AI Vendor Security Questionnaire: 30 Questions to Ask Before Signing a DPA

LLM due diligence checklist with scoring, DPA clauses, and AI-011 intake workflow.

Resource guide · Updated 2026 · 18 min read

Procurement teams evaluating LLM API providers, fine-tuning platforms, or embedded AI features in SaaS commonly receive a standard DPA that omits AI-specific risks — prompt retention, training use, jurisdictional routing, output IP exposure, and limited model transparency.

Standard DPAs were written for databases and SaaS applications, not for probabilistic models that retain prompts for training, route data across jurisdictions, generate outputs with IP risk, and operate as black boxes with limited transparency.

This guide provides a production-ready AI vendor security questionnaire: 30+ copy-paste questions by risk domain, a scoring model, evidence requests, and mapping to AI-011 Vendor Intake and AI-012 DPA Addendum workflows.

Legal disclaimer

Operational guidance only. This guide supports AI vendor due diligence. It is not legal advice. Engage counsel for contract negotiation and regulatory obligations.

Also called

LLM due diligence checklist, third-party AI risk assessment, AI procurement review — same structure regardless of name.

Quick Self-Assessment: Vendor Review Readiness

  • We classify AI vendors differently from traditional SaaS
  • We require model-specific disclosures (training, retention, fine-tuning)
  • We verify whether prompts are used for model improvement
  • We require jurisdictional transparency for inference routing
  • We have a DPA addendum addressing AI-specific risks

5/5: ahead of most peers · 3–4: foundation, needs AI enhancements · 0–2: use this questionnaire as the baseline.

AI Vendor Risk Tiering Matrix

| Tier | Criteria | Scope | Approval |
|---|---|---|---|
| Critical | PII/PHI, customer-facing AI, business decisions | Full 30+ questions + contract negotiation | CISO + Legal + Business Owner |
| High | Internal business data, employee workflows | Core ~20 questions + DPA addendum | Security Lead + Legal |
| Medium | Non-sensitive read-only, prototyping | Basic ~10 questions + standard DPA | Business Owner + Procurement |
| Low | Public data only, no persistence/fine-tuning | Self-attestation + annual re-check | Procurement |

When uncertain, default to a higher tier. Scale down after evidence, not after an incident.

Vendor Evaluation Scoring Model

| Response | Score | Meaning |
|---|---|---|
| ✅ Acceptable | 2 | Meets requirements |
| ⚠️ Negotiation | 1 | Partial; contract terms needed |
| ❌ Red flag | 0 | Dealbreaker or executive risk acceptance |

  • 50–60 points → Low residual risk; standard onboarding
  • 35–49 points → Medium risk; extra controls + executive sign-off
  • Below 35 → High risk; executive review or decline

Pro tip: Weight critical questions (Q1, Q4, Q25, Q28) at 3 points each.
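
The scoring model above as runnable Python, added here as an example and not part of the original guide or toolkit. It assumes critical questions count 1.5x and that totals are rescaled to the 60-point scale so the published bands still apply to tier-scoped question sets; `evaluate`, `Evaluation` and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass

# Response values from the page's scoring model.
ACCEPTABLE, NEGOTIATION, RED_FLAG = 2, 1, 0
# Questions the page's pro tip weights at 3 points each.
CRITICAL = {"Q1", "Q4", "Q25", "Q28"}
# Assumption: a critical question counts 1.5x, so "Acceptable" earns 3.
CRITICAL_WEIGHT = 1.5
# The page's bands sit on a 60-point scale (30 questions x 2 points).
SCALE = 60


@dataclass
class Evaluation:
    score: float             # normalized to the 60-point scale
    band: str
    red_flags: list          # question ids answered with a red flag
    needs_exec_review: bool


def evaluate(responses):
    """Score a dict mapping question ids ("Q1", "Q2a", ...) to 2, 1 or 0."""
    if not responses:
        raise ValueError("no responses to score")
    earned = possible = 0.0
    red_flags = []
    for qid, value in responses.items():
        if value not in (ACCEPTABLE, NEGOTIATION, RED_FLAG):
            raise ValueError(f"{qid}: response must be 2, 1 or 0")
        weight = CRITICAL_WEIGHT if qid in CRITICAL else 1.0
        earned += value * weight
        possible += ACCEPTABLE * weight
        if value == RED_FLAG:
            red_flags.append(qid)
    # Assumption: rescale so tier-scoped question sets and the extra weight
    # still map onto the page's 50-60 / 35-49 / below-35 bands.
    score = round(SCALE * earned / possible, 1)
    band = ("Low residual risk" if score >= 50
            else "Medium risk" if score >= 35 else "High risk")
    # A red flag is a dealbreaker or needs executive risk acceptance, so it
    # forces review even when the total lands in the low band.
    needs_exec = bool(red_flags) or band != "Low residual risk"
    return Evaluation(score, band, red_flags, needs_exec)


# Constructed sample: a High-tier vendor answering a 20-question core set.
SAMPLE = {f"Q{n}": ACCEPTABLE for n in range(1, 21)}
SAMPLE.update({"Q1": RED_FLAG, "Q4": NEGOTIATION, "Q7": NEGOTIATION})
```

The sample lands in the low band on points alone, yet the red flag on Q1 still forces executive review, which is why the total should never be read without the red-flag list.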

Which Questions Matter Most by Vendor Type

LLM API providers

Prioritize Q1–Q4, Q2a, Q16, Q24–Q25 — training opt-out, retention, routing, versioning, audit logs.

AI SaaS platforms

Prioritize Q20, Q24–Q25, Q5, Q27 — SSO/SCIM, logging, subprocessors, DPA addendum.

Fine-tuning platforms

Prioritize Q12–Q13, Q28, Q32 — training isolation, output rights, export, deletion post-training.

Embedded AI features

Prioritize Q5, Q1, Q3, Q13, Q33–Q34 — hidden subprocessors, retention, vector/RAG controls.

AI-012 DPA Addendum: Key Clauses to Negotiate

When standard DPAs fall short, attach AI-specific terms from AI-012 as Exhibit B. Align privacy processor terms with PRI-004.

  1. Training Data Exclusion: no use of prompts/inputs/outputs/embeddings for training without written authorization
  2. Zero-Retention Option: in-memory processing on request
  3. Output Ownership: customer retains all rights in outputs
  4. Inference Routing Transparency: disclose regions; selectable routing where feasible
  5. Subprocessor Notification: 30 days notice before new AI subprocessors
  6. Model Change Management: 90 days notice before material model changes; migration guidance
  7. AI Incident Response: notify within 24 hours of breach/model compromise affecting customer data
  8. Audit Rights for AI Controls: annual evidence of bias testing, injection defenses, output filtering
  9. Data Portability: return/delete embeddings and fine-tuned weights in portable format on termination

Major LLM APIs

OpenAI, Anthropic, and similar vendors often won’t negotiate individual DPAs. Minimize risk via settings (training opt-out, data restrictions), compensating controls (prompt DLP), and documented executive risk acceptance.

The 30+ Question AI Vendor Security Questionnaire

Copy into your AI-011 intake. Request evidence: SOC 2, ISO certs, subprocessor list, DPA, model card, retention docs, pentest summary.

Data handling & retention (Q1–Q9)

| # | Question | Red flag |
|---|---|---|
| 1 | Do you retain customer prompts/inputs for training or improvement? | “Anonymized improvement” without clear opt-out |
| 2 | Retention period and deletion process if retained? | No customer-controlled deletion |
| 2a | Zero-retention / in-memory-only processing mode? | Mandatory logging with no opt-out |
| 3 | Opt out of prompt logging entirely? | Logging required for reliability, no exceptions |
| 4 | Where are inference requests processed (regions)? | Global routing without disclosure |
| 5 | Subprocess data to third-party model providers? | Subprocessors without notice or list |
| 6 | Tenant isolation during inference? | Generic multi-tenant only |
| 7 | Customer-managed encryption keys (BYOK)? | Platform-only encryption |
| 8 | Breach notification timeline? | Only “per applicable law” |
| 9 | Do documents enter a vector/RAG database? | Vector architecture “proprietary” |

Model governance & transparency (Q10–Q18)

| # | Question | Red flag |
|---|---|---|
| 10 | Model card / system card available? | No disclosure of capabilities/limitations |
| 11 | Training data sources; exclusion options? | No recourse on training composition |
| 12 | Bias, fairness, safety evaluations documented? | Generic filters only |
| 13 | Fine-tuning on customer data: protection & deletion? | Cross-customer model improvements |
| 14 | Configurable output filtering (PII, toxicity, copyright)? | Non-customizable moderation |
| 15 | Copyright/IP claims process and indemnification? | Customer solely liable for outputs |
| 16 | Audit/validate model behavior for our use case? | No external validation |
| 17 | Model versioning and deprecation policy? | Updates without notice |
| 18 | Documented AI governance (ISO 42001 / NIST AI RMF)? | “Frameworks not applicable” |

Q18 context: ISO 42001 certification is still emerging — focus on underlying controls, not the certificate alone.

Security & compliance (Q19–Q26)

| # | Question | Red flag |
|---|---|---|
| 19 | SOC 2 Type II, ISO 27001, or equivalent? | “Pursuing” without evidence |
| 20 | API key management and rotation? | Long-lived vendor-only keys |
| 21 | SSO/SAML and SCIM? | Manual user admin only |
| 22 | Vulnerability disclosure and patching SLA? | No committed timelines |
| 23 | Pentest/red team for AI attack vectors? | AppSec only |
| 24 | Prompt injection / jailbreak defenses? | Training-only; no runtime filters |
| 25 | Audit logs of API usage, prompts, outputs? | Logs only via support ticket |
| 26 | Embedding protection and deletion in vector DBs? | No customer-accessible deletion |

Legal & contractual (Q27–Q34)

| # | Question | Red flag |
|---|---|---|
| 27 | DPA includes AI-specific addendum? | One-size DPA for all services |
| 28 | Who owns model outputs? | Vendor license to customer outputs |
| 29 | Indemnification for copyright/IP claims? | Excludes third-party IP |
| 30 | Liability caps for AI-specific failures? | No liability for accuracy/appropriateness |
| 31 | Terminate for cause if data practices change? | No unilateral termination rights |
| 32 | Export fine-tuned models on switch? | Proprietary, non-portable weights |
| 33 | Export/destroy embeddings on termination? | Deletion not customer-accessible |
| 34 | Vector stores isolated per customer? | Isolation not disclosed |

Q29 context: Major LLM APIs often don’t offer broad output IP indemnification — use filters, takedown process, and legal sign-off.

Automatic escalation triggers

Escalate to security/legal immediately if a vendor:

  • Uses prompts for training without explicit opt-in
  • Refuses to disclose subprocessors or inference regions
  • Won’t commit to breach notification timelines
  • Refuses AI control audit rights
  • Can’t explain retention/deletion
  • Updates models without notice or migration path
  • Retains rights to outputs or fine-tuned models
  • Lacks vector/embedding isolation

Negotiation priority matrix

| Priority | Focus | Key questions |
|---|---|---|
| 🔴 Must have | Data control & ownership | Q1, Q8, Q27, Q28 |
| 🟡 Strongly prefer | Transparency | Q4, Q5, Q10, Q18, Q25 |
| 🟢 Nice to have | Advanced controls | Q7, Q21, Q16, Q32–Q34 |

AI-011 Vendor Intake Workflow

RACI

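| Activity | Procurement | Security | Legal | Business |
|---|---|---|---|---|
| Classify risk tier | R | C | I | C |
| Send questionnaire | R | C | C | I |
| Review security answers | I | R | C | I |
| Review DPA terms | I | C | R | I |
| Score & escalate | C | R | C | I |
| Approve onboarding | C | C | C | A |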

R = Responsible, A = Accountable, C = Consulted, I = Informed

Steps

  1. Classify — use tiering matrix; log in AI-006 (e.g. AI-VEN-003,OpenAI,GPT-4 API,High,Annual).
  2. Send questionnaire — written answers from security/legal, not sales only; ~10 business day deadline.
  3. Score — 2/1/0 model; weight critical questions; document risk acceptances.
  4. Negotiate AI-012 addendum for gaps.
  5. Approve & monitor — RACI sign-off; annual or trigger-based re-validation.

Vendor non-response

  1. Follow up (+5 business days)
  2. Escalate to vendor relationship manager
  3. Engage vendor security directly
  4. Offer a call if written response stalls
  5. Document non-response as a risk factor
  6. For Critical tier, treat persistent non-response as a potential dealbreaker

Evidence for audits

| Evidence | Supports |
|---|---|
| Completed questionnaires + evaluations | SOC 2 CC3.2, ISO 42001 A.8.2, GDPR Art. 28(8) |
| Risk tier documentation | SOC 2 CC3.1, ISO 42001 A.5.2 |
| Negotiated AI DPA addenda | SOC 2 CC9.2, GDPR Art. 28(3) |
| SOC 2 / ISO / pentest summaries | SOC 2 CC3.2, ISO 42001 A.10.2 |
| Stakeholder approval records | SOC 2 CC1.2, ISO 42001 A.5.3 |
| Annual re-validation logs | ISO 42001 A.8.3, SOC 2 CC7.2 |

Shadow AI discovery

Include unsanctioned tools: browser assistants, meeting AI, CRM AI, Copilot/Cursor, support AI, Notion/Grammarly AI. Tactics: SSO logs, expense reports, engineering surveys, API endpoint monitoring. See the dedicated shadow AI inventory spreadsheet guide and ISO 42001 register walkthrough.
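
One way to apply the API endpoint monitoring tactic, added here as an example and not part of the original guide: match egress proxy logs against known LLM API hosts and report traffic to vendors missing from the approved register. The log format, user names and register contents are constructed, and `unsanctioned_ai_usage` is a hypothetical helper; the three hostnames are the public API hosts of the providers this page names.

```python
from collections import Counter

# Hosted LLM API endpoints to watch for in egress logs; extend as needed.
AI_API_HOSTS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google",
}

# Constructed stand-in for the AI-006 register: vendors already approved.
APPROVED_VENDORS = {"OpenAI"}

# Constructed proxy log lines: "<timestamp> <user> <method> <host:port>".
SAMPLE_LOG = """\
2026-01-12T09:14:02Z alice CONNECT api.openai.com:443
2026-01-12T09:15:40Z bob CONNECT api.anthropic.com:443
2026-01-12T09:16:11Z bob CONNECT api.anthropic.com:443
2026-01-12T09:17:55Z carol CONNECT example.com:443
malformed line
2026-01-12T09:20:03Z dave CONNECT API.Anthropic.com.:443
"""


def unsanctioned_ai_usage(log_text, approved=APPROVED_VENDORS):
    """Return {(user, vendor): hits} for AI API traffic to unapproved vendors."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, user, _, target = fields
        # Normalize before matching: drop the port, trailing dot and case.
        host = target.rsplit(":", 1)[0].rstrip(".").lower()
        vendor = AI_API_HOSTS.get(host)
        if vendor and vendor not in approved:
            hits[(user, vendor)] += 1
    return dict(hits)
```

Each (user, vendor) pair in the result is a candidate entry for the AI-011 intake rather than proof of misuse; embedded AI features inside approved SaaS tools will not appear in this kind of log.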

Major LLM providers (OpenAI, Anthropic, Google)

Same questionnaire — emphasize Q1–Q5, Q16, Q25, Q28–Q29. Expect limited DPA negotiation; document compensating controls and annual re-review.

Get the AI-011 Vendor Intake Kit

Procurement-ready questionnaire and DPA addendum from the AI Governance Toolkit.

  • AI-011 vendor security intake questionnaire (docx)
  • AI-012 AI vendor contracting & DPA addendum
  • Pair with AI-006 system register for approved vendors
  • Align processor terms with PRI-004 for GDPR/CCPA

FAQ

What if the vendor refuses to answer questions?
Document refusal, escalate, and factor into tiering. Critical vendors should not withhold core data-handling answers.

How do we handle vendors who won’t negotiate DPAs?
Verify published policies, configure usage (training opt-out, data limits), implement compensating controls, and get executive risk acceptance in writing.

Annual re-evaluation?
Yes, or trigger-based review on new models, subprocessors, or policy changes.

Open-source or self-hosted models?
Adapt questions to deployment controls, training provenance, and output monitoring; same risk domains apply.

GDPR Article 28 alignment?
Q1–Q9 and Q27–Q34 map to processor contract requirements. Use PRI-004 for Article 28 clause structure.

Legal says “just sign their DPA”?
Share concrete AI gaps (training use, output IP, subprocessors). Frame as breach/regulatory risk reduction, not bureaucracy.

Implementation checklist

  • Classify vendor with tiering matrix
  • Send prioritized questions by vendor type
  • Score responses; escalate per triggers
  • Negotiate AI-012 addendum for critical/high vendors
  • Document risk acceptances with executive sign-off
  • Add vendor to AI-006 with review cadence
  • Configure technical controls (opt-out, logging, data limits)
  • Collect SOC 2, model card, subprocessor list, DPA
  • Schedule annual or trigger-based re-validation
  • Retain evidence mapped to audit controls

Complete this questionnaire before the first production prompt to an LLM API, AI SaaS platform, or embedded AI feature — due diligence upfront reduces incident remediation downstream.

Disclaimer: This guide supports vendor due diligence; it is not legal advice. Contract terms and regulatory obligations vary by jurisdiction and use case. Engage qualified legal counsel for DPA negotiation and risk acceptance decisions.