
AI Vendor Due Diligence Questionnaire

A structured set of questions to ask an AI vendor before procurement. Covers data handling, security, accuracy, bias, compliance, and support.

Updated 21 April 2026

Who is this for?

Procurement officers, IT managers, data protection officers, and decision-makers evaluating AI vendors for their organisation.

When to use it

When evaluating an AI tool or service before purchase. Send this questionnaire to the vendor as part of your due diligence process. Use the responses to inform your risk assessment and procurement decision.

Template

## AI Vendor Due Diligence Questionnaire

Send this questionnaire to any AI vendor you are evaluating. Use the responses to inform your risk assessment and procurement decision.

---

## Section 1: Company and Product

1. Company name and registered address:
2. Product/service name:
3. Brief description of the AI functionality:
4. How long has this product been available commercially?
5. How many UK customers currently use this product?

## Section 2: Data Handling

6. Where is customer data stored? (Specify data centre locations and any sub-processors that handle customer data)
7. Is UK data residency available? Yes / No
8. Is customer data used to train or improve AI models? Yes / No
9. If yes, can customers opt out of model training, and is opt-out the default?
10. How long is customer data retained after contract termination?
11. Can customer data be deleted on request, and is deletion confirmed in writing? Yes / No
12. Do you have a Data Processing Agreement (DPA) compliant with UK GDPR?

## Section 3: Security

13. Do you hold ISO 27001 certification? Yes / No (If yes, state the certificate scope and expiry date)
14. Can you provide a current SOC 2 Type II report? Yes / No (SOC 2 is an attestation report rather than a certification; ask for the report itself, not just a summary)
15. Do you hold Cyber Essentials or Cyber Essentials Plus? Yes / No
16. Do you support Single Sign-On (SSO, e.g. SAML or OIDC) and Multi-Factor Authentication (MFA)?
17. How do you handle security incidents? (Describe your incident response process, including how and when customers are notified)
18. When was your last penetration test? (Date, provider, scope, and whether high or critical findings have been remediated)

## Section 4: AI-Specific Risks

19. What measures do you take to prevent AI hallucinations/inaccurate outputs?
20. How do you address bias in your AI models?
21. Is there human oversight built into the system? If so, describe:
22. Do you provide transparency about how the AI reaches its outputs? (e.g. explanations, confidence scores, or source citations)
23. What testing and validation processes do you use before releasing model or product updates, and are customers notified of changes that may affect outputs?

## Section 5: Compliance

24. Is your product compliant with the EU AI Act? (If applicable, state the risk category the product falls into)
25. Do you comply with UK GDPR and the Data Protection Act 2018?
26. Have you conducted a Data Protection Impact Assessment for this product?
27. Can you provide evidence of compliance with relevant accessibility standards (WCAG)?

## Section 6: Support and Continuity

28. What support is included? (Hours, channels, SLA)
29. What happens to customer data if the company ceases trading, and can customers export their data in a standard format before termination?
30. What is your product roadmap for the next 12 months? (High level)

---

## Evaluation Notes

**Completed by:** ___________________________

**Date:** ___________________________

**Overall assessment:** Proceed / Proceed with conditions / Do not proceed

**Key risks identified:**

___________________________

**Conditions (if applicable):**

___________________________

---

*Use the responses to this questionnaire alongside your AI Risk Assessment Starter template to make an informed procurement decision.*

This questionnaire is a guide for due diligence conversations. The specific questions relevant to your procurement will depend on the nature of the tool, the data involved, and your organisation's risk appetite.