← Back to Blog
Thought Leadership

Buying AI Tools: The Questions to Ask Before You Sign

Jozef Juchniewicz, Qonera·8 July 2026·3 min read

We wrote recently about the AI questions clients’ procurement teams are starting to ask their vendors. This is the same conversation from the other chair, because every professional firm is also a buyer. The AI tools your team adopts will shape what you can promise your own clients, and a tool chosen on a demo and a feature list can quietly commit the firm to answers it cannot give later. Here are the questions worth asking before signing, and what the answers reveal.

Where does our data go, and under whose law?

Ask where data is stored and processed, in which jurisdiction, and encrypted how. Then ask for the paperwork: a Data Processing Agreement, a published sub-processor list, a privacy policy that says something specific. A vendor with good answers produces these in minutes because they already exist. A vendor who needs weeks to answer where your client’s confidential documents will physically live is telling you the question was never important to them, which is itself the answer.

For European firms this is not preference but obligation: your clients hold you to GDPR, so your tools must let you keep that promise. EU hosting, EU legal entity, and published terms are the clean version of this answer.

How do we verify the output, not just receive it?

Every AI vendor will tell you their output is accurate. The buying question is different: when the output is wrong, how will your team know? Ask whether answers cite their sources at the level of individual claims, whether the system exposes uncertainty and disagreement or hides it behind a single confident voice, and whether there is any structural check on the output beyond “the model is good.” A tool that offers no way to verify is asking your reviewers to work on faith, and your firm’s name goes on the result.

Where does the human fit, structurally?

Ask what the tool does to support review: is human sign-off a real, recorded step, or a habit the vendor hopes your team keeps up on its own? Can oversight be tuned to risk, so high-stakes work is gated and routine work flows? A tool designed as if its output goes straight to production is designed for a world where your firm carries all the risk and the tool carries none of the structure. The workflow around the model matters as much as the model.

What record will exist when someone asks?

Finally, ask what you could hand to a client, an auditor, or a regulator a year from now. Is there a durable record of what was produced, from what sources, reviewed by whom? Can it be exported? Could it be quietly edited, and if so, why would anyone trust it? This question sorts vendors fastest, because a real answer requires the record to have been designed in from the start. It cannot be improvised in the demo.

The pattern behind the questions

Notice what these four questions have in common: none of them is about how impressive the AI is. They are about jurisdiction, verifiability, oversight, and records, the same themes your own clients are beginning to probe and the same shape the EU AI Act gives to organizational obligations. Buying well is how a firm stays able to answer the questions it will be asked.

We built Qonera to pass this checklist rather than dodge it: EU hosting with published terms, per-claim citations, structural sign-off through the review and approval workflow, and a tamper evident, exportable audit trail. But the checklist is yours regardless of vendor. Ask the four questions, insist on specific answers, and treat any tool that cannot give them as what it is: a risk your firm would be adopting on its clients’ behalf.

See how Qonera works in practice

Multi-model stress testing, Conflict Heatmap, tamper-evident audit trail, and structured sign-off, built for teams who need defensible AI output.