AI Data Processing Agreement Template

A ready-to-use DPA template tailored for AI and machine learning vendors. Covers data processing terms, sub-processors, cross-border transfers, breach notification, and GDPR/CCPA compliance clauses.

Updated March 2026 · 6 DPA sections · GDPR Article 28 compliant · AI-specific clauses included

6 sections: full DPA coverage
GDPR Art. 28: compliant structure
AI-specific: no-training clause included
Free: to use and customise

Why Standard DPAs Fall Short for AI Vendors

Most organisations use a generic DPA template for all SaaS vendors. AI vendors present data protection risks that generic DPAs don't address — particularly the risk that your data is being used to train AI models. Without AI-specific clauses, you cannot demonstrate GDPR compliance when deploying AI tools that process personal data.

GDPR: Requires DPAs with all data processors. Article 28 mandates a written contract with every processor. No DPA means no legal basis for the processing relationship.

AI risk: Model training clauses are in most vendor standard terms. Many AI vendors include the right to train on customer data in their standard terms. You must explicitly negotiate this out.

72 hrs: Breach notification window is tight. Vendor breach notification obligations must be set at 24 hours to give you time to meet your 72-hour regulatory deadline.

Sub-processors: AI vendors use many sub-processors. AI services rely on multiple infrastructure, compute, and model hosting sub-processors — each a potential liability if not covered.

The DPA Template

Have your legal counsel review and customise before execution. Note: this is a template, not legal advice.

This Data Processing Agreement ("Agreement") forms part of the Master Services Agreement between [Controller Name] ("Controller") and [Processor/Vendor Name] ("Processor").

Subject Matter

Processor will process personal data on behalf of Controller for the purpose of providing [describe AI service, e.g. AI-powered document analysis, AI writing assistance, AI code generation] as defined in the Master Services Agreement.

Nature of Processing

The processing activities may include collection, storage, analysis, structuring, retrieval, use, disclosure, and deletion of personal data as necessary to provide the contracted services. Processing shall occur exclusively in automated form unless otherwise agreed in writing.

Categories of Data Subjects

[e.g. Employees and contractors of the Controller; customers and prospects of the Controller; end users of the Controller's products — customise as applicable]

Categories of Personal Data

[e.g. Names, email addresses, job titles, professional communications, document content, usage data — customise based on actual data flows. Specify separately if any special category data under GDPR Article 9 is processed]

Processing Duration

Processing will continue for the term of the Master Services Agreement and until all personal data is returned or deleted in accordance with Section 6 of this Agreement.

Important: AI-specific clause — Processor shall not use Controller's personal data, prompts, or outputs to train, fine-tune, or improve Processor's AI models or any third-party AI models. Processing shall be limited solely to delivering the contracted services.

How to Negotiate an AI Vendor DPA

Follow these steps to review, negotiate, and execute a DPA with your AI vendors. Involve your legal counsel and DPO throughout the process.

1. Map data flows before reviewing the DPA

Before you can review a DPA, map exactly what personal data will flow to the AI vendor, for what purpose, under what legal basis, and whether data will leave your jurisdiction. Without this, you cannot identify which clauses are critical for your specific use case.

2. Identify and remove AI model training clauses

Review the vendor's standard DPA for clauses permitting use of your data to train AI models. This is the most common AI-specific risk in vendor DPAs. Require explicit written commitment that your data will not be used for model training, fine-tuning, or product improvement.

3. Negotiate the sub-processor list and transfer provisions

AI vendors typically use multiple sub-processors for model hosting and compute. Ensure the DPA includes a complete sub-processor list, 30-day advance notice of changes, your right to object, and appropriate transfer mechanisms (SCCs or adequacy decisions) for all cross-border processing.

4. Verify security certifications and audit rights

Request the vendor's ISO 27001 certificate and SOC 2 Type II report before signing. Ensure the DPA includes your right to audit compliance and the vendor's obligation to cooperate. A DPA without audit rights is difficult to enforce.

5. Track DPAs in your AI vendor register

Record the executed DPA in your AI vendor register with the effective date, annual review date, and breach notification contact. Set reminders for annual reviews — AI vendor sub-processor lists and terms change frequently. Failure to maintain current DPAs is a common GDPR audit finding.

Track DPA Status Across All Your AI Vendors

Aona maintains a live vendor register that tracks which AI tools have executed DPAs, which are pending review, and which are flagged for renewal. Get full visibility of your AI vendor compliance posture without the spreadsheet maintenance.
