Before you approve an AI tool for your organization, know exactly where it fails on HIPAA, SOX, and data sovereignty. One vendor. One structured report. A clear Go, Conditional Go, or No-Go verdict.
Every vendor is scored Red, Amber, or Green across the same eight criteria — so assessments are consistent and defensible across your tool registry.
| Criterion | Why It Matters | Score |
|---|---|---|
| Data training opt-out | Can your prompts be excluded from model training? Critical for confidential data exposure. | Green / Red |
| SOC 2 Type II certification | Third-party-verified security controls — the minimum bar for enterprise procurement. | Scored |
| HIPAA Business Associate Agreement | Required for any healthcare-adjacent use. Absence is an automatic disqualifier for PHI exposure. | Critical |
| EU data residency option | Required for GDPR and EU AI Act compliance if you have EU customers or operations. | Scored |
| Prompt / conversation retention policy | How long does the vendor retain your data? This directly determines your data breach exposure window. | Scored |
| Enterprise / private deployment option | Can data be kept entirely within your infrastructure? Higher score = lower shared-infrastructure risk. | Scored |
| Incident notification SLA | How quickly will the vendor notify you of a data breach? Required under the HIPAA Breach Notification Rule. | Scored |
| Contractual data deletion guarantee | Can you compel deletion of your data on contract termination? Relevant to employee offboarding and litigation holds. | Scored |
A widely used enterprise AI coding assistant was found to have no HIPAA BAA available, no EU data residency option, and a 30-day prompt retention window with no contractual deletion guarantee — resulting in a No-Go verdict for a healthcare client that had already begun piloting the tool across 40 developers.
Every AVRA report closes with one of three verdicts, with conditions where applicable.

- **Go:** Vendor meets all material criteria for your regulatory environment. Approved with standard usage controls.
- **Conditional Go:** Vendor passes most criteria but has specific gaps. Report includes the contractual controls or usage restrictions required before approval.
- **No-Go:** Vendor fails one or more critical criteria. Report explains the specific disqualifiers and recommends alternatives where possible.
- Compliance officers evaluating a new AI tool before adding it to the approved technology list.
- Legal and procurement teams who need documented due diligence before signing a vendor contract.
- CISOs auditing existing approved tools that were onboarded without formal security review.
- Healthcare and fintech operators who need documented evidence of AI vendor due diligence for regulatory audits.
1. Book a brief request via Calendly. Provide the vendor name, the use case (e.g., "developers using AI coding assistant"), and the frameworks that apply to your organization — HIPAA, SOX, GDPR, or other.
2. We review the vendor's DPA, security documentation, BAA availability, SOC 2 status, and contractual terms against your regulatory context. Each of the eight criteria is scored and documented.
3. You receive a branded PDF report with the full scoring matrix, specific findings, and a Go/Conditional Go/No-Go verdict within 48 hours of submission. The report is ready to include in vendor due diligence files.
One vendor per report. If you need multiple vendors assessed, each is priced at $997. Contact us about bundle pricing for three or more vendors assessed simultaneously.
The report specifies the exact conditions required — for example, "requires a signed HIPAA BAA before any PHI-adjacent use" or "restrict to internal tooling use only, no client data." These conditions are written to be usable directly in your vendor contract or internal usage policy.
Yes. The findings document specific gaps in the vendor's current offering. Several clients have used AVRA reports to negotiate BAA additions, data retention reductions, and deletion guarantees into their enterprise contracts.
If you're auditing an existing tool registry of 5+ tools, a full forensic engagement may be a better fit. Request a briefing to discuss scope and pricing.
$997 to document your due diligence is a small fraction of what one failed regulatory audit costs.