Vendor Due Diligence & Contracts — Foundations
EU AI Act Compliance Foundations (EU/UK aligned)
Key takeaways
- Treat model vendors like critical infrastructure: require safety/security evidence and incident SLAs.
- Contracts must secure your right to evaluate, monitor and withdraw safely.
Screening & criticality
- Classify vendors by data sensitivity, degree of model reliance and business impact; require enhanced due diligence for the critical tier.
DD questionnaire (AI-specific)
- Model provenance, training data sources/licences, eval results, safety policies, known limitations, red-team history.
Security & privacy
- Encryption, key management, egress controls, logging; whether your data is used for training; data regionality; a data processing agreement (DPA) and, for international transfers, SCCs (EU standard contractual clauses) or the UK IDTA (international data transfer agreement).
Safety & model risks
- Abuse handling, jailbreak mitigation, bias controls, content filters, harmful output suppression.
Attestations & evidence
- Third-party audits/assurance reports; conformity statements; model cards; vulnerability disclosures.
SLAs & incident duties
- Uptime/latency; incident notification times; cooperation duties; forensics; rollback support.
Licensing & IP
- IP ownership of outputs; indemnities; training on your data; derivative works; open-source obligations.
Acceptable use & constraints
- Sector bans; disallowed prompts; user content restrictions; rate limits; export controls.
Audit & termination
- Evidence access; audit rights; termination assistance; data deletion & model unlearning options.
Flow-downs & sub-processors
- Require the vendor to flow its obligations down to sub-processors; right to approve changes; maintained sub-processor registry and advance notice of additions.
Scoring & approval
- Weighted scoring (safety, security, privacy, performance, cost); go/no-go and conditions to proceed.
Due diligence checklist
- Due diligence complete; evidence captured; SLAs agreed; audit rights secured; termination plan in place; ongoing monitoring set up.
© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.