Forgeron3 / Security · Aug 21, 2025 · 7 min read

Fifteen questions to ask your AI vendor

An interview sheet to print before each sales call. If the vendor can’t answer ten of these fifteen questions, the project is exposed.

The Forgeron3 team, Marseille & Paris

Sovereignty — Q1 to Q3

Q1 — Where is my data physically hosted?

Expected answer: one or two specific datacenters, in France, operated by a French or European provider. If the answer mentions “Europe” or “partner datacenters,” that’s too vague.

Q2 — What is the nationality of your parent company?

Expected answer: French or European capital, with no foreign control that would expose you to the Cloud Act or equivalent. See Why choose sovereign AI.

Q3 — Under which jurisdiction is the contract governed?

Expected answer: French law, French courts. No offshore arbitration clause.

Data — Q4 to Q7

Q4 — Is my data used to train or improve the model?

Expected answer: “Never, under any circumstances, and it’s in the contract.” If the answer is “not without your consent,” ask where the hidden opt-out lives.

Q5 — Who can access my data on your side?

Expected answer: nobody, except by name and with an audit log. No silent operator access.

Q6 — How long is my data retained?

Expected answer: a duration configurable by you, with documented defaults (typically 6 to 24 months for conversations).

Q7 — How do I export and delete my data if I leave?

Expected answer: full export within 7 days, full deletion within 30 days, standard destruction certificate.

Model — Q8 to Q10

Q8 — Which AI model are you running?

Expected answer: a specific name and version (open-source models like Mistral, Llama, or proprietary — you need to know). If the answer is “our proprietary AI,” ask what that means concretely.

Q9 — Does the model run on your infrastructure or through a third-party API?

Expected answer: on our infrastructure. If the answer is a third-party API (OpenAI, Anthropic), your data flows through that API, which changes the sovereignty perimeter.

Q10 — How is the model updated, and how does that affect my assistants?

Expected answer: planned updates, a non-regression window, the option to pin a version for critical use cases.

Contract — Q11 to Q13

Q11 — Do you have a DPA compliant with GDPR article 28?

Expected answer: yes, signed before the first ingestion, with an explicit list of sub-processors. See GDPR and AI assistants.

Q12 — What are your SLA commitments?

Expected answer: 99.5 percent minimum, with credits if not met. No “best effort.”

Q13 — What are the exit terms and the minimum commitment?

Expected answer: annual commitment maximum, 60 to 90 days notice, no unreasonable exit penalty.

Support — Q14 to Q15

Q14 — Who supports me during setup and after?

Expected answer: a named human point of contact, in France, reachable. Not a chatbot, not a 48-hour ticket queue.

Q15 — Do you have production references in my industry?

Expected answer: yes, and the vendor can introduce you (with the customer’s consent). If not, you’ll be the pilot — that’s acceptable, but negotiate accordingly.

The final test

Count the questions where the answer was precise, contractable, and given without hesitation. Below 12/15, the project is exposed. At 15/15, you probably have a serious vendor.

For Forgeron3’s commitments on these fifteen points, see our security & GDPR page.

Compare a vendor

Twenty minutes to walk through these fifteen questions on Forgeron3 or another vendor. We tell you where the red flags are, straight up.
