How long should AI tool due diligence take?

For a contract worth tens of thousands of pounds annually, expect two to four weeks of proper due diligence. That covers vendor research, security questionnaire responses, reference calls, legal review of the Data Processing Agreement and contract, and a paid pilot if appropriate. Compressing this into a fortnight is usually a sign that someone has already decided to buy and is treating procurement as a formality. The cost of buying badly is far higher than the cost of a slower decision.

Do we need a separate Data Processing Agreement for AI tools?

Yes. Your standard supplier contract is unlikely to cover the data handling specifics that AI tools introduce: model training rights, data residency, sub-processor disclosure and audit rights against AI-specific obligations. A UK GDPR Data Processing Agreement that explicitly addresses these points is a baseline requirement. If a vendor offers only their generic terms or refuses to redline a DPA, treat that as a red flag and stop the procurement.

What is a reasonable liability cap for an AI vendor contract?

There is no single right answer, but the cap should be proportionate to the realistic worst-case loss, not just the contract value. For a tool processing customer data or feeding regulated decisions, a cap set at the annual fee will not cover the cost of a serious breach. Push for a higher cap on data-related liabilities specifically, with vendor-caused breaches indemnified separately. If the vendor will not move, that tells you how much risk they think they are pushing onto you.

Should we always run a paid pilot before a full contract?

For anything beyond a small per-user subscription, yes. A paid pilot of four to eight weeks lets you test the tool against your data, your workflows and your accuracy expectations rather than the vendor's demo environment. Define success criteria in writing before the pilot starts, set a baseline so you can measure improvement, and treat the pilot as a genuine go or no-go decision. A vendor unwilling to pilot is usually a vendor whose product does not survive contact with real conditions.

How do we handle vendor rights to use our data for training?

The default position is that the vendor must not use your inputs or outputs to train their models without explicit, separately documented consent. Many standard vendor terms reserve broad rights to use customer data for product improvement. Strike that language out. If the vendor argues the model needs your data to perform well, that is a different conversation requiring a clear commercial benefit to you and stronger contractual protections. Silence on this in the contract is not silence: it usually means the vendor reserves the right.

What if the vendor will not answer our security questions?

Walk away. A vendor that cannot or will not document its security controls, sub-processors, data flows and incident response in writing is not a vendor you can defend to your board, your auditor or the ICO if something goes wrong. Reluctance to answer is itself an answer. Good AI vendors expect these questions, have prepared responses, and will share security documentation under NDA without resistance. The ones that resist are the ones that will create problems later.

Executive Resources · for UK SME leaders

Procurement Checklist for AI Tools

Buying an AI tool without proper due diligence is one of the fastest ways to create a compliance liability. This checklist covers the six areas that matter most before a contract is signed: vendor stability, data and security, model and output quality, compliance and legal terms, operational readiness, and cost and ROI. If a vendor will not answer these questions in writing, move on.

Why AI procurement is different from normal IT buying

Most procurement processes were written for software that does not learn, does not retain your inputs, and does not depend on a model owned by a third party that may change next quarter. AI tools break those assumptions. Data residency questions become harder. Training clauses can mean your content quietly feeds a competitor's model. Audit rights that nobody negotiated for cannot be invented after the fact, and exit terms that look reasonable on a one-page summary can become very expensive once a model is embedded in a workflow.

The six areas below are the ones Simon checks before signing off any AI tool for a UK SME. None of them are exotic. They are the questions a serious vendor will already have answers to.

Vendor stability and track record

An AI vendor running on venture capital that may not refinance is a different risk profile to one with paying customers and audited accounts. You are buying into the company's continued existence as much as the product. Ask about the company's age, funding model, customer references in similar-sized organisations, and recent independent security certification.

Company registered for three or more years.
Publicly funded or operationally profitable, not running on a venture capital burn rate.
Three or more customer references available from similar-sized organisations.
SOC 2 Type II certification or equivalent security audit within the last 12 months.
Errors and omissions insurance plus cyber liability coverage.

Data and security

This is the area most likely to surface UK GDPR problems after the contract is signed. Confirm where data is processed and stored, how it is protected in transit and at rest, who can see it, how long it is kept, and how it is deleted. A Data Processing Agreement that names the UK regime explicitly is non-negotiable.

Data centre location confirmed: UK, EU, or other jurisdiction with adequate protections.
Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
Audit trail logging who accessed what data and when.
Data retention policy with clear timescales for how long data is held after use ends.
Deletion process: can you request permanent, verifiable deletion?
UK GDPR Data Processing Agreement in place.
Right to audit: can you independently verify security controls?

AI model and output quality

Generic accuracy figures from the vendor's marketing site are not useful. You need accuracy benchmarks for your specific use case, evidence that bias has been tested, and a contractual position on uptime and error rates. Explainability matters more in some sectors than others, but the question should always be asked.

Training data disclosed: what was the model trained on?
Bias testing documented: how was fairness assessed?
Accuracy benchmarks provided for your specific use case, not generic industry figures.
Explainability: can the system explain its reasoning on request?
Performance guarantees in the contract including uptime SLA and error rate limits.

Compliance and legal

Read the liability cap before you read anything else. A liability cap that is small relative to the contract value tells you how much the vendor really thinks they are exposing you to. Push for indemnification on vendor-caused breaches, a sub-processor list, an exit clause that is not punitive, and code escrow if the vendor's failure would leave your data stranded.

Data Processing Agreement covers UK GDPR specifically.
Sub-processor list disclosed: who else has access to your data?
Liability cap reasonable relative to contract value.
Indemnification covers vendor-caused breaches and is not passed to you.
Termination clause allows exit with reasonable notice and without punitive cost.
Source code escrow agreement: if the vendor fails, can you recover your data?

Operational readiness

The tool has to fit into how your team actually works. Confirm integration options before the contract, not after. Check that training and onboarding scope is written down, that critical-issue support response times are in the contract rather than the marketing collateral, and that you will be told when the underlying model changes underneath you.

Integration capability via API, webhooks, or a documented manual process.
Training and onboarding scope defined: what is included and what costs extra?
Support response times for critical issues specified in the contract.
Model change notification: you are told when the underlying model is updated.
Rollback capability: you can revert to a previous version if needed.

Cost and ROI

AI pricing models are still volatile. Per-user, per-transaction and per-month models all have hidden cost shapes that show up at scale. Get the full pricing model in writing, identify implementation, training, integration and support costs before signing, and lock the price for a defined period.

Full pricing model defined: per user, per transaction, per month?
Hidden costs identified before signing: implementation, training, integration, support.
Free trial or paid pilot available before full commitment.
Price lock guarantee covering at least 12 months.
Exit cost and data portability terms are clear.

Negotiation red lines and the final rule

Some terms should be dealbreakers. Do not accept: no Data Processing Agreement, unlimited liability transfer, no incident notification requirement, no audit rights, or vendor rights to use your data for model training without explicit consent. Terms worth pushing on in every negotiation are strong SLAs with defined accuracy and response commitments, a clear 30-day exit clause with data portability, a cap on annual price increases of 3 to 5 per cent, and 30-day notice before any sub-processor changes.

The final rule is simple. If a vendor will not answer these questions directly and in writing, move on. Good vendors are transparent about their security, their data practices, and their contractual terms. Reluctance to answer is itself an answer.

Take the next step

Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.

Frequently asked questions

Related resources

Executive Resources

Find Out Where AI Can Save or Generate Money in Your Organisation

Book a free 30-minute call with Simon. Bring a real problem — staff time, governance worry, vendor proposal, failing pilot — and leave with a concrete first step you can take next week.

07973 210 895