What Your AI Vendor Contract Actually Says (Annotated).
We reviewed standard AI vendor agreements and marked every clause that shifts liability to you. $7.2M in average exposure, buried in the boilerplate your legal team waved through. Here's what the clauses say, and what they mean.
The Contract Reality
Your AI vendor's sales team was excellent. Their demo was polished. Their case studies were compelling. And their contract — the one your legal team reviewed for 45 minutes before countersigning — is a masterpiece of liability transfer, written by lawyers who do this every day to buyers who do it once every few years.
We have reviewed dozens of AI vendor agreements across SaaS, enterprise AI platforms, and bespoke model deployments. The same patterns recur. Below, we have reproduced representative clause language — the kind of language that appears in real contracts — and annotated each one with what it actually means for your business.
$7.2M average cost of an AI system failure before regulatory involvement
Clause 1: Output Disclaimer [HIGH RISK]
"The Vendor does not warrant that outputs generated by the Service will be accurate, complete, reliable, or fit for any particular purpose. Customer assumes all responsibility for validating outputs prior to reliance or use in any business decision."
The vendor is selling you an AI system and simultaneously telling you they are not responsible for what it produces. Every decision you make based on this system's output is legally yours. If the model hallucinates a financial projection that leads to a bad acquisition, a compliance recommendation that results in a regulatory fine, or a risk assessment that misses a material threat, the vendor's position is that you should have checked. Document your validation protocols before deployment, and make them produce evidence: for each decision that relied on an output, record the prompt, the output, the model identifier and version returned with it, and who reviewed it. Without that record you cannot show that validation happened. This clause is not negotiable, but your internal governance around output validation is your only defence against it.
Clause 2: Data Training Rights [HIGH RISK]
"Customer grants Vendor a non-exclusive, worldwide, royalty-free licence to use Customer Data to improve, train, and develop the Service and related technologies, unless Customer opts out via the Settings panel."
Your proprietary data, whether customer records, internal reports, strategic documents or financial models, may be used to train a model that your competitors also use. The opt-out is real, but it is buried, non-obvious, and frequently not actioned by SMB teams who don't read this far into the contract. Check the current setting in every AI tool your organisation uses today, for every workspace and account, since the setting is usually per tenant and can be reset when a plan changes or a new workspace is created. If you operate in regulated sectors (financial services, healthcare, legal) or hold genuinely proprietary data, opt out immediately and get written confirmation from the vendor that your data has been excluded from training sets. Ask two follow-up questions while you are at it: whether the opt-out is prospective only, leaving data already ingested in place, and what the retention period is for prompts and outputs regardless of the opt-out, because a training opt-out often does not change retention for abuse monitoring or support.
The opt-out is buried. Have you checked your settings?
Clause 3: Liability Cap [HIGH RISK]
"Vendor's total aggregate liability to Customer for any and all claims arising under or in connection with this Agreement shall not exceed the amounts paid by Customer to Vendor in the twelve months preceding the claim."
If you pay £2,000/month for a platform and it causes a £500,000 operational failure, the vendor's maximum exposure is £24,000. The gap between their liability cap and your actual exposure is your uninsured risk. Map this gap explicitly. If you are deploying AI in a decision-critical workflow, such as credit assessment, compliance monitoring, safety systems or customer communications at scale, you need either cyber liability insurance that covers AI-related losses, or a commercially negotiated uplift to this cap. The usual negotiating points are carve-outs from the cap for data breach, breach of confidentiality and the vendor's IP indemnity, or a "super cap" (a higher multiple of fees) for those categories; read the clause together with Clause 1, because the output disclaimer means few output-related claims reach the cap at all. Most vendors will negotiate for enterprise contracts. Most SMBs never ask.
Clause 4: Uptime and SLA [MEDIUM RISK]
"Vendor will use commercially reasonable efforts to ensure 99.5% uptime, excluding scheduled maintenance, force majeure events, and degradation attributable to third-party infrastructure providers."
99.5% uptime sounds robust. It permits 43.8 hours of downtime per year, or about 3.6 hours per month if the SLA is measured monthly, and that is before the exclusions. "Commercially reasonable efforts" is not a guarantee. The exclusion for "third-party infrastructure", which means AWS, Azure, or GCP, and for a reseller also the upstream model provider, covers the most likely failure mode. Check how "uptime" is defined: rate limiting, elevated error rates and high latency usually do not count as downtime even though they stop your workflow just as effectively. If you have operational dependencies on this platform, model the cost of a 12-hour outage and decide whether your SLA is adequate. Also check the remedy: most SLA credits are account credits applied to future invoices, not cash compensation, and usually have to be claimed within a short window. Credits do not cover your operational losses.
Clause 5: Model Change Rights [HIGH RISK]
"Vendor reserves the right to update, modify, retrain, or replace the underlying models powering the Service at any time. Vendor will provide reasonable notice of material changes where practicable."
The model your team validated, tested, and integrated into your workflow can be changed without your consent. "Reasonable notice where practicable" is not a defined obligation, and "retrain" covers changes to safety filters and system behaviour, not only to the base model. We have seen clients who built internal workflows calibrated to specific model behaviour find those workflows broken after a silent model update. If model consistency matters to you, whether for audit trails, regulatory evidence or validated decision pipelines, you need a contractual right to receive advance notice of model changes and a right to continue using the previous model version for a defined transition period. This is negotiable. Insist on it. Back the contract with controls of your own: pin a specific model version wherever the API allows it rather than calling a floating alias, log the model identifier the vendor returns with every response, and keep a fixed set of test prompts with expected outputs that you rerun on a schedule, so that a silent change shows up as a failed test rather than as an incident.
Silent model updates can break validated workflows overnight
Clause 6: Data Portability and Exit [MEDIUM RISK]
"Upon termination, Customer may export Customer Data via the platform's standard export functionality within 30 days. Following this period, Vendor may delete Customer Data without further obligation."
Your exit window is 30 days, after which your data may be gone. If the termination is adversarial, because of a dispute, a vendor bankruptcy or a unilateral price increase that forces you out, you may have 30 days to reconstruct years of operational data. Read the wording carefully in both directions: "may delete ... without further obligation" means the vendor is not obliged to keep your data after day 30, but it is not obliged to delete it either. If you need certified deletion at exit, for GDPR or for your own confidentiality reasons, that is a separate term you have to ask for. Check also what the "standard export functionality" actually produces, whether the format is usable outside the platform, and whether it covers everything you hold there, including configuration, prompts, fine-tuned models and conversation history. Establish a regular data export protocol now, regardless of whether you plan to terminate. Treat your AI platform data the same way you treat any critical operational data: back it up independently and on your terms.
Clause 7: Regulatory Compliance Allocation [HIGH RISK]
"Customer is solely responsible for ensuring that its use of the Service complies with all applicable laws, regulations, and regulatory guidance, including but not limited to the EU AI Act, GDPR, and sector-specific requirements."
The EU AI Act creates obligations for both AI providers and AI deployers, allocated by role: a contract cannot move the provider's statutory duties onto you, but this clause makes you contractually responsible for your use and leaves you without recourse against the vendor if their side is deficient. Many SMBs assume their vendor handles regulatory compliance. This clause makes explicit that they do not. You are the deployer. Determining which risk tier your use case falls into (prohibited, high-risk, limited-risk with transparency duties, or minimal) is your obligation. For a high-risk use the provider carries the conformity assessment and technical documentation, but the deployer obligations are yours: using the system in line with the provider's instructions, assigning human oversight, checking that your input data is relevant, monitoring operation, retaining the system's logs, and informing affected workers and individuals. Note that if you substantially modify a high-risk system or put it on the market under your own name, you become the provider and inherit those obligations as well. Your vendor will sell you a platform. They will not prepare your deployer documentation. Build this into your AI governance framework now, before you need it.
What to Do Before You Sign
You will not remove most of these clauses. The vendors are too large, the market too concentrated, and the leverage too asymmetric. A few points, notably the liability cap and model change notice, are negotiable on enterprise contracts. For the rest, what you can do is know exactly what you are agreeing to and build internal governance that addresses each risk directly.
The practical checklist: Opt out of training data provisions immediately and get written confirmation. Map the gap between the liability cap and your realistic exposure. Establish an independent data export schedule. Build output validation protocols that create an audit trail, including the model version behind each output. Negotiate model change notice rights on any enterprise contract, and pin and monitor model versions regardless. And assign someone internally to own EU AI Act deployer obligations, because your vendor won't.
None of this is particularly complex. All of it is routinely overlooked by SMBs who assume that a credible vendor means a safe contract. The vendor's credibility is about the product. The contract is about risk allocation. These are different things.
The contract is not where the risk lives. The risk lives in the gap between what your team thinks the contract says and what it actually says. Close that gap before you deploy.