What security asks about
- SOC 2 Type II, ISO 27001, penetration test reports
- Data residency and sub-processor list
- Model training data policy
- Prompt-and-response retention
The AI-specific questions
Do they train on your data? How long are prompts retained? Can you delete on demand? Which model providers are in the loop?
What to require in the contract
Explicit no-training language. Deletion SLA. Notification on any sub-processor addition.