This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
If you have already decided an AI service is useful to your business, the next question is whether the vendor's contract gives you enough control when something changes or goes wrong. This guide explains the AI vendor contract clauses that deserve a closer look, the commercial questions behind them and the points worth documenting before you sign or renew.
In short: Do not treat the privacy policy as a substitute for the contract. Check how the vendor may use your data, who owns inputs and outputs, what security commitments are actually binding, how incidents are handled, whether terms can change without approval and what happens to your data when the service ends.
Start with the business use case
Morgan manages operations at a 40-person business that has used an AI platform for nearly a year. The original purchase was approved quickly, and the team assumed the privacy policy covered everything important. Before renewal, Morgan reads the order form, master terms, data processing terms and linked policies together. Three gaps appear: submitted data may be used to improve services, security promises are mostly descriptive, and there is no clear deletion timetable after termination.
The business requests three focused amendments, records the vendor's responses and keeps the accepted position with the renewal approval. This does not remove every risk, but it creates a clearer and better documented decision.
1. Data use and model training
The first clause to check is what the vendor may do with prompts, uploaded files, customer records, feedback and generated outputs. Look beyond statements such as "we do not sell your data". That does not answer whether information may be retained, analysed, reviewed by people, used to improve the service or used to train models.
Check whether the contract distinguishes between customer content, usage data, telemetry, feedback and de-identified or aggregated data. Broad definitions can allow information derived from your use to be retained even after the original content is deleted. Ask whether training is disabled by default, available only on certain plans, or controlled through an account setting that an administrator could later change.
The US Federal Trade Commission has warned that companies should uphold their privacy and confidentiality commitments and has also discussed the risks of changing terms to obtain broader rights over customer data. These publications do not decide what your agreement should say, but they show why clear, consistent promises matter. See the FTC's guidance on privacy and confidentiality commitments and changes to terms of service.
2. Data location, subprocessors and transfers
Identify where business data may be stored and processed, not just where the vendor's head office is located. An AI service may rely on cloud hosting, model providers, content moderation services, analytics tools and support teams in several countries.
Look for a subprocessor list, the process for adding new subprocessors and whether customers receive advance notice. The practical question is whether your business can assess a material change before the new provider begins handling data. Also check whether the vendor offers region selection, data residency controls or contractual transfer mechanisms for customers operating across borders.
A contract does not need to list every server. It should give you enough information to understand the supply chain and the process used when that supply chain changes.
3. Security commitments and evidence
Sales pages often describe encryption, access controls and certifications. Confirm which of those statements form part of the agreement. A contract that only promises "reasonable security" may give less certainty than one that references a defined security schedule, audit report or control framework.
Useful questions include whether data is encrypted in transit and at rest, whether multifactor authentication and single sign-on are supported, how privileged access is controlled, how often independent testing occurs and whether the vendor will provide current assurance reports under confidentiality.
NIST's AI Risk Management Framework describes governance practices for risks arising from third-party AI systems and supply chains, including policies for third-party risks and contingency processes for failures or incidents. It is voluntary guidance, but it provides a useful structure for procurement questions. Review the NIST AI Risk Management Framework and its third-party risk outcomes.
4. Incident notification and cooperation
Check what counts as a security incident, when the notification clock starts and what information the vendor will provide. Phrases such as "without undue delay" may be appropriate in some agreements, but your business still needs to understand the vendor's process and whether it aligns with your own response plan.
The clause should address practical cooperation. Can the vendor provide the affected data categories, relevant dates, known impact, containment steps and updates as the investigation develops? Does it cover incidents involving subprocessors? Is notification sent to a named contact or merely posted to a status page?
A strict deadline is not automatically better if the first notice contains no useful information. Look for both timely notice and continuing updates.
5. Ownership, licences and generated outputs
Separate three issues: ownership of what your team submits, rights in generated output and the licence the vendor needs to operate the service. The contract may say you retain ownership while granting the vendor a broad, worldwide and perpetual licence. Read the licence, not just the ownership headline.
Check whether similar outputs may be produced for other customers and whether the vendor gives any protection against third-party intellectual property claims. Paid access does not make outputs exclusive, accurate or automatically safe for unrestricted commercial use. Feedback clauses should not quietly capture confidential workflows or datasets.
6. Accuracy, human review and permitted use
Most AI vendors disclaim responsibility for output accuracy. The important question is whether the rest of the contract and sales material creates a realistic picture of what the product can do. Record the intended use, required human checks and any decisions the system must not make without review.
The FTC has taken action over unsupported claims about AI product performance. Its enforcement activity is a reminder to compare contractual commitments with demonstrations, proposals and marketing claims. See the FTC's action concerning AI detection accuracy claims.
For higher-impact uses, ask for documentation about testing, limitations, monitoring and changes to the underlying model. The EU AI Act sets out obligations for providers and deployers in defined circumstances, particularly for high-risk systems. Businesses operating in or supplying the EU should review the official EU AI Act text and obtain appropriate advice about its application.
7. Indemnities, liability and insurance
Liability clauses decide who carries the financial impact of a claim, outage, data event or intellectual property dispute. Identify the general cap, exclusions from that cap and the period used to calculate it.
Review indemnities on both sides. Does the vendor cover third-party intellectual property claims? What exclusions apply if you modify an output or use the service outside instructions? Is your indemnity for customer content broader than the vendor's protection? Insurance can support, but does not replace, appropriate contractual protection.
8. Service changes, model changes and suspension
AI services can change quickly. The vendor may replace a model, remove a feature, alter limits or modify acceptable-use rules during the subscription term. Check which changes require notice and whether a material reduction in functionality gives you a right to terminate or receive a credit.
Review suspension rights as well. Immediate suspension may be reasonable for a genuine security threat or unlawful use, but broad wording can interrupt important workflows without a clear escalation path. Look for notice where practical, a way to challenge mistakes and access to export data when suspension is not caused by an urgent security issue.
9. Termination, export and deletion
Plan the exit before the service becomes embedded in daily operations. Check what data can be exported, in what format, for how long after termination and at what cost. Confirm whether prompts, outputs, configuration, logs and audit records are included.
The deletion clause should explain the normal deletion period, backup retention and any information the vendor may keep for legal, security or billing reasons. Ask whether deletion can be confirmed in writing. Also check whether de-identified or aggregated information survives termination and how the contract defines those terms.
For a business with custom integrations or a large knowledge base, exit assistance may matter as much as the subscription price. Negotiate it before the vendor relationship ends, when your bargaining position is stronger.
A practical review process
- Map the use. Record what the system will do, who will use it and what information will enter it.
- Collect every document. Include the order form and all terms or policies incorporated by reference.
- Mark the material clauses. Focus on data use, security, ownership, incidents, liability, changes and exit rights.
- Write questions in business language. Ask what happens in a realistic scenario rather than requesting vague "better protection".
- Prioritise gaps. Separate deal breakers from points the business can accept with controls.
- Record the outcome. Keep amendments, vendor answers, internal approvals and the reviewed contract version together.
- Set a review trigger. Revisit the position at renewal, after a major product change or before expanding into a higher-risk use.
This process is a planning tool, not legal advice. Contract significance varies by jurisdiction, industry, data type and use case. A qualified advisor can help assess wording and obligations for your business.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Is an AI vendor's privacy policy enough?
Usually not for a business procurement decision. A privacy policy may describe general data practices, while the contract determines binding rights, responsibilities, liability, service changes and exit terms. Review both, along with any data processing and security documents.
Which AI vendor contract clauses should be reviewed first?
Start with data use and training, confidentiality, security, incident notification, ownership of inputs and outputs, liability, service changes, termination, export and deletion. The priority should reflect what data enters the service and how important the service is to operations.
Can a small business negotiate standard AI terms?
Sometimes. Large vendors may not amend their standard terms for smaller accounts, but they may offer different enterprise plans, data controls, addenda or written explanations. A refusal to negotiate is still useful information because it helps the business decide whether internal controls or another vendor are needed.
How often should an AI vendor agreement be reviewed?
Review it before signing and at renewal, and also when the vendor changes its model, subprocessors, data practices or key features. A new use involving sensitive information or important decisions should trigger another review even if the subscription term has not changed.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Contract clauses are one part of a full vendor review. Use this due diligence checklist to prepare the complete set of questions before approval or renewal.
Read the Vendor Due Diligence Checklist