The security terms an AI vendor contract needs

Standard vendor contract terms fail for AI vendors in three structural ways.

First, they assume the product is static between contract reviews. A standard SaaS agreement covers the product as described in the order form. An AI product's behaviour can change materially — through a model update — without any change to the order form description. The contract provides no mechanism for the customer to know this has happened, to request information about the change, or to delay the change while conducting a supplemental assessment.

Second, they treat the vendor as the sole processor of customer data. DPA terms govern the relationship between the customer and the vendor. When customer data flows through to a third-party model provider, that provider is outside the scope of the DPA unless specific subprocessor terms bring it in.

Third, they define “incident” in terms of security events — data breaches, unauthorised access. AI incidents include model behaviour changes that affect customers without any underlying security breach. Standard incident notification clauses do not trigger on model behaviour events.

The model change notification clause creates a contractual obligation for the vendor to notify the customer before making material changes to the AI model powering the product.

The clause must specify:

• Trigger definition: What constitutes a material model change — base model changes, major version upgrades, model provider changes, significant capability additions or removals.
• Notice period: The minimum advance notice required. Thirty days is a reasonable minimum; ninety days for high-risk AI systems in regulated contexts.
• Notice content: What information must be included in the notice — the nature of the change, the new model identity, capability differences, and any data handling changes.
• Customer options: Whether the customer can delay deployment of the change during a supplemental assessment period, and for how long.

A model change notification clause is the contractual foundation of AI vendor governance. Without it, the customer has no right to know when the system they assessed has been replaced. With it, the disposition record can have enforceable re-assessment triggers tied to the vendor's notification obligation.

The training data restriction clause prohibits the use of customer data for model training without the customer's explicit consent. It must address both the vendor's own fine-tuning and training activities, and — critically — the model provider's training data practices.

The clause must specify:

• A prohibition on using customer data — including inference data — for model training, fine-tuning, or evaluation without explicit written consent.
• A warranty that the model provider used by the vendor operates under equivalent restrictions for customer data received through the vendor's API calls.
• An obligation to notify the customer if the vendor's ability to maintain the training data restriction at the model provider level changes — for example, if the vendor changes model providers or the model provider changes its data handling terms.
• A process for auditing compliance with the training data restriction, or a vendor obligation to provide annual confirmation of compliance.

The AI incident notification clause extends the standard incident notification obligation to cover AI-specific incidents. The standard clause covers data breaches and security incidents; the AI supplement covers model behaviour incidents.

AI incidents that must be covered:

• Model behaviour changes that materially affect the outputs customers receive — including unexpected outputs, capability failures, or discovered misalignment.
• Discovered safety or alignment issues with the model that affect the vendor's product, even if no customer has been directly affected yet.
• Security or behaviour incidents at the model provider that affect the vendor's product.
• Regulatory investigations or enforcement actions related to the vendor's AI product.

The notification timeframe for AI incidents should be defined — 72 hours for known customer-affecting model behaviour incidents is a reasonable benchmark, consistent with standard data breach notification timelines.

The re-assessment rights clause gives the customer the right to request updated security documentation after a material model change, and the vendor's obligation to provide it within a defined period.

The clause should specify:

• The trigger for exercising the right — any material model change as defined in the model change notification clause.
• The documentation the vendor must provide — model card or equivalent, updated data processing description, capability comparison, red-team summary if available.
• The timeframe for providing the documentation — 30 days from the customer's request is a reasonable baseline.
• The customer's options if the vendor fails to provide the documentation within the required timeframe — including the right to suspend use of the AI feature without penalty.

Standard DPAs include subprocessor disclosure requirements under GDPR Article 28. The AI supplement to this clause should specifically identify AI-specific subprocessors and create a notification obligation when they change.

The AI subprocessor disclosure requirements:

• An initial complete list of AI subprocessors — specifically identifying model providers and other parties that receive customer data as part of the AI feature's operation.
• A 30-day advance notice requirement for any change to the AI subprocessor list — specifically, any change in the model provider.
• Disclosure of the data handling terms that govern the relationship between the vendor and each AI subprocessor — specifically whether the subprocessor is bound by training data restrictions equivalent to those in the main DPA.
• A customer right to object to changes in AI subprocessors with a defined response process.

The following is indicative language for each clause. This is a starting point for negotiation, not legal advice. The actual clause language should be reviewed by legal counsel and adapted to the governing law and the specific vendor relationship.

Model change notification (abbreviated):“Vendor shall provide Customer with not less than [30] days’ advance written notice before implementing a Material Model Change. 'Material Model Change' means any change to the AI model powering the AI Features, including: (a) a change in the model provider; (b) a change in the base model family or major version; (c) a change in the fine-tuning dataset that materially alters model capabilities; or (d) the addition of capabilities that materially expand the model's function scope.”

Training data restriction (abbreviated):“Vendor shall not use Customer Data — including prompts, completions, or user interactions — for training, fine-tuning, or evaluation of any model, without Customer's prior written consent. Vendor warrants that its agreements with AI Subprocessors impose equivalent restrictions on the use of Customer Data for model training.”

Re-assessment rights (abbreviated):“Following a Material Model Change, Customer may request updated AI security documentation, including a current model card, updated data processing description, and capability comparison document. Vendor shall provide such documentation within [30] days of Customer's written request.”

For the broader vendor assessment framework that these contractual terms support, see The AI section your vendor security questionnaire is missing.