will my customer data be used to train your models?'
Good answer: 'No, by default; documented in DPA section X.'
Bad answer: 'We respect user privacy and follow industry best practices.'

2) What are the sources and licences for the model's training data?

Regulatory hook: EU AI Act transparency and documentation obligations depend on system role and classification; ISO 42001:2023 expects documented controls around AI lifecycle governance.

Ask for provenance categories, data sourcing controls, and any restrictions on downstream commercial use. If they cannot describe provenance beyond vague public-web language, treat that as immaturity.

3) Can you identify whether personal data or special-category data was intentionally included in training datasets?

Regulatory hook: GDPR Article 9 for special-category data; GDPR Article 35 for DPIA scoping.

This matters for legal, healthcare SaaS, and insurance teams. A vendor does not need to reveal trade secrets. They do need a defensible answer.

Category B: Model retention and fine-tuning

4) What is your retention period for prompts, completions, and uploaded files?

Regulatory hook: GDPR Article 5(1)(e) on storage limitation; GDPR Article 28(3)(g).

Push for product-specific answers, not policy poetry.

Q: 'What is your retention period for prompts and completions?'
Good answer: 'API: 30 days for abuse monitoring, zero-retention option available; Enterprise UI: configurable, default 30 days.'
Bad answer: 'As long as necessary for service operation.'

5) Do you offer zero-retention by default or as a contractual option?

Regulatory hook: GDPR Article 25 on data protection by design and by default.

Contract language to request: zero-retention by default, or zero-retention enabled for named workspaces and APIs.

6) Is customer data ever used for fine-tuning, evaluation, safety tuning, or human review?

Regulatory hook: GDPR Article 28(3); GDPR Article 32 on security of processing.

Vendors love to separate training from evaluation as if procurement will not notice. Ask about all four activities by name: training, fine-tuning, evaluation, human review.

Category C: Data residency and transfers

7) Where is data processed, stored, and backed up?

Regulatory hook: GDPR Articles 44-49 on international transfers.

You want the actual locations. Region names. Backup regions. Support access locations. Not “global infrastructure.”

8) What transfer mechanism applies if data leaves the UK or EEA?

Regulatory hook: GDPR Article 46.

Ask whether they rely on the 2021 SCCs, the UK IDTA, the UK Addendum, or an adequacy decision. If US transfers are involved, ask whether they certify under the EU-US Data Privacy Framework and whether all relevant subprocessors do too.

9) Can you provide a current sub-processor list and advance notice of changes?

Regulatory hook: GDPR Article 28(2) and 28(4).

Contract language to request: named data locations and a sub-processor list, with notice periods and objection rights.

Category D: AI-specific governance

10) Do you have an ISO 42001:2023 certificate, or at minimum a gap analysis against ISO 42001?

Regulatory hook: ISO 42001:2023.

Very few vendors have a certificate yet. That is fine. Ask for the gap analysis, ownership, remediation dates, and evidence. This is one of the fastest ways to separate mature AI governance from a polished sales deck.

11) Can you share your NIST AI RMF 1.0 profile across Govern, Map, Measure, and Manage?

Regulatory hook: NIST AI Risk Management Framework 1.0.

A serious vendor should be able to map controls, testing, incident handling, and monitoring to those four functions. If they cannot, your team will be doing their homework for them.

12) How have you classified the system under the EU AI Act, and what deployer obligations fall on us?

Regulatory hook: EU AI Act Article 27 for Fundamental Rights Impact Assessments by deployers in relevant cases.

Do not accept “not high risk” without reasoning. Ask for the legal basis, intended purpose, prohibited-use screening, and whether your use case could push the system into a higher-risk category.

13) If you are outside the EU, who is the importer or other responsible economic operator for EU market placement?

Regulatory hook: EU AI Act Article 28 on importer obligations.

This question gets skipped. It should not. If you are effectively bringing a non-EU AI system into the EU market, somebody owns importer obligations. Better to find out before signature than during a regulator conversation.

Category E: Commercial and contractual terms

14) What audit rights will you grant, and on what notice?

Regulatory hook: GDPR Article 28(3)(h).

Contract language to request: audit rights with reasonable notice, access to summaries of independent audits, and evidence for AI-specific controls where direct inspection is not practical.

15) What breach notification timeline will you commit to, and does it fit our clock?

Regulatory hook: GDPR Article 33 requires controller notification to the authority within 72 hours where feasible; processors must notify controllers without undue delay under Article 33(2).

Ask for hours, not “without undue delay.” If your team has 72 hours to assess and notify, the vendor cannot take three business days to send a vague email.

Takeaway: the 15-question AI vendor DD form

Lift this into your workflow today:

| Category | Question | Minimum acceptable evidence |
|---|---|---|
| Training data | Use of customer data for training | DPA clause stating no training by default |
| Training data | Training data provenance | Written provenance summary and licence controls |
| Training data | Special-category data handling | DPIA-relevant explanation |
| Retention | Prompt/output retention period | Product-specific retention schedule |
| Retention | Zero-retention option | Contract term or admin setting |
| Retention | Fine-tuning/evaluation/human review | Written opt-out or exclusion terms |
| Transfers | Processing and storage locations | Region list incl. backups |
| Transfers | Transfer mechanism | SCCs, IDTA, Addendum, adequacy evidence |
| Transfers | Sub-processors | Current list and notice clause |
| Governance | ISO 42001:2023 | Certificate or gap analysis |
| Governance | NIST AI RMF 1.0 | RMF profile across four functions |
| Governance | EU AI Act classification | Written classification rationale |
| Governance | Importer obligations | Named responsible party |
| Commercial | Audit rights | Contract clause with reasonable notice |
| Commercial | Breach timing | Specific notification timeline |

This is the floor. Not the ceiling.

For high-risk use cases, add legal review, model testing evidence, and a DPIA. For regulated teams, pair this with the 72-hour AI incident response playbook.

Discover which AI tools are already in your environment, sanctioned or not, before sending the DD form. Start a 7-day audit with Prytive.