Template 13 — Vendor Contract Clauses (AI-specific)

ID: 13-vendor-contract-clauses
Version: 1
Last revised: 2026-05-14
Owner: Legal (owns final language) · Procurement (uses) · AI CoE Lead (technical input)

⚠️ TEMPLATE — DO NOT USE WITHOUT LEGAL REVIEW. The clauses below are starting points drafted to operationalize the framework's procurement principles. Your company's General Counsel must adapt them to your jurisdiction, your existing contract structure (MSA / SaaS agreement / DPA), the specific vendor's standard terms, and any sector-specific requirements (HIPAA BAA, GLBA, SOX, etc.). Treat this template as a checklist of what to negotiate for, not as ready-to-sign legal text.

Purpose

Standard contract clauses to negotiate into agreements with any vendor whose product uses AI / LLMs / ML. The clauses operationalize the answers from template 12 (Vendor AI Questionnaire) into enforceable contract language.

The five clauses cover:

  1. AI disclosure — vendor warrants what AI is in the product
  2. Material-change notification — vendor notifies before behavior shifts
  3. Training-data use prohibition — vendor won't train on your data
  4. Audit + log access — vendor provides per-call telemetry
  5. Annual AI compliance certification — vendor re-attests yearly

  • When you use it: At every new AI vendor contract. At every renewal. As a negotiation starting point.
  • Who owns: Legal owns final language. Procurement drives negotiation. CoE Lead provides technical input on what's needed.
  • Output: Signed contract addendum or main agreement language reflecting these clauses.

Worked example (Anthropic Claude API contract addendum)

"After completing template 12 (vendor questionnaire) for Anthropic, ACME negotiated this AI-specific addendum during contract signature."

AI-Specific Contract Addendum — Anthropic, Inc.

Parties: ACME Corp ("Customer") and Anthropic, Inc. ("Vendor")
Effective: 2026-04-01
This addendum supplements the Master Subscription Agreement dated [...]


Clause 1 — AI/ML Disclosure and Inventory

Vendor warrants that as of the Effective Date, the Product employs the artificial intelligence and machine learning components disclosed in Schedule A (the "AI Inventory"). Vendor shall update the AI Inventory and provide written notice to Customer within thirty (30) days of any addition, removal, or material modification to such components.

Schedule A includes for each AI/ML component: (a) the component name and function, (b) the underlying model family and version (if applicable), (c) the data the component processes, (d) the regions in which processing occurs, and (e) whether Customer Data is used for training or model improvement.

ACME negotiation note: Schedule A confirmed Anthropic Claude Sonnet 4.6 + Haiku 4.5, multi-region hosting, no training on customer API data by default.


Clause 2 — Material-Change Notification

Vendor shall provide Customer with at least thirty (30) days' prior written notice before implementing any Material Change to AI/ML components of the Product. "Material Change" means any of:

(a) replacement of an underlying model with a different model architecture or training corpus;
(b) change to whether Customer Data is used for training or model improvement;
(c) addition of a new AI feature enabled by default for Customer's account;
(d) modification of safety, content-policy, or refusal behavior that meaningfully alters Customer's reliance on Product behavior; or
(e) deprecation of any model version Customer is actively using.

Vendor shall additionally publish a public AI changelog accessible to Customer documenting all changes to AI/ML components.

ACME negotiation note: Anthropic agreed to 30-day notice. Default 6-month deprecation notice for model retirement was confirmed beyond this minimum.


Clause 3 — Customer Data and Training

Vendor shall not use Customer Data (as defined in the MSA) to train, fine-tune, validate, evaluate, or otherwise improve any AI/ML model, including models offered to Vendor's other customers or models retained by Vendor for any purpose, except where Customer has expressly opted in to such use in writing through a documented mechanism.

Vendor shall maintain technical controls to enforce this restriction. Vendor shall provide, upon Customer's request and at no cost, a Zero Data Retention configuration in which Vendor stores no Customer Data beyond the minimal duration required to return a response. Default retention shall not exceed thirty (30) days.

Vendor shall flow this restriction down to any sub-processor used to deliver AI/ML functionality.

ACME negotiation note: Anthropic provided their standard Data Processing Addendum which exceeds this language. Zero Data Retention enabled for our account.


Clause 4 — Audit Trail and Logging

Vendor shall provide Customer with API-level audit data including, at minimum: timestamp of each call, Customer-side identifier, model version invoked, tokens consumed (input and output), cost, latency, and any safety classifier outputs (refusal codes if applicable). Audit data shall be accessible to Customer via API export for the full retention period.

Vendor shall retain audit data for no less than six (6) months and shall provide Customer with the ability to export such data prior to the end of any retention period or upon termination of the Agreement.

Where Customer is subject to obligations under the EU AI Act, applicable sector regulations, or other governing law that require longer retention or additional audit detail, Vendor shall, on commercially reasonable terms, provide such longer retention or additional detail.

ACME negotiation note: Anthropic's standard logging meets baseline. We retain prompts + completions on our own side (LangSmith) for primary audit trail.


Clause 5 — Annual AI Compliance Recertification

On each anniversary of the Effective Date, Vendor shall provide Customer with a written recertification confirming: (a) the current AI Inventory (Clause 1) remains accurate and complete; (b) no Material Changes have occurred without notice; (c) Vendor remains in compliance with the data-handling restrictions in Clause 3; and (d) any material changes to Vendor's AI safety, security, or compliance practices since the prior certification.

Vendor shall also reasonably cooperate with Customer's vendor-AI reviews conducted no more than once per twelve (12) month period, including completion of Customer's AI Governance Questionnaire (or comparable industry-standard questionnaire).

ACME negotiation note: Anthropic agreed. First recertification due 2027-04-01.


Schedule A — AI Inventory (Anthropic, Effective 2026-04-01)

| Component | Function | Model family / version | Customer Data processed | Regions | Training use of Customer Data |
|---|---|---|---|---|---|
| Claude API | Text generation, reasoning, agentic completion | claude-sonnet-4-6, claude-haiku-4-5 | Prompts + completions submitted by Customer | US, EU (selectable by API call) | No (default); opt-in only |

Signatures (Addendum)

| Party | Name | Title | Date |
|---|---|---|---|
| ACME Corp | John Smith | General Counsel | 2026-04-01 |
| ACME Corp | (rotating) | VP Procurement | 2026-04-01 |
| Anthropic, Inc. | (Anthropic counsel) | | 2026-04-01 |

Blank template (starting language for your contracts)

# AI-Specific Contract Addendum — [Vendor]

**Parties:** [Customer] and [Vendor]
**Effective:** [YYYY-MM-DD]
**This addendum supplements the [Master Agreement Name] dated [date].**

---

### Clause 1 — AI/ML Disclosure and Inventory

> Vendor warrants that as of the Effective Date, the Product employs the artificial intelligence and machine learning components disclosed in Schedule A (the "AI Inventory"). Vendor shall update the AI Inventory and provide written notice to Customer within [30] days of any addition, removal, or material modification to such components.
>
> Schedule A includes for each AI/ML component: (a) the component name and function, (b) the underlying model family and version (if applicable), (c) the data the component processes, (d) the regions in which processing occurs, and (e) whether Customer Data is used for training or model improvement.

---

### Clause 2 — Material-Change Notification

> Vendor shall provide Customer with at least [30] days' prior written notice before implementing any Material Change to AI/ML components of the Product. "Material Change" means any of:
>
> (a) replacement of an underlying model with a different model architecture or training corpus;
> (b) change to whether Customer Data is used for training or model improvement;
> (c) addition of a new AI feature enabled by default for Customer's account;
> (d) modification of safety, content-policy, or refusal behavior that meaningfully alters Customer's reliance on Product behavior; or
> (e) deprecation of any model version Customer is actively using.
>
> Vendor shall additionally publish a public AI changelog accessible to Customer documenting all changes to AI/ML components.

---

### Clause 3 — Customer Data and Training

> Vendor shall not use Customer Data to train, fine-tune, validate, evaluate, or otherwise improve any AI/ML model, including models offered to Vendor's other customers or models retained by Vendor for any purpose, except where Customer has expressly opted in to such use in writing.
>
> Vendor shall maintain technical controls to enforce this restriction. Where applicable, Vendor shall provide a Zero Data Retention configuration in which Vendor stores no Customer Data beyond the minimal duration required to return a response. Default retention shall not exceed [30] days.
>
> Vendor shall flow this restriction down to any sub-processor used to deliver AI/ML functionality.

---

### Clause 4 — Audit Trail and Logging

> Vendor shall provide Customer with API-level audit data including, at minimum: timestamp of each call, Customer-side identifier, model version invoked, tokens consumed (input and output), cost, latency, and any safety classifier outputs. Audit data shall be accessible to Customer via API export for the full retention period.
>
> Vendor shall retain audit data for no less than [6] months and shall provide Customer with the ability to export such data prior to the end of any retention period or upon termination of the Agreement.
>
> Where Customer is subject to obligations under the EU AI Act, applicable sector regulations, or other governing law that require longer retention or additional audit detail, Vendor shall, on commercially reasonable terms, provide such longer retention or additional detail.

---

### Clause 5 — Annual AI Compliance Recertification

> On each anniversary of the Effective Date, Vendor shall provide Customer with a written recertification confirming: (a) the current AI Inventory (Clause 1) remains accurate; (b) no Material Changes have occurred without notice; (c) Vendor remains in compliance with the data-handling restrictions in Clause 3; and (d) any material changes to Vendor's AI safety, security, or compliance practices since the prior certification.
>
> Vendor shall also reasonably cooperate with Customer's vendor-AI reviews conducted no more than once per twelve (12) month period, including completion of Customer's AI Governance Questionnaire.

---

### Schedule A — AI Inventory ([Vendor], Effective [Date])

| Component | Function | Model family / version | Customer Data processed | Regions | Training use of Customer Data |
|---|---|---|---|---|---|
| | | | | | |

### Signatures (Addendum)

| Party | Name | Title | Date |
|---|---|---|---|
| | | | |

Negotiation guidance

Hard requirements (don't sign without these):

  • Clause 1 (AI Inventory) — vendor must disclose what's in the product
  • Clause 3 (no training on customer data without explicit opt-in)
  • Clause 4 (some level of per-call audit trail)

Strongly preferred (push hard):

  • Clause 2 (material-change notification, ≥ 30 days)
  • Clause 5 (annual recertification)

Common vendor pushback:

| Vendor objection | Response |
|---|---|
| "Our standard DPA covers data handling" | Standard DPAs predate the AI era. Insist on Clause 3's specifics about training use. |
| "We can't give 30 days notice on model changes" | Negotiate to 14 days or to a published changelog with email notification — but don't accept "no notification." |
| "We don't publish per-call audit trails" | This is a non-starter for enterprise AI. Move to a vendor that does. |
| "Annual recertification is too operationally heavy" | Compress to a 1-page form (template 12 plus questionnaire). Most vendors comply. |
| "Customer Data definition is too broad" | Be specific in Schedule A about what counts as Customer Data — prompts? completions? metadata? |

Sector-specific additions to negotiate:

  • Healthcare (HIPAA): Add Business Associate Agreement (BAA) with explicit AI-specific PHI handling
  • Financial (SOX): Add log retention of 7 years for any AI used in financial reporting paths
  • EU: Add Article 25 (deployer support obligations) flow-down + Article 50 transparency
  • Government (FedRAMP): Confirm authorization level + region constraints

Usage notes

  • This is template language, not legal advice. Your General Counsel must adapt to your jurisdiction and existing contract structure.
  • Negotiate the clauses individually. Vendors often agree to some and resist others. Knowing which are hard requirements helps.
  • Schedule A is the load-bearing list. The clauses reference "the AI Inventory" — keep Schedule A current. Update it during annual recertification.
  • Default values in brackets are negotiation starting points. [30] days notification might become 14. [6] months retention might become 12 for High-tier or 7 years for SOX-adjacent.
  • Flow-down to sub-processors matters. A vendor may sub-process to an LLM provider — the clauses must flow down.

Common pitfalls

| Pitfall | What it looks like | Fix |
|---|---|---|
| Standard MSA accepted with no addendum | Vendor's boilerplate covers data security but not AI specifics | Always negotiate an AI addendum, even at extra friction |
| Schedule A left blank | Clause 1 references "AI Inventory" with empty Schedule A | Fill before signature |
| "Material Change" undefined | Clause 2 says "material changes" with no definition | Negotiate explicit (a)–(e) list |
| Training opt-out instead of opt-in | Vendor wants opt-out as default | Insist on opt-in default |
| No annual recertification | Questionnaire run at onboarding, never revisited | Clause 5 forces yearly cadence |
| Schedule A out of date | AI Inventory not updated as vendor ships changes | Annual recertification (Clause 5) refreshes it |

Framework cross-references

  • framework.md §26 (Procurement integration — clause text operationalizes this)
  • framework.md §15.2 (Vendor-embedded AI inventory — Schedule A feeds this)
  • framework.md §22.1 EU AI Act Article 25 (deployer obligations, flow-down)
  • framework.md §22.1 EU AI Act Article 50 (transparency obligations)
  • framework.md §22.1 EU AI Act Article 72 (post-market monitoring — Clause 4 supports this)
  • framework.md §22.3 ISO/IEC 42001 Annex A control on third-party AI
  • workflows.md Step A8 (Procurement integration)
  • workflows.html → In Action view → side branch "Procurement: vendor approvals"
  • Companion template: 12-vendor-ai-questionnaire.md (the questionnaire feeds this contract negotiation)