AIRiskAware

This article is currently available only in English.

Practical Guide 8 min read 2026

AI Vendor Contracts: The Clauses Every Business Must Have (And What Vendors Hope You Miss)

When you buy AI software, the default contract almost always protects the vendor, not you. Here are the specific clauses you need to add before you sign — and the vendor practices that create liability you did not know you were taking on.

Key Takeaways

  • Most standard AI vendor contracts include broad limitations of liability for AI errors, no warranties about AI accuracy or fitness for purpose, and clauses allowing the vendor to modify the AI system without notice — none of this is in your interest.

  • The five clauses you must add: (1) AI incident notification within 24 hours, (2) model change notification with 30 days notice before significant changes, (3) audit rights over AI system performance data, (4) data deletion on termination, (5) liability allocation for AI governance failures.

  • Under the EU AI Act, you are the 'deployer' of the AI — you have regulatory obligations regardless of what the vendor contract says. The contract cannot transfer your regulatory obligations to the vendor.

  • Training data warranties are increasingly important — require the vendor to warrant that the training data was lawfully obtained, appropriately licensed, and does not create IP liability for you as the user.

  • Service level agreements for AI systems need specific metrics beyond uptime: accuracy thresholds, bias testing frequency, model drift monitoring, and the vendor's obligations when performance degrades.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for guidance on your specific situation."

What the default AI vendor contract actually says

The default AI vendor contract, the terms of service or master services agreement that comes out of the vendor's legal team, is written to protect the vendor. The typical provisions: no warranty that the AI will produce accurate outputs; a limitation of liability that caps the vendor's exposure at a small amount of fees (often as little as one month's, which is usually far less than the cost of an AI failure); no obligation to notify you of significant changes to the AI model; broad rights to use your data to improve the vendor's systems; and an indemnification structure under which you indemnify the vendor against third-party claims arising from your use, while the vendor's own indemnity to you is narrow or absent.

None of this is surprising — vendors write contracts to protect themselves. What is surprising is how many businesses sign these contracts without modification, in contexts where the AI failure risk is material.

The five clauses you need

AI incident notification: the vendor must notify you within 24 hours of any AI system failure, security incident, data breach, or significant performance degradation affecting your use of the system. This is not in the standard contract. Without it, you may be the last to know about an AI problem that is already affecting your customers. Define "incident" in the clause rather than leaving it to the vendor's interpretation, and require the notice to include what the vendor knows at the time: which systems and data were affected, when the incident began, and what remediation is under way. A 24-hour vendor deadline only helps if it leaves you enough time to meet your own breach-notification and regulatory reporting obligations, so check it against those deadlines before you agree to it.

Model change notification: the vendor must give you at least 30 days' written notice before making significant changes to the AI model, including changes to training data, model architecture, or outputs that may affect performance. AI vendors routinely update their models without notifying customers. If you rely on the AI's performance in a regulated context, a model change without notice can cause unexpected compliance failures. The notice period is only useful if you can act on it: ask for a description of what is changing and a version identifier for the new model, so that you can re-run your own validation against it before it goes live for you.

Audit rights: you have the right to receive reports on AI system performance, including accuracy metrics, bias testing results, and model drift indicators, on request and at reasonable intervals. In a regulated context, you may need this information to satisfy your own regulators.

Data deletion on termination: the vendor must delete all your data, including data used to fine-tune or train models on your behalf and any model weights derived from it, within 30 days of contract termination, and provide written confirmation of deletion. Specify whether the obligation extends to backups and to subprocessors, since those are the copies most often left out. This clause is often resisted by vendors whose business models depend on data retention.

Liability allocation for AI governance failures: the contract must address what happens when the vendor's AI governance failure (inaccurate outputs, discriminatory results, security breach) results in your regulatory exposure. The vendor cannot accept your regulatory obligations, but can accept financial responsibility for failures caused by their AI system.