- Transparency Score: A percentage (0-100%) indicating how much security and governance information a vendor publicly discloses. Calculated automatically from 21 evaluation items. See Understanding Scores for details.
- Adoptability: A color-coded rating summarizing whether a vendor is ready for adoption: Green (70%+), Yellow (40-69%), Red (below 40%), or Not Assessable (insufficient data).
- SOC 2 Type II: An audit report issued by an independent CPA firm that evaluates an organization's controls over security, availability, processing integrity, confidentiality, and privacy over a period of time (typically 6-12 months).
- ISO 27001: An international standard for information security management systems (ISMS). Certification demonstrates that an organization has established, implemented, and maintains a systematic approach to managing sensitive information.
- ISO 42001: An international standard for artificial intelligence management systems (AIMS). It provides a framework for organizations to manage risks and opportunities related to the development and use of AI.
- DPA (Data Processing Agreement): A legally binding contract between a data controller and a data processor that specifies how personal data will be processed, stored, and protected. Required under GDPR and similar regulations.
- Subprocessor: A third-party service provider that processes data on behalf of a vendor. Vendors are expected to disclose their subprocessors so customers can assess the full data processing chain.
- SLA (Service Level Agreement): A commitment from a vendor specifying guaranteed uptime, response times, and remedies (such as service credits) if those guarantees are not met.
- VDP (Vulnerability Disclosure Policy): A published policy describing how external security researchers can report vulnerabilities to the vendor. Often includes a security.txt file and may offer a bug bounty program.
- OWASP LLM Top 10: A list of the ten most critical security risks for Large Language Model (LLM) applications, published by the Open Web Application Security Project. Covers risks like prompt injection, training data poisoning, and sensitive information disclosure.
- Prompt Injection: An attack technique where malicious input is crafted to manipulate an LLM into ignoring its instructions, leaking data, or performing unintended actions. Listed as LLM01 in the OWASP LLM Top 10.
- Watchlist: A personal list of vendors you are tracking. You receive notifications when a watched vendor's score changes. See Watchlist Guide.
- Policy: A set of rules defined by an organization to automatically classify vendors as allow, deny, or review based on their assessment data. See Policy Settings Guide.
- Evidence: A piece of publicly available information (web page, document, or security page) used to verify a vendor's security and governance claims. Each assessment item requires evidence with a specific text excerpt.
- Certification: A formal recognition from an accredited body that a vendor meets specific security or quality standards (e.g., SOC 2 Type II, ISO 27001, ISO 42001). AI Assess automatically detects certifications from public pages.
- Inferred Assessment: An evaluation item that is automatically marked as satisfied when a related certification is detected. For example, detecting SOC 2 Type II implies encryption, access control, monitoring, incident response, and change management are in place.
- Evidence Level: A rating (E0-E4) indicating the quality and quantity of evidence available for a vendor's assessment. Higher levels indicate more comprehensive publicly available documentation.
- GDPR (General Data Protection Regulation): The European Union's regulation on data protection and privacy. Requires organizations to protect personal data and provides rights to individuals regarding their data.