Vendor Due Diligence for AI Tools: A 12-Point Checklist for EU SMBs

Updated 19 May 2026. Vendor due diligence is unaffected by the Omnibus deadline extension. Your enterprise customers and procurement teams ask for vendor compliance evidence today, not in 2027. Read what changed.

Most SMBs adopt AI tools without proper vendor due diligence — and discover the gap when a customer asks for compliance evidence. Here is a practical 12-point checklist your team can run through in 30 minutes per vendor.

The 12-point checklist

  1. Data Processing Agreement (DPA) — published, signed, filed.
  2. Hosting region — EU preferred. US hosting requires Standard Contractual Clauses (SCCs) for the transfer.
  3. Training on your data — default and opt-out clearly stated.
  4. Sub-processors — published list with notification on change.
  5. Security certifications — SOC 2, ISO 27001, recent reports.
  6. Breach notification — timeline supports your 72-hour GDPR clock.
  7. Audit rights — or readable audit reports provided.
  8. Data deletion — fast, with a documented technical mechanism rather than a contractual promise alone.
  9. AI-specific transparency — model card, system card.
  10. Output rights — commercial-use rights clear.
  11. SLA — uptime, support response, business continuity.
  12. Pricing and renewal — auto-renewal, notice, price-increase clauses.

When to walk away

  • No DPA available.
  • Default training on user data without opt-out.
  • Sub-processor list not published.
  • No security certifications and refusal to answer a security questionnaire.
  • Refusal to comply with data-deletion requests within a reasonable timeframe.

Done-for-you vendor due diligence

Ready AI Act's Premium Compliance Programme (€899) includes a full vendor due diligence assessment for your top 5 AI vendors — we run the 12-point checklist for each, score the risk, document the DPA status and sub-processor map. Delivered within 5 business days, reviewed by qualified ICT/privacy counsel.
