AI Vendor Evaluation Checklist

40 questions across 7 categories to evaluate any GenAI tool or vendor before you commit. Built for operators who move with precision.

Use this checklist before signing any contract or committing budget to a GenAI platform. For each item, score your vendor as Y (Yes — fully met), P (Partial — partially addressed or requires follow-up), or N (No — not addressed). Tally your scores by category to identify the specific risk areas requiring attention before you proceed. A strong vendor will score Y on 85% or more of these items without hesitation. Use any gaps as negotiation leverage or as a signal to look elsewhere.

01 — Security & Compliance

SOC 2 Type II certified — and the report is available upon request
GDPR and CCPA compliant data handling with documented processes
Data encryption at rest and in transit (AES-256 / TLS 1.2+ minimum)
Role-based access controls with granular permission management
Audit logs and access monitoring available to administrators
Defined SLA for security incident response and breach notification

02 — Data Privacy

Clear data retention and deletion policies with enforceable timelines
Customer data is not used for model training by default (opt-in only)
Option to opt out of all data sharing with third parties or affiliates
Data residency options available (US, EU, or region of your choice)
PII handling documented and compliant with applicable regulations
Third-party data sharing disclosed in DPA (Data Processing Agreement)

03 — Model Performance

Benchmark results on tasks relevant to your use case are provided
Ability to test the model on your own data before purchase or commitment
Hallucination rate documented, testable, or addressed with mitigations
Model versioning and rollback available — you control upgrade timing
Output consistency across repeated queries is measurable and documented
Human-in-the-loop options available for high-stakes workflows

04 — Integration & Technical

REST API with comprehensive, versioned documentation and sandbox environment
SSO / SAML 2.0 support for enterprise identity management
Webhook and event-driven architecture support for automation workflows
Rate limits clearly documented with enterprise tiers available
SLA for API uptime at 99.9% or higher with historical uptime published
SDK available for your primary tech stack (Python, Node, Java, etc.)

05 — Vendor Stability

Company is Series B or later, or demonstrably profitable — runway confirmed
Key personnel and leadership publicly disclosed; not anonymous
Customer references in your industry available and willing to speak
Roadmap transparency with a clear product update cadence (quarterly minimum)
Acquisition risk assessed — change of control clause exists in contract

06 — Support & Success

Dedicated customer success manager included at your contract tier
SLA for support response times documented and contractually binding
Onboarding program included — not gated behind an additional fee
Training resources and documentation are comprehensive and current
Active community or user group for peer learning and product feedback
Escalation path for critical issues is clearly defined and accessible

07 — Pricing & Contracts

Pricing model is aligned to your usage patterns — not punitive at scale
No hidden overage fees; all cost triggers fully disclosed upfront
Annual and monthly billing flexibility with no penalty for annual prepay
Data portability guaranteed upon contract termination — your data leaves with you
Exit clause and transition support are included and clearly defined

Scoring Guide

28+ Yes: Strong candidate. This vendor has done the work. Move forward with standard due diligence and negotiate the remaining gaps.
18–27 Yes: Proceed with caution. Address gaps explicitly in contract negotiations. Require written commitments on any unchecked items before signing.
Under 18: Significant risk — explore alternatives. A vendor who cannot satisfy basic security, privacy, and support requirements is not ready for enterprise deployment.
