All posts

How to onboard AI vendors without legal headaches: insights from our data privacy expert

Published on
August 11, 2025

AI tools are everywhere and can be a game-changer. They help teams move faster, work smarter, and get more done. But if you don’t set them up right, they can expose your company to risks you didn’t see coming.

In this interview, one of our legal experts shares how we help startups bring in external AI tools safely, without slowing things down. It’s not about blocking progress. It’s about adding just enough structure so your team can move fast, without the legal headaches.

Let’s jump in.

1. Picking the right vendor

#1 Where do we start when a client wants to onboard an AI vendor?

We always start by understanding how the tool will be used. Is it for internal tasks, or something more critical like product development or customer data? What kind of data goes in? Does it connect to other systems? These answers help us spot risks early.

If the tool is low-risk, we keep it simple. If it’s more complex or higher-risk, we dig deeper. That saves time, cuts legal cost, and gets the tool in use faster. But contracts only go so far. If you're using AI tools regularly, clear internal rules matter just as much.

#2 How do we check if a tool’s safe and compliant?

Once we know how the tool works, we look at what it means for compliance, things like privacy, security, and the upcoming EU AI Act.

If there’s potential for high risk, we check for human oversight, bias testing, proper logging, and how the vendor handles your data. Do they follow trusted standards like ISO 27001, SOC 2? Do they use access controls? These basics sound simple, but they’re often what makes or breaks a deal later.

#3 What do we ask vendors to catch red flags early?

We start with data. Will they use it themselves? Will it be used for training? Will it leave the EU? These questions reveal a lot.

Then we ask about their security setup, certifications, access controls, logging, and how they handle incidents. We also check what obligations they place on the client. If there’s no clear security setup but the liability sits with you, that’s a red flag.

#4 Talking about data training, when, if ever, is it okay to let a vendor train on your data?

Sometimes, yes. When the data is protected and the training benefits you directly, it can make sense. For example, a tool that stays internal and improves its performance for your use can be worth it, but you need to stay in control. If the data is sensitive or tied to your product, it’s best to avoid it.

Some vendors don’t fully anonymize data, so it’s safest to remove anything confidential, use summaries when possible, and set clear limits in the contract.

#5 What should companies watch out for when it comes to vendor training?

This is one of the most common blind spots. Many vendors, especially on free plans, include training rights in their terms by default, often without making it obvious. Training means your data could help shape outputs for other users, including competitors. If that’s a risk, it’s worth paying for a higher-tier plan that keeps your data out of the training pool.

#6 IP rights can be tricky too. How can founders protect themselves?

One big risk is using tools trained on copyrighted code. If outputs pull from proprietary or open-source material, you could face claims or license issues. Always check how the tool was trained and who owns the outputs. Always cover this in your contract, making the vendor responsible for any third-party IP infringement claims.

If it’s tied to your product, make sure it’s safe to use commercially and won’t cause problems later. Some tools also generate outputs from questionable sources, so a quick review goes a long way.

#7 What’s something teams often miss when trying a new AI tool?

Jumping in too fast. New tools are exciting, but even a quick risk check matters, especially if the tool handles sensitive data or supports product development.

Smaller teams often skip legal review or assume free tools are safe for commercial use. But many free plans block commercial use completely. If you’re building on top of one, you could be breaching terms without knowing. That can lead to legal trouble, blocked launches, or issues during investor due diligence.

#8 What if the tool is great but the vendor raises red flags?

It depends on the vendor. Big players like OpenAI rarely change terms, but with mid-size ones, there’s usually room to negotiate. We help clients flag risks and push for stronger terms. Once the risks are clear, vendors are often willing to compromise. If the tool is critical, it’s smarter to work with someone you can align with from the start.

2. Setting things up internally

#9 What should teams do internally before using a new AI tool?

Start by making sure everyone knows what the tool is for, what kind of data can and can’t be used, and who’s allowed to use it. If it processes personal data, like during hiring, update your privacy notices and keep a list of approved AI tools so everyone stays aligned.

We help clients draft a policy from scratch or refine what’s already there. The goal is simple: protect your product and make sure key vendors are properly vetted. What makes the difference is that we know our clients and their products well, so we tailor the policy to their specific risks.

#10 If a tool feels risky, how do we help clients make the call?

It’s usually a business call. We help map out the legal and compliance risks, but the client knows their priorities best. Our job is to give clear input so they can weigh the benefits against the risks and decide what they’re comfortable with.

#11 Can you share an example where internal review prevented a serious issue?

One client shared vendor terms with us before rolling out a new tool. We spotted hidden limits they had missed. Thanks to a quick review, they avoided integrating something that could’ve compromised their product.

#12 What if clients are building their own AI tools, how do we support that?

In that case, we move from reviewing vendors to helping build the tool itself. We help clients figure out if their tool qualifies as high-risk under the AI Act, and what that means in practice.

If it qualifies, we guide the client through safeguards like human oversight, documentation, and risk controls. This is where early legal input adds the most value, because nothing is harder than rolling back features in a finished product just to make it compliant.

#13 What should companies do today to prep for AI rules?

Treat it like GDPR. The EU AI Act is leading the way, and others will follow. Even if you’re not directly affected yet, it’s smart to start now. Treat compliance as a competitive edge. Early GDPR adopters stood out, and the same will happen here. Treating compliance as part of your strategy gives you an edge.

#14 Any advice for teams just starting with AI tools?

Keep it simple at the start. Don’t just plug in a tool and hope for the best. Take a minute to check what it does, who’s behind it, and set a few clear rules for your team. Even a lightweight policy makes a difference.

Thinking about bringing in an AI tool? Get in touch to make sure it’s set up safely and runs smoothly from day one.

Legal
Content

Get your regular dose of legal know-how

Join our monthly newsletter. We’ll explain legal terms in a way your grandma would understand. Want to know what you are signing up for? Check out our past newsletters here.

You are in control. We need your consent so that we and our trusted partners can store and access cookies, unique identifiers, personal data and information about your browsing behaviour on your device. See further privacy information.
PreferencesDeny allAccept all