Enterprise

How procurement works with Ciao

A named contact, a reviewer-grade document set, and a predictable sequence from first call to signed agreement — built for security, legal and finance to run in parallel.

Procurement with Ciao follows a documented path: NDA, security pack, SOC 2 Type II report under NDA, questionnaire responses, then DPA and MSA review with legal before commercial terms. Unlike self-serve AI tools that leave procurement teams reverse-engineering a credit-card product, Ciao is bought like enterprise software — with the artifacts vendor risk, privacy and legal teams expect, available on request via the contact page.

Best forVendor risk and sourcing teamsSecurity questionnaire ownersLegal review of DPA and MSA

Published 2026-07-03 · Last updated 2026-07-03

Why procurement for an AI development platform is different

Buying an AI development platform is not like buying a SaaS dashboard. The vendor will generate code your company runs in production, its model suppliers enter your data-flow diagram, and the governance of AI-made changes becomes part of your own control environment. Vendor risk teams are right to treat the category carefully — and most tools in it were built for individual developers, not for a sourcing process.

Ciao is built to be procured. There is a named enterprise contact rather than a support queue, a document set prepared for reviewers rather than assembled on demand, and a sequence that lets security, privacy and legal work in parallel instead of waiting on each other. This page describes that sequence so your team can plan the review before the first call.

The document set you can request

Ask for these by name in your first email — they are prepared for reviewers, not assembled on demand:

  • Security pack — Architecture, isolation, encryption and data-handling detail written for security reviewers, available on request via the contact page.
  • SOC 2 Type II report — Available under NDA — the independent audit evidence behind the security pack's claims.
  • Data Processing Agreement — GDPR DPA covering processor obligations, data handling and subprocessor terms, ready for legal review.
  • Master Service Agreement — The commercial contract, reviewed alongside the DPA during the legal stage.
  • Questionnaire responses — Send the questionnaire your process actually uses — standard formats or your own spreadsheet — and responses come back grounded in the same audited documentation.

A typical procurement path

Sequences vary by organization, but a well-run review usually looks like this — with security and legal running in parallel after the NDA:

  1. 1. Scoping call

    Establish what you are building, the deployment posture — Ciao cloud, your own AWS, Azure or GCP account, private VPC, or on-prem under separate terms — and who owns each review track on your side.

  2. 2. NDA

    Signed early so the SOC 2 Type II report and security pack can move without waiting on commercial discussion.

  3. 3. Security review

    Your team reads the pack and the report, sends the questionnaire, and can ask for a live demonstration of the controls — Guardrails review, the audit trail, security testing — instead of accepting written answers alone.

  4. 4. Legal review

    DPA and MSA go to counsel. Redlines and jurisdiction questions are handled by the enterprise team, in parallel with the security track.

  5. 5. Commercial terms

    Serious production programs start at USD 10,000 per year. Scope, seats, deployment posture and any pilot phase are agreed here.

  6. 6. Signature and onboarding

    Identity setup — SSO, optional MFA, role-based access control — and workspace configuration happen at the start of onboarding, not months later.

How questionnaires are handled

Questionnaires are answered from the same sources your reviewers already hold: the security pack, the SOC 2 Type II report and the DPA. That keeps written answers consistent with the audited evidence — if a response and the report ever seem to disagree, flag it, because the report wins. Long or custom questionnaires are normal in this category; send what your process requires rather than trimming it to fit the vendor.

If your organization requires evidence attachments rather than written assertions, say so up front. The SOC 2 Type II report under NDA and the security pack are the attachments most frameworks accept, and mapping them to your evidence fields early avoids a second pass through the questionnaire.

What slows reviews down — and how to avoid it

Three delays recur in this category, and all are avoidable. The first is sequencing: teams that wait for the security track to finish before starting legal add weeks without reducing risk — the NDA opens both tracks at once. The second is ambiguity about deployment posture: whether the platform runs on Ciao cloud or inside your own account changes the data-flow diagram, so decide the posture early and review the right one. The third is treating the AI element as unprecedented: model vendors are subprocessors with contracts — zero-retention terms, and no training on customer code — and your existing subprocessor review process handles them once it has the documents in hand.

Artifact, purpose, and how to get it

ArtifactWhat it coversHow to get it
Security packArchitecture, isolation, encryption, data handlingRequest via /contact
SOC 2 Type II reportIndependently audited controls over a periodUnder NDA, after the scoping call
DPAGDPR processor obligations, subprocessors, data handlingLegal review during procurement
MSACommercial and contractual termsLegal review during procurement
Questionnaire responsesYour format, answered from audited sourcesSend the questionnaire to the enterprise team

Commercial notes for sourcing teams

The USD 10,000 per year floor for production programs is a useful qualification line: it tells you the vendor expects a real relationship with support, review and onboarding, not a consumer subscription with an enterprise label. Pilots and phased starts are discussed at the commercial stage — bring your preferred structure to the conversation rather than assuming a fixed package.

Frequently asked questions

How long does the vendor review usually take?

That depends on your process, not Ciao's — the pack, report and questionnaire responses are ready when the NDA is signed. Teams that run the security and legal tracks in parallel typically spend their time on internal review rather than waiting on the vendor.

Can our legal team redline the DPA and MSA?

Bring redlines to the enterprise team during the legal stage. What is negotiable depends on agreement size and deployment posture, and you will get a plain answer rather than a stalled thread.

Do you support a pilot before full commitment?

Pilot structure is agreed at the commercial stage. Production programs start at USD 10,000 per year, and a scoped pilot within that framing is a normal request to raise with sales.

Who are Ciao's subprocessors, including model vendors?

Subprocessor information, including model providers, is part of the DPA and security-pack review. Inference runs under zero-retention model contracts, and customer code is not used to train models — the contractual language is in the documents, not just this page.

Can we speak to existing customers?

Ciao powers products used by millions globally, including Automo.AI, Desygner.com and WeBrand.com. Ask the enterprise team what reference conversations are possible for your segment and deployment posture.

Related pages

Serious development starts with serious responsibility.

Procurement & Vendor Review | Ciao