AI System Acquisition Contract: Essential Clauses and Considerations to Remember
The integration of an artificial intelligence (“AI”) system into a business is not limited to a question of performance or innovation. It also raises major legal issues, often overlooked in contracts for the acquisition or integration of such systems.
In addition to the usual challenges related to information technology (IT) contracts, the acquisition of AI systems raises unique issues and specific risks that require special attention. Relying on standard IT contract templates could expose your organization to significant vulnerabilities.
In this context, adapting contracts becomes even more crucial to reflect the evolving nature of AI, its ethical considerations and the complexity of its data.
If you are considering purchasing or deploying an AI solution in your business, here are eight essential clauses to include in your contracts to protect your interests and ensure responsible AI use.
1. Clearly Define the AI System
First and foremost, the contract must clearly and precisely describe the AI system being integrated. It must specify:
- its nature (e.g., natural language processing, predictive algorithm, image or object recognition);
- its purpose;
- its scope.
This clause ensures that the parties’ expectations are properly defined and that there is no ambiguity regarding the scope of the delivered solution.
In practice: imagine your business acquires an AI system to “improve customer service”. Without a clear definition, the provider could deliver a basic conversational agent (chatbot), whereas you were expecting a virtual agent capable of handling complex queries. Not only do you risk ending up with results that do not align with your expectations, but you also risk investing in a solution that fails to meet your actual needs.
2. Data Clause
The contract governing the integration of an AI system must establish a clear framework for all data-related aspects throughout its life cycle—from training to deletion.
Training Data—Origin, Quality and Compliance
The contract must specify:
- the origin of the data used to train the model (internal, public, purchased, synthetically generated);
- its quality (e.g., representativeness, accuracy, absence of obvious bias);
- its compliance with the laws of the applicable jurisdictions, particularly those governing the protection of personal information (Private Sector Act, GDPR, etc.) and intellectual property.
Generated or Collected Data—Access, Retention and Reuse
The contract must regulate:
- the rights of access to data collected or generated by the system;
- the storage conditions (location, period of time, security, encryption);
- the provider’s ability to reuse such data, particularly for retraining or improving the model.
Outcomes (outputs)—Access Rights and Reuse
Finally, it is essential to include provisions covering the following:
- who can access the results generated by the system;
- under what conditions these results may be reused, shared or archived;
- whether these results can be used to train other models or for other purposes.
Data Retention Period and Destruction
The contract must also provide for:
- the retention period for training data, collected data and results;
- the terms governing the secure destruction of data when the contract expires or the data is no longer required;
- traceability guarantees and proof of deletion (e.g., certificate of destruction).
3. Intellectual Property Rights Clause
The integration of an artificial intelligence system into a business raises crucial intellectual property issues. The contract must clearly specify who holds the rights to the different elements of the system in order to safeguard technological investments and avoid any legal ambiguity.
It is essential to clarify who owns the developed AI, source code, models, algorithms and data used for training.
3.1 Nature of the Solution: Custom or Licensed
The contract must specify whether:
- the AI system is custom-developed to meet your business’s specific needs (which may justify an assignment or co-ownership of rights); or
- it is a standard licensed product, in which case your business only obtains a limited right of use.
Why it matters:
- It determines your rights to operate, modify, evolve or transfer the solution.
- It affects how long, where and how the technology can be used.
3.2 Ownership of Components: Code, Models, Algorithms and Data
The contract must distinguish between rights to:
- the source code (operating software, interfaces, scripts);
- the AI models (trained or pre-trained);
- the underlying algorithms;
- the training data (if provided by your business or generated as part of the project).
3.3 Rights to Future Improvements and Adaptations
It is essential to define:
- who holds the rights to any improvements, modifications or retraining of the model performed after its integration;
- whether the business can reuse or commercialize these developments;
- whether the provider can integrate these improvements into other products.
Such a clause helps to protect your technological investments and avoid any ambiguity regarding the ownership of future innovations.
4. System Performance Clause
To avoid deploying a costly solution that would not deliver the expected results, the contract should define the expected performance of the AI system. It is recommended to include key performance indicators (KPIs), such as:
- precision thresholds (e.g., 95% correct detection);
- acceptable error rates (e.g., less than 3% false positives);
- the levels of bias tolerated (e.g., performance gap between demographic groups of less than 5%).
These indicators ensure that the delivered system meets the business’s operational objectives. In the event of non-compliance, recourse (e.g., penalties, model redesign, termination) or adjustment (e.g., retraining, recalibration) mechanisms may be implemented.
5. Confidentiality Clause
The contract must include provisions to protect the confidentiality of sensitive information processed by the AI system. The clause must govern the access, use and retention of this data, including after the termination of the contract. It is a key safeguard to preserve your competitive advantage, maintain partner trust and reduce the risk of leaks or unauthorized use of your strategic information.
6. Update, Maintenance and Audit Clause
Given the rapid evolution of artificial intelligence technologies, the contract must clearly establish the provider’s obligations for updating, maintaining and auditing the AI system.
This clause is intended to ensure that the solution remains efficient, secure, compliant with technological standards and norms, and aligned with your business’s evolving needs—thereby safeguarding your investment and preserving your competitive edge.
6.1 Updates—Frequency, Scope and Notification
The contract must provide for:
- the minimum frequency of updates;
- their scope (e.g., model adjustments, performance improvements, vulnerability fixes);
- access to risk analyses concerning the AI system and performance test results;
- the provider’s obligation to provide advance notice of any major updates, with supporting documentation.
6.2 Maintenance—Corrective and Evolutive
The provider must undertake to:
- provide corrective maintenance in the event of failure or decreased performance;
- propose evolutive maintenance to integrate new functionalities or respond to regulatory changes;
- comply with contractually agreed response times.
6.3 Auditability and Transparency
The contract should include:
- the right for the business to request technical or compliance audits (internal or external);
- access to up-to-date performance reports and risk analyses, particularly after each significant system update;
- traceability of changes made to the model (versioning, change logs).
7. Regulatory Compliance Clause
To ensure compliant, ethical and responsible use of the AI system, the contract should expressly stipulate that the parties undertake to comply with all applicable laws, regulations and guidelines, particularly regarding the following aspects:
- Privacy, including obligations relating to the collection, use, retention, disclosure and destruction of personal data;
- Intellectual property, with respect to data, models, and generated results;
- Algorithmic transparency, when automated decisions have a significant impact on individuals.
The contract should also include specific commitments relating to:
- algorithmic fairness (e.g., absence of direct or indirect discrimination);
- the transparency of automated decision-making processes;
- the traceability of decisions made by AI.
This clause plays an essential preventive role by:
- strengthening the parties’ accountability;
- providing legal protection in the event of litigation or a regulatory investigation;
- fostering trust among users and stakeholders in the use of AI.
8. Liability and Recourse Clause
The contract must clearly establish the respective responsibilities of the parties in the event of failure, algorithmic bias or damage caused by the use of AI. This clause is essential to regulate the following:
- Distribution of responsibilities
- Obligations of the provider
- Recourse mechanisms
- Particularity of modular or multi-vendor AI systems
Are you considering purchasing or deploying an AI solution in your business? Complete the self-assessment "Are you ready to integrate an AI solution?" to briefly assess your risk level!
You can also contact a member of our Technology, Privacy and Cybersecurity Law team for assistance at every stage of your project.