
AI TRAINING

AI Vendor Due Diligence for SMEs

Walk away with a repeatable checklist to evaluate any AI vendor in under two hours.

Format: workshop
Duration: 2–4h
Level: literacy
Group size: 4–16
Price / participant: €300–€600
Group price: €3K–€7K
Audience: SME operations managers, compliance leads, and founders responsible for selecting AI tools
Prerequisites: No technical or legal background required; participants should bring one or two AI vendors they are currently evaluating

What it covers

This compact workshop equips SME operations and compliance leads with a structured 10-question due diligence checklist, a guide to spotting Data Processing Agreement red flags, and a practical security-page reading framework. Participants complete a live vendor evaluation exercise and leave with a ready-to-use go/no-go decision template. The session is delivered in a single half-day, with roughly 60% hands-on application and 40% guided instruction. No legal or technical background is required.

What you'll be able to do

  • Apply a 10-question checklist to score any AI vendor within two hours
  • Identify at least five DPA red flags that create GDPR or data-sovereignty risk for SMEs
  • Navigate and interpret a vendor security page to extract relevant risk signals
  • Structure and run a productive 20-minute vendor reference call
  • Complete a go/no-go scoring template and justify the decision to stakeholders

Topics covered

  • 10-question AI vendor evaluation checklist
  • Reading and flagging Data Processing Agreements (DPA)
  • Interpreting vendor security and privacy pages
  • Conducting effective vendor reference calls
  • GDPR compliance red flags in AI contracts
  • Go/no-go decision framework and scoring template
  • Data residency and subprocessor risk for SMEs
  • Common contractual lock-in traps to avoid

Delivery

Delivered as a half-day in-person or remote session. Participants receive a printed or digital toolkit including the checklist, DPA annotation guide, reference-call script, and go/no-go template. The session is 60% hands-on: participants apply each tool to a real vendor of their choice in real time. A follow-up async Q&A channel is recommended for 2 weeks post-workshop to handle edge cases.

What makes it work

  • Assigning one named person as DPA reviewer before any vendor shortlist is finalised
  • Using the checklist as a shared document so legal, ops, and finance align on the same evidence
  • Running reference calls with companies of similar size and sector, not just those provided by the vendor
  • Scheduling a 6-month review date into the go/no-go template to reassess live contracts

Common mistakes

  • Relying solely on a vendor's self-reported security certifications without checking scope and expiry
  • Signing DPAs without verifying subprocessor lists and data residency clauses
  • Skipping reference calls because the sales process felt trustworthy
  • Conflating SOC 2 Type I with Type II and overestimating the security posture it signals

When NOT to take this

This workshop is not the right fit if your organisation already has a dedicated procurement or legal team with an established vendor risk management process — in that case, a deeper supplier risk framework or a CISO-led security review programme is more appropriate.
