AI vendor due-diligence checklist
10 questions to ask any AI vendor before you sign for client-facing or firm-data work. Save the vendor's answers to a shared firm doc; they are useful for compliance audits later and for comparing vendors apples-to-apples.
Where is my data stored?
Why it matters: Data residency matters for state-jurisdiction privacy rules (California, Colorado, Virginia) and for institutional clients with specific regional requirements. US-only data residency is the default expectation for financial-advisor (FA) work.
Red flag: Vendor cannot answer, or says "globally distributed" without naming a primary region.
Do you train on my prompts, my files, or my outputs?
Why it matters: Free and consumer-tier AI tools often use your interactions to improve future models. For client-data work, you need an explicit "we do not train on customer data" commitment on the tier you're paying for.
Red flag: The "no training" clause is only on the highest enterprise tier, or carved out for "safety and abuse review."
What is your data retention policy and can I configure it?
Why it matters: SEC 17a-4 and FINRA 4511 require advisors to retain client communications for 3+ years and produce them on demand. Your AI vendor needs to either let you configure retention to match, or hold records longer than your firm requires (the better option).
Red flag: Retention is opaque, vendor-controlled, or shorter than your firm's record-keeping policy.
Are you SOC 2 Type II certified? When was your most recent audit?
Why it matters: SOC 2 Type II is the minimum table-stakes security audit: it attests that controls operated effectively over a review period. Type I is much weaker, a point-in-time check of control design only. The audit should be within the last 12 months.
Red flag: Only SOC 2 Type I, or the audit is over 18 months old, or the certification covers a different product line than the one you're buying.
Do you offer a Business Associate Agreement (HIPAA) or Data Processing Agreement (GDPR/state privacy)?
Why it matters: A BAA is required if any client communication might touch protected health information (clients with disability claims, medical-trust beneficiaries). A DPA is increasingly important for state-privacy compliance and prospect data.
Red flag: BAA/DPA is only offered at enterprise tier, or vendor cannot produce a standard DPA template within 5 business days.
What happens to my data if I cancel?
Why it matters: On cancellation you typically need: (a) the ability to export your data, (b) a documented deletion timeline, and (c) a deletion attestation you can show on your next compliance exam.
Red flag: Data export is manual or requires a paid migration, or deletion timeline is vague ("after a reasonable period").
Who at your company has access to my data, and under what circumstances?
Why it matters: For tools where your data is part of the product (meeting transcripts, document uploads), you need to know which roles can view it. Engineering for debugging? Customer success for support requests? "Just-in-time" access controls are best practice.
Red flag: Broad "all employees" access, or no documented internal access controls.
Do you support SSO (SAML/OIDC) and SCIM provisioning for our team?
Why it matters: For multi-advisor firms, SSO + SCIM are essential. SSO means a departing advisor loses access the moment IT disables their identity. SCIM auto-syncs team additions/removals.
Red flag: SSO only at the highest enterprise tier, or no SCIM support. (Acceptable for solo advisors; risky for any firm with 3+ users.)
What is your incident-response posture? Are you breach-disclosure-obligated?
Why it matters: You need to know when a breach happened and whether it touched your data. The SEC has tightened cybersecurity disclosure rules for advisors; if your vendor is slow to disclose, your firm is on the hook.
Red flag: No published incident-response timeline, or breach disclosure is "at our discretion" rather than within a contractual window (e.g., 72 hours).
Can I get a redlined sample MSA / DPA before I sign?
Why it matters: Most AI vendors offer click-through TOS at the entry tier but a real contract at enterprise. A clean redline negotiation is a tell that the vendor has done this with other regulated industries.
Red flag: Vendor refuses to provide a sample contract before a signed NDA, or insists on click-through TOS at the price point your firm requires.
A note on free trials and pilots
Running a 30-day pilot with 2-3 advisors is the single best AI vendor due-diligence step. The questions above are necessary; a pilot tells you what the questions can't — does the tool actually fit your workflow, do the AI features hold up on YOUR meeting types or YOUR documents, and is the vendor responsive when something breaks?