AI Vendor Selection: 12 Questions to Ask Before Signing Any Contract

Published March 31, 2026 · 10 min read · GWN AI Team

Choosing the wrong AI vendor is expensive in ways that aren’t obvious until you’re trapped. Lock-in, data exposure, hidden costs, and SLA gaps don’t show up in demo calls—they show up 18 months later when you’re trying to leave.

We’ve built and integrated AI systems across dozens of use cases. These are the 12 questions we ask in every vendor evaluation. Use this as your pre-signature checklist.

Category 1: Data & Privacy

1. Where does our data live, and who has access to it?

Understand the full data residency picture: which cloud provider, which region, which employees of the vendor have access, and under what conditions. Compliance requirements (GDPR, HIPAA, SOC 2) will determine whether a vendor’s architecture is acceptable before you go any further.

Red flag: “We follow industry best practices” without specifics.

2. Will our data be used to train your models?

Many AI SaaS products use customer data to improve their models by default. This is an IP and competitive risk. Get the answer in writing. If the answer is yes and that’s unacceptable for your use case, you need to know now—not after your proprietary data has been ingested.

Red flag: “We may use anonymized data to improve our services” buried in page 47 of the ToS.

3. What is your breach notification timeline and process?

Regulations like GDPR require breach notification within 72 hours. If your vendor’s process is slower than your legal obligation, you have a compliance gap. Get their incident response playbook before you sign.

Category 2: Model Performance & Explainability

4. Can you explain why the model made a specific decision?

For high-stakes applications (hiring, lending, healthcare), explainability isn’t optional—it’s a regulatory and ethical requirement. Ask for a demo where the vendor shows you the reasoning trail behind a specific model output. “The model said so” is not an acceptable answer for regulated use cases.

5. What is your definition of model degradation, and how is it monitored?

Models drift over time as real-world data distributions change. Ask how the vendor monitors for this, what threshold triggers a retraining or alert, and what the response time is. If they don’t have a formal model monitoring process, you will be the one discovering degradation through declining business metrics.

Red flag: “We update the model periodically” with no defined SLA.

Category 3: SLA & Support

6. What are your uptime guarantees, and what is the credit structure for violations?

99.9% uptime sounds impressive until you calculate that it allows 8.7 hours of downtime per year. For mission-critical deployments, what’s the SLA for your specific tier? What do you actually receive (credits vs. refunds) if the vendor misses it? Credits that apply to future invoices are worth less than actual refunds.

7. What is your support response time for production model failures?

Distinguish between uptime SLAs (API returns a response) and quality SLAs (the response is correct and useful). Most vendors only guarantee the former. Push for a defined escalation path and response timeline for “the API is up but the model outputs are wrong”—which is the failure mode that will actually impact your business.

Category 4: Vendor Lock-In & Portability

8. In what format can we export all of our data if we leave?

Before you sign, understand your exit. Can you export all training data, fine-tuning datasets, and model weights in a standard format? How long does the export take? Is there a fee? The answer to this question determines whether you have a vendor relationship or a hostage situation.

9. How long would it realistically take to migrate to a competing platform?

Ask your own team, not the vendor. If the honest answer is “more than 6 months,” you have significant lock-in risk that should be reflected in how aggressively you negotiate the contract terms and pricing.

Category 5: Pricing

10. What does this cost at 10× our current projected volume?

Model the cost at scale before you sign. Usage-based pricing looks cheap at launch and can become catastrophically expensive at scale. Get a written projection from the vendor for your expected growth trajectory. Negotiate volume discount thresholds before you need them.

Red flag: “We can cross that bridge when we get there.”

11. What are the hidden costs? (Storage, egress, support tiers, rate limits)

The headline price rarely covers: data storage fees, data egress charges, API rate limit overages, premium support tier requirements to get an actual human, and professional services fees for integrations that were implied to be straightforward. Request a complete cost breakdown for your expected usage pattern, in writing.

Category 6: Roadmap & Partnership

12. What does your roadmap look like for the next 18 months, and how do pricing changes work for existing customers?

AI vendor pricing and capabilities are changing rapidly. What protections do existing customers have against price increases? How are breaking API changes communicated and how much notice is given? A vendor with a strong partnership mentality will have clear answers. A vendor treating you as a revenue unit won’t.

Frequently Asked Questions

What is the single most important question to ask an AI vendor?

The data question: Where does our data live, who has access to it, and will it be used to train your models? This determines your compliance posture, IP exposure, and competitive risk. Many AI SaaS products use customer data to improve their models by default.

How do I evaluate the risk of vendor lock-in with AI tools?

Ask: In what format can we export all of our data and fine-tuned model weights? And how long would it take your team to rebuild this capability on a competing platform? If the honest answer is “more than 6 months,” you have significant lock-in risk to negotiate around.

What SLA should I expect for AI model performance, not just uptime?

Most vendors only guarantee API uptime. Push for a definition of model degradation, a process for flagging and resolving it, and a timeline guarantee. If a vendor cannot define acceptable model quality metrics, that is a significant red flag.

How should I evaluate AI vendor pricing models?

Model the cost at 10× your current volume before you sign. Usage-based pricing looks cheap at launch and can become expensive at scale. Get a written projection from the vendor for your expected usage trajectory and negotiate volume discounts upfront.

Need Help Evaluating AI Vendors?

Our AI Blueprint engagement includes a vendor evaluation workshop—we review your shortlist, run the 12-question interview protocol with you, and help you negotiate terms that protect your interests.
