Every AI governance framework — GDPR, EU AI Act, SOC 2, NIST AI RMF — starts with the same first step: know what AI tools you are using and what they do with your data. Without a register, you cannot confirm DPA coverage, classify tools under the EU AI Act, or answer investor due diligence questions about your AI vendor stack.
This template covers every field you need. Copy it into Notion, paste it into Google Sheets, or import the CSV. One row per tool.
At a glance: The AI tool register has three jobs: (1) GDPR Article 30 compliance — documenting every processing activity involving personal data, (2) EU AI Act Annex III classification — knowing which tools are high-risk before August 2026, (3) vendor management — confirming DPA and training opt-out for every production AI tool. This template covers all three in one document.
The Template
Notion Table Format
Create a new database in Notion with the following properties:
| Property | Type | Notes |
|---|---|---|
| Tool Name | Title | e.g., "Claude API", "Cursor", "Notion AI" |
| Vendor | Text | Company name |
| Owner | Person | Team member responsible for this tool |
| Use Case | Text | What your team uses it for |
| Data Processed | Multi-select | Options: Personal Data, Employee Data, Customer Data, PHI, PII, No Personal Data |
| Plan Tier | Select | Free / Pro / Business / Enterprise |
| DPA Signed | Select | Yes / No / Pending / Not Required |
| DPA Link | URL | Link to the signed DPA document |
| Training Opt-Out | Select | Confirmed / Not Confirmed / Not Applicable |
| EU AI Act Risk Tier | Select | Prohibited / High-Risk / Limited Risk / Minimal Risk / Not Classified |
| Data Residency | Text | e.g., "US only", "EU (Azure West Europe)" |
| Last Reviewed | Date | Date of last review |
| Notes / Pending Actions | Text | Any open items |
Spreadsheet Format (Copy-Paste CSV)
Tool Name,Vendor,Owner,Use Case,Data Processed,Plan Tier,DPA Signed,DPA Link,Training Opt-Out,EU AI Act Risk Tier,Data Residency,Last Reviewed,Notes
Claude API,Anthropic,[name],Code generation / document drafting,No Personal Data,API (Enterprise),Yes,[link],Confirmed,Minimal Risk,US only,2026-05-01,Zero-retention available on request
Cursor,Anysphere,[name],AI code assistant for engineering,No Personal Data (code only),Business,Yes,[link],Confirmed,Minimal Risk,US only,2026-05-01,Confirm privacy mode enabled
Notion AI,Notion,[name],Internal docs / meeting notes,Employee Data,Business,Yes,[link],Confirmed,Minimal Risk,US only,2026-05-01,Check AI feature settings per workspace
ChatGPT (via OpenAI API),OpenAI,[name],Customer support drafts,Customer Data,API + DPA,Yes,[link],Confirmed,Minimal Risk,US only,2026-05-01,SCCs included in DPA for EU data
GitHub Copilot,Microsoft/GitHub,[name],Code completion for all engineers,No Personal Data (code only),Business,Yes,[link],Confirmed,Minimal Risk,US only,2026-05-01,Code duplication filter enabled
HubSpot AI,HubSpot,[name],Email drafting / CRM automation,Customer Data,Professional,Yes (in MSA),[link],Confirmed,Minimal Risk,US (EU available),2026-05-01,Review sub-processor list
[AI hiring tool],[vendor],[name],Resume screening,Employee Data + Candidate PII,Enterprise,Pending,[link],Pending,HIGH-RISK (Annex III),US only,2026-05-01,EU AI Act conformity assessment required
Filling In the Hard Columns
DPA Signed — How to Check
Do not rely on memory. Check the actual legal records:
- Search your email for "[vendor name] DPA" or "[vendor name] Data Processing Agreement"
- Check your vendor portal — most enterprise AI providers have a self-serve DPA section
- Check your legal/contracts folder in your document management system
If no DPA exists for a tool that processes personal data: flag it as "Pending" and initiate the DPA process this week. Under GDPR Article 28, using a processor without a DPA is a violation — not a technicality, not a best practice issue.
Self-serve DPA portals for major AI providers:
- Anthropic: privacy.anthropic.com/dpa
- OpenAI: platform.openai.com → Settings → Privacy
- Google Cloud: cloud.google.com/terms/data-processing-addendum
- Microsoft Azure: microsoft.com/licensing (MSDPA)
- Mistral AI: mistral.ai/legal
Training Opt-Out — How to Confirm
The contract may say "we don't train on your data" but settings can override this. Verify in the actual product:
- OpenAI API: Settings → Privacy → "Improve model for everyone" → should be OFF
- GitHub Copilot: Organization settings → Policies → "Allow GitHub to use my code snippets" → OFF
- Google Vertex AI: Training opt-out is on by default for API customers; confirm in your Google Cloud console
- Anthropic Claude API: No training by default; enterprise zero-retention available on request
Mark "Not Confirmed" for any tool where you cannot verify the setting in the product dashboard. A contract clause is not confirmation — the setting is.
EU AI Act Risk Tier — Quick Classification
For each tool, answer two questions:
- Does this tool affect EU residents? (customers, employees, users in the EU)
- Does it fall into an Annex III category? (hiring, credit scoring, clinical decisions, education, critical infrastructure, law enforcement, migration, justice)
If YES to both: High-Risk — conformity assessment, technical documentation, and human oversight required before August 2026.
If YES to #1 but NO to #2: Limited Risk (if it is a chatbot or content generator, which carries transparency obligations toward users) or Minimal Risk (most tools).
If NO to #1: EU AI Act obligations are lighter, but classify anyway — your EU exposure may expand.
Use the EU AI Act Annex III checklist for the full 12-question classification process. Document your reasoning in the Notes column.
Pre-Populated Register: Common AI Tool Stack
Copy this as a starting point. Update the Owner, DPA Link, and Last Reviewed columns for your organization.
| Tool | Vendor | Typical Use | Data Processed | DPA Available | Training Opt-Out | EU AI Act Tier |
|---|---|---|---|---|---|---|
| Claude API | Anthropic | Code gen, summarization, drafting | No personal data | Yes | Yes (default) | Minimal risk |
| OpenAI API | OpenAI | GPT-4 completions | Depends on prompts | Yes | Yes (since Mar 2023) | Minimal risk |
| Azure OpenAI | Microsoft | Same as OpenAI, EU hosted | Depends on prompts | Yes (MSDPA) | Yes (default) | Minimal risk |
| Cursor | Anysphere | AI code assistant | Code only | Yes | Yes | Minimal risk |
| GitHub Copilot | Microsoft/GitHub | Code completion | Code snippets | Yes | Yes (org setting) | Minimal risk |
| Notion AI | Notion | Docs, meeting notes | Employee data | Yes (in MSA) | Yes | Minimal risk |
| Slack AI | Salesforce | Message summarization | Employee data | Yes (in DPA) | Verify | Minimal risk |
| HubSpot AI | HubSpot | CRM, email drafts | Customer data | Yes | Yes | Minimal risk |
| Grammarly Business | Grammarly | Writing assistance | Text content | Yes | Yes | Minimal risk |
| Otter.ai / Fireflies | Otter/Fireflies | Meeting transcription | Employee + customer voice | Check | Check | Limited risk |
| AI hiring tools (Greenhouse AI, Workday AI) | Various | Resume screening | Candidate PII | Must request | Must verify | HIGH-RISK |
| AI customer service (Intercom AI, Zendesk AI) | Various | Support ticket handling | Customer PII | Yes | Yes | Limited risk |
Note on AI hiring tools: Any AI used in resume screening, candidate ranking, or interview analysis is automatically Annex III high-risk under the EU AI Act. If you use any AI hiring tool, flag it as high-risk and initiate the conformity assessment process before August 2026.
Quarterly Review Process
Set a calendar reminder for quarterly register reviews. The review covers:
New tools added since last review:
- Any AI tool added in the quarter — add it to the register
- Confirm DPA was signed before the tool went into production use
Existing tools — check for changes:
- Vendor released model update or changed terms of service
- New sub-processors added (most vendors publish changelogs)
- Plan tier changed (free → paid, team → enterprise) — DPA coverage may change
Tools removed:
- Confirm data deletion from vendor after removing a tool
- Note the deletion confirmation date in the register before removing the row
Classification review:
- Any use case expansion that might change EU AI Act classification
- Regulatory guidance updates that affect classification
Quarterly is the minimum. Monthly is better for fast-growing teams.
Full Compliance Checklist
- Register created with every column from the template above
- Every AI tool in production use has an entry (including embedded SaaS AI features)
- DPA status confirmed for every tool that processes personal data
- Training opt-out verified in product settings (not just contract) for every production tool
- EU AI Act tier assigned for every tool affecting EU residents
- High-risk tools flagged with conformity assessment status
- Quarterly review date set with named owner
- Register location shared with AI Governance Lead and legal/compliance contact
- Register linked in your ROPA (GDPR Article 30 documentation)
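The rules from the "hard columns" guidance, the quarterly review cadence and the checklist above can be run over the CSV register automatically. This is an added Python example, not tooling from the page or from any vendor; the sample rows are constructed in the page's CSV layout, with the Notion AI row deliberately altered so that several checks fail.

```python
import csv
from datetime import date

# Constructed sample register in the page's CSV layout (not the page's own data);
# the Notion AI row is deliberately altered so that several checks fail.
REGISTER_CSV = """\
Tool Name,Vendor,Owner,Use Case,Data Processed,Plan Tier,DPA Signed,DPA Link,Training Opt-Out,EU AI Act Risk Tier,Data Residency,Last Reviewed,Notes
Claude API,Anthropic,[name],Code generation,No Personal Data,API (Enterprise),Yes,[link],Confirmed,Minimal Risk,US only,2026-05-01,Zero-retention available on request
Notion AI,Notion,[name],Internal docs,Employee Data,Business,No,[link],Not Confirmed,Minimal Risk,US only,2026-01-10,
[AI hiring tool],[vendor],[name],Resume screening,Employee Data + Candidate PII,Enterprise,Pending,[link],Pending,HIGH-RISK (Annex III),US only,2026-05-01,EU AI Act conformity assessment required
"""

REVIEW_INTERVAL_DAYS = 90  # quarterly is the page's stated minimum
AUDIT_DATE = date(2026, 5, 15)  # constructed "today" for the sample run


def check_row(row: dict, today: date) -> list:
    """Apply the register rules to one CSV row and return the open findings."""
    findings = []
    data = row["Data Processed"].strip().lower()
    dpa = row["DPA Signed"].strip().lower()
    opt_out = row["Training Opt-Out"].strip().lower()
    tier = row["EU AI Act Risk Tier"].strip().lower()
    # GDPR Art. 28: personal-data processors need a signed DPA ("Yes (in MSA)" counts as signed)
    if not data.startswith("no personal data") and not dpa.startswith("yes"):
        findings.append("no signed DPA for a tool processing personal data")
    # The product setting, not the contract clause, is the confirmation
    if opt_out not in ("confirmed", "not applicable"):
        findings.append("training opt-out not confirmed in product settings")
    # Every tool carries a tier; high-risk tools must state conformity assessment status in Notes
    if not tier or tier == "not classified":
        findings.append("EU AI Act risk tier not assigned")
    elif "high" in tier and "conformity" not in row["Notes"].lower():
        findings.append("high-risk tool without conformity assessment status")
    # Quarterly review is the minimum cadence
    age = (today - date.fromisoformat(row["Last Reviewed"])).days
    if age > REVIEW_INTERVAL_DAYS:
        findings.append(f"last reviewed {age} days ago")
    return findings

def audit_register(csv_text: str, today: date) -> dict:
    """Return {tool name: findings} for every row that has at least one open finding."""
    rows = csv.DictReader(csv_text.splitlines())
    report = {row["Tool Name"]: check_row(row, today) for row in rows}
    return {tool: found for tool, found in report.items() if found}


if __name__ == "__main__":
    for tool, found in audit_register(REGISTER_CSV, AUDIT_DATE).items():
        print(tool, *found, sep="\n  - ")
```

Run it against your exported CSV with today's date; a clean run (empty report) is the state the checklist above describes.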
Related Resources
- AI vendor due diligence checklist 2026 — 30 questions to run before adding a new AI vendor
- Privacy-first AI APIs: which don't train on your data — DPA request email template and full provider comparison
- EU AI Act Annex III checklist — 12 yes/no questions to classify each tool
- AI governance benchmark 2026 — score your governance maturity against 10 questions
- AI governance for small teams — complete guide — the full framework this register fits into
