Free · Runs locally · Markdown export
EU AI Act · GDPR · NIST AI RMF · ISO/IEC 42001

A vendor questionnaire built for AI procurement.

Four guided steps produce a tailored due-diligence questionnaire: data handling, evaluation, security, incident response, regulatory posture. Each question tagged with the framework it maps to.

Four steps · Up to 40 curated questions · Reviewer-ready Markdown

Module preview

Eight modules · 39 curated questions

  1. 01 Data handling (6 questions)
  2. 02 Model & training (5 questions)
  3. 03 Evaluation & safety (6 questions)
  4. 04 Security (5 questions)
  5. 05 IP & licensing (4 questions)
  6. 06 Incident response (4 questions)
  7. 07 Exit & portability (4 questions)
  8. 08 Regulatory posture (5 questions)
Markdown · framework-tagged · Client-side

Coverage: Eight modules. Data, model, evaluation, security, IP, incident, exit, regulatory.

Privacy: 100% client-side. Inputs stay in your browser. Markdown is generated locally.

Output: Framework-tagged. Each question carries its EU AI Act / GDPR / NIST / ISO reference inline.
Step 1 · Engagement context

Who's the questionnaire for?

Header information that appears at the top of the generated document so the vendor knows what they're responding to and by when.

FAQ

Common questions

What the tool does, how it maps to AI procurement practice, and where its boundaries are.

Who is this questionnaire for?

Procurement, governance, and security teams evaluating a third-party AI vendor. The output is a Markdown document you send to the vendor; their answers feed your assessment. Use it as the starting point. Trim, expand, and adapt before sending.

How is this different from a generic vendor security questionnaire?

AI vendors carry risks a SIG or CAIQ doesn't cover well: training-data licensing, model versioning, hallucination controls, prompt-injection defences, AI Act readiness. This tool ships modules for those specifically, so you're not bolting AI questions onto a SOC 2-shaped form.

Which frameworks does it map to?

Each question tags the regulatory references it supports: EU AI Act (especially Article 14 human oversight, Article 73 incident reporting, Annex IV §2(c) training data), GDPR (Articles 28, 33, 35), NIST AI RMF (Govern, Map, Measure, Manage), and ISO/IEC 42001. Selecting an emphasis framework in Step 4 marks matching questions with a ★ so the vendor answers the regulatory-critical items first.

Does the tool send anything anywhere?

No. Everything runs in your browser: your inputs stay in component state, the Markdown is generated locally, nothing is transmitted or logged server-side.

What does the export contain?

A Markdown document with: engagement context (vendor / product / contact / deadline), system profile (purpose / criticality / data sensitivity / deployment model), response instructions, your selected modules with their questions (each tagged Required or Recommended + framework references), and a sign-off section.

How does this connect to AIGP exam preparation?

The IAPP AIGP exam covers AI procurement and vendor management as part of Domain F: implementing responsible AI governance. Working through this questionnaire mirrors the kind of vendor-risk reasoning the exam tests, and Startege's full AIGP track maps procurement patterns to flashcards and practice scenarios.

Not legal advice. The questionnaire is a curated starting point and does not replace tailored procurement counsel. Adapt the questions to your engagement, contract structure, and jurisdiction before sending.