This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
In short: Pay close attention to training data use clauses, liability caps, data retention on termination, and unilateral change-of-terms provisions. Most standard AI vendor contracts are written to favour the vendor by default, and several of these terms are genuinely negotiable, especially for a larger subscription commitment.
Why the contract matters beyond the marketing page
A vendor's public marketing and trust centre pages describe general practices, but the actual contract, usually called Terms of Service, a Data Processing Addendum, or an Enterprise Agreement, is what's legally binding if something goes wrong. These documents are rarely read closely before signing, and AI vendor contracts specifically often contain training-data and liability terms that differ meaningfully from what the marketing implies.
Training data use: read this clause specifically
Look for explicit language about whether your business's data, prompts, and outputs are used to train or improve the vendor's models. Many enterprise or business tiers now include an opt-out or an outright commitment not to train on customer data, but this is often a higher-tier feature, not a default across every plan the same vendor offers. Confirm that the specific plan you're actually signing up for carries this commitment, rather than relying on what the vendor's general policy page states.
Liability caps and what they actually cover
Most vendor contracts cap their liability at a modest multiple of fees paid, often 12 months' subscription cost, regardless of the actual damage a data breach or major failure might cause your business. This is standard practice across the software industry, not unique to AI vendors, but it's worth understanding what you're actually agreeing to: if the tool causes a serious problem, your practical recourse may be limited to a refund-scale amount, not the true cost of the incident.
What happens to your data when you leave
Check specifically what the contract says about data deletion on termination or non-renewal. Some vendors default to deleting data after a defined period, others retain it indefinitely unless you explicitly request deletion, and the difference matters if your business ever needs to demonstrate that former vendor relationships no longer hold your data. Get this in writing rather than assuming standard practice applies.
Unilateral changes to terms
Many standard-form contracts allow the vendor to change terms, including data handling terms, with only notice via email or a website update, not your explicit consent. For a business relying on a specific data-handling commitment as part of its own compliance posture, this is worth negotiating for anything beyond a low-stakes tool. Ask for a clause requiring your active agreement before any change to data-related terms specifically, even if other terms remain subject to standard notice.
What's actually negotiable
Standard-form terms for a small monthly subscription are rarely negotiable; vendors won't rewrite a contract for a single small customer. For a larger annual commitment or an enterprise-tier plan, training data opt-out, liability caps, and data deletion commitments become genuinely negotiable points, and it's reasonable to ask, even as a smaller business. The worst outcome of asking is being told no.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with AUD or other local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Tools are assessed for suitability by a business with no dedicated IT department.
Do I need a lawyer to review every AI vendor contract?
For a low-cost, low-stakes tool, reading the key clauses above yourself is usually sufficient. For anything handling sensitive client or financial data, or any meaningful annual spend, a lawyer's review is a reasonable investment relative to the risk.
Are liability caps in AI vendor contracts unusual or a red flag?
No, they're standard practice across most software contracts, not specific to AI or a sign of a bad-faith vendor. The point isn't to avoid liability caps entirely; it's to understand what they mean for your actual risk exposure.
What's the single most important clause to check if I only have time for one?
Training data use. It has the broadest ongoing implication for your business's information and is the one most likely to differ meaningfully between plan tiers of the same vendor.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.