Trusq

Guide

AI vendor questionnaire: what to ask an AI tool supplier

Adopted 2026-06-28 · ≈ 1 min read · Dirk Baaijen

A ready-to-use questionnaire to vet an AI tool supplier before purchase, covering role (provider/deployer), data and training, security, sub-processors, AI Act status and exit. Adopt the questions into your procurement or vendor assessment.

Short answer: Before you buy an AI tool, vet the supplier. The ready-to-use questionnaire below covers the points that matter legally and operationally. Adopt them into your procurement or vendor assessment and keep the answers on file.

Questionnaire — AI tool supplier [tool/supplier]

Role & AI Act

  1. Are you the provider of the AI system, and what is my role (deployer/provider)?
  2. Does the system fall under an AI Act risk category (prohibited/high-risk/GPAI/transparency)? Substantiate.
  3. Do you provide the documentation and instructions for use (art. 13) I need?

Data & training

  1. Which data does the tool process, and where (EU/EEA)?
  2. Do you use our input to train models? If so, can it be turned off?
  3. How long do you retain data and how is it deleted?

Privacy

  1. Is a data processing agreement (GDPR art. 28) available?
  2. Which sub-processors (model, cloud, tool parties) are involved?

Security

  1. Which security measures and certifications (e.g. ISO 27001) do you have?
  2. How do you handle prompt injection, misuse and data leaks; how do you report incidents?

Continuity & exit

  1. Which availability and support arrangements apply?
  2. What is the exit strategy: data export and switching on termination?

Keep the answers with your procurement file; repeat the check on major changes.

How to use it

Send the questionnaire before selection, weigh the answers in your selection decision, and link them to your AI use policy and, for agents, the AI agent governance checklist.

Read also: Data processing agreement (GDPR art. 28).

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act) — provider/deployer roles and GPAI information duties.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR) — processor, security and sub-processors.
