AI Vendor Risk Scorecard

Score an AI vendor's privacy and security posture from their docs

Work through a 40-question scorecard evaluating an AI vendor's data handling, security certifications, breach notification procedures, subprocessor list, and contractual protections — outputs a weighted risk score and a procurement recommendation. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What does the scorecard evaluate?

It covers five domains — data handling and residency, security certifications such as SOC 2 and ISO 27001, breach notification commitments, the subprocessor list, and contractual protections like data processing agreements and training-data opt-outs. These are the areas that most often hide procurement risk.

AI vendor risk scorecard

Adopting an AI vendor means handing them — and often their subprocessors — your data and your users’ data. The AI vendor risk scorecard gives procurement and security teams a repeatable way to evaluate that exposure: a 40-question assessment across data handling, certifications, breach notification, subprocessors, and contractual protections, producing a weighted risk score and a clear recommendation. It runs entirely in your browser, so vendor details and answers never leave your machine.

How it works

The scorecard groups its questions into five risk domains. You answer each one from the vendor’s documentation, trust centre, sub-processor list, and contract — choices range from a strong positive (independently audited SOC 2 Type II, contractual breach notification within 72 hours, training-data opt-out) to a clear negative (no certifications, no DPA, undisclosed subprocessors). Each answer carries a weight reflecting its real impact on risk; the tool sums the weighted responses, normalises them to a 0-100 score, and maps that to a procurement recommendation. It also lists the lowest-scoring areas so you know exactly what to press the vendor on before signing.

The five risk domains in detail

Data handling and residency

Questions cover where data is stored, whether you can restrict it to a specific region, whether logs and model inputs are retained and for how long, and whether the vendor commits not to use your data for training. Data residency in the EU or UK can be important for GDPR compliance and for organisations with sector-specific data localisation requirements.

Security certifications

The key certifications assessed are SOC 2 Type II (an independent audit of security controls over a period, not just at a point in time), ISO 27001 (information security management standard), and penetration testing currency. Certifications should be independently audited and current — a self-assessed report carries materially less weight than a third-party audit.

Breach notification

Vendor breach notification must fit inside your own 72-hour reporting obligation to the supervisory authority. The scorecard assesses whether the vendor commits to notify within 72 hours, what they commit to include in the notification, and whether there is a clear escalation path.

Subprocessor list

AI vendors typically rely on a chain of subprocessors — cloud infrastructure, logging tools, moderation services. The scorecard checks whether the list is publicly available, whether new subprocessors require prior consent or only notice, and whether the vendor’s DPA flows down equivalent obligations.

Contractual protections

The final domain covers the legal framework: whether a GDPR-compliant DPA is available, whether standard contractual clauses cover international transfers, whether the vendor accepts your data processing terms or only its own, and whether the contract includes a no-training commitment.

Tips and notes

  • Source answers from evidence. Score what the vendor can document, not what a salesperson asserts — attach the source to each answer where you can.
  • Re-run at renewal. Certifications lapse and subprocessor lists change; a vendor that scored well last year may not now.
  • Use it to compare. Running the same scorecard across competing vendors turns vague impressions into a like-for-like comparison.
  • Pair with a DPIA. A strong vendor score does not remove your own Article 35 obligations for high-risk processing.