Key Contractual Considerations for Onboarding GenAI Tools


Key Takeaways:

  • Before reviewing a GenAI tool’s license agreement, confirm its usage policy aligns with your intended use.
  • Consider not just the tool’s terms but also broader contractual obligations, which will vary depending on what type of data your team is using.
  • Not all data is created equal, and understanding the sensitivity of the data being entered into a GenAI tool is essential, as it may require further contractual analysis.

Free Download: Access this author’s free GenAI Tool Intake Questionnaire.

Watch On-Demand Video: Watch this webinar recording on the Dos & Don’ts of Agreement Review and Negotiations with this author for more learnings and resources.


Key Contractual Considerations for Onboarding GenAI Tools by Laura Belmont

As GenAI and LLM tools rapidly gain traction, lawyers and contracts professionals are increasingly tasked with evaluating their risks during contract review. Contractual terms carry significant business implications, and reviewing them during procurement is critical to avoid terms that could harm your company or conflict with its goals.

This guide highlights key contractual considerations for assessing GenAI tools, with term examples from popular LLMs. For a detailed framework, see this GenAI Tool Intake Questionnaire.

1. Ensure Your Use Case is Permitted

Before reviewing a GenAI tool’s license agreement, confirm its usage policy aligns with your intended use. Start with the basics—what does your team want the tool to accomplish? 

Most LLMs prohibit harmful applications such as harassment and discrimination, but not all prohibited activities are harmful or illegal. While Meta’s Llama 3.2 Acceptable Use Policy (AUP) prohibits promoting disinformation, Anthropic’s AUP for Claude models goes further, banning use for political advocacy, lobbying, and promoting specific candidates or parties.

Anticipate scope creep. Your team will likely identify additional applications as they use the GenAI tool. To avoid future constraints, select a solution with terms that can accommodate your evolving business needs.

Pro Tip: GenAI tool vendors frequently update their terms of use. Save a copy of the AUP at the time of review and establish a process to monitor changes.

2. Confirm Version and Access Method

The version of the GenAI tool and the method of access determine the applicable license terms, which in turn impact the rights associated with your data inputs.

  • The licenses for free versions typically grant vendors broad rights to use your data inputs. For example, Cohere’s Terms of Use for free versions of its Command and Embed models permit Cohere to use your data inputs for model training and enhancing their “other offerings.” While some vendors, like OpenAI, provide opt-outs for data training in free versions, this is uncommon.
  • Enterprise (paid) version licenses generally offer stronger data protections, with most vendors stating in their license agreements that inputted data will not be used for model training or enhancing other products.
  • API-based access may also provide data protection rights. For instance, using Cohere’s API allows users to opt out of model training and offers data deletion within 30 days.
  • AI Platforms or Virtual Private Clouds (VPC): AI platforms like Amazon Bedrock and Google Cloud offer the highest security by preventing GenAI tools deployed in their platforms from accessing inputted data entirely. For instance, AWS states in its Bedrock FAQs that “[u]sers’ inputs and model outputs are not shared with any model providers.”

Pro Tip: Ask your team to send the end-user license agreement (EULA) that they must attest to when accessing a GenAI tool via API or AI platform, as it may differ from publicly available enterprise terms on vendor websites.

3. Determine Whose Data Will be Used

When using GenAI tools, it’s important to consider not just the tool’s terms but also broader contractual obligations, which will vary depending on whether your team is using internal data, client data, or integrating the tool into client-facing products or services.

  • Internal Data: For internal use only (e.g., creating marketing materials), ensure compliance with your company’s policies and risk tolerance.
  • Client Data: Review client agreements to identify limitations on how their data may be used. Many contracts, especially legacy ones, might be silent on GenAI tool usage. Consider seeking client approval to enter their data in a GenAI tool to maintain trust, especially as more companies adopt AI usage policies.
  • Client-Facing Tools: If integrating GenAI into your products, ensure safeguards against claims from both vendors (e.g., client misuse) and clients (e.g., flawed outputs). Include robust indemnification, disclaimers, and liability limitations.

Pro Tip: Work closely with your product team to understand the UX for your product’s AI features to determine how to link to or otherwise surface GenAI tools’ AUPs to client end users.

4. Assess the Data Sensitivity

Not all data is created equal, and understanding the sensitivity of the data being entered into a GenAI tool is essential, as it may require further legal and contractual analysis.

  • Confidential Data: When handling confidential business information, opt for an enterprise version of the tool that includes explicit confidentiality protections. If you permit your team to use a free version for public or non-confidential information, ensure they enable all available opt-out options to safeguard against the inadvertent entry of sensitive data.
  • Personal Data: Review the vendor’s Privacy Policy and assess whether the tool’s data use aligns with your company’s Privacy Policy and any Data Processing Agreements (DPAs) you have with data owners.
  • Cross-Border Data Transfers: Identify where the GenAI vendor and its servers are located to ensure compliance with international data transfer regulations, such as GDPR’s SCCs. For example, OpenAI’s global operations may involve cross-border transfers, while Cohere, based in Canada, must comply with PIPEDA. Assess these laws’ alignment with your jurisdiction to understand their impact on your organization.
  • Regulated Data: Highly regulated data, such as government, healthcare, or financial information, requires additional scrutiny. Confirm that the tool meets relevant industry standards, such as HIPAA for healthcare data (including Business Associate Agreements), FedRAMP for certain government data or PCI DSS for financial data.

Pro Tip: Classify your company’s data based on sensitivity levels (e.g., public, internal, confidential, regulated). In addition, establish clear guidelines for which types of data are permissible for GenAI tool use. And lastly, ensure your colleagues are trained on these policies.

5. Compare Alternatives

Companies often lack the leverage to negotiate terms with GenAI tool vendors. (If you’ve done so successfully, find me on LinkedIn and let me know!) To mitigate risks associated with unfavorable contractual terms, ask your business team upfront if alternative tools can meet the same needs. If multiple options are available, prioritize those with more favorable terms. This strategy acknowledges the reality of limited negotiation power while helping you select a tool that better aligns with your company’s goals.

Learn More: 20 Questions to Ask When Reviewing Contracts with Generative AI Vendors

Why These Questions Matter

By asking the right questions, you minimize risk to your company and can make informed decisions that empower your organization to adopt GenAI tools that align with its strategic objectives.

Stay tuned for a monthly column from this author dedicated to AI and Contracts! Subscribe here to our free weekly newsletter.

© 2022 Contract Nerds United, LLC. All rights reserved.
The opinions expressed throughout this website are not intended to provide legal advice or create an attorney-client relationship.