Enterprise
How procurement works with Ciao
A named contact, a reviewer-grade document set, and a predictable sequence from first call to signed agreement — built for security, legal and finance to run in parallel.
Procurement with Ciao follows a documented path: NDA, security pack, SOC 2 Type II report under NDA, questionnaire responses, then DPA and MSA review with legal before commercial terms. Unlike self-serve AI tools that leave procurement teams reverse-engineering a credit-card product, Ciao is bought like enterprise software — with the artifacts vendor risk, privacy and legal teams expect, available on request via the contact page.
Published 2026-07-03 · Last updated 2026-07-03
Why procurement for an AI development platform is different
Buying an AI development platform is not like buying a SaaS dashboard. The vendor will generate code your company runs in production, its model suppliers enter your data-flow diagram, and the governance of AI-made changes becomes part of your own control environment. Vendor risk teams are right to treat the category carefully — and most tools in it were built for individual developers, not for a sourcing process.
Ciao is built to be procured. There is a named enterprise contact rather than a support queue, a document set prepared for reviewers rather than assembled on demand, and a sequence that lets security, privacy and legal work in parallel instead of waiting on each other. This page describes that sequence so your team can plan the review before the first call.
The document set you can request
Ask for these by name in your first email — they are prepared for reviewers, not assembled on demand:
- Security pack — Architecture, isolation, encryption and data-handling detail written for security reviewers, available on request via the contact page.
- SOC 2 Type II report — Available under NDA — the independent audit evidence behind the security pack's claims.
- Data Processing Agreement — GDPR DPA covering processor obligations, data handling and subprocessor terms, ready for legal review.
- Master Service Agreement — The commercial contract, reviewed alongside the DPA during the legal stage.
- Questionnaire responses — Send the questionnaire your process actually uses — standard formats or your own spreadsheet — and responses come back grounded in the same audited documentation.
A typical procurement path
Sequences vary by organization, but a well-run review usually looks like this — with security and legal running in parallel after the NDA:
1. Scoping call
Establish what you are building, the deployment posture — Ciao cloud, your own AWS, Azure or GCP account, private VPC, or on-prem under separate terms — and who owns each review track on your side.
2. NDA
Signed early so the SOC 2 Type II report and security pack can move without waiting on commercial discussion.
3. Security review
Your team reads the pack and the report, sends the questionnaire, and can ask for a live demonstration of the controls — Guardrails review, the audit trail, security testing — instead of accepting written answers alone.
4. Legal review
DPA and MSA go to counsel. Redlines and jurisdiction questions are handled by the enterprise team, in parallel with the security track.
5. Commercial terms
Serious production programs start at USD 10,000 per year. Scope, seats, deployment posture and any pilot phase are agreed here.
6. Signature and onboarding
Identity setup — SSO, optional MFA, role-based access control — and workspace configuration happen at the start of onboarding, not months later.
How questionnaires are handled
Questionnaires are answered from the same sources your reviewers already hold: the security pack, the SOC 2 Type II report and the DPA. That keeps written answers consistent with the audited evidence — if a response and the report ever seem to disagree, flag it, because the report wins. Long or custom questionnaires are normal in this category; send what your process requires rather than trimming it to fit the vendor.
If your organization requires evidence attachments rather than written assertions, say so up front. The SOC 2 Type II report under NDA and the security pack are the attachments most frameworks accept, and mapping them to your evidence fields early avoids a second pass through the questionnaire.
What slows reviews down — and how to avoid it
Three delays recur in this category, and all are avoidable. The first is sequencing: teams that wait for the security track to finish before starting legal add weeks without reducing risk — the NDA opens both tracks at once. The second is ambiguity about deployment posture: whether the platform runs on Ciao cloud or inside your own account changes the data-flow diagram, so decide the posture early and review the right one. The third is treating the AI element as unprecedented: model vendors are subprocessors with contracts — zero-retention terms, and no training on customer code — and your existing subprocessor review process handles them once it has the documents in hand.
Artifact, purpose, and how to get it
| Artifact | What it covers | How to get it |
|---|---|---|
| Security pack | Architecture, isolation, encryption, data handling | Request via /contact |
| SOC 2 Type II report | Independently audited controls over a period | Under NDA, after the scoping call |
| DPA | GDPR processor obligations, subprocessors, data handling | Legal review during procurement |
| MSA | Commercial and contractual terms | Legal review during procurement |
| Questionnaire responses | Your format, answered from audited sources | Send the questionnaire to the enterprise team |
Commercial notes for sourcing teams
The USD 10,000 per year floor for production programs is a useful qualification line: it tells you the vendor expects a real relationship with support, review and onboarding, not a consumer subscription with an enterprise label. Pilots and phased starts are discussed at the commercial stage — bring your preferred structure to the conversation rather than assuming a fixed package.
Frequently asked questions
How long does the vendor review usually take?
That depends on your process, not Ciao's — the pack, report and questionnaire responses are ready when the NDA is signed. Teams that run the security and legal tracks in parallel typically spend their time on internal review rather than waiting on the vendor.
Can our legal team redline the DPA and MSA?
Bring redlines to the enterprise team during the legal stage. What is negotiable depends on agreement size and deployment posture, and you will get a plain answer rather than a stalled thread.
Do you support a pilot before full commitment?
Pilot structure is agreed at the commercial stage. Production programs start at USD 10,000 per year, and a scoped pilot within that framing is a normal request to raise with sales.
Who are Ciao's subprocessors, including model vendors?
Subprocessor information, including model providers, is part of the DPA and security-pack review. Inference runs under zero-retention model contracts, and customer code is not used to train models — the contractual language is in the documents, not just this page.
Can we speak to existing customers?
Ciao powers products used by millions globally, including Automo.AI, Desygner.com and WeBrand.com. Ask the enterprise team what reference conversations are possible for your segment and deployment posture.