Security & Compliance • May 12, 2026 • 9 min read

AI Employee Security Checklist: 20 Questions to Ask Your Provider

Before deploying AI employees, you need to verify that your provider meets rigorous security standards. Use this 20-question checklist to evaluate any AI employee provider.

Struan

Managed AI Employees • Business Automation

Introduction: Security Cannot Be an Afterthought

AI employees access your business systems, handle your data, and interact with your customers. The security implications are significant. A poorly secured AI employee could expose sensitive customer data, violate GDPR, or create vulnerabilities in your IT infrastructure.

Yet many businesses rush into AI employee adoption without conducting proper security due diligence. They are so excited by the productivity gains that they skip the questions they would ask of any other vendor or hire.

This checklist gives you 20 critical questions to ask any AI employee provider before signing a contract. At Struan.ai, we welcome these questions because we know that transparency builds trust. Any provider that cannot or will not answer them clearly should be treated with caution.

Data Protection and Privacy

1. How is our data stored and where?

You need to know exactly where your data resides. For UK businesses, data should ideally be stored within the UK or the European Economic Area to simplify GDPR compliance. Ask about the specific data centres used and their certifications.

2. Is our data used to train your AI models?

This is a critical question. Some AI providers use customer data to improve their models, which can create privacy and intellectual property concerns. Your provider should confirm that your business data is never used for model training without explicit consent.

3. How do you handle data deletion requests?

Under GDPR, individuals have the right to erasure. Your AI employee provider must be able to delete specific data upon request and confirm that deletion is complete and permanent across all systems, including backups.

4. What is your data retention policy?

How long does the provider keep your data? Is it retained only for the duration of your contract, or longer? Clear retention policies with defined deletion timelines are essential for compliance.

Access Control and Authentication

5. What access controls are in place?

Your AI employee should operate with the principle of least privilege, accessing only the systems and data it needs to perform its designated tasks. Ask how access is configured, restricted, and monitored.

6. How are credentials managed?

API keys, login credentials, and access tokens must be stored securely, ideally in encrypted vaults with automatic rotation. Ask about the provider's credential management practices and whether they use industry-standard solutions.

7. Can we define role-based access for AI employees?

Just as you would with human employees, you should be able to define exactly what each AI employee can and cannot access. Granular role-based access control is a must.

8. Is multi-factor authentication supported?

For any human interfaces to the AI employee platform, such as admin dashboards or configuration tools, multi-factor authentication should be mandatory, not optional.

Infrastructure Security

9. What encryption standards do you use?

Data should be encrypted both at rest and in transit. Ask specifically about encryption standards. AES-256 for data at rest and TLS 1.2 or higher for data in transit are the minimum acceptable standards.

10. How do you handle security patches and updates?

Software vulnerabilities are discovered constantly. Your provider should have a clear process for applying security patches promptly, ideally within 24 to 48 hours of a critical vulnerability being disclosed.

11. Do you conduct regular penetration testing?

Reputable providers commission independent penetration tests at least annually and share the results, or at minimum a summary, with customers. Ask when the last test was conducted and what the findings were.

12. What is your disaster recovery plan?

If something goes catastrophically wrong, how quickly can the provider recover? Ask about recovery time objectives, recovery point objectives, and whether they conduct regular disaster recovery drills.

Compliance and Certification

13. Are you GDPR compliant?

This should be non-negotiable for any UK business. Ask for evidence of GDPR compliance, including a data processing agreement that clearly defines responsibilities and obligations.

14. Do you hold ISO 27001 or SOC 2 certification?

These certifications demonstrate that the provider has implemented a comprehensive information security management system. While not legally required, they provide strong assurance that security is taken seriously.

15. Can you support industry-specific compliance requirements?

If you operate in a regulated industry, such as financial services under FCA regulation, healthcare under NHS data standards, or legal services under SRA requirements, your provider must be able to demonstrate compliance with sector-specific rules.

Monitoring and Incident Response

16. How do you monitor for security incidents?

Ask about real-time monitoring, alerting, and the security operations capabilities of the provider. Do they use automated threat detection? Is there a security team monitoring for anomalies around the clock?

17. What is your incident response process?

When a security incident occurs, every minute matters. Ask about the provider's incident response plan, including notification timelines. Under GDPR, serious breaches must be reported to the ICO within 72 hours.

18. Will you notify us immediately of any breach affecting our data?

The answer must be an unequivocal yes. Any hesitation or qualification on this point is a red flag. Your contract should include specific notification timelines and obligations.

Transparency and Accountability

19. Can we audit your security practices?

For larger deployments or sensitive data, you may want the right to audit the provider's security practices directly or through an independent third party. A provider that refuses audit rights is not one you should trust with your data.

20. What happens to our data if we terminate the contract?

You need a clear exit strategy. Your provider should guarantee that all your data is returned to you in a usable format and then permanently deleted from their systems within a defined timeframe upon contract termination.

How to Use This Checklist

Send these 20 questions to any AI employee provider you are evaluating. Score their responses and look for:

  • Clear, specific answers rather than vague reassurances.
  • Evidence such as certifications, audit reports, and documented policies.
  • Willingness to put commitments in writing within the contract.
  • Transparency about any limitations or areas where they are still improving.

A provider that scores well across all 20 questions is one you can trust with your business data. A provider that dodges questions, gives vague answers, or refuses to commit in writing should be avoided regardless of how impressive their technology appears.

Security as a Foundation, Not a Feature

Security is not a nice-to-have add-on. It is the foundation upon which your entire AI employee deployment rests. Without robust security, the productivity gains and cost savings of AI employees are meaningless because a single data breach can cost far more than you ever saved.

Take the time to conduct thorough due diligence. Your business, your customers, and your reputation depend on it.

How Struan.ai Approaches Security

At Struan.ai, security is built into everything we do. We welcome every question on this checklist and more. Our AI employees are deployed with enterprise-grade security, GDPR compliance, and full transparency about how your data is handled. Visit struan.ai/implementation to learn about our security practices, or contact us at struan.ai/contact to discuss your specific compliance requirements.