Use these clauses as a starting point when negotiating contracts with AI vendors. They cover AI-specific risks that standard vendor contracts often miss - especially around training on your data, retention, audit evidence, and incident notification.
Vendor must not use Customer Data (including prompts, inputs, outputs, logs, or telemetry) to train, fine-tune, evaluate, or otherwise improve any model without explicit written consent. Training on Customer Data must be off by default (opt-in only); an opt-out that the Customer has to discover and switch on is not sufficient. The same restriction must flow down to Vendor's subprocessors and any upstream model provider Vendor relies on.
Vendor must disclose retention periods for Customer Data, including prompt/response logs and any derived artifacts (embeddings, fine-tuned weights, caches), and provide deletion within a defined SLA (e.g. 30 days) upon request or contract termination, covering backups as well as live systems, with written confirmation when deletion is complete.
Vendor must maintain an up-to-date subprocessor list, notify Customer of changes in advance, and support data residency requirements where applicable.
Vendor must maintain SOC 2 Type II (or equivalent), encrypt data in transit and at rest, enforce MFA, and implement least-privilege controls for internal access.
Customer must have the right to audit Vendor controls (or receive independent evidence such as SOC 2 reports) and to request additional attestations for AI-specific controls.
Vendor must notify Customer within a defined window (e.g. 24-72 hours) of any confirmed or reasonably suspected security incident involving Customer Data, including AI-specific incidents such as a prompt injection that exfiltrates Customer Data or a model, retrieval, or tenant-isolation misconfiguration that exposes one customer's data to another. Set the window so that Customer can still meet its own regulatory deadlines (for example, the 72-hour breach notification under GDPR), and require the notice to include what data was affected and what containment has been done.
Vendor must provide advance notice of material model changes that impact security, privacy, or performance (e.g. a new base model version, changed system prompts, or changed safety filters); include rollback options or a version-pinning period; and document each change.
Contract must address AI-specific risks (data leakage, hallucination-driven actions, misuse) and include appropriate liability limits and indemnities.
A clause library helps in procurement. Aona AI gives you continuous visibility into AI usage, vendor exposure, and audit-ready evidence.