# NoticeKit AI Vendor Risk Assessment Worksheet

Use this worksheet when procurement, security, privacy, or counsel asks, "How did you assess this AI vendor?" It is designed to turn one vague review thread into a short operating record with named vendors, customer scope, notice timing, and proof. It is an operational handoff aid, not legal advice.

## 1. Assessment Snapshot

| Field | Notes |
| --- | --- |
| Company |  |
| Product or workflow reviewed |  |
| Vendor being assessed |  |
| Assessment owner |  |
| Review request source |  |
| Assessment date |  |
| Target decision date |  |

## 2. What The Vendor Does

| Question | Notes |
| --- | --- |
| What product path or workflow uses this vendor? |  |
| Is the vendor customer-facing, internal-only, or both? |  |
| Is this a new vendor, a replacement, or a scope expansion? |  |
| Which internal team owns the relationship? |  |
| Which other vendors sit behind or around it? |  |

## 3. Downstream Chain

| Provider | Role in the chain | Data touched | Region or transfer context | Status |
| --- | --- | --- | --- | --- |
|  |  |  |  | Active / Planned / Review |
|  |  |  |  |  |
|  |  |  |  |  |
|  |  |  |  |  |

## 4. Data And Customer Scope

| Question | Notes |
| --- | --- |
| What data categories may be involved? |  |
| Are prompts, uploaded files, support messages, or production content involved? |  |
| Which product areas are affected? |  |
| Which customer segments, plans, regions, or agreements are affected? |  |
| Which customer segments are not affected? |  |

## 5. Retention, Training, And Review Questions

| Review point | Current answer | Proof link or owner | Open question? |
| --- | --- | --- | --- |
| Retention stance |  |  | Yes / No |
| Training or model-improvement stance |  |  | Yes / No |
| Human access or support access |  |  | Yes / No |
| Region or transfer position |  |  | Yes / No |
| Security or procurement exceptions |  |  | Yes / No |

## 6. Notice And Approval Logic

| Segment | Notice required? | Agreement or rule controlling it | Planned notice window | Contact route | Owner |
| --- | --- | --- | --- | --- | --- |
|  | Yes / No / Review |  |  |  |  |
|  |  |  |  |  |  |
|  |  |  |  |  |  |

## 7. Proof Trail

| Evidence item | Link or location | Owner | Complete? |
| --- | --- | --- | --- |
| Public vendor or subprocessor page |  |  | [ ] |
| Draft disclosure packet |  |  | [ ] |
| Draft or sent customer notice |  |  | [ ] |
| Archived screenshot or page capture |  |  | [ ] |
| Internal tracker row or ticket |  |  | [ ] |
| Security or procurement notes |  |  | [ ] |
| Open legal or privacy questions |  |  | [ ] |

## 8. Reviewer Summary

Use this short summary at the top of the thread:

> We assessed `{{vendor_name}}` for `{{workflow}}`. This worksheet names the vendor chain, affected data and customers, retention or training stance, notice logic, proof links, and the open questions that still need review before approval.

## 9. Decision

| Decision | Owner | Due date | Notes |
| --- | --- | --- | --- |
| Approve current use |  |  |  |
| Revise vendor facts or scope |  |  |  |
| Escalate to procurement, security, privacy, or counsel |  |  |  |
| Hold use until proof lands |  |  |  |