AI, Contracts
In today’s post, I discuss some commercial considerations when contracting with vendors whose products include gen AI. I also go over considerations for AI companies selling to B2B customers. As discussed before, some of the main issues to be aware of is training on your company’s data, privacy issues around PII disclosure, and general awareness around AI in the vendor’s products.
Often it’ll be better to enter into an enterprise agreement with an LLM or vendor integrating an LLM into their product so that you can negotiate what (if anything) is used to train on the vendor’s models. Most companies prefer not to have any of their company be used for training, and an enterprise agreement, rather than a Terms of Service, allows for that to be negotiated.
When it comes to PII disclosure to the AI tool, you can ask whether the PII is masked so that none of it gets sent into the LLM or any third party tool. If that’s not possible, make sure to review the company’s Privacy Policy and DPA to understand which service providers will have access to any PII provided, and confirm with your team that’s acceptable.
I’ve also seen numerous versions of AI disclosure requirements in recent vendor agreements. Most include a section or addendum to the main agreement that describes how the vendor uses AI in its tools. Customers interested in more transparency can ask the vendor to commit to notifying the customer in advance of incorporating any new AI tool into their product, and to provide at least a high level overview of the AI technology so that the customer’s security team can review and get comfortable with the change. Customers with much more leverage than their vendors can also require that vendors seek permission before incorporating any AI tools into their existing offering with the customer – a tough ask, but something I’ve seen at least a few times!
These additional protections are a must-have when contracting with vendors, and will be a must-have from your customers, as well. First, representations and warranties with respect to compliance with applicable laws, particularly around data privacy and generative AI, are crucial. With rapidly evolving state-level and EU legislation, this commitment is one to take seriously. In the same vein, customers will expect an indemnification from a vendor for any violations of applicable law, and for issues of IP infringement. Customers will also expect clauses that address ownership of AI outputs – will they get a license or outright ownership? That’ll depend on who the provider of the AI model is and how it’s used, and a term to consider seriously when negotiating.
If you’re reviewing a vendor agreement or negotiating with a customer for your AI-powered product, you’ll need to consider which commercial terms should be included, and how to balance business risk with your need to use or sell the product in question. It’s best to work with a commercial attorney experienced in the AI regulatory and licensing space, to ensure you get your bases covered.
