Status: Holding · last review 26 Apr 2026

An SMB's evaluation of an AI vendor can be made defensible against the reasonable-care expectation typical of cyber-insurance policies in about 90 minutes by answering five questions in order: model provenance, data residency, sub-processor list, breach history, and termination clause. Each question is answered from the vendor's public site or from the contract about to be signed.

Editorial framework piece. Each question maps to a specific public artefact (Trust Center, DPA, sub-processor list, security/incident page, termination clause), so the absence of that artefact is itself the answer. Not a substitute for ISO 27001 or SOC 2, and not a guarantee. Pairs with OPS-011 (the use-case filter): vendor selection happens only after the use case clears OPS-011's filter.

Published
26 Apr 2026
Last reviewed
26 Apr 2026
Next review
+58d · 26 Jun 2026
Cohort
5-50-person SMB about to sign with an AI vendor
Cadence
60-day
Sample
editorial framework citing GDPR Art. 28, ISO/IEC 42001, Anthropic + OpenAI Trust Centers
Sibling claim
OPS-011: Picking your first AI agent: the 4-question filter for SMBs