
AI Development

AI Vendor Due Diligence: What to Check Before Hiring an AI Development Partner

M.K. Onyekwere · 11 min read

You've decided your business needs AI. Maybe a chatbot, maybe automated document processing, maybe a full workflow overhaul. Good. The hard part isn't making that decision — it's picking who builds it.

The AI development market right now is flooded. Everyone's an "AI expert" in 2026. Freelancers who watched a LangChain tutorial last month. Agencies that rebranded from web development overnight. Consultancies charging £50,000 for a slide deck and a "strategic roadmap."

Some of them are brilliant. Some will waste your money. And it's genuinely hard to tell the difference before you've signed the contract.

This is your checklist. Five areas to examine before you hand over a deposit. Ask these questions, watch for these signals, and you'll dramatically reduce your chances of hiring the wrong partner.

1. Technical Capability — Can They Actually Build It?

This sounds obvious, but you'd be surprised how many AI vendors are better at selling than building. They'll show you impressive demos during the pitch. The question is whether they can build something that works reliably with your data, your systems, and your constraints.

What to ask

  • "What models and platforms do you use, and why?" A good vendor will explain trade-offs. "We use GPT-4o for this because of X, but for your use case, an open-source model might be better because of Y." A bad vendor just names the trendiest model.
  • "Can you show me a working system you've built — not a mockup?" Demos matter more than portfolios. Anyone can screenshot a chatbot interface. Ask to interact with one they've deployed.
  • "What integrations have you done?" If you need it connected to your CRM, accounting software, or internal tools, ask specifically about those integrations. Generic AI capability doesn't mean they can plug it into Xero.
  • "What happens when the AI gets it wrong?" Every AI system will produce incorrect outputs sometimes. You want a vendor who designs for failure — fallback mechanisms, human escalation paths, confidence thresholds.

Green flags

  • They ask YOU detailed questions about your business before proposing a solution.
  • They explain limitations honestly. ("AI won't solve this particular problem well.")
  • They've built similar integrations before and can show you.
  • They talk about testing, edge cases, and failure scenarios.

Red flags

  • They promise accuracy rates without knowing your data.
  • Every answer is "AI can do that" with no caveats.
  • Their portfolio is all mockups or internal projects, nothing in production.
  • They can't explain their technical choices in plain English.

If you're comparing chatbot options specifically, our pricing breakdown covers what different build types actually cost.

2. Data Handling — Where Does Your Data Go?

This is where most businesses get burned. You hand over customer records, internal documents, transaction data — and you have no idea where it ends up.

Your AI vendor is a data processor under GDPR. That means you need a Data Processing Agreement (DPA) before any data changes hands. But beyond the paperwork, you need to understand the actual data flows.

What to ask

  • "Where is my data stored, and by whom?" Cloud provider, region, sub-processors. If they're using OpenAI's API, your data is going to OpenAI's servers. That's a sub-processor relationship you need to know about.
  • "Do you use my data to train models?" Some vendors use client data to improve their own products. That's a problem. Your customer data shouldn't be training someone else's model.
  • "What happens to my data when the project ends?" You want a clear deletion policy. Data should be returned to you or destroyed, with confirmation.
  • "Do you have a DPA ready?" If they look confused when you ask this, walk away. Any vendor handling personal data in 2026 should have a standard DPA template ready to go.

Green flags

  • They have a DPA ready before you ask.
  • They can draw a data flow diagram showing exactly where information moves.
  • They use data minimisation by default — only collecting what's needed.
  • They have clear sub-processor lists and can explain each one.

Red flags

  • "Don't worry, we handle all of that" with no specifics.
  • They can't tell you which cloud provider or region they use.
  • No DPA, or they say "we'll sort that out later."
  • They want you to upload data to their own platform before scoping.

For more on building AI that handles data properly from the start, see our guide on building GDPR-compliant AI chatbots.

3. Compliance Knowledge — Do They Understand the Rules?

Here's the uncomfortable truth: most AI development agencies don't understand GDPR beyond the basics, and they have almost no knowledge of the EU AI Act. They build the software and tell you to "check with your legal team" about compliance.

That matters because if the system is built wrong from the start — no data minimisation, no human oversight mechanism, no proper consent flows — retrofitting compliance is expensive. Sometimes it means rebuilding from scratch.

What to ask

  • "Can you produce a DPIA for the system you're building?" A Data Protection Impact Assessment isn't optional for most AI systems processing personal data. If your vendor can produce one, it'll be accurate because it describes the system they actually built. If they can't, you're paying someone else to document a system they didn't build.
  • "How would the EU AI Act classify this system?" By August 2026, businesses deploying high-risk AI need to meet specific obligations. Your vendor should know whether what they're building falls into that category and what it means for the build.
  • "How do you handle automated decision-making under GDPR?" If the AI system makes decisions about people — customer scoring, application screening, risk assessment — Article 22 of GDPR applies. The system needs human oversight and an explanation mechanism.
  • "What documentation do you provide at the end of the project?" Technical docs, compliance docs, data flow diagrams, risk assessments. If the answer is "we provide the code," that's not enough.

Green flags

  • They mention compliance requirements during the scoping call, not just when you ask.
  • They can explain the difference between high-risk and limited-risk AI under the AI Act.
  • They produce compliance documentation as part of the standard delivery.
  • They understand that compliance affects architecture decisions, not just paperwork.

Red flags

  • "Compliance is your responsibility."
  • They've never heard of the EU AI Act.
  • They can't explain what a DPIA is.
  • They treat compliance as an optional add-on rather than part of the build.

We wrote about why finding a builder who handles compliance matters — it's the single biggest cost-saving decision in AI procurement right now.

4. Pricing and Contracts — What Are You Actually Paying For?

AI project pricing is all over the place. You'll get quotes from £1,500 to £50,000 for what sounds like the same thing. The difference is usually in what's included, not the quality.

What to ask

  • "Is this fixed-price or time-and-materials?" Fixed-price means you know the total cost upfront. Time-and-materials means you're paying by the hour and the final bill depends on how long it takes. For most SME projects with clear requirements, fixed-price is safer.
  • "What's included in that price, specifically?" Get a line-item breakdown. Development, testing, deployment, documentation, training, support. If they give you one lump number with no breakdown, push back.
  • "What triggers additional costs?" Scope changes, extra integrations, more users, higher volumes. Know the boundaries before you sign.
  • "Who owns the code and IP after delivery?" You should own the system you paid for. Some vendors retain ownership and license it back to you — that's a trap. Some retain ownership of their proprietary frameworks but give you full ownership of the custom work — that's usually fine.

Typical UK pricing ranges

For context, here's what a reasonable vendor charges in 2026:

Project Type                              Typical Range
AI Chatbot (standard)                     £2,000 – £5,000
AI Chatbot (complex, integrated)          £5,000 – £8,000
Workflow automation                       £3,000 – £10,000
Document processing / RAG                 £4,000 – £12,000
Compliance documentation (standalone)     £1,500 – £4,000

If someone quotes significantly below these ranges, ask what's being cut. If someone quotes significantly above, ask what you're getting for the premium.

Green flags

  • Transparent pricing with line-item breakdown.
  • Clear change request process in the contract.
  • You own all custom code and documentation after delivery.
  • They explain what's NOT included before you have to ask.

Red flags

  • Vague "it depends" pricing with no estimate range.
  • No written contract or SOW before work begins.
  • They retain ownership and charge hosting/licensing fees.
  • Low initial quote with "phases" that each cost as much as the original.

5. Post-Delivery — What Happens After Launch?

The AI system goes live. Then what? AI isn't like a website you build once and leave for three years. Models need monitoring. Performance drifts. APIs change. Costs fluctuate with usage.

What to ask

  • "What support do you provide after deployment?" Is there a warranty period? What's the response time for bugs? What's included vs. paid support?
  • "How do I monitor the system's performance?" Dashboards, alerts, regular reports — how will you know if the AI starts performing badly?
  • "What does handover look like?" You should receive full documentation, credentials, source code, and enough knowledge transfer that you (or another vendor) can maintain the system without the original builder.
  • "What are the ongoing costs?" API usage fees, hosting costs, model licence fees. Get these estimated before you launch so there are no surprises.

Green flags

  • Defined warranty period (30-90 days minimum).
  • Full code and documentation handover — no vendor lock-in.
  • They estimate ongoing running costs for you upfront.
  • They're happy for you to bring in another vendor later if needed.

Red flags

  • "Just call us if anything breaks" with no SLA.
  • They host the system on their own infrastructure with no migration path.
  • No documentation provided, or documentation that doesn't match the deployed system.
  • Ongoing fees that are disproportionate to the actual infrastructure costs.

The Quick-Reference Checklist

Before you sign with any AI vendor, confirm these:

  • Seen a working demo of a system they've built (not a mockup)
  • They can explain their technical approach in plain English
  • DPA ready and signed before any data is shared
  • Clear data flow documentation — you know where your data goes
  • They understand GDPR obligations for the system they're building
  • They know how the EU AI Act classifies the system
  • Compliance documentation is included in delivery (DPIA, data flows, risk assessment)
  • Pricing is fixed or clearly estimated with a written SOW
  • You own the code and all custom work after delivery
  • Change request process is defined in the contract
  • Post-delivery support terms are in writing
  • Full handover including source code, documentation, and credentials
  • Ongoing costs are estimated before you commit

If your potential vendor fails more than two or three of these, keep looking.

What Good Looks Like

The best AI development partners don't just build software. They ask hard questions during scoping. They tell you when AI isn't the right solution. They explain trade-offs instead of promising everything. They build compliance into the architecture instead of treating it as an afterthought.

And they give you everything at the end — code, documentation, credentials, knowledge — so you're never dependent on them.

That's what we do at Janus Compliance. We build AI systems and we handle the compliance documentation in the same engagement. One team, one bill, no gaps between what's built and what's documented.

If you're evaluating AI vendors right now and want a second opinion — or if you want to skip the evaluation and work with someone who ticks every box on this checklist — get in touch. We'll tell you honestly whether we're the right fit. And if we're not, we'll tell you that too.

Check our services page for full details on what we build and what it costs.

Frequently Asked Questions

What should I ask an AI vendor before hiring them?

Ask about their technical approach (what models/platforms they use and why), data handling (where your data goes, who processes it, how it's secured), compliance capability (can they provide a DPIA, do they understand GDPR and the AI Act), pricing (fixed-price vs time-and-materials, what's included vs extra), and ownership (who owns the code, the model, the data after the project). If they can't answer these clearly, they're not ready for business AI projects.

Should I choose a fixed-price or time-and-materials AI project?

Fixed-price works better for well-defined projects (chatbot with known requirements, document processing for specific document types). Time-and-materials is better for exploratory projects or complex integrations where scope may shift. For most SME projects, fixed-price with clearly defined deliverables and change request process is the safest option. Make sure the contract specifies what's included and what triggers additional costs.

Who owns the AI system after the project?

This must be in the contract. Ideally, you own everything: the code, the trained model (if custom), the documentation, and the infrastructure configuration. Some vendors retain IP on their frameworks or tools — that's fine as long as you can operate and modify the system independently. Never accept a deal where the vendor hosts your system on their infrastructure with no migration path. You'll be locked in.

How do I verify an AI vendor's technical capability?

Ask for demos of working systems they've built (not slide decks). Ask them to explain their technical approach in terms you understand. Request references from businesses similar to yours. Check if they've built similar integrations before. A good vendor will explain trade-offs honestly — why they chose one approach over another, what the limitations are. Red flag: if they promise AI can do everything with no caveats.

Should my AI vendor handle compliance too?

Ideally, yes. If your vendor builds the system AND provides compliance documentation (DPIA, data flow diagrams, privacy notices), the documentation accurately reflects what was built. If you hire separate compliance and development firms, you end up translating between them and risk gaps between what's documented and what's deployed. At minimum, your AI vendor should be able to answer basic GDPR and AI Act questions about the system they're building.

Need help with this?

We build compliant AI systems and handle the documentation. Tell us what you need.
