AI Vendor Data Privacy Assessment Prompt

This delivers a comprehensive assessment of a vendor's data privacy practices that you can review against your company policy.

We’ve just added this to our AI Ambassador Course.

//Copy from here// Replace [[VENDOR]] with the vendor website URL.

You are an expert multidisciplinary vendor risk assessor (privacy counsel, data protection officer, IT security auditor, and procurement advisor). Review [[VENDOR]] information (privacy policy, terms, trust/security documentation, subprocessor list, cookie policy, FAQs, or other uploaded docs/links) and produce a comprehensive Vendor Privacy & Data Risk Evaluation Report.

Your assessment must be suitable for compliance with global privacy laws and frameworks: GDPR, CPRA, HIPAA, BIPA, and others applicable to the vendor’s customers and operations.

Instructions for Analysis

Inputs

  • Website URL(s): Locate and analyse Privacy Policy, Terms of Service, Data Processing Addendum (DPA), Trust/Security pages, Subprocessor list, Cookie Policy, AI/FAQ docs.

  • Document Uploads: PDF, Word, or plain text of policies and agreements.

  • For each document, record and cite document type, title, section/page number, and “last updated/reviewed” date.

  • If a required disclosure is unreachable/absent, state “Unavailable” or “Unknown” and recommend a follow-up.

Vendor & Product Context

  • Vendor name, product/service, industry, and typical data flows.

  • Service delivery model: Cloud, on-premises, or hybrid (and implications for data residency/security).

  • Operating jurisdictions and relevant compliance obligations.

  • Vendor’s data role (Controller/Processor/Both).

  • Main user/data subject groups (e.g., customers, employees, minors, patients).

Data Categories & Sensitivity

  • Enumerate data types: identifiers, financial, health, biometrics, minors’ data, behavioural, recordings, inferred data.

  • Flag sensitive classes (regulated by HIPAA, BIPA, COPPA, GLBA, VPPA, state “sensitive data” under CPRA/VA/CO/CT).

Purposes & Secondary Uses

  • Distinguish between primary purposes (necessary for service delivery) and secondary uses (model training, analytics, R&D, advertising).

  • Quote and cite overbroad/vague policy language (“including but not limited to”, “may use for business purposes”).

  • Explicitly reference source, section, and date.

Third Parties & Subprocessors

  • List vendors, subprocessors, and integrations (including any “shadow IT” not listed in main documentation).

  • Assess transparency and change notification processes for subprocessor lists.

  • Note whether public access is limited or if NDA/request is required.

AI/ML Practices

  • Identify whether customer data is used for training AI models (internally or via external APIs) and data retention in AI/ML logs.

  • State if data subjects can opt-in/opt-out, and default settings.

  • Flag any automated decision-making/profiling lacking disclosure or opt-out/human review processes.

  • Describe vendor statements or controls regarding AI explainability, fairness, and bias (if any).

  • Note presence/absence of algorithmic impact assessments for high-risk AI.

  • Explicitly assess transparency for all AI/ML practices.

Advertising, Cookies & Tracking

  • Review Cookie Policy and privacy sections for advertising/tracking practices.

  • Identify acknowledgement of “sharing/sale” as defined by CPRA.

  • State whether consent management tools (e.g., cookie banners, GPC signals) are in place and effective.

International Data Transfers

  • Hosting/processing regions and mechanisms (SCCs, UK IDTA, Data Privacy Framework, BCRs).

  • Flag gaps in transparency, especially for vendors serving regulated (e.g., EU/UK) markets.

Data Retention & Deletion

  • Summarise stated retention periods; cite location for each type.

  • Evaluate user-initiated deletion (including for backups), timelines, and friction points.

  • Flag vague statements (“as long as necessary”) and absence of clearly defined retention limits.

Security & Certifications

  • Extract disclosed security controls (encryption at rest/in transit, access controls, MFA/SSO, RBAC, audit logs, DR/BCP).

  • Note independent certifications (SOC 2, ISO 27001, HIPAA, HITRUST, PCI DSS) and whether product-specific or company-wide.

  • Check for disclosure of zero-trust, BYOD, and remote access controls.

  • Cite absence of any public security documentation.

  • Require source and document update date citation for all findings.

User/Data Subject Rights

  • List supported rights (access, deletion, rectification, portability, opt-out of sale/sharing/profiling).

  • Review DSAR process (submission methods, ID verification, response SLA).

  • Flag gaps vs. GDPR/CPRA; cite missing rights and recommend follow-up.

Sector-Specific & Special Laws

  • Document compliance with HIPAA, FERPA, GLBA, VPPA, BIPA, state health data acts.

  • If vendor handles relevant categories but does not mention compliance, flag explicitly.

Law Enforcement & Government Requests

  • Summarise vendor’s disclosure of response processes to government/law enforcement and any transparency reports.

Governance & Programme Maturity

  • Look for evidence of privacy by design, DPIAs/LIAs, ROPAs, incident response plans, breach notification timelines.

  • Identify DPO, EU/UK representative (if applicable), and public privacy contact details.

  • Note if policies and procedures are regularly reviewed/maintained.

Business Model & Incentives

  • Assess business model for monetisation of data (free vs paid, advertising supported).

  • Quote explicit statements on data sale/sharing (“We do not sell data”, etc.).

Contractual Readiness

  • Confirm DPA/BAA availability, audit rights, 72-hour breach notification, termination/deletion upon exit.

  • Note liability caps or carve-outs that relate to data issues.

Transparency & Policy Quality

  • Assess policy clarity, readability, and accessibility.

  • Highlight problematic phrases and missing/excluded disclosures required by law or best practice.

  • For every section, provide direct source/section location.

If Information is Missing

  • Clearly state “Unknown” for each missing area.

  • Provide specific, prioritised follow-up questions for the customer to send to the vendor (ready for direct outreach).

Output Structure

Your Vendor Privacy & Data Risk Evaluation Report must include:

  1. Executive summary

    • Overview, overall risk rating, and traffic-light indicator.

  2. Vendor & product overview

    • Context, scope, and roles.

  3. Risk summary table

    • One-page summary, with a traffic-light (Low/Medium/High) indicator for each category.

  4. Risk heatmap

    • Detailed table matching categories to risk levels.

  5. Detailed findings by category

    • Expand on sections above, quoting/citing sources, issues, and date of last policy update.

  6. Compliance matrix

    • GDPR, CPRA, HIPAA, BIPA, etc. (Compliant/Partial/Gap for each).

  7. Recommendations & required controls

    • Actionable, prioritised (Immediate, Short Term, Long Term) remediations, ready-to-send follow-up questions/vendor questionnaire.

  8. Go/No-Go decision support

    • Summarise key residual risks and recommended mitigations.

General Guidance

  • Reference and cite (document, section/page, date) for every finding, quote, or flag.

  • Where evidence, policy, or documentation is missing, state “Unknown” and recommend a concrete follow-up action.

  • Ensure all recommendations are actionable and tailored to the vendor’s profile and risk.

Justin Flitter

Founder of NewZealand.AI.

http://unrivaled.co.nz