
GDPR + EU Sales Tech

AI sales tools and GDPR: 12 questions you must ask the vendor

Most US-based AI sales tools fail a thorough GDPR review. Here's the checklist your lawyers should have ready before you sign.

By Martin Egesø·2026-05-08·9 min read

TL;DR

Many AI sales tools fail the Schrems II review. Here are 12 concrete vendor selection questions — from hosting to model training to exit rights.

If you've sat across from a sales-AI vendor in the past year, you've probably been impressed by the demo. That's not what you discuss with your lawyers. What they ask about is where the data lives.

Most US-based AI sales tools fail a thorough EU compliance review. Not because they're malicious — but because they're built for an American market where data transfer isn't a question. Schrems II changed that for the EU. NIS2 makes it worse. The AI Act makes it even worse.

Here are 12 questions you should ask — and the right answer.

1. Where does data physically reside?

The right answer: “Frankfurt” or “Stockholm” — not “EU” or “EEA region” or “closest available zone”.

Many vendors say “EU-hosted” but run backups in the US, or use CDNs that spread data globally. Ask for the specific region. Ask for the backup region. Ask for the CDN policy.

2. Which sub-processors are used?

The right answer: A publicly available list with named sub-processors and their location.

If the vendor can't give you the list, or says “it's proprietary” — move on. GDPR requires it.

3. Are models trained on our data?

The right answer: “No. Hardcoded in the contract and in the codebase.”

Many US vendors have clauses that permit “product improvement use” of customer data. That's code for “we train on your conversations”. If you're selling to a competitor and their data is trained into the AI — that's a serious data leakage situation.

4. What happens to data upon termination?

The right answer: “30-day export window. Database dump in open format. Deletion from all systems thereafter.”

Ask to see it documented. Many vendors say “you can request export” but have no automated process — which is effectively lock-in.

5. Standard DPA available?

The right answer: “Yes, signed PDF can be sent within 24 hours.”

If the vendor needs to “check with legal first” — they don't have a standard DPA. That means lengthy negotiations, often with unfavorable clauses.

6. Audit logs?

The right answer: “Every action is logged. Exportable to SIEM. 90-day retention minimum.”

For NIS2 compliance you need audit logs on AI sales tools — especially for sales data on decision-makers.

7. Penetration tests?

The right answer: “External pentest 2x per year. Reports available under NDA.”

If the vendor can't show penetration test reports — even under NDA — they're not mature enough for enterprise.

8. SOC 2 / ISO 27001?

The right answer: Existing certification, or a concrete roadmap to one. SOC 2 Type II is the gold standard.

For European buyers, ISO 27001 is often more relevant than SOC 2. A startup with neither is not automatically disqualified — it's a risk flag, not a deal-breaker.

9. Who has production access internally?

The right answer: “Few employees. MFA required. 4-eyes approval. Logged.”

If “all of engineering can see customer data” — you have a breach waiting to happen.

10. AI Act compliance?

The right answer: “We are classified as [low/limited risk]. We have transparency requirements implemented.”

The EU AI Act came into force in 2024. Most sales-AI is “limited risk” but requires transparency about AI-generated content. Ask specifically.

11. DSAR handling?

The right answer: “Self-service or email to privacy@. Response within 30 days as GDPR requires.”

If the vendor has no process — you have no process. You're the one who gets the compliance whip.

12. What happens if the vendor shuts down?

The right answer: “30-day export window. Company articles ensure it.”

This is what few ask about. If the vendor is run by creditors, you may have 7 days to get your data out. Ask to see it in the contract.

The short version

Print the 12 questions. Send them to the vendor. If you don't get clear answers within 48 hours — move to the next vendor. That's not arrogance — that's compliance.
