Before signing with an AI vendor, your legal team must review each of the following eight core clauses line by line. Each comes with a risk rating and ready-to-reference English sample contract language (Sample Clause).
Clause 1: Data Rights & Ownership (Risk: High)
Define ownership of Customer Input Data and Output Data explicitly. The vendor must not claim any ownership interest in customer data in any form; the customer retains full rights to its original data. Require the vendor to permanently delete all copies within 30 days of contract termination. In practice, make the deletion obligation cover backups and any subprocessor copies as well, and require written certification that deletion has been completed.
Clause 2: Model Training Restrictions (Risk: High)
Prohibit the vendor from using customer data (prompts, inputs, outputs and logs) to train, fine-tune, or otherwise improve any foundation model. This clause directly addresses trade-secret exposure and must be stated expressly; do not accept a "service improvement" carve-out. Confirm that the prohibition flows down to any subprocessor or upstream model provider the vendor relies on, since that is where the data actually ends up.
Clause 3: Confidentiality & Security Standards (Risk: High)
Require the vendor to maintain recognized security standards, such as a current SOC 2 Type II attestation report or ISO 27001 certification, and define breach notification timelines (typically within 72 hours). Note that 72 hours is the GDPR deadline for a controller to notify its supervisory authority; because the customer has to meet that deadline using whatever the vendor tells it, shorter vendor-to-customer notice (commonly 24 to 48 hours from discovery) is worth negotiating. Security audit reports should be provided to the customer on a regular cadence, for example annually and after any material change to the service.
Clause 4: Service Level Agreement (Risk: Medium)
Define the uptime commitment (typically ≥99.9%, which allows roughly 43 minutes of downtime per 30-day month), response-time targets, and the service-credit mechanism that applies when the SLA is breached. The SLA should set different compensation standards for a full outage of core functionality versus partial degradation, and should state how availability is measured, over what period, and who performs the measurement.
Clause 5: IP Ownership of AI-Generated Output (Risk: High)
Allocate intellectual-property ownership of AI-Generated Output explicitly. As a rule, outputs generated from customer data belong to the customer; the vendor retains rights only to its underlying technology and must not provide customer-specific outputs or customizations to any third party.
Clause 6: Indemnification & Limitation of Liability (Risk: Medium)
The liability cap is typically set at the total fees paid in the preceding 12 months. For significant exposures such as data breaches and IP infringement, negotiate a higher cap (for example a multiple of annual fees) or an uncapped carve-out. Mutual indemnification provisions should cover third-party IP infringement claims; in an AI contract, make sure the indemnity expressly extends to claims arising from the generated outputs, not only from the vendor's own software.
Clause 7: Termination & Data Migration (Risk: Medium)
Upon termination, the customer should have the right to export all of its data within a reasonable window (90 days recommended). The vendor must provide export tooling in standard, documented formats and must not erect technical barriers to migration. Avoiding vendor lock-in is a key negotiation objective. Sequence this clause with the deletion obligation: the vendor's deletion clock should start when the export window closes, not at termination, so the customer is not racing its own deletion deadline.
Clause 8: Compliance & Audit Rights (Risk: Medium)
Require the vendor to comply with applicable data-protection laws (GDPR, CCPA, China's Data Security Law, etc.) and grant the customer an audit right exercisable at least once a year, or alternatively require the vendor to provide an independent third-party audit report (such as its SOC 2 Type II report) on request.
Key Glossary
Negotiation Priority Matrix

| Clause | Risk Level | Negotiation Difficulty | Recommended Strategy |
|---|---|---|---|
| Data Rights & Ownership | High 🔴 | Medium | Non-negotiable, must secure |
| Model Training Restrictions | High 🔴 | High | Explicit prohibition with liquidated damages |
| Confidentiality & Security | High 🔴 | Low | Require SOC 2 Type II report as a precondition |
| IP Ownership | High 🔴 | Medium | Customer owns outputs, confirm in writing |
| Service Level Agreement | Medium 🟡 | Low | Benchmark to industry standard, secure service credits |
| Indemnification & Liability | Medium 🟡 | High | Push for uncapped liability on data breach |
| Termination & Migration | Medium 🟡 | Low | 90-day export window, standard formats |
| Compliance & Audit Rights | Medium 🟡 | Low | Annual audit right or third-party report |