Seven questions to ask any AI supplier (including us)
If your organisation handles patient, client or employee data, the hardest part of adopting an AI tool is not choosing one — it is being able to write down, honestly, why it is safe to use. Your DPIA, your information-governance lead, and one day perhaps a regulator will want answers, not a logo and a reassuring landing page.
Here are seven questions worth putting to any AI supplier in writing, with a note on what a good answer sounds like. Send them to us too — and keep the replies. A supplier's willingness to answer plainly tells you almost as much as the answers themselves.
The seven questions
- Who ultimately owns your company, and under which country's law do you operate? A good answer names the jurisdiction directly. Ownership, not just where the servers sit, determines which governments can compel your supplier to disclose your data.
- Where is our content processed, and on whose hardware? A good answer names the operator of the machines, not just the country. "UK region" of a US-owned cloud is a location, not an owner.
- Could any government compel you, or any company in your processing chain, to hand over our data, and under which law? A good answer engages with the question. A weak one changes the subject to encryption or certifications. (Providers subject to US jurisdiction, US-owned companies included, fall under the CLOUD Act wherever the data is stored; Microsoft France conceded as much to a French Senate committee under oath.)
- Is our content ever used to train your models — by default or at all? A good answer is an unambiguous no, or a clear description of the opt-out and which tier it applies to. "We may use data to improve our services" is not a no.
- How long is our data retained, and can we delete it ourselves? A good answer gives a retention period and a self-service deletion route — not "contact support to request deletion".
- Can we export an audit trail of our usage that belongs to us? A good answer is yes, in a portable format, on all tiers — so you hold the evidence your governance file needs, independent of the supplier.
- Will you support our DPIA with honest, written answers — including the uncomfortable ones? A good answer is a yes you can test by asking questions 1–6 and seeing what comes back in writing.
Why "in writing" matters
A sales call produces reassurance; an email produces a record. If a supplier is comfortable putting the answers in writing, you have something to file with your DPIA and point to later. If they will only say it on a call, that is information too. None of this requires you to be a lawyer — it requires you to ask, and to keep the reply.
A shortcut for question 3
The jurisdiction question is the one most suppliers blur, so we built a free tool that answers it for your current stack in about two minutes: the CLOUD Act exposure checker. It asks you seven questions about the tools you use, needs no email address, sets no trackers, and gives a result you can forward to your DPO. It works on any tool you already use, not just ours.
Our answers are on the table.
Hush is a UK-owned company; inference runs on hardware we own in England, outside US CLOUD Act jurisdiction; your content is never used for training and is stored encrypted until you delete it; audit export is one click on every plan. See how that compares, or test us with a free pilot.
Hush AI (hush-ai.uk) is a UK-sovereign AI assistant for regulated professionals, founded by a practising NHS GP. It drafts documents under your review — not an ambient scribe, not a medical device. Conversation history is stored encrypted on UK-owned hardware until you delete it, and is never used for training. Our DSPT self-assessment is in progress; we publish our certification status, including what we do not yet hold.