How to vet any AI tool before deploying it in your business

New AI tools appear constantly. Your employees will find them and ask to use them. Your vendors will bundle them into existing products. Your competitors will claim they’re using them. You need a consistent, fast process for deciding what gets approved and what doesn’t. This framework gives you a repeatable evaluation process you can complete in under an hour for most tools. Use this framework every time an employee requests a new AI tool or a vendor notifies you of new AI features in an existing product. File the completed evaluation as documentation of your due diligence.


Section 1: Tool Identification

Tool Name / Vendor: ____________________________________________

Version (Consumer / Business / Enterprise): ____________________

Requested by (employee / department): __________________________

Proposed use case(s): __________________________________________

Estimated number of users: _____________________________________

Estimated data types involved: _________________________________

Similar to any currently approved tool? ________________________

Evaluation date: _______________________________________________

Evaluated by: __________________________________________________


Section 2: Data Handling Review

This is the most important section. How an AI tool handles the data you submit determines your risk exposure.

| Question | Where to Find the Answer | Response | Risk Level |
|---|---|---|---|
| Is input data retained by the vendor? | Privacy policy / data processing addendum | YES / NO / UNCLEAR | HIGH if YES |
| Is input data used to train the AI model? | Privacy policy / data processing addendum (look for an opt-out and whether it is on by default) | YES / NO / UNCLEAR | HIGH if YES |
| Can input data appear in responses to other users? | Privacy policy / terms of service | YES / NO / UNCLEAR | CRITICAL if YES |
| Is data shared with third parties? | Privacy policy / sub-processor list | YES / NO / UNCLEAR | MEDIUM-HIGH if YES |
| Where is data stored geographically? | Privacy policy / DPA | [LOCATION] | HIGH if outside the US, or outside any region your client contracts require |
| What is the data retention period? | Privacy policy | [PERIOD] | Varies; longer retention means a longer exposure window if the vendor is breached |
| Is there a business/enterprise version with stronger protections? | Vendor website / sales contact | YES / NO | Review the enterprise version's own terms if YES; consumer-tier answers do not carry over |
| Is a Data Processing Agreement (DPA) available? | Vendor legal page / sales contact | YES / NO | HIGH if regulated data and no DPA |

Treat UNCLEAR as unresolved, not as NO. If the policy does not say, ask the vendor in writing and keep the answer with the evaluation; a vendor that cannot answer these questions is itself a finding.


If the tool retains input data AND uses it for training AND there is no enterprise version: DO NOT APPROVE for any business use involving non-public information.


Section 3: Compliance Review

| Compliance Requirement | Applicable? | Tool Status | Compliant? |
|---|---|---|---|
| HIPAA — BAA required for ePHI | YES / NO | BAA available? YES / NO | YES / NO / N/A |
| PCI DSS — cardholder data restrictions | YES / NO | Compliant per vendor? (ask for the Attestation of Compliance) | YES / NO / N/A |
| FERPA — student education records | YES / NO | Compliant per vendor? | YES / NO / N/A |
| Arizona A.R.S. § 18-552 — breach notification for personal information | YES (all AZ businesses) | Encryption & retention reviewed? | YES / NO |
| Client contract obligations | YES / NO | Review client agreements for AI restrictions | YES / NO / REVIEW |
| Cyber insurance policy requirements | YES (all) | Policy permits AI tool use for this data? | YES / NO / REVIEW |


Section 4: Security Assessment

| Security Factor | Questions to Ask | Status |
|---|---|---|
| Authentication | Does the tool support MFA? Can it federate to your identity provider (SSO) so MFA is enforced centrally rather than per user? | MFA: YES / NO; SSO: YES / NO |
| Access control | Can access be restricted by user, role, or team? Can you provision and deprovision users, ideally from your directory so departures are removed automatically? | Controls: YES / NO |
| Audit logging | Does the tool log user activity, including prompts and file uploads? Can logs be exported to your own log platform? How long are they retained? | Logging: YES / NO |
| Data encryption | Is data encrypted in transit (TLS 1.2 or later) and at rest? Who holds the keys? | In transit: YES / NO; At rest: YES / NO |
| Vendor security posture | Does the vendor have SOC 2 Type II, ISO 27001, or equivalent? Ask for the report itself (under NDA if needed), not just the badge, and check that its scope covers the AI product you are evaluating. | Certified: YES / NO |
| Incident notification | Does the vendor commit to breach notification in the contract, not just in a policy it can change? What is the timeline? | Committed: YES / NO |
| API access | If used via API, how are credentials issued, scoped, stored, and rotated? What data is sent, and do you keep your own record of it? | API secured: YES / NO / N/A |


Section 5: Business Use Case Validation

| Question | Response |
|---|---|
| What specific problem does this tool solve that approved tools do not? | |
| Is there an approved tool that could handle this use case? | |
| What is the measurable productivity benefit? | |
| What is the minimum data required for the tool to function? (principle of minimum necessary) | |
| Can the tool be used effectively with anonymized or reduced data? | |
| What happens if we do NOT approve this tool? | |


Section 6: Evaluation Decision

| Decision | Conditions | Action Required |
|---|---|---|
| APPROVED | All critical risks addressed; data handling acceptable; compliance met | Add to approved tool list; notify requestor; update policy if needed |
| APPROVED WITH CONDITIONS | Tool acceptable for limited use cases or data types only | Document restrictions; notify requestor of conditions; monitor compliance |
| PENDING REVIEW | Additional information needed from vendor or legal counsel | Document outstanding questions; set follow-up date; do not approve until resolved |
| DENIED | Critical data handling risk; compliance gap; security concern | Notify requestor with reason; document denial; recommend alternative if available |

Decision: _______________   Made by: _______________   Date: _______________

Conditions (if applicable): _________________________________________________

Review date (if applicable): ________________________________________________
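The same rules can be kept as code so that every evaluator reaches the same decision from the same answers, and so the record you file as due diligence is machine-produced rather than retyped. The Python below is an added example, not part of the original checklist. It encodes the Section 2 risk levels, the hard stop on retain-and-train tools with no enterprise version, and a Section 6 decision. The field names, the sample tools, and the mapping from risk level to decision are this example's own assumptions: a CRITICAL finding or the hard stop on non-public data gives DENIED, any UNCLEAR answer gives PENDING REVIEW, and remaining HIGH or MEDIUM-HIGH findings give APPROVED WITH CONDITIONS.

```python
"""Section 2 answers -> Section 6 decision, as policy-as-code.

Added example. Field names, the risk-to-decision mapping and the sample
tools below are assumptions of this example, not part of the checklist.
"""
import json
from dataclasses import dataclass

YES, NO, UNCLEAR = "YES", "NO", "UNCLEAR"


@dataclass
class DataHandlingReview:
    """One filled-in Section 2 table (field names are this example's own)."""
    tool: str
    retains_input: str              # YES / NO / UNCLEAR
    trains_on_input: str            # YES / NO / UNCLEAR
    visible_to_other_users: str     # YES / NO / UNCLEAR
    shared_with_third_parties: str  # YES / NO / UNCLEAR
    storage_location: str           # e.g. "US"
    enterprise_version: str         # YES / NO
    dpa_available: str              # YES / NO
    regulated_data: bool            # ePHI, cardholder data, FERPA records, ...
    non_public_data: bool           # anything beyond public information


def evaluate(review: DataHandlingReview) -> dict:
    """Apply the Section 2 risk levels and return a Section 6 decision record."""
    findings = []    # (question, answer, risk level)
    unresolved = []  # questions answered UNCLEAR; never treated as NO

    def yes_no(question, answer, risk_if_yes):
        if answer == YES:
            findings.append((question, answer, risk_if_yes))
        elif answer == UNCLEAR:
            unresolved.append(question)

    yes_no("Is input data retained by the vendor?", review.retains_input, "HIGH")
    yes_no("Is input data used to train the AI model?", review.trains_on_input, "HIGH")
    yes_no("Can input data appear in responses to other users?",
           review.visible_to_other_users, "CRITICAL")
    yes_no("Is data shared with third parties?",
           review.shared_with_third_parties, "MEDIUM-HIGH")
    if review.storage_location.strip().upper() not in {"US", "USA", "UNITED STATES"}:
        findings.append(("Where is data stored geographically?",
                         review.storage_location, "HIGH"))
    if review.regulated_data and review.dpa_available != YES:
        findings.append(("Is a DPA available?", review.dpa_available, "HIGH"))

    # Hard stop from Section 2: retains AND trains AND no enterprise version
    # means no business use involving non-public information.
    hard_stop = (review.retains_input == YES and review.trains_on_input == YES
                 and review.enterprise_version != YES)
    critical = any(risk == "CRITICAL" for _, _, risk in findings)

    conditions = []
    if critical or (hard_stop and review.non_public_data):
        decision = "DENIED"
    elif unresolved:
        decision = "PENDING REVIEW"
    elif hard_stop or findings:
        decision = "APPROVED WITH CONDITIONS"
        if hard_stop:
            conditions.append("Public information only; no non-public data in prompts or uploads")
        if review.enterprise_version == YES:
            conditions.append("Re-run this review against the enterprise version's terms before rollout")
        conditions += [f"Mitigate or accept in writing: {q} ({risk})" for q, _, risk in findings]
    else:
        decision = "APPROVED"

    return {
        "tool": review.tool,
        "decision": decision,
        "findings": [{"question": q, "answer": a, "risk": r} for q, a, r in findings],
        "unresolved": unresolved,
        "conditions": conditions,
    }


# Constructed sample reviews (fictional tools, not real vendors).
CONSUMER_CHATBOT = DataHandlingReview(
    "Example consumer chatbot (free tier)", YES, YES, UNCLEAR, YES, "US", NO, NO, False, True)
ENTERPRISE_ASSISTANT = DataHandlingReview(
    "Example enterprise assistant", NO, NO, NO, NO, "US", YES, YES, True, True)
VAGUE_POLICY = DataHandlingReview(
    "Example tool with a thin privacy policy", UNCLEAR, NO, NO, NO, "US", NO, NO, False, True)
SUBPROCESSOR_ONLY = DataHandlingReview(
    "Example tool using a cloud sub-processor", NO, NO, NO, YES, "US", YES, YES, False, True)

if __name__ == "__main__":
    for review in (CONSUMER_CHATBOT, ENTERPRISE_ASSISTANT, VAGUE_POLICY, SUBPROCESSOR_ONLY):
        print(json.dumps(evaluate(review), indent=2))  # file this with the completed form
```

Note the ordering of the branches: the consumer chatbot sample has an UNCLEAR answer, but the hard stop still produces DENIED, because an unresolved question should never upgrade a tool that already fails on what is known. The thin-policy sample, by contrast, stays at PENDING REVIEW until the vendor answers; the evaluator, not the script, decides when UNCLEAR becomes YES or NO.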

 

AEGITz maintains an AI tool registry for managed services clients — a pre-evaluated library of commonly requested tools with data handling summaries, compliance notes, and approval recommendations. Ask about FLOW for access to the registry.


More Articles

Written by Sawyer Mahony, Mar 12, 2026

The AI Productivity Gain Is Real. So Is the Risk. Here’s How to Get Both.

A report on the debate about AI in business, the risk vs the gain.


Written by Steve Copeland, Mar 8, 2026

Cyber Insurance Readiness Checklist for Arizona Businesses

What underwriters require — and how to document it before your next renewal


Written by Wyatt Mahony, Mar 8, 2026

The Arizona Law Firm Cybersecurity & Ethics Compliance Guide

ABA obligations, State Bar requirements, and the technical controls that satisfy them


Written by Wyatt Mahony, Mar 8, 2026

Incident Response Template Pack

Print this. Fill it in before you need it. Keep a copy off-site.
