Complete this checklist before approving any new AI tool for use at MSP AI Resource Hub. Required (REQ) items are mandatory: a single "No" on a required item blocks approval.
01 Vendor Information
Tool / Service Name
Vendor / Company
Website / URL
Requested By
Intended Use Case
Assessment Date
Assessed By
Data Types to Be Used
Weight key: REQ = Required (No = blocked), IMP = Important (No = flag for review), STD = Standard (scored but not blocking).
02 Security & Compliance
REQ
Does the vendor have a current SOC 2 report (Type II preferred, Type I at minimum)?
Request the report (usually shared under NDA) or verify via their Trust Center. Type I attests that controls are designed at a point in time and is the minimum acceptable; Type II attests that they operated effectively over a review period and is preferred. Check that the report is less than 12 months old and that its scope covers the specific service being requested.
REQ
Is a Data Processing Agreement (DPA) available?
Required for GDPR compliance (Article 28) whenever the vendor processes personal data on your behalf, for CCPA service-provider terms, and by most enterprise client contracts. Should define data handling, retention, deletion rights, sub-processors, and breach notification duties.
REQ
Does the vendor encrypt data at rest and in transit?
Look for AES-256 (or equivalent) at rest and TLS 1.2+ in transit, and confirm the at-rest claim covers backups and logs, not only the primary database. Check their security documentation or privacy policy; a quick external check is to confirm the vendor's public endpoints refuse TLS 1.0/1.1 connections.
IMP
Is data processing geographically restricted to the US or approved regions?
Relevant for clients with ITAR, HIPAA, or contractual data residency requirements. For EU/UK personal data, check that a valid transfer mechanism (e.g. Standard Contractual Clauses or EU-US Data Privacy Framework certification) is in place, and ask whether model inference itself, not just storage, happens in the approved region, since model providers are often separate sub-processors.
IMP
Does the vendor have a published security incident / breach notification policy?
Should include notification timelines (72 hours or less, so you can meet GDPR's own 72-hour supervisory-authority deadline and client contract SLAs) and a named contact channel. Needed to meet your own SOC 2 CC7.3 (security event evaluation) obligations.
03 Data Handling & Privacy
REQ
Does the vendor allow you to opt out of using your data to train their AI models?
If customer data is used for model training by default and this cannot be turned off, the tool cannot be used with client data. Verify in the privacy policy or account settings, and confirm the opt-out covers both the web UI and the API. Enterprise tiers often have training off by default.
IMP
What is the vendor's data retention period for prompts and outputs?
Shorter is better; 30 days or less is acceptable, and some enterprise/API tiers offer zero retention. Indefinite retention is a flag. Ask whether a separate abuse-monitoring retention window applies and whether vendor staff may review retained prompts.
IMP
Can data be deleted on request?
Needed for GDPR right to erasure (Article 17) and client contract compliance. Look for a documented deletion request process and confirm deletion extends to backups within a stated window.
STD
Does the vendor publish a clear privacy policy with AI-specific disclosures?
04 Access & Authentication
IMP
Does the tool support SSO / Entra ID (Azure AD) integration?
SSO allows centralized access control, offboarding, and MFA enforcement via the existing identity provider. Confirm SSO is not gated behind a higher pricing tier than the one being requested.
IMP
Is multi-factor authentication (MFA) supported or enforced?
If SSO is in place, enforce MFA at the identity provider; otherwise require the tool's native MFA on every account, including any local admin or break-glass accounts.
STD
Are role-based access controls (RBAC) available for team/enterprise plans?
Check for distinct admin and member roles, and for the ability to restrict who can create API keys or change data-sharing and training settings.
05 Business Continuity & Vendor Viability
STD
Does the vendor publish an uptime SLA or status page?
STD
Is the vendor a funded, established company (vs. unknown startup)?
Assess the risk of service discontinuation. Check funding status, company age, and customer base, and confirm a data-export path exists so you can leave if the service shuts down or changes terms.
06 Assessment Result
Score: 0 / 165 points. Answer all questions above to generate an assessment result.