Blog

AI Vendor Due Diligence: The 20-Question Checklist

July 2026 · 7 min read · AI Strategy

A clipboard checklist under a magnifying glass, with two items ticked in terracotta
← Back to all posts

Signing an AI vendor is not the same as buying another SaaS licence. You are handing a third party a pipe into your customer records, your internal documents, and sometimes your regulated data. When something goes wrong, the regulator will not accept that the vendor was at fault as a defence. For Australian businesses under the Privacy Act, and for financial firms now covered by APRA CPS 230, the accountability for a third party sits with you.

A rushed procurement decision can be expensive. A mid-sized firm that has to unwind a failed AI rollout, migrate data out, and re-train staff can easily burn $45,000 in wasted licences and internal hours before it recovers. The fix is a disciplined set of questions asked before the contract is signed, not after the incident. Below is a 20-question checklist we run with clients across Sydney and beyond.

Why AI vendors need harder questions than ordinary software

Ordinary software processes the data you put into fixed fields. AI systems read unstructured content, infer things you did not explicitly provide, and often send that content to a model hosted somewhere else. Three risks follow from that: your data may be used to train someone else model, the output may be wrong in ways that are hard to detect, and the processing chain may cross a border you did not intend.

This is why we lead with Claude for regulated Australian work. Anthropic commercial terms do not train on your business data by default, and the deployment options make data residency answerable rather than vague. But the point of due diligence is that you verify these claims for any vendor, including ours, rather than taking a sales deck on trust.

The 20-question checklist

Group the questions into four themes. Ask every one in writing and keep the answers with the contract, because a written answer is what an auditor or the OAIC will want to see if there is ever an inquiry.

Data and privacy (questions 1 to 5)

  • Where is our data physically stored and processed, and can you keep it in Australia if we require it?

  • Is our content ever used to train or fine-tune your models, and how do we opt out in writing?

  • How long do you retain prompts, outputs, and logs, and can we set a shorter retention period?

  • Do you meet the Australian Privacy Principles, and will you sign a data processing agreement that names them?

  • If we process personal or health information, what sub-processors touch that data and where are they based?

Security and access (questions 6 to 10)

  • Do you hold a current SOC 2 Type II or ISO 27001 certification we can review?

  • How is data encrypted in transit and at rest, and who at your company can access our content?

  • What is your process for reporting a breach to us, and within how many hours?

  • Do you support single sign-on, role-based access, and audit logs we can export?

  • Have you had an independent penetration test in the last twelve months, and can we see the summary?

Compliance and accountability (questions 11 to 15)

  • If we are an APRA-regulated entity, can you meet the material service provider obligations under CPS 230?

  • For AUSTRAC-reporting businesses, how do you handle data that forms part of a suspicious matter report?

  • Who is liable if your model produces an output that causes us a regulatory or financial loss?

  • Can you provide references from other Australian customers in our industry?

  • What happens to our data and our obligations if you are acquired or shut down?

Reliability and exit (questions 16 to 20)

  • What uptime do you commit to, and what credits apply when you miss it?

  • How do you version and communicate model changes that could alter our outputs?

  • Can we export all our data and configurations in a usable format at any time?

  • What does offboarding cost, and how quickly is our data deleted after we leave?

  • Who is our named contact for support, and what are the guaranteed response times?

How to score the answers

A vendor does not need a perfect score. What matters is that the answers are specific, in writing, and consistent with the contract. Vague answers on data training, breach notification, or exit terms are the ones that turn into six-figure problems later. We usually flag any deal where three or more answers come back as a promise to follow up, and hold the signature until they are resolved.

Weight the questions by your exposure. A firm handling health records should treat questions 4, 5, and 8 as pass-or-fail. A financial services business should not sign without a clear CPS 230 answer on question 11. A A$120K annual contract deserves a legal review of the answers; a A$3,000 pilot may not, though the data questions still apply.

Where Claude fits, and how we help

For Australian firms that want a model with answerable data, security, and residency positions, Claude is a strong default, and we can help you run this same checklist against it and against any competing vendor. We build the procurement pack, sit in the vendor calls, and document the answers so your board or auditor has a clean trail.

If you are about to sign an AI vendor and want a second set of eyes on the contract and the claims, book a short call and we will walk your shortlist through the 20 questions together.

Ready to move from AI pilot to production?

We help mid-market Australian businesses deploy AI automations that actually reach production and deliver measurable ROI.