AI Vendor Security Posture Scrutiny Kit
You inherit a vendor's security posture the moment you connect them. Score it before you sign: mark six controls, get one verdict, and catch the two answers that should stop a deal.
instant download · .xlsx · yours to keep
The problem
You inherit their security posture as your own.
of organizations that suffered an AI-related breach admitted they lacked adequate AI access controls.
of S&P 500 companies now flag AI as a material risk in their public disclosures — up from 12% in 2023.
"Will our data train your models?" The only acceptable answer is no — and most reviews never ask.
A clean SOC 2 logo is where most security reviews stop. But the report doesn't tell you whether your data trains their model, what their breach-notification window is, or how you get your data back when you leave. Those are the questions that decide the risk — and the ones this kit forces.
See it work
Mark six controls. Watch the disqualifier decide.
A current SOC 2 Type II or ISO 27001 — the report, not a logo.
In transit and at rest; least-privilege access controls.
A written commitment your data isn't used to train a model. Only 'no' passes.
A contractual notification window, not a privacy-policy line.
Current subprocessor list incl. which LLM providers they call.
Right-to-erasure, data return on termination, proof of deletion.
Disqualifier: Won't train on your data (written opt-out) scored 0 — RED FLAG regardless of the 80 score. Get it in writing to release the gate.
Press first on: Won't train on your data (written opt-out)
Runs entirely in your browser and resets on reload. The downloadable workbook produces the identical verdict from the same marks. Scores the vendor posture you assemble, not people.
This is the live engine. Score every vendor on your shortlist in one workbook. Disqualifier gate catches the two answers that should stop a deal. Go / no-go rollup across the whole shortlist.
Get the kit — $69The standard
Six controls. Two are deal-killers on their own.
Independent audit evidence
A current SOC 2 Type II (within 12 months) or ISO 27001 — the report itself, not a logo or a verbal claim. SOC 2 is necessary, not sufficient.
Encryption & least-privilege access
Encryption in transit and at rest, least-privilege access controls — evidenced, not 'we take security seriously.'
Won't train on your data
disqualifierA written commitment that your data is not used to train their or a shared model. The only acceptable answer is no — and a disqualifier on its own.
Breach-notification SLA
A contractually specified notification window (GDPR's is 72 hours), not a line buried in a privacy policy.
Subprocessor & LLM-chain transparency
A current subprocessor list, including which LLM provider(s) they call and those providers' own data-handling terms.
Deletion & exit
disqualifierRight-to-erasure on request, data return on termination, and proof of deletion. No exit path is lock-in you can't undo — the second disqualifier.
How it works
A weighted score — and a gate that overrides it.
Each control is weighted and marked 0, 1, or 2 from what the vendor actually produced. The marks roll into a 0–100 score, banded SOLID ≥ 75, PRESS FOR PROOF 50–74, RED FLAG < 50. The score tells you how broad the posture is.
The disqualifier gate: if a vendor trains on your data with no opt-out, or offers no deletion and exit path, the verdict is RED FLAG no matter how high the score — because neither fault is bought back by polish elsewhere. The gate worsens only, and releases the moment you get it in writing.
In the worked example, Acme Copilot scores 80 — a SOLID number — and still reads RED FLAG, because it trains on your data with no written opt-out. That is the gate doing its job.
What you'll see
One verdict per vendor, one go/no-go for the shortlist.
Score ≥ 75 and neither disqualifier tripped. Worth a deeper review and a contract.
Gaps to close. Press for the evidence the weak controls are missing, then re-score.
Score under 50, or a disqualifier tripped. Don't sign until it's fixed in writing.
The Dashboard rolls your whole shortlist up to CLEARED TO PROCEED, CONDITIONS TO MEET, or DO NOT PROCEED, and names the one control to press each vendor on first.
Who it's for
Anyone signing an AI or SaaS vendor that touches their data.
- Founders and operators vetting an AI tool before it touches customer data.
- Procurement and IT running a security review without a full GRC team.
- Anyone comparing a shortlist of vendors on security, side by side.
- AI Vendor Claim & Contract Scrutiny Kit — scrutinizes the marketed claims ($69).
- AI Vendor Reliability & Spend-Justification Scorecard — grades uptime & renewal value ($79).
- AI Vendor & Sub-Processor Data-Flow Register — governs privacy & DPAs ($89).
Scope. Scores the vendor posture you assemble from their answers and evidence — it never scans or connects to the vendor, nothing is uploaded, and it scores no person. A buyer's pre-signing aid, not a security audit, certification, or penetration test. Marketing-claim substantiation is governed by the FTC; not legal advice — have counsel review any agreement before you sign.
Common Questions
Straight answers before you buy.
Get the kit
Scrutinize the posture before you sign.
- Six weighted controls, one verdict per vendor.
- A disqualifier gate that catches the two deal-killers.
- A shortlist go/no-go and the control to press first.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai