AI Training Vendor Due Diligence Checklist for Car Dealerships
AI vendor due diligence has 4 risk categories — security, data privacy, financial stability, AI compliance. Here's the dealership-specific checklist.
Most dealership software purchases get evaluated on features and price. When the software handles sales call recordings, customer PII, and rep performance data, that evaluation needs to go deeper.
AI training vendors sit at the intersection of four risk categories that standard SaaS purchasing processes do not fully cover: security posture, data privacy, financial stability, and AI-specific compliance. A vendor that fails in any one of these areas can expose your dealership to regulatory risk, data loss, or operational disruption when they fold or get acquired.
This checklist walks through what to ask — and what the answers should look like — before you sign any AI training contract.
Why AI Training Vendors Require a Separate Due Diligence Track
Traditional dealership training software evaluation focuses on curriculum quality, user experience, and integration compatibility. Those factors still matter. But AI training platforms introduce risk surface areas that older SaaS tools do not.
Your reps practice on the platform using their real voices. Customer objections and scenario scripts reflect actual deal conversations. Call recordings feed AI feedback loops. That data profile is fundamentally different from a video LMS where a rep watches content and clicks through a quiz.
The four categories below map directly to that expanded risk surface. Use them alongside your standard AI roleplay RFP template when evaluating vendors.
Category 1: Security Posture
What to ask:
- Does the vendor have a current SOC 2 Type II report (SOC 2 is an auditor's attestation, not a certification), or are they in an active audit period? Ask for the full report under NDA, not only the auditor's cover letter; the scope, exceptions and subservice organizations are where the substance is.
- Where is data hosted? (Cloud provider, region, and whether it is US-based)
- How is data encrypted in transit and at rest, and who controls the keys? (Minimum acceptable: TLS 1.2+ in transit, AES-256 at rest; the vendor should be able to say whether keys live in the cloud provider's key management service or are handled by their own staff)
- What are the access controls for vendor employees? (Role-based access, least-privilege policy, MFA required for internal access)
- What is the vendor's patching timeline for critical vulnerabilities in production systems, and how do they track vulnerabilities in third-party dependencies?
- Has the vendor completed a third-party penetration test in the last 12 months? Will they share a summary or the attestation letter?
What good answers look like:
SOC 2 Type II is the relevant standard for SaaS vendors handling sensitive business data. A vendor who says "we're working toward SOC 2" is in a different position than one who can produce a report covering a completed audit period. Know the difference, and read the report rather than the cover letter: a clean opinion can still list exceptions against specific controls.
Hosting location matters, but be precise about why. The FTC Safeguards Rule does not require US data residency; it requires you to know where customer information is and to oversee the service providers holding it. Data hosted outside the US, or replicated to backup regions you were not told about, adds contractual and legal complexity, including under state-level privacy laws, so get the provider, region and backup locations in writing.
Encryption answers should be specific. "We encrypt everything" is not an answer. AES-256 at rest and TLS 1.2 or 1.3 in transit are the minimums; the vendor should also be able to confirm that legacy TLS versions are disabled on their endpoints and who holds the keys for data at rest. Ask for documentation, not verbal reassurance, and verify what you can yourself.
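The in-transit claim is one you can check without the vendor's help. The script below is an added example for this checklist, not code from the page or from any vendor: it offers the vendor's HTTPS endpoint one protocol version at a time and reports whether anything below TLS 1.2 is still accepted. The hostname `app.vendor.example` is a placeholder you replace, the TLS 1.2 floor comes from the checklist above, and the script uses only Python's standard library. It also records when the probing machine itself cannot offer an old version, because a failed handshake in that case proves nothing about the server.

```python
"""Probe whether a vendor HTTPS endpoint enforces the TLS 1.2+ floor from the checklist.

Added example, not the page's or any vendor's code. Replace the placeholder
hostname with the vendor's real endpoint before running.
"""
import socket
import ssl

# Version labels as returned by SSLSocket.version(), oldest first.
LEGACY = ("TLSv1", "TLSv1.1")
MODERN = ("TLSv1.2", "TLSv1.3")

# What this Python/OpenSSL build can offer. If the client cannot speak TLS 1.0,
# a failed handshake says nothing about the server.
CLIENT_SUPPORT = {
    "TLSv1": ssl.HAS_TLSv1,
    "TLSv1.1": ssl.HAS_TLSv1_1,
    "TLSv1.2": ssl.HAS_TLSv1_2,
    "TLSv1.3": ssl.HAS_TLSv1_3,
}
VERSION_ENUM = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, version: str, port: int = 443, timeout: float = 5.0) -> str:
    """Offer exactly one protocol version; return 'accepted', 'rejected',
    'cert_error' or 'untestable'."""
    if not CLIENT_SUPPORT[version]:
        return "untestable"
    ctx = ssl.create_default_context()  # still verifies the chain and hostname
    ctx.minimum_version = VERSION_ENUM[version]
    ctx.maximum_version = VERSION_ENUM[version]
    if version in LEGACY:
        # OpenSSL's default security level refuses to offer TLS < 1.2;
        # lower it for this probe only so the server's answer is what decides.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() == version else "rejected"
    except ssl.SSLCertVerificationError:
        return "cert_error"  # a finding in its own right
    except ssl.SSLError:
        return "rejected"  # handshake refused for the offered version
    except OSError:
        return "untestable"  # network problem, not a protocol answer


def classify(results: dict) -> tuple:
    """Turn per-version outcomes into a verdict against the TLS 1.2 floor.
    Returns (verdict, reason) with verdict in PASS / FAIL / INCONCLUSIVE."""
    if any(outcome == "cert_error" for outcome in results.values()):
        return "FAIL", "certificate did not verify for this hostname"
    legacy_accepted = [v for v in LEGACY if results.get(v) == "accepted"]
    if legacy_accepted:
        return "FAIL", "server still negotiates " + ", ".join(legacy_accepted)
    if not any(results.get(v) == "accepted" for v in MODERN):
        return "FAIL", "could not negotiate TLS 1.2 or TLS 1.3"
    untested = [v for v in LEGACY if results.get(v) != "rejected"]
    if untested:
        return "INCONCLUSIVE", "client could not offer " + ", ".join(untested) + "; retest from a build that can"
    return "PASS", "only TLS 1.2+ accepted"


def audit_endpoint(host: str, port: int = 443) -> tuple:
    """Probe every version and return (verdict, per-version results)."""
    results = {v: probe_version(host, v, port) for v in LEGACY + MODERN}
    return classify(results), results


if __name__ == "__main__":
    verdict, detail = audit_endpoint("app.vendor.example")  # placeholder hostname
    print(verdict, detail)
```

Run it from a machine whose OpenSSL can still offer TLS 1.0 and 1.1 (many current distributions compile them out, which is why the INCONCLUSIVE verdict exists). A PASS here covers only the public edge; it says nothing about encryption between the vendor's internal services or at rest, which is why the documentation request above still stands.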
Category 2: Data Privacy and Call Recording Compliance
This is the highest-stakes category for most dealerships, and the one most likely to have gaps.
What to ask:
- What customer PII is collected, processed, or stored on the platform?
- Are sales call recordings stored on the vendor's infrastructure? For how long?
- Can the vendor access your call recordings or rep performance data? For what purposes?
- Does the vendor use your data to train their AI models?
- What is the data retention and deletion policy? Can you request deletion at contract end?
- How does the platform handle state-specific wiretapping and call recording consent laws (all-party consent states, commonly called two-party consent)?
- Who owns the data your dealership generates on the platform?
What good answers look like:
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions, which includes auto dealerships that arrange financing, to maintain a written information security program and vet service providers who access customer financial information. If call recordings contain loan terms, payment discussions, or income verification conversations, that data is in scope. The amended Rule (in force since June 2023) also explicitly requires encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing it, and periodic assessment of service providers, so the Category 1 questions are part of your own compliance obligation, not optional extras.
Data ownership should be unambiguous in the contract. Your dealership's call recordings and rep performance data belong to you. A vendor whose MSA is silent on data ownership or assigns rights to the vendor is a red flag.
Training data use should be off by default with explicit opt-in; an explicit, contractual opt-out is the minimum acceptable. You do not want your proprietary sales conversations improving a competitor's model.
Retention limits should match your operational needs. If you need 90-day rolling access and the vendor deletes after 30 days, that is a workflow problem. If they retain indefinitely with no deletion mechanism, that is a compliance risk.
For a full list of warning signs in vendor contracts, see red flags when buying dealership training software.
Category 3: Financial Stability
Dealership software contracts run 12 to 36 months. A vendor who cannot sustain operations for that period creates real risk: data access disruption, forced migration, and the sunk cost of a training library your team can no longer reach.
What to ask:
- Is the company venture-backed, bootstrapped, or profitable? (This is relevant context, not a pass/fail)
- If VC-backed, when was the last funding round and what is the approximate runway?
- How many paying dealership customers does the vendor have?
- What is the approximate customer churn rate?
- Does the vendor have a data export mechanism if you need to migrate away?
- Is there a source code or data escrow provision, or another continuity provision, in the contract if the company is acquired or shuts down?
What good answers look like:
Most AI training startups are VC-backed. That is not inherently disqualifying — every major software company started that way. The question is whether they have enough runway and revenue to operate through the duration of your contract.
A vendor with 18 months of runway and 50 dealership customers is in a meaningfully different position than one with 6 months of runway and 8 customers. Neither number is published on their website. Ask directly in the sales process. If they refuse to give any signal, treat that as information.
Customer count and churn signal product-market fit. Churn above 20% annually in a B2B SaaS context is high. Churn below 10% suggests the product is working.
Data portability matters most if the relationship ends. You should be able to export your rep performance history, scenario libraries, and call logs in a standard format (CSV, JSON) without requiring vendor assistance, and the export should include the recordings themselves, not just metadata about them. Get that confirmed in the contract, not just in a sales conversation, and run a test export during the trial.
Category 4: AI Compliance and Model Governance
This category is the newest and the least standardized. Most dealerships do not yet have policies here, but regulators are developing expectations quickly.
What to ask:
- What AI models power the platform? Are they proprietary, fine-tuned third-party models, or off-the-shelf LLMs?
- Where do the AI training scenarios come from? Who reviews them for accuracy and bias?
- Has the vendor conducted any bias testing on the AI feedback models? Will they share the methodology?
- Are AI-generated coaching scores and evaluations logged and auditable?
- What happens when the AI gives incorrect or harmful feedback to a rep?
- Does the vendor have an AI ethics policy or responsible AI framework?
- How does the platform handle changes in underlying AI models? (Model versioning, rollback capability)
What good answers look like:
Model provenance matters because licensing terms vary by underlying model. If a vendor is using a fine-tuned version of an open-source model, they should know the license. If they are using a major foundation model API (OpenAI, Anthropic, Google), they should be able to explain what data those providers receive, whether the provider's API terms exclude that data from model training, and how long the provider retains prompts and outputs. Those providers are subprocessors of your data and belong on the vendor's subprocessor list.
Bias testing is still nascent in sales AI, but the question itself reveals how seriously the vendor thinks about model quality. A vendor who has done no bias evaluation on their scoring models is making implicit assumptions about what "good" performance sounds like that may disadvantage certain reps.
Audit logs for AI evaluations protect both the dealership and the rep. If a rep disputes an AI-generated score, you need a record of what the model evaluated, which model version and rubric produced the score, and when. Platforms that generate scores without durable, tamper-evident logs create accountability gaps.
AI model updates should be versioned and communicated. A model update that changes scoring criteria mid-quarter can invalidate your performance tracking. Ask how the vendor handles model changes and whether you have any input or notice period.
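What a durable, auditable evaluation log looks like in practice, covering both the dispute case above and the mid-quarter model change: the code below is an added example for this checklist, not any vendor's implementation or code from the page. The record fields (`rep_id`, `session_id`, `model_version`, `input_ref`, `score`, `rubric`) are an assumed schema chosen to answer the checklist questions, and the three evaluations in `build_demo_log` are constructed sample data. Each entry is hashed together with its predecessor, so altering or deleting any earlier score breaks every hash after it, and the model version on every record makes a scoring-model change visible in the data rather than something you learn about from a release note.

```python
"""Tamper-evident log of AI coaching evaluations (added example, assumed schema)."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def canonical(record: dict) -> bytes:
    """Deterministic serialization so identical records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class EvaluationLog:
    """Append-only list of evaluation records, each hashed over its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, *, rep_id, session_id, model_version, input_ref, score, rubric, timestamp):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "rep_id": rep_id,
            "session_id": session_id,
            "model_version": model_version,  # which model produced this score
            "input_ref": input_ref,          # pointer to the recording or transcript evaluated
            "score": score,
            "rubric": rubric,                # criteria version the score was judged against
            "timestamp": timestamp,          # ISO 8601, UTC
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry.
        Catches edited fields, deleted entries and reordered entries."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev_hash:
                return i
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return i
            prev_hash = entry["hash"]
        return -1

    def model_changes(self) -> list:
        """(seq, old_version, new_version) for every point where the scoring model changed."""
        changes = []
        for prev, cur in zip(self.entries, self.entries[1:]):
            if prev["model_version"] != cur["model_version"]:
                changes.append((cur["seq"], prev["model_version"], cur["model_version"]))
        return changes


def build_demo_log() -> EvaluationLog:
    """Constructed sample data: three evaluations, model updated before the third."""
    log = EvaluationLog()
    log.append(rep_id="rep-17", session_id="s-1001", model_version="coach-v3.1",
               input_ref="rec/2024-05-02/s-1001.wav", score=72, rubric="objection-v2",
               timestamp="2024-05-02T14:03:00Z")
    log.append(rep_id="rep-22", session_id="s-1002", model_version="coach-v3.1",
               input_ref="rec/2024-05-02/s-1002.wav", score=81, rubric="objection-v2",
               timestamp="2024-05-02T15:10:00Z")
    log.append(rep_id="rep-17", session_id="s-1003", model_version="coach-v3.2",
               input_ref="rec/2024-05-09/s-1003.wav", score=64, rubric="objection-v2",
               timestamp="2024-05-09T09:41:00Z")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify() == -1)
    print("model changes:", log.model_changes())
    log.entries[0]["score"] = 95  # silently "fix" a disputed score
    print("first bad entry after tampering:", log.verify())
```

When asking a vendor about auditability, these are the properties to look for: a per-evaluation record that names the model version and rubric, a chain or signature that makes after-the-fact edits detectable, and an export you can verify yourself. A rep's score of 64 after the `coach-v3.2` change is not comparable to the 72 before it, and the log makes that visible without relying on the vendor's release notes.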
For integration and technical governance questions beyond AI compliance, see the integration checklist for dealership training software.
Sample Questions to Include in Your RFP
Paste these directly into your AI roleplay RFP template:
- Provide your most recent SOC 2 Type II report (under NDA) and, if the audit period ended more than a few months ago, a bridge letter; otherwise describe your current audit timeline.
- Describe your data retention policy for call recordings and rep performance data, including the deletion process at contract end.
- Does your company use customer data to train or fine-tune AI models? If yes, describe the opt-out mechanism.
- Provide your approximate current customer count and annual churn rate.
- Describe the escrow or data portability provisions available if our dealership needs to migrate off the platform.
- Has your AI feedback model undergone bias testing? Provide a summary of methodology and findings.
- How are AI model updates versioned and communicated to customers?
Frequently Asked Questions
Do I need SOC 2 compliance from every SaaS vendor my dealership uses?
Not necessarily for every tool. But any vendor who processes customer financial data, stores employee performance data, or handles call recordings of sales conversations is worth requiring a SOC 2 Type II report from. The FTC Safeguards Rule places responsibility on dealerships to vet service providers who access customer information; a SOC 2 report is a reasonable starting point for that vetting, provided you read its scope and exceptions rather than filing the cover letter.
What is the difference between SOC 2 Type I and Type II?
Type I is a point-in-time assessment: an auditor confirms the vendor's controls are designed correctly as of a given date. Type II covers an audit period, typically 6 to 12 months (a vendor's first report may cover as little as 3 months), and confirms those controls actually operated effectively over that time. For a production vendor handling sensitive data, Type II is the relevant standard. Check the report's scope (which systems and trust criteria were covered), its exceptions, and the complementary user entity controls, which are the things the auditor assumed you, the customer, would do on your side.
Can I ask a vendor about their funding runway without being rude?
Yes. Frame it as a business continuity question: "We're making an 18-month commitment and want to understand operational continuity. Can you give us any signal on company runway and customer growth trajectory?" A vendor who has thought about customer success will have a prepared answer. A vendor who stonewalls should trigger additional scrutiny.
What happens to my data if the vendor is acquired?
Acquisition changes who controls your data and the processing agreements that govern it. Your MSA should include language requiring notice of any change of control and giving you the right to terminate without penalty, with your data returned or deleted, if the acquirer does not meet your data requirements. If that language is not in the standard contract, ask for it.
How do I evaluate AI bias risk in a sales training context?
Ask the vendor for examples of how their AI evaluates reps across different communication styles, accents, and demographic profiles. Ask whether their training scenarios were developed with diverse voice actors or speaker sets. A vendor who has not considered these questions has not done the work. A vendor who has done bias testing and can share methodology is a more credible partner.
How DealSpeak Approaches These Questions
DealSpeak is an AI-powered sales practice platform built specifically for car dealerships. We are direct about where we are in the compliance journey: our SOC 2 attestation is in progress, with data privacy as the foundational design principle from the start.
Customer data is never used to train shared AI models. Call recordings and rep performance data remain owned by the dealership. We can answer every question on the checklist above, and we put it in writing.
If you are currently evaluating AI training vendors and want to run through the full due diligence checklist against DealSpeak, talk to our team. We will give you straight answers.
For the full vendor comparison landscape, see our guide to automotive sales training options.
Ready to Transform Your Sales Training?
Practice objection handling, perfect your pitch, and get AI-powered coaching — all with your voice. Join dealerships already using DealSpeak.
Start Your Free 14-Day Trial