The Essential AI Vendor Checklist
As the EU moves to full operational enforcement of its AI regulatory stack between 2025 and 2027, procuring AI services without proper due diligence creates both compliance and business risks.
Section 1: GDPR Compliance Questions
- ☐ Do you have a GDPR-compliant Data Processing Agreement available?
- ☐ Where is data stored? (Must be in the EU or in a country covered by an EU adequacy decision)
- ☐ Who are your sub-processors and do they have DPAs?
- ☐ What is your data breach notification process and timeline?
- ☐ How do you handle data subject access requests?
- ☐ What is your data retention and deletion policy?
Section 2: EU AI Act Compliance Questions
- ☐ What risk category does your AI system fall under (EU AI Act)?
- ☐ Do you have technical documentation per EU AI Act Article 11?
- ☐ For high-risk AI: Do you have a conformity assessment?
- ☐ Are your AI outputs explainable? (GDPR Article 22, EU AI Act transparency)
- ☐ Do you have human oversight mechanisms?
- ☐ Are you registered in the EU AI database (for high-risk AI)?
Section 3: Technical Security Questions
- ☐ ISO 27001 certification or equivalent
- ☐ SOC 2 Type II or equivalent audit
- ☐ Penetration testing frequency and most recent results
- ☐ API security standards and authentication
- ☐ Encryption standards (at rest and in transit)
Section 4: Business Continuity Questions
- ☐ SLA uptime guarantee (minimum 99.9% for business-critical AI)
- ☐ Data export capability (can you get your data if you leave?)
- ☐ Service continuity plan if vendor ceases operations
- ☐ European support team (language and timezone)