AI Vendor Contracts: The Clauses Every Business Must Have (And What Vendors Hope You Miss)
When you buy AI software, the default contract almost always protects the vendor, not you. Here are the specific clauses you need to add before you sign — and the vendor practices that create liability you did not know you were taking on.
Key Takeaways
Most standard AI vendor contracts include broad limitations of liability for AI errors, no warranties about AI accuracy or fitness for purpose, and clauses allowing the vendor to modify the AI system without notice — none of this is in your interest.
The five clauses you must add: (1) AI incident notification within 24 hours, (2) model change notification with 30 days notice before significant changes, (3) audit rights over AI system performance data, (4) data deletion on termination, (5) liability allocation for AI governance failures.
Under the EU AI Act, you are the 'deployer' of the AI — you have regulatory obligations regardless of what the vendor contract says. The contract cannot transfer your regulatory obligations to the vendor.
Training data warranties are increasingly important — require the vendor to warrant that the training data was lawfully obtained, appropriately licensed, and does not create IP liability for you as the user.
Service level agreements for AI systems need specific metrics beyond uptime: accuracy thresholds, bias testing frequency, model drift monitoring, and the vendor's obligations when performance degrades.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
AI vendor contracts — what businesses actually need
Standard software contracts are not designed for AI. They miss the risks that matter most: what happens to your data, how the model behaves, what changes when the vendor updates, and who is liable when the AI gets it wrong. This article covers the specific contract provisions businesses need when procuring AI tools and services.
The provisions that actually matter
Data use restriction. The most consequential single clause. Does the vendor use your data to train or improve their models? For consumer-tier AI tools, the default is often yes. Enterprise contracts should include an explicit, contractually binding commitment that your data will not be used for model training. Verify this in the Data Processing Agreement, not in marketing materials.
Data Processing Agreement (DPA). Required under GDPR, UK GDPR, and increasingly under PDPA, DPDP Act, and other privacy frameworks. The DPA should cover: data processing purposes; sub-processor disclosure and approval rights; data location and transfer; retention and deletion; breach notification timelines; audit rights.
Sub-processor transparency. Most AI vendors use sub-processors — foundation model providers (OpenAI, Anthropic, Google), cloud infrastructure (AWS, Azure, GCP), and others. You should know who they are. The contract should include: a list of current sub-processors; notification before material changes; approval rights for changes affecting your data; flow-down of obligations to sub-processors.
Model change notification. AI vendors update their models — sometimes with material effects on your use case. The contract should require: advance notification of material model updates; version control where possible; the ability to test updates before deployment; rollback rights if updates materially affect your operations.
Performance benchmarks. Define measurable performance expectations. Accuracy, response time, availability, false positive/negative rates where applicable. Generic vendor claims ("99% accurate") rarely reflect real-world performance for your specific use case.
Liability and indemnification. Standard liability caps often don't address AI-specific risks. Consider: IP infringement indemnification (training data litigation creates downstream exposure); liability for AI errors affecting your customers or business; regulatory fine allocation; uncapped liability for data breaches.
Exit provisions. What happens when the relationship ends? Data return and verified deletion. Transition period. Migration support. Continued access during transition. Format of returned data.
Regulatory-specific provisions
EU AI Act compliance. For AI that may fall within high-risk categories: vendor warranty regarding risk classification; technical documentation availability; conformity assessment evidence; cooperation with deployer obligations.
APRA CPS 230 (Australian financial services). Material service provider contracts must include: defined service descriptions; locations; security obligations; audit rights; sub-outsourcing rules; exit provisions. AI vendors are not in the limited NTSP exempt categories.
DORA (EU financial services). ICT third-party contracts must address: service descriptions; data locations; audit rights; sub-outsourcing rules; exit and termination provisions; incident notification. AI vendors qualifying as ICT providers fall within scope.
Red flags in vendor contracts
Vendor refuses to provide a DPA. Training opt-out is not contractually binding (only in a FAQ or policy page). No sub-processor disclosure. Unlimited right to change the model without notice. Standard liability cap that doesn't reflect AI-specific risk. No exit provisions or data return commitment. "As-is" warranty disclaimer that removes all performance expectations.
Primary sources: IAPP — EU Model AI Contractual Clauses · EU AI Act