What does the scorecard evaluate?

It covers five domains — data handling and residency, security certifications such as SOC 2 and ISO 27001, breach notification commitments, the subprocessor list, and contractual protections like data processing agreements and training-data opt-outs. These are the areas that most often hide procurement risk.

How is the score calculated?

Each answer carries a weight reflecting how much it affects real risk. The tool sums the weighted answers, normalises to a 0-100 scale, and maps the result to a recommendation band. The weighting is transparent so you can see what drove the score.

Does answering require the vendor's cooperation?

Many answers come from public documentation — security pages, trust centres, sub-processor lists. The contractual questions usually need the vendor's DPA or a completed security questionnaire, so involve procurement for those.

Is anything sent to a server?

No. The whole assessment runs in your browser and nothing about the vendor or your answers is uploaded. You can copy the result to file it where you need.

Should the score be the only factor in a decision?

No. It is a structured, comparable input to a procurement decision, not a substitute for legal review, a security team's judgement, or a pilot. Use it to surface weak spots and standardise comparisons across vendors.

AI Vendor Risk Scorecard

AI vendor risk scorecard

Adopting an AI vendor means handing them — and often their subprocessors — your data and your users’ data. The AI vendor risk scorecard gives procurement and security teams a repeatable way to evaluate that exposure: a 40-question assessment across data handling, certifications, breach notification, subprocessors, and contractual protections, producing a weighted risk score and a clear recommendation. It runs entirely in your browser, so vendor details and answers never leave your machine.

How it works

The scorecard groups its questions into five risk domains. You answer each one from the vendor’s documentation, trust centre, sub-processor list, and contract — choices range from a strong positive (independently audited SOC 2 Type II, contractual breach notification within 72 hours, training-data opt-out) to a clear negative (no certifications, no DPA, undisclosed subprocessors). Each answer carries a weight reflecting its real impact on risk; the tool sums the weighted responses, normalises them to a 0-100 score, and maps that to a procurement recommendation. It also lists the lowest-scoring areas so you know exactly what to press the vendor on before signing.

Tips and notes

Source answers from evidence. Score what the vendor can document, not what a salesperson asserts — attach the source to each answer where you can.
Re-run at renewal. Certifications lapse and subprocessor lists change; a vendor that scored well last year may not now.
Use it to compare. Running the same scorecard across competing vendors turns vague impressions into a like-for-like comparison.
Pair with a DPIA. A strong vendor score does not remove your own Article 35 obligations for high-risk processing.