Skip to content

Contract Review Checklist for SMEs Before Using Any AI Plan

Many SMEs are starting to use AI tools for drafting, coding, sales, customer support, marketing, HR, operations, and decision support.

But there is one common mistake.

Businesses often judge an AI tool by the vendor’s brand name, popularity, or price plan. That is not enough.

The real question is not:

“Is this AI company trustworthy?”

The better question is:

“For the exact plan we have purchased, what does the contract say about our data, retention, training, access, controls, and liability?”

The same AI vendor may have different rules for personal plans, team plans, API plans, enterprise plans, plugins, connectors, and agents. A paid plan is not automatically a business-safe plan.

This checklist helps SMEs know what to look for before using any AI plan with customer data, employee data, company documents, contracts, pricing, code, or business systems.

How to use this checklist

Before buying or approving an AI tool, go through the contract, privacy policy, data processing terms, plan documentation, and plugin terms.

Do not rely only on marketing pages.

For each item, ask:

  • Is this clearly answered?
  • Does this apply to our exact plan?
  • Does this also apply to plugins, connectors, uploaded files, agents, and feedback?
  • Do we have admin control?
  • Can we switch it off if something goes wrong?

If the answer is unclear, do not use the tool for sensitive business data until it is clarified.

What to Check in the ContractWhat SME Should Look ForWhy It Matters
Plan typeIs it personal, team, business, API, or enterprise?A paid plan is not automatically a business-safe plan.
Data ownershipDoes the contract clearly say your business retains ownership of inputs, outputs, files, and uploaded data?Prevents confusion over who owns prompts, documents, code, and generated outputs.
Training useDoes the vendor use your inputs/outputs/files to train or improve models?Business data should not silently become training material.
Training opt-outCan training use be disabled? Is it disabled by default?Some plans require opting out; some business plans exclude training by default.
Data retention periodHow long are prompts, files, outputs, logs, and attachments retained?Longer retention increases exposure.
Zero-retention optionIs zero data retention or short retention available for your plan?Important for customer data, contracts, source code, and sensitive workflows.
Different retention for different featuresAre chat history, uploaded files, API calls, feedback, voice, connectors, agents, and logs retained differently?A plan may protect normal chats but not plugins, feedback, or connected tools.
Human review by vendorCan vendor staff or contractors review prompts, outputs, files, or flagged conversations?Human review may expose confidential business information.
Abuse/safety review exceptionCan data be retained longer if flagged for abuse, security, or policy review?Even “short retention” may have exceptions.
Sub-processorsDoes the vendor use other companies to host, process, review, or secure your data?Your data may travel through more parties than expected.
Data locationWhere is the data stored and processed?Relevant for customer contracts, privacy law, and cross-border concerns.
Data processing agreementIs a DPA available and signed for business/customer data?Clarifies legal responsibility for personal and customer data.
Confidentiality clauseDoes the vendor contractually commit to protect your confidential information?Marketing claims are weaker than contractual obligations.
Security certificationsDoes the vendor provide SOC 2, ISO 27001, or equivalent security documentation?Gives some assurance about security controls, though it is not a guarantee.
Breach notificationWill the vendor notify you if your data is breached? Within what time?You need to know quickly if customer or business data is exposed.
Admin controlsCan the company control users, access, sharing, history, connectors, and data settings centrally?Prevents employees from individually managing risky settings.
SSO / MFA / access controlDoes the plan support strong login security?Protects company AI accounts from account takeover.
Audit logsCan you see who used the AI, what tools were connected, what data was accessed, and what actions were taken?Essential for accountability and incident investigation.
Connectors and pluginsAre third-party plugins, browser extensions, CRM connectors, Drive connectors, or email integrations covered by the same terms?Often the biggest risk is the connector, not the AI model.
Agents and actionsCan the AI take actions such as sending emails, updating CRM, creating records, deleting files, or triggering workflows?Action-taking AI needs stronger approval than chat-only AI.
Write-back controlsCan write actions be disabled or made approval-based?Prevents AI from silently changing business records.
Scope of data accessCan access be limited to selected folders, fields, projects, or records?Reduces blast radius if something goes wrong.
Deletion rightsCan you delete prompts, files, outputs, logs, and account data?Important for exits, mistakes, customer requests, and compliance.
Export rightsCan you export your data before leaving?Prevents vendor lock-in and loss of business knowledge.
Termination clauseWhat happens to your data after cancellation or non-payment?Some tools retain data even after the account ends.
Indemnity / liability capWhat compensation is available if vendor failure causes loss?Many contracts heavily limit vendor liability. SMEs should know this.
IP rights in outputWho owns AI-generated output? Are there usage restrictions?Important for marketing, code, designs, reports, and client deliverables.
Copyright / infringement protectionDoes the vendor offer any protection if generated output creates IP claims?Useful if AI output is used in public or client-facing work.
Use restrictionsWhat does the vendor prohibit?SME workflows may accidentally violate usage terms.
Regulated data restrictionsDoes the plan allow personal data, health data, financial data, children’s data, or government IDs?Some plans prohibit or restrict sensitive data.
Model improvement feedbackWhat happens if employees click thumbs-up/down or submit feedback?Feedback may be retained longer or reviewed by humans.
Support accessCan support staff access your workspace to troubleshoot?Support access can expose confidential files or prompts.
Version/model changesCan the vendor change the model, features, or terms without approval?Output quality, privacy posture, or costs may change suddenly.
Pricing and usage limitsAre there token limits, overage fees, or throttling?AI can become an uncontrolled operating expense.
SLA / uptimeDoes the plan provide uptime commitments?Important if the AI becomes part of daily operations.
Local law and jurisdictionWhich country’s law governs the contract? Where are disputes handled?Affects enforceability and practical remedies.

In simple English

The SME should ask these 10 plain-English questions

Before buying or approving any AI plan, ask the vendor or reseller:

  1. Will our data be used to train or improve your AI models?
  2. Is training use off by default for our exact plan?
  3. How long do you retain prompts, outputs, uploaded files, chat history, logs, and feedback?
  4. Do different features have different data retention rules?
  5. Can your employees, contractors, or reviewers see our data?
  6. Are connectors, plugins, agents, and marketplace apps covered by the same contract?
  7. Can we disable write-back actions like sending emails or updating CRM?
  8. Can we restrict which users and which data fields the AI can access?
  9. Can we delete and export our data when needed?
  10. What happens to our data after we cancel the plan?

Simple decision rule

If the AI tool is used only for public content, brainstorming, grammar correction, or learning, the risk may be manageable.

If the AI tool touches customer data, employee data, contracts, pricing, financials, source code, CRM, email, accounting, ERP, storage, or messaging systems, the SME must review the contract before approving it.

The safest rule is:

Approve AI use based on the contract of the exact plan purchased — not based on the vendor’s brand name, popularity, or marketing claims.