AI Vendor Selection for SMEs: The 12-Point Checklist for 2026

How small and mid-sized companies pick the right AI vendor — GDPR-compliant, free of vendor lock-in, with the right contract clauses negotiated up front. The structured basis for your 2026 decision.

Why vendor selection decides whether your AI project succeeds or fails

Choosing the right AI vendor is one of the most consequential decisions a mid-sized company makes on its digitalisation journey — and one of the most frequently underestimated. According to the Forrester Wave: AI Vendors 2024, 47% of all corporate AI projects fail primarily because of a flawed vendor choice: a poor fit, inadequate GDPR compliance, unclear contractual foundations and underestimated vendor lock-in are the leading causes.

The Gartner Magic Quadrant for AI Platforms 2024 reinforces the point: companies that systematically compare fewer than three vendors during the selection process are four times more likely to end up locked into a long-term dependency with high switching costs — the so-called vendor lock-in trap. This risk is especially acute for SMEs, many of which decide under time pressure and without structured selection criteria.

So what makes a good AI vendor selection? It is neither a pure price comparison nor a feature checklist. A professional vendor evaluation for an SME assesses at least four dimensions at once: technical fit (can the tool actually cover the use cases you have defined?), regulatory compliance (GDPR, EU AI Act, the implications of Schrems II), commercial sustainability (pricing transparency, lock-in risk, exit options) and organisational fit (support language, documentation, roadmap transparency for the European market).

This is particularly critical for European SMEs: the market for GDPR-compliant AI solutions with EU hosting is considerably smaller than commonly assumed. According to the Statista DACH AI Market Report 2024, only 23% of the AI vendors active in the German market offer demonstrably GDPR-compliant EU hosting with no data transfer to third countries. The compliance pressure created by Schrems II makes a structured selection process far more necessary — informal vendor decisions based on a product demo simply do not cut it here.

The commercial consequences of a wrong decision are severe: according to a survey by Wito AI (2025), the cost of switching to a different AI vendor runs to 1.5 to 3 times the original initial investment — including data migration, re-integration, training effort and an unproductive transition period. That makes a structured selection process not just a quality decision but a direct safeguard for your investment.

  • 47% of projects fail on the vendor choice (Source: Forrester Wave, 2024)
  • 8 years: average vendor tie-in under lock-in (Source: Gartner Magic Quadrant, 2024)
  • 23%: GDPR-compliant EU vendors in the market (Source: Statista DACH, 2024)
  • 1.5–3×: switching cost vs. initial investment (Source: Wito AI, 2025)

The 12-point checklist for selecting an AI vendor as an SME

This checklist was developed on the basis of more than 30 vendor evaluations for mid-sized companies and covers every critical dimension — from GDPR compliance to your exit strategy. All twelve points should be assessed before you commit to a purchase.

1. GDPR compliance and proof of EU hosting

Ask for written proof that all data is processed and stored exclusively on servers within the EU (or the EEA). A verbal promise or a generic privacy policy is not enough. Ask explicitly: where are the data centres located? Which sub-processors are used? Are there any data transfers to third countries — even temporary ones?

2. A data processing agreement under Art. 28 GDPR

A data processing agreement (DPA) under Art. 28 GDPR is mandatory — not optional — whenever an AI vendor processes personal data. Check whether the vendor provides a complete DPA that documents all technical and organisational measures (TOMs). US vendors often supply their own template under a different label; whatever it is called, its content must satisfy Art. 28 GDPR.

3. Protection against data exfiltration and model training

Get a binding answer: is your input data used to train the AI models? Many vendors rely on opt-out mechanisms that allow data training by default. With personal or business-critical data, this is a significant compliance risk. Demand a written commitment that your data will not be used for model training — or choose a vendor with a "data isolation" guarantee.

4. Model auditability and explainability

For AI systems in the high-risk category under the EU AI Act (Art. 13, Regulation (EU) 2024/1689), explaining decisions is mandatory. But even outside the high-risk classification, SMEs should insist that the vendor can clearly explain how the model arrives at its outputs. "Black box" systems with no audit trail are a long-term governance risk.

5. Assessing vendor lock-in

Analyse this carefully: how proprietary are the data formats? Is there a documented data-export process? Can trained models or fine-tunings be exported? How deeply does the system integrate into your infrastructure — and how much effort would switching vendors take after 24 months? A high degree of lock-in is not an automatic deal-breaker, but it must be factored explicitly into the decision.

6. Scalability and pricing transparency

Make sure you fully understand the pricing model: are there hidden costs as usage grows? How does the price behave at 10× or 100× your current usage? Many SaaS AI vendors have aggressively escalating prices for API usage — what looks cheaper in a pilot can quickly become uneconomical at full rollout.

7. SLA: availability and response times

Review the service-level agreement (SLA) for: guaranteed uptime (at least 99.5% for production systems), maximum downtime per month, response time for critical incidents, and whether there is financial compensation (service credits) for SLA breaches. Watch out: many vendors define "force majeure" very broadly — read the clauses closely.

8. Support in your own language

Do not underestimate the language of support: when a critical production problem hits, your staff — not just the IT lead — need to be able to communicate with the support team. English-only support is often a hidden barrier to adoption for European SMEs. Check: is local-language support available? What support hours apply for the European time zone?

9. Roadmap transparency

A reputable AI vendor communicates its product roadmap openly and regularly. Ask: how stable is the API interface? How far in advance are breaking changes announced? What is the deprecation policy for older model versions? Vendors that offer no roadmap transparency create high internal maintenance effort through forced migrations.

10. Reference customers in your region

Ask for at least three comparable reference customers in your region — from a similar industry and of a similar company size. Speak to those reference customers directly (not just the case studies the vendor has prepared). Ask: what went better than expected? What was disappointing? What is the support quality really like day to day?

11. Exit strategy and data deletion

What happens to your data if you terminate the contract? Settle this contractually: the deadline for a full data export, the format of that export (machine-readable, not proprietary), written confirmation that all data has been deleted after the contract ends, and how long the vendor may retain data after termination (GDPR-compliant deletion periods under Art. 5(1)(e) GDPR).

12. The vendor's EU AI Act high-risk classification

Find out whether the vendor classifies the AI system as a high-risk AI system under Annex III of the EU AI Act. If it does, both the vendor and you, as the deployer, face heightened compliance requirements. Ask about the EU AI Act compliance status and the expected date of CE marking (mandatory for high-risk systems from 2 August 2027 for new systems, and earlier for systems already on the market).

When selecting an AI vendor, SMEs should evaluate at least three vendors in parallel — a single-source choice leads four times more often to vendor lock-in with high switching costs.
Gartner Research, Magic Quadrant for AI Platforms 2024, Gartner, 2024

GDPR assessment: EU vendors vs. US vendors after Schrems II

The Schrems II ruling of the European Court of Justice (CJEU C-311/18) of July 2020 fundamentally changed the legal position for using US cloud and AI services. The Privacy Shield mechanism was declared invalid — since then, transferring personal data to the US without adequate safeguards has been unlawful.

The EU-US Data Privacy Framework (DPF), which took effect in July 2023 as the successor to the Privacy Shield, once again permits data transfers to the US under certain conditions. Data protection authorities — including the German Federal Commissioner for Data Protection (BfDI) — remain critical of the DPF, however: a fresh legal challenge (Schrems III) is considered likely. Companies that rely on US vendors carry the risk that the legal basis is invalidated all over again.

The question of model training data is particularly important: if a US vendor uses your input data by default to train its models, personal data leaves the EU — even if the data centre itself sits in Europe. Under data protection law, this counts as a transfer to a third country whenever the training infrastructure is operated in the US.

For the EU AI Act, an additional rule applies: AI systems deployed in the EU must meet the EU requirements regardless of where the vendor is based. US vendors, too, must appoint an EU authorised representative for the high-risk systems they make available in the EU (Art. 22 EU AI Act). SMEs should check whether their AI vendor has already named that EU representative — otherwise they effectively take on part of the compliance responsibility themselves.

Contract clauses you should negotiate when selecting an AI vendor

The Bitkom guide to AI contract design 2024 identifies five contract clauses that are missing from many AI vendors' standard offers but are indispensable for SMEs. If you do not proactively insist on these clauses, you accept significant risks.

A complete, detailed DPA under Art. 28 GDPR

The data processing agreement must contain everything Art. 28 GDPR requires: the subject matter and duration of the processing, its nature and purpose, the types of personal data, the categories of data subjects, and a complete list of the sub-processors used. Clauses such as "we use sub-processors whose list is available on request" are not sufficient — the list must be attached to the contract, and changes must be announced with advance notice.

Model-update notification and version stability

AI models are updated continuously — often without users being told. A model update can fundamentally change your AI system's outputs and cause unexpected behaviour in production processes. Agree on: a minimum notice period of 30 days before breaking changes, the option to keep using an older model version for at least 90 days after an update is rolled out, and a regression-testing obligation on the vendor.

Service-level agreement: availability and response time

A complete SLA for production AI systems includes: an uptime guarantee of at least 99.5% per calendar month (equivalent to a maximum of 3.6 hours of downtime per month), maximum API latency (p95) for standard requests, an escalation path for critical incidents with response times under four hours, and financial service credits for SLA breaches. Standard terms of service with no specific SLA clauses give you no basis for compensation when production goes down.

Audit rights and proof of compliance

Companies have the right to verify that the agreed data protection measures are being met. Negotiate the right to your own or commissioned audits (at least once a year) or, alternatively — and more common in practice — the regular provision of up-to-date certifications: ISO 27001, SOC 2 Type II, BSI C5 (the Cloud Computing Compliance Criteria Catalogue published by the German Federal Office for Information Security).

An exit clause covering data export and data deletion

Agree contractually that, after the contract ends, the vendor will make all your data available within 30 days in a standardised, machine-readable format (e.g. JSON or CSV, not a proprietary format). Once the export is complete, the vendor deletes all copies of your data in full and confirms this in writing. The transition period (running both systems in parallel during a vendor switch) must be secured in the contract — ideally 90 days after termination.

Frequently asked questions about AI vendor selection for SMEs

The Gartner Magic Quadrant for AI Platforms 2024 recommends comparing at least three vendors in a structured process. Fewer than three vendors statistically leads to vendor lock-in four times more often. More than five or six vendors in a first evaluation is rarely worthwhile for an SME — the effort outweighs the insight gained. A two-stage process works well: a long list of 8–10 vendors (a coarse filter on GDPR, price and functionality), then a short list of 3–4 vendors for an in-depth evaluation that includes a pilot test.

A structured vendor evaluation for a specific AI use case typically costs between EUR 3,000 and EUR 8,000 in external consulting support — depending on the scope (the number of vendors to assess, the complexity of the technical requirements, and the depth of the GDPR review). Without external support the internal effort is usually higher, because the expertise to assess GDPR and contract clauses is rarely available in-house at an SME. Germany's BAFA consulting subsidy can be applied to vendor evaluations when they form part of a larger digitalisation consulting project.

Yes, under certain conditions. The EU-US Data Privacy Framework (DPF) of July 2023 permits data transfers to certified US companies. Check: (1) Is the vendor listed in the DPF register (searchable at dataprivacyframework.gov)? (2) Does the vendor provide a complete data processing agreement (DPA) that meets GDPR requirements? (3) Is there an EU-region option that keeps processing entirely within the EU? Important: the DPF is still being challenged in court (Schrems III is considered likely). An EU-first vendor strategy significantly reduces long-term compliance risk.

A data processing agreement (DPA) under Art. 28 GDPR is mandatory whenever a service provider processes personal data on your behalf — which applies to almost every AI SaaS vendor as soon as your input data could even potentially relate to individuals. The DPA governs the subject matter, duration and purpose of the processing, which data categories are processed, all sub-processors used, and the technical and organisational measures (TOMs). A missing DPA is a direct GDPR breach — regardless of whether an actual data incident occurs.

Vendor lock-in can be reduced significantly through four measures: (1) Secure data portability contractually — a machine-readable export of all data within 30 days of the contract ending. (2) Favour standardised interfaces — vendors that offer proprietary APIs with no standard alternative create more switching effort than those built on open standards (e.g. an OpenAI-compatible API). (3) Keep fine-tunings and model adaptations portable — favour approaches (such as RAG over fine-tuning) that can be reproduced vendor-neutrally. (4) Think through and contractually secure the exit scenario at the point of signing.

There is no legal obligation to favour European AI vendors. In practice, however, choosing a European vendor offers clear advantages: lower GDPR risk (no Schrems II problem), clearer applicability of the EU AI Act, often better local-language support, and a better cultural fit for European requirements (e.g. legally compliant document templates and data protection standards). Our recommendation: choose a European vendor when it is functionally equivalent or only marginally weaker — the compliance savings far outweigh the difference in performance.

Liability is complex and depends on several factors. As the deployer of an AI system, you are generally responsible for its use under the EU AI Act and general product liability law — even if the system is supplied by the vendor. The vendor is liable for errors that stem from defects in the system itself (product liability under the revised EU Product Liability Directive 2024). In practice, a clear allocation of liability in the contract is decisive: agree that the vendor is liable for damage arising from proven system defects, while you, as the deployer, are responsible for correct use and monitoring. In the high-risk category under the EU AI Act, human oversight of the system is mandatory.

A structured vendor evaluation for an AI solution with a realistic pilot test typically takes 4–8 weeks. Weeks 1–2: build the long list, apply the coarse filter (GDPR, price, functionality) and gather initial demos. Weeks 3–4: short-list 3–4 vendors, run the deep technical review, and assess GDPR and contract clauses. Weeks 5–6: run a parallel pilot of all short-listed vendors on your own use case with your own data. Weeks 7–8: document the decision, negotiate the contract and conclude the DPA. This timeframe is appropriate for most AI use cases — only very simple standard integrations (e.g. a standard chatbot on public content) can shorten it to 2–3 weeks.

Book a vendor evaluation as a consulting engagement

Wito AI guides you through the entire vendor selection process: from requirements analysis and a structured evaluation against the 12-point checklist to GDPR-compliant contract design. BAFA funding can be applied.

  • BAFA funding can be applied to the consulting work
  • A GDPR-compliant selection process
  • The outcome: a signature-ready contract basis