Created Nov 8, 2025

Vendor risk report

PreVend

prevend.ai

Report date: Nov 8, 2025
Author: Admin
Vendor domain: prevend.ai

Executive Summary

PreVend is a low-risk, high-impact vendor

  • No sensitive data: PreVend only processes an email address and vendor name. That's it.
  • No objectionable contract terms: Because PreVend is an informational product, there aren't many contract terms. There is no price protection, however.

Reference Documents

Product & Data Summary

  • On‑Demand / Rapid Vendor Assessments: Identifying information for requester and the name of the vendor.

Security Overview

  • No SOC 2 or ISO 27001: However, PreVend doesn't process any sensitive data.
  • Notable: Has a Privacy Policy (updated Jan 2025) and a DPA; uses Stripe and Gmail as subprocessors; pledges “commercially reasonable” safeguards.

Stability Overview

  • Founding/launch year: 2025
  • Funding / money raised: $0
  • Employee count: 1

Playbook Findings

Master Services Agreement (8)

Data Protection

DPA Present

Compliant

Contract language

Section 3. Data Processing
"The Data Processing Addendum is incorporated by reference into these Terms and governs our processing of personal data in connection with the Service."

Playbook rule

For vendors processing personal data, a Data Processing Agreement (DPA) or Addendum is required. The DPA should address GDPR/CCPA compliance, subprocessors, data subject rights, and security measures. Complete absence of DPA or privacy terms is unacceptable for any vendor handling customer or employee data. Also check for references to SOC 2, ISO 27001, or other compliance certifications.

Scope of Services

No Exclusivity or Sole Source Restrictions

Compliant

Playbook rule

Customer should not be required to use Vendor as its exclusive or sole source provider for any category of services or products. Exclusivity clauses prevent Customer from using competing or complementary solutions, eliminate negotiating leverage, and create vendor lock-in. Look for language like "exclusive provider," "sole source," "shall not use competing products," or "primary vendor for all [category] needs." These may appear in Scope of Services, Restrictions, or commercial terms sections.

Term and Termination

No Non-Solicit or Non-Compete Restrictions

Compliant

Playbook rule

Customer should not be restricted from hiring Vendor's employees or contractors, or from using competing products or building competitive solutions. One-sided non-solicit (Customer cannot hire from Vendor, but Vendor can hire from Customer) or non-compete clauses (Customer cannot use competitive products) are unacceptable. These clauses are often buried in "Restrictions" or "Miscellaneous" sections. Mutual non-solicit for executive-level hires during the term may be acceptable.

Intellectual Property

No Logo Use or Logo Use With Opt-Out

Compliant

Playbook rule

Vendor may use Customer's name, logo, and trademarks for marketing purposes (e.g., customer lists, case studies, website) only if Customer can opt out upon written notice. Automatic permission without opt-out rights is unacceptable. Look for language like "Customer grants Vendor a license to use Customer's marks" or "Vendor may list Customer as a reference." Acceptable: opt-in (requires consent) or opt-out (Customer can revoke via email). Unacceptable: no opt-out mechanism or requiring "reasonable" grounds to object.

Scope of Services

No Random Weird Stuff

Compliant

Playbook rule

There shouldn't be anything in the contract that is materially unusual in a B2B vendor SaaS agreement.

Term and Termination

No Uncapped Price Increases

Needs Attention

Playbook rule

Price increases should be capped (e.g., CPI, 5-10% annually).

Order form override in effect

Price increases upon renewal shall not exceed five percent (5%) annually or the Consumer Price Index (CPI), whichever is greater.

Data Protection

No Broad Customer Content Use Rights / No AI Training on Customer Content

Compliant

Contract language

Section 1. Use of Service
"PreVend analyzes vendor materials and returns a report ("Report") for your internal use only. You agree not to redistribute the Reports or rely on them as legal advice. The Reports are informational tools to assist your vendor review process."

Section 2. Data Use & Security
"We collect only the information you provide (such as your email and payment information) and use it solely to deliver the Service. We do not sell or share your data with third parties except as necessary to process payments or as required by law."

Playbook rule

Vendor must not have unrestricted rights to use Customer content for purposes beyond providing the service.

  • That includes using aggregated and anonymized Customer content to improve the vendor's products and services.
  • Using "usage data" or "system data" for product improvement and development purposes is fine.
  • We are only worried about the vendor using customer content directly or aggregating and anonymizing customer content to improve the product or train AI models.

Limitation of Liability

Standard Liability Cap

Compliant

Contract language

Section 5. LIMITATION OF LIABILITY
"In no event shall our total liability to you exceed the amount you paid us in the twelve (12) months prior to the event giving rise to liability."

Playbook rule

Vendor's total liability must not be capped below 12 months of fees paid. Caps based on shorter periods (e.g., "fees paid in the prior month") or nominal amounts (e.g., "$100") are unacceptable. Look for language like "shall not exceed," "limited to," or "liability capped at."

Data Processing Addendum (2)

Data Protection

No Data Deletion

Compliant

Contract language

"We process data only on your instructions and for the duration of your subscription. Upon termination, we will delete your personal data within 90 days, or immediately upon your request." (Section 2. Scope of Processing)

Also: "Delete or return data upon termination or upon your request, except where retention is required to comply with applicable legal obligations (such as tax or audit requirements), in which case we will retain only the minimum data necessary for the shortest period legally required." (Section 3. Our Obligations)

Playbook rule

Vendor must commit to deleting all personal data upon the customer's request after the agreement terminates or expires.

  • "Commercially reasonable efforts" or indefinite retention for "legal purposes" without clear limitations is unacceptable.

Security

No Security Standards Commitment

Compliant

Contract language

"We will: ... Implement appropriate security measures as described in Section 2 of the Terms of Service" (Section 3. Our Obligations)

Full context:

"We will:

  • Process data only as instructed by you
  • Ensure personnel are bound by confidentiality
  • Implement appropriate security measures as described in Section 2 of the Terms of Service
  • Assist you in responding to data subject requests
  • Notify you without undue delay of any data breach
  • Delete or return data upon termination or upon your request, except where retention is required to comply with applicable legal obligations ..."

Playbook rule

Vendor must specifically commit to implementing, at least, commercially reasonable technical and organizational security measures for protecting personal data. Detailed security obligations and references to certifications are great, but not required.