The Four Questions I Ask Before Recommending Any Data Tool
I have been on the wrong side of a vendor data decision. A tool I recommended to a client turned out to be using customer data to train its models — buried in the terms of service in language that required a lawyer to find. The client had no idea. Neither had I at the time. That experience changed how I evaluate tools.
Now I work through four questions before recommending anything that touches business or customer data. I am sharing them here because the questions are not proprietary — they are just the discipline that most operators skip because evaluating tools is already a lot of work.
Question 1: Where does the data go, and who controls it?
Specifically: what country, what cloud infrastructure, and what does the vendor's sub-processor list look like? A tool that stores data in a jurisdiction with weak data protection laws creates exposure regardless of what the vendor's privacy policy says.
If the vendor cannot answer this specifically and quickly, that is a signal. Business-grade vendors know where their data lives. Consumer-grade vendors often do not — or they change infrastructure without telling you. For any tool that touches customer information, "we use industry-standard security" is not an answer. Names, regions, and sub-processors are an answer.
Question 2: Does the vendor use your data to improve their product?
This is the question most operators do not think to ask. Many AI tools train on user inputs by default. Some offer an opt-out buried in settings. Some do not offer an opt-out at all. For any tool that touches client data, proprietary processes, or competitive information, this question is not optional.
The practical test: open the vendor's data terms and search for "training," "model improvement," and "retention." If you cannot find a clear position in ten minutes, assume the default is unfavorable until proven otherwise. Free tiers and consumer plans are where this shows up most often.
Question 3: What happens to your data when you leave?
Can you export everything? Does the vendor delete your data on request? Is there a written commitment to deletion with a timeframe? Vendors who make it easy to leave are vendors who are confident in their product. Vendors who make it hard are vendors who know you have become dependent on them.
I have seen small businesses discover, during a vendor switch, that years of customer records were locked behind an export feature that only exists on the enterprise tier they never purchased. Ask this question before you have data in the system, not after.
Question 4: Is there a data processing agreement available?
This is the clearest signal of whether a vendor takes data practices seriously. Vendors serving business customers should have a DPA readily available — it is a standard document in enterprise and mid-market sales. If a vendor has never heard of a DPA or cannot produce one on request, they are not operating at a standard appropriate for handling your customers' data.
You do not need to sign a DPA on day one for every tool. But the availability of one tells you whether the vendor has thought about business customers as distinct from individual consumers.
What these questions do and do not do
These questions do not guarantee a good outcome. No evaluation framework does. But they surface the information you need to make a conscious decision — which is different from making an uninformed one and hoping for the best.
If you want a structured way to work through vendor questions with your team, the Data Privacy Baseline Workflow at /home/workflows/data-privacy-baseline includes a vendor inventory step and produces a data handling draft you can adapt. Start there before your next tool purchase — not after the contract is signed.