RFP template

25 procurement questions for AI chatbot vendors

Free vendor-neutral RFP template covering hosting / residency, compliance, security, pricing, implementation and vendor continuity. SLAtech's own answers double as a worked example. Paste and adapt for your shortlist. Pairs with the 12-criterion buyer guide and the compliance glossary.

A. Hosting & data residency

In which regions is customer data stored at rest?

SLAtech: Microsoft Azure West Europe (primary) and North Europe (failover). EU-only by default. Single-tenant Enterprise deployments can be pinned to a single region.

Which sub-processors process customer data, and where?

SLAtech: OpenAI (US, LLM inference), Cohere (Canada, optional re-ranking), Sentry (US, errors), Cloudflare (global edge, WAF / CDN), SendGrid (US, transactional email). Full list at /en/sub-processors/ kept current within 14 days of change.

What standard contractual clauses govern non-EEA transfers?

SLAtech: SCC 2021/914 — current European Commission template. Transfer-impact assessment available on request.

Can customer data residency be pinned to a single region?

SLAtech: Yes — the Enterprise tier offers a single-tenant deployment pinned to one Azure region. Multi-tenant tiers (Starter / Pro) auto-failover within the EU.

Are backups stored in the same region as primary data?

SLAtech: Yes. Daily backups with 35-day retention; point-in-time recovery within the last 24 hours. Backup region matches primary unless the customer pins otherwise.

B. Compliance posture

Is the vendor SOC 2 compliant?

SLAtech: Type I report targeted Q3 2026; Type II Q2 2027. Operational controls are listed at /en/security/ and are independently auditable on request.

Is the vendor ISO 27001 certified?

SLAtech: Certification targeted Q4 2026. ISMS scope = production infrastructure + customer-data processing systems.

Is the vendor HIPAA BAA-eligible?

SLAtech: Yes — on the Enterprise tier with single-tenant deployment. Standard BAA template available via [email protected].

Is the vendor GDPR-compliant, and will it sign a DPA?

SLAtech: Yes — DPA executed on Enterprise signup; standard DPA template downloadable for review.

How is the vendor's PCI-DSS scope managed?

SLAtech: SLAtech does not store, process or transmit cardholder data — payments are handled by Paddle / RewirePay (PCI-DSS Level 1 providers). SAQ-A applies.

C. Security controls

Describe encryption at rest and in transit.

SLAtech: AES-256-GCM at rest, TLS 1.2+ in transit with HSTS preload. Key rotation runs annually and on personnel changes.
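A buyer can check the HSTS-preload part of an answer like this without trusting the questionnaire: capture the Strict-Transport-Security header the vendor's HTTPS endpoint returns and test it against the public preload-list submission rules. The parser below is an added example, not SLAtech's code; the sample header values are constructed, and the thresholds (max-age of at least one year, includeSubDomains, preload) are assumed to match the current hstspreload.org requirements.

```python
"""Buyer-side check of a vendor's HSTS-preload claim (added example, not vendor code).

Parses a Strict-Transport-Security header value per RFC 6797 and reports
why it would or would not satisfy the preload-list submission rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the preload list currently requires max-age >= 1 year (31536000 s).
ONE_YEAR = 31_536_000


@dataclass
class HstsVerdict:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        """Header-level eligibility only; the live redirect chain must still be checked."""
        return not self.problems


def parse_hsts(header: Optional[str]) -> HstsVerdict:
    """Turn a raw header value (or None if absent) into a verdict with reasons."""
    if header is None:
        return HstsVerdict(False, None, False, False, ["no Strict-Transport-Security header"])
    max_age: Optional[int] = None
    include_subdomains = preload = False
    problems: List[str] = []
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        # Directive names are case-insensitive; values may be quoted (RFC 6797 §6.1).
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append(f"malformed max-age value {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None and not problems:
        problems.append("max-age directive missing")
    elif max_age is not None and max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year preload minimum")
    if not include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return HstsVerdict(True, max_age, include_subdomains, preload, problems)


# Constructed sample captures keyed by a placeholder hostname (not real vendor data).
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "vendor-a.example": "max-age=63072000; includeSubDomains; preload",
    "vendor-b.example": "max-age=300",
    "vendor-c.example": None,
}


def audit_samples(samples: Dict[str, Optional[str]] = SAMPLE_HEADERS) -> Dict[str, bool]:
    """Map each host to whether its captured header is preload-eligible."""
    return {host: parse_hsts(value).preload_eligible for host, value in samples.items()}


if __name__ == "__main__":
    for host, value in SAMPLE_HEADERS.items():
        verdict = parse_hsts(value)
        print(host, "eligible" if verdict.preload_eligible else verdict.problems)
```

The header test is necessary but not sufficient: preload submission also requires that the plain-HTTP origin redirect to HTTPS and that the header be served on the HTTPS response itself, so confirm those against the live endpoint (or the hstspreload.org status page for the vendor's domain) before accepting the claim.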

Describe identity, authentication and authorization controls.

SLAtech: Argon2id password hashing, per-tenant password policy, RBAC, audit log of admin actions. SAML SSO ships on Enterprise tier (Okta, OneLogin, Azure AD, Google Workspace).

Describe the vulnerability management program.

SLAtech: Dependabot dependency updates on production, GitHub CodeQL static analysis on every PR, annual external pen test (next Q4 2026), coordinated vulnerability disclosure policy.

How are security incidents detected and notified?

SLAtech: Sentry per backend service with PII scrubbing, synthetic transaction monitoring at 5-minute cadence, real-time status page at status.slatech.ai. Incident-notification SLA: within 24 hours for significant incidents (NIS2 alignment).

D. Pricing & commercials

What is the pricing model?

SLAtech: Flat-tier pricing: Starter €39/mo, Pro €89/mo, Scale €199/mo, Enterprise custom. Conversation count is unlimited within reasonable use. No per-resolution or per-message billing.

Is a 14-day free trial available?

SLAtech: Yes — no credit card required. The trial converts to Starter / Pro / Scale at the buyer's choice.

What's included in the standard MSA?

SLAtech: GDPR-compliant DPA, sub-processor list, SCC 2021/914 references, 99.9% uptime SLA with service credits on the Enterprise tier.

What's the termination and data-export policy?

SLAtech: Termination for convenience with 30 days' notice. On termination, customer data is exportable for 90 days (Markdown / JSON knowledge content + JSONL conversation history), then permanently deleted.

E. Implementation

What's the typical time-to-first-widget-live?

SLAtech: 10-30 minutes self-service for the web widget. WhatsApp Business + Telegram add another 20 minutes. No implementation-consultant engagement required.

What integrations ship out-of-the-box?

SLAtech: Telegram, WhatsApp Business (Cloud API), Shopify, Google Calendar, Zapier, generic JSON-POST webhook (for in-house CRMs). HubSpot, Salesforce and Pipedrive are first-class on the Pro tier.

What knowledge formats are supported for ingest?

SLAtech: PDF, DOCX, plain text, Markdown, scraped web pages, FAQ-pair upload, manual article authoring. Chunking and embedding run as a Worker job; reconciliation runs nightly.

F. Vendor & business continuity

What's the vendor's revenue runway / financial transparency?

SLAtech: Privately held; founder-led. Customer data-export rights survive vendor solvency events per the MSA's continuity clause.

What's the disaster-recovery posture?

SLAtech: RTO 4 hours, RPO 1 hour. Daily backups with 35-day retention; multi-region failover within the EU. DR runbook tested quarterly.

How is concentration risk on LLM providers managed?

SLAtech: Multi-provider abstraction layer — OpenAI primary, Anthropic / Cohere available on the Enterprise tier for failover or per-tenant pinning. Provider switching doesn't require customer-side migration.

How are eval / quality regressions detected?

SLAtech: Per-vertical eval harness runs nightly against a sealed 200-question test set. Score regressions of ≥3 points trigger a manual triage. Public scoreboard at /en/eval/.

Need procurement artefacts now?

DPA, BAA, SoA mapping, sub-processor list, eval methodology — available on request.