Procurement Checklist for AI Tools

Buying an AI tool without proper due diligence is one of the fastest ways to create a compliance liability. Data residency issues, training clauses that mean your content feeds a competitor’s model, no audit rights, no exit terms — these problems are common and almost entirely avoidable if the right questions are asked before a contract is signed.

This checklist covers the six areas that matter most.

1. Vendor Stability and Track Record

  • Company registered for three or more years
  • Publicly funded or operationally profitable — not running on a venture capital burn rate
  • Three or more customer references available from similar-sized organisations
  • SOC 2 Type II certification or equivalent security audit within the last 12 months
  • Errors and omissions insurance plus cyber liability coverage

2. Data and Security

  • Data centre location confirmed — EU, UK, or other jurisdiction with adequate protections
  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Audit trail logging who accessed what data and when
  • Data retention policy — how long is your data held after use ends?
  • Deletion process — can you request permanent, verifiable deletion?
  • UK GDPR Data Processing Agreement in place
  • Right to audit — can you independently verify security controls?

3. AI Model and Output Quality

  • Training data disclosed — what was the model trained on?
  • Bias testing documented — how was fairness assessed?
  • Accuracy benchmarks provided for your specific use case, not generic industry figures
  • Explainability — can the system explain its reasoning on request?
  • Performance guarantees in the contract, including an uptime SLA and error rate limits

4. Compliance and Legal

  • Data Processing Agreement covers UK GDPR specifically
  • Sub-processor list disclosed — who else has access to your data?
  • Liability cap is reasonable relative to contract value
  • Indemnification covers vendor-caused breaches rather than shifting the cost to you
  • Termination clause allows exit with reasonable notice and without punitive cost
  • Source code escrow agreement — if the vendor fails, can you recover your data?

5. Operational Readiness

  • Integration capability via API, webhooks, or documented manual process
  • Training and onboarding scope is defined — what is included and what costs extra?
  • Support response times for critical issues are specified in the contract
  • Model change notification — you are told when the underlying model is updated
  • Rollback capability — you can revert to a previous version if needed

6. Cost and ROI

  • Full pricing model defined — per user, per transaction, per month?
  • Hidden costs identified before signing: implementation, training, integration, support
  • Free trial or paid pilot available before full commitment
  • Price lock guarantee covering at least 12 months
  • Exit cost and data portability terms are clear

Negotiation Red Lines

These are the terms that should be dealbreakers if the vendor will not budge:

Do not accept:

  • No Data Processing Agreement
  • Unlimited liability transfer
  • No incident notification requirement
  • No audit rights
  • Vendor rights to use your data for model training without explicit consent

Terms worth pushing on in every negotiation: strong SLAs with defined accuracy and response commitments, a clear 30-day exit clause with data portability, a cap on annual price increases of 3–5%, and 30-day notice before any sub-processor changes.

The Final Rule

If a vendor will not answer these questions directly and in writing, move on. Good vendors are transparent about their security, their data practices, and their contractual terms. Reluctance to answer is itself an answer.

Need support with AI vendor evaluation?

Simon Steggles provides independent AI procurement advice for UK SMEs and public sector organisations.
