The 20-point checklist
Contract
1. Training-use prohibition
An express written commitment that your inputs and outputs will not be used to train the vendor's general models — consumer-tier terms frequently permit training by default; enterprise terms should prohibit it.
2. Unilateral-amendment controls
AI vendor terms change fast; require advance written notice of material changes and a right to terminate without penalty if a change is materially adverse.
3. Liability floor vs AI-specific exclusions
Check that the liability cap is meaningful against your exposure, and that AI-specific exclusions (output reliance, accuracy, hallucination) do not swallow the cap entirely.
4. SLA + deprecation notice
An uptime commitment with real remedies, plus a contractual notice period before models, endpoints, or features you depend on are retired or materially changed.
Data / POPIA
5. Section 21 operator agreement
If the vendor processes personal information on your behalf it is an operator — POPIA section 21(1) puts the duty on you, the responsible party, to have a written agreement covering security (s 19), breach notification, and confidentiality.
6. Section 72 transfer ground + residency
Identify the lawful ground for any cross-border transfer (most commonly contractual adequacy under s 72(1)(a)) and ask whether the vendor offers SA or EU data-residency options.
7. Retention and deletion
How long are prompts, outputs, and logs retained, can you configure zero-retention, and is abuse-monitoring retention separated from product retention?
8. Sub-processor transparency + objection
A published sub-processor list, advance notice of additions or changes, and a contractual right to object — AI stacks routinely involve multiple model and infrastructure sub-processors.
IP
9. Input ownership
You retain ownership of everything you submit, and the vendor's licence to your inputs is limited to providing the service to you — nothing broader.
10. Output ownership + licence breadth
Outputs should be owned by (or assigned to) you, not merely licensed back — and understand that identical or similar outputs may be generated for other customers.
11. Output IP indemnity + carve-outs
A vendor indemnity against third-party IP claims arising from outputs is increasingly available — but the carve-outs (customer fine-tuning, modifications, knowing infringement) decide what it is actually worth.
12. Fine-tune ownership
Who owns models fine-tuned on your data, and can you export, transfer, or compel destruction of those artefacts at exit?
Security / Governance
13. Certifications — verify scope
SOC 2 Type II or ISO 27001 reports are table stakes, but verify the certification scope actually covers the AI service you are buying, not just the vendor's corporate environment.
14. Breach-notification timelines
The vendor's notification window must be short enough for you to meet your own POPIA section 22 duty to notify the Information Regulator and affected data subjects.
15. Model-behaviour disclosures
Bias-testing and evaluation documentation, model cards or system descriptions, and notification when model behaviour changes materially in ways that affect your use case.
16. Section 71 automated-decision support
If outputs feed decisions with legal consequences for natural persons, POPIA section 71 restricts solely automated decisions — the vendor must support human review and the data subject's right to make representations.
Exit
17. Export formats
Your data, outputs, and configurations must be exportable in usable, machine-readable formats — not a proprietary dump that only the vendor's platform can read.
18. Deletion attestation
A written attestation of deletion on termination, covering production systems, backups, and sub-processors, with defined timelines.
19. Transition assistance
A defined post-termination assistance period and rate card so migration to a replacement vendor is contractually supported, not a favour.
20. What survives — trained artefacts
Be explicit that fine-tunes, embeddings, or aggregated learnings derived from your data do not survive termination without your written consent.
Red flags that should stop a deal
Consumer-tier terms for enterprise use
If the vendor expects your business to sign up on the same click-wrap terms as a free individual user, the data, IP, and liability positions will almost certainly be wrong for enterprise adoption.
Silence on training use
If the terms do not say whether your data trains their models, assume it does — silence is not a prohibition, and the implied licence may be broad enough to permit it.
No DPA offered
A vendor that processes personal information but offers no data processing agreement cannot support your POPIA section 21 obligation — that gap is your compliance failure, not theirs.
Indemnity disclaimed entirely
A vendor that disclaims all responsibility for third-party IP claims arising from its own outputs is shifting a risk it created onto you — at minimum, negotiate; at worst, walk.
How this maps to your own POPIA exposure
Adopting an AI vendor does not transfer your POPIA obligations to the vendor. Where the vendor processes personal information on your behalf, it is an operator and you remain the responsible party — the entity POPIA holds accountable for the lawfulness of the processing, the security of the personal information, and the rights of the data subjects.
Two consequences follow. First, the vendor's failures are your section 19 problem too: section 19 requires you to secure the integrity and confidentiality of personal information in your control, including information sitting in a vendor's systems on your instructions. A vendor-side breach lands on your section 22 notification duty to the Information Regulator and affected data subjects — which is why the breach-notification timeline in the vendor agreement (item 14) matters so much.
Second, the operator-agreement duty is yours under section 21(1): the responsible party must, in terms of a written contract, secure that the operator establishes and maintains the section 19 security measures. If your AI vendor never signed a DPA, the compliance gap belongs to you — not the vendor. That is why "no DPA offered" is a deal-stopping red flag rather than a negotiating inconvenience, and why this checklist treats the data group as non-negotiable wherever personal information is in scope. For vendors licensing AI capability into your own products, see the AI-SaaS agreements guide; for governing what staff do with AI tools day to day, see the workplace AI policy guide.
Frequently asked
What should we demand before adopting an AI tool?
Five things decide most of the risk: a written enterprise no-training commitment; clarity on where data is processed and stored, with a POPIA section 72 transfer ground; ownership of inputs and outputs, with an output IP indemnity; a POPIA section 21 operator agreement covering security, breach notification, and sub-processors; and defined exit terms — data export, deletion attestation, and portability of any fine-tuned artefacts. The 20-point checklist on this page expands each into contract language you can put to the vendor.
Can AI vendors train on our data by default?
On consumer and free tiers, often yes — the standard terms frequently reserve the right to use your inputs to improve the service, which includes model training. Enterprise tiers should not: leading vendors now offer no-training commitments as standard on paid business plans. The position is only safe if it is in writing in the agreement that binds your account — a help-centre article or marketing page is not a contractual commitment.
Do we need a data processing agreement with every AI vendor?
If the vendor processes personal information on your behalf — and most AI tools that touch customer records, employee data, documents, or support conversations do — then yes. POPIA section 21 requires the responsible party to secure, in a written agreement, that the operator establishes and maintains the security measures referred to in section 19. The duty to put that agreement in place sits on you, not the vendor.
Our preferred AI vendor is US-only. Can we use it under POPIA?
Usually, yes — section 72 of POPIA permits cross-border transfers on defined grounds, the most practical being that the recipient is subject to a binding agreement providing an adequate level of protection upholding principles substantially similar to POPIA (s 72(1)(a)). In practice that means a properly drafted DPA with cross-border transfer terms. Data-residency options (SA or EU processing regions) reduce the analysis further, so always ask whether they exist.
Are AI output IP indemnities real protection?
Increasingly, yes — several major AI vendors now indemnify customers against third-party copyright claims arising from generated outputs. But the carve-outs decide the real value: indemnities commonly fall away where you fine-tuned the model, modified the output, knew the output was infringing, or used the tool outside permitted use cases. Read the carve-outs before treating the indemnity as a reason to skip your own diligence.
What about free AI tools our staff already use?
Unapproved staff use of free-tier AI tools is the most common gap in SA companies' AI risk controls: free tiers typically permit training on inputs, offer no DPA, and give no enterprise commitments — yet staff paste client data, contracts, and personal information into them daily. The fix is a workplace AI policy that channels staff to approved, contracted tools and defines what may never be submitted to unapproved ones.
Should we run this checklist on every AI tool, or only the big ones?
Scale the depth to the data and the decisions. A tool that touches personal information or client confidential information, or that feeds decisions about people, warrants the full 20 points. A tool processing only public or synthetic data can be cleared on a shorter pass — training use, liability, and exit. The mistake is to let brand familiarity set the depth of review: well-known vendors' consumer tiers are often riskier than a smaller vendor's enterprise agreement.
What does an AI vendor contract review cost, and how fast?
From R7,500 for a review of a single AI vendor's agreement against this checklist, with redlined recommendations and a negotiation position on the points that matter. A 24-hour turnaround is available where procurement is time-pressured. Multi-vendor reviews and a reusable internal AI-procurement standard are quoted on scope.