The assumption that gets businesses into trouble
Most SMEs choose AI tools the same way they choose other software: read a few reviews, try the free tier, sign up if it seems useful. The problem is that AI tools aren't like other software. They process your data — and often your clients' data — in ways that create legal obligations you can't opt out of after the fact.
By the time you discover that your AI vendor has been using your inputs to train its models, or that your data is stored on servers in a jurisdiction with no adequate privacy protections, or that the vendor has been acquired and your data processing agreement no longer applies, it's too late to undo the risk. You can only manage it.
The time to ask hard questions is before you sign up — not after.
Category 1: Data handling
This is the most important category, and the one most businesses skip. You need to understand exactly what happens to the data you enter into the tool.
- Is your data used to train the vendor's AI models? This is a non-negotiable question. Many consumer-tier AI products use user inputs to improve their models. If you're entering client information, confidential business data, or anything sensitive, this is a serious problem.
- Where is your data stored? Australian Privacy Principle 8 requires you to take reasonable steps to ensure overseas recipients of personal information comply with the APPs — or to obtain consent. You need to know where the servers are.
- Who has access to your data? Does the vendor's support team have access to your inputs? Are there subprocessors? Who are they?
- How long is your data retained? What happens to it when you close your account?
Category 2: Privacy compliance
Understanding your vendor's privacy posture matters because under Australian law, you remain responsible for personal information you collect, even when you've shared it with a third party for processing.
- Does the vendor have a privacy policy that clearly addresses data processing?
- Will they sign a data processing agreement (DPA) with you?
- Are they certified or independently audited against relevant standards (ISO 27001 certification, a SOC 2 report)?
- Do they have a breach notification process, and will they notify you promptly if your data is affected?
Category 3: Security
AI vendors vary enormously in their security maturity. Key questions:
- Is data encrypted in transit and at rest?
- What access controls exist on your data?
- Has the vendor undergone independent security audits? Can they share the results?
- What is their incident response process?
Category 4: Contract terms
Most AI tool subscriptions are governed by standard terms that heavily favour the vendor. Before signing anything significant, review:
- Intellectual property clauses. Do you retain ownership of your inputs and outputs? Does the vendor claim any licence over content you generate?
- Liability limitations. Most vendor agreements cap their liability at the amount you've paid them. If their tool causes you to breach client obligations, who's responsible?
- Exit rights. Can you export your data in a usable format? What happens to your data when you cancel?
- Change of terms. Can the vendor change the terms unilaterally, including data usage terms?
Category 5: Business stability
This category is underappreciated. AI startups are failing, pivoting, and getting acquired at a rapid rate. If you build workflows around a tool that then disappears, you have a business continuity problem.
- How long has the vendor been operating?
- Are they venture-backed? If so, what happens to your data if funding runs out?
- Do they have a stated policy on what happens to customer data in an acquisition or insolvency?
The five questions to always ask any AI vendor:
1. Is my data used to train your models?
2. Where is my data stored, and who can access it?
3. Will you sign a data processing agreement?
4. What is your breach notification process?
5. What happens to my data when I close my account?
Red flags that should make you walk away
- The vendor can't clearly answer whether your data is used for training
- They refuse to sign a DPA or say it's "not their standard process"
- Their privacy policy is vague about data retention and third-party access
- They have no independent security certifications for a tool you'd use with sensitive data
- Their terms allow them to change data usage policies without notice
When vendors won't answer your questions
A vendor who won't clearly answer your data handling questions is telling you something important. This isn't about being adversarial — it's about the fact that a legitimate enterprise vendor should be able to answer basic due diligence questions. If they can't or won't, that's a signal about how they'll treat your business relationship once you're a paying customer.
For enterprise-tier tools where significant personal information is at stake, it's reasonable to request a security questionnaire response or a copy of their SOC 2 report. Vendors who take security seriously will have these documents ready.
The bottom line
The fifteen minutes you spend asking these questions before signing up could save you from a privacy breach, a client relationship breakdown, or a regulatory inquiry. AI vendor assessment isn't a legal technicality — it's core business risk management.
Document your assessments. Keep records of the representations vendors make. If something goes wrong, you'll want to be able to demonstrate you took reasonable steps.