During AI processing, does customer data remain on premises, or is it transmitted to your cloud environment?

If cloud processing is used, can customers select the data residency region?

Are data flows documented and available for customers to review?

Is DP/PII classification performed before transmission?

Is data encrypted in transit and at rest? Please describe the encryption standards.

Is customer data used for AI model training?

Can customers opt out of contributing data to training, fine-tuning, or model improvement?

Is the AI model dedicated per customer or shared/multi-tenant?

Do you use models that were trained on other customers' data?

If fine-tuning is performed, what data is used and how is it isolated or anonymized?

How is training data anonymized, pseudonymized, or masked?

What is the retention period for training data, logs, and metadata?

Is customer training data automatically deleted upon contract termination?

Do you automatically detect and mask PII?

Can your AI detect and exclude credentials, API keys, secrets, and tokens?

Can customers configure a list of sensitive data types to block or exclude from AI processing?

Is integrated Data Loss Prevention (DLP) functionality available?

Do you offer event-level or prompt-level filtering before the data reaches the model?

Are audit logs generated for all AI-related data access and processing?

What information is included in the audit logs (timestamps, user IDs, data types, model version, actions, decisions, metadata)?

What is the retention period for AI-related audit logs?

Can customers export or access these logs directly via API or dashboard?

Is data usage history traceable end-to-end (lineage, transformations, decision history)?

Are AI decisions explainable (Explainable AI / XAI)?

Is the rationale for alerts, recommendations, or risk scores provided to the customer?

Do you disclose model types used (LLM, ML, deep learning, hybrid) and third-party models involved?

Are AI accuracy metrics (False Positive/Negative rates, confidence scores) made available?

Have you conducted bias testing on your AI models? Please describe the methodology.

What is your model update frequency, and how are customers notified of changes?

Have you performed a formal AI Risk Assessment (e.g., DPIA, EU AI Act mapping)?

Are there internal governance processes overseeing AI lifecycle, risks, and change management?

Do third-party AI model providers contractually guarantee confidentiality of customer data?

Do you maintain a full SBOM or "AI Component Bill of Materials"?

Are AI decisions, prompts, and results archived for security investigations?

Can customers disable AI features entirely?

Does your platform provide mappings to SOC 2, ISO 27001, GDPR/UK GDPR, HIPAA, CMMC/NIST 800-53, or EU AI Act?

Does your AI introduce any "High Risk" or "Prohibited" categories under the EU AI Act?

Do you perform third-party audits of AI components?

Are compliance reports available on request?

Do you support multi-tenant isolation with no cross-tenant data transfer?

Can MSPs manage AI settings per customer (fine-grained controls, overrides, exclusions)?

Do you provide prebuilt policies aligned with industry standards (HIPAA, PCI, FINRA, education, legal)?

Are actions taken by AI (e.g., blocking, alerting, enrichment) logged in a way that MSP auditors can review?

Do you support importing external policies or open-source rule sets?

Is your AI compatible with agent-based, browser-based, or API-based telemetry providers?