Vendor security due diligence

AI Vendor Security Posture Scrutiny Kit

You inherit a vendor's security posture the moment you connect them. Score it before you sign: mark six controls, get one verdict, and catch the two answers that should stop a deal.

SOC 2 is the box everyone checks — and it never tells you whether they train on your data or how you get it back. This kit makes the follow-up questions explicit and turns the answers into a go/no-go.
Get the Kit
$69one-time

instant download · .xlsx · yours to keep

The problem

You inherit their security posture as your own.

97%

of organizations that suffered an AI-related breach admitted they lacked adequate AI access controls.

72%

of S&P 500 companies now flag AI as a material risk in their public disclosures — up from 12% in 2023.

1 answer

"Will our data train your models?" The only acceptable answer is no — and most reviews never ask.

A clean SOC 2 logo is where most security reviews stop. But the report doesn't tell you whether your data trains their model, what their breach-notification window is, or how you get your data back when you leave. Those are the questions that decide the risk — and the ones this kit forces.

See it work

Mark six controls. Watch the disqualifier decide.

Try a preset:
Independent audit evidence (SOC 2 / ISO 27001)

A current SOC 2 Type II or ISO 27001 — the report, not a logo.

wt 20
Encryption & least-privilege access

In transit and at rest; least-privilege access controls.

wt 16
Won't train on your data (written opt-out) disqualifier

A written commitment your data isn't used to train a model. Only 'no' passes.

wt 20
Breach-notification SLA in the contract

A contractual notification window, not a privacy-policy line.

wt 16
Subprocessor & LLM-chain transparency

Current subprocessor list incl. which LLM providers they call.

wt 12
Deletion & exit (erasure + data return) disqualifier

Right-to-erasure, data return on termination, proof of deletion.

wt 16
RED FLAG
80
score / 100

Disqualifier: Won't train on your data (written opt-out) scored 0 — RED FLAG regardless of the 80 score. Get it in writing to release the gate.

Press first on: Won't train on your data (written opt-out)

Runs entirely in your browser and resets on reload. The downloadable workbook produces the identical verdict from the same marks. Scores the vendor posture you assemble, not people.

This is the live engine. Score every vendor on your shortlist in one workbook. Disqualifier gate catches the two answers that should stop a deal. Go / no-go rollup across the whole shortlist.

Get the kit — $69

The standard

Six controls. Two are deal-killers on their own.

Independent audit evidence

A current SOC 2 Type II (within 12 months) or ISO 27001 — the report itself, not a logo or a verbal claim. SOC 2 is necessary, not sufficient.

Encryption & least-privilege access

Encryption in transit and at rest, least-privilege access controls — evidenced, not 'we take security seriously.'

Won't train on your data

disqualifier

A written commitment that your data is not used to train their or a shared model. The only acceptable answer is no — and a disqualifier on its own.

Breach-notification SLA

A contractually specified notification window (GDPR's is 72 hours), not a line buried in a privacy policy.

Subprocessor & LLM-chain transparency

A current subprocessor list, including which LLM provider(s) they call and those providers' own data-handling terms.

Deletion & exit

disqualifier

Right-to-erasure on request, data return on termination, and proof of deletion. No exit path is lock-in you can't undo — the second disqualifier.

How it works

A weighted score — and a gate that overrides it.

Each control is weighted and marked 0, 1, or 2 from what the vendor actually produced. The marks roll into a 0–100 score, banded SOLID ≥ 75, PRESS FOR PROOF 50–74, RED FLAG < 50. The score tells you how broad the posture is.

The disqualifier gate: if a vendor trains on your data with no opt-out, or offers no deletion and exit path, the verdict is RED FLAG no matter how high the score — because neither fault is bought back by polish elsewhere. The gate worsens only, and releases the moment you get it in writing.

In the worked example, Acme Copilot scores 80 — a SOLID number — and still reads RED FLAG, because it trains on your data with no written opt-out. That is the gate doing its job.

What you'll see

One verdict per vendor, one go/no-go for the shortlist.

SOLID

Score ≥ 75 and neither disqualifier tripped. Worth a deeper review and a contract.

PRESS FOR PROOF

Gaps to close. Press for the evidence the weak controls are missing, then re-score.

RED FLAG

Score under 50, or a disqualifier tripped. Don't sign until it's fixed in writing.

The Dashboard rolls your whole shortlist up to CLEARED TO PROCEED, CONDITIONS TO MEET, or DO NOT PROCEED, and names the one control to press each vendor on first.

Who it's for

Anyone signing an AI or SaaS vendor that touches their data.

Built for
  • Founders and operators vetting an AI tool before it touches customer data.
  • Procurement and IT running a security review without a full GRC team.
  • Anyone comparing a shortlist of vendors on security, side by side.
The rest of the vendor lane

Scope. Scores the vendor posture you assemble from their answers and evidence — it never scans or connects to the vendor, nothing is uploaded, and it scores no person. A buyer's pre-signing aid, not a security audit, certification, or penetration test. Marketing-claim substantiation is governed by the FTC; not legal advice — have counsel review any agreement before you sign.

Common Questions

Straight answers before you buy.

A vendor's security posture on the six controls every 2026 vendor due-diligence checklist converges on: independent audit evidence (SOC 2 Type II or ISO 27001), encryption and least-privilege access, a written commitment not to train on your data, a contractual breach-notification SLA, subprocessor and LLM-chain transparency, and a deletion and exit path. You mark each control 0, 1, or 2 from what the vendor actually produced, and the engine returns SOLID, PRESS FOR PROOF, or RED FLAG plus the one control to press them on first.

Get the kit

Scrutinize the posture before you sign.

  • Six weighted controls, one verdict per vendor.
  • A disqualifier gate that catches the two deal-killers.
  • A shortlist go/no-go and the control to press first.
$69

one-time

Buy the Kit

← Browse all Quick Kits

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai