A contract between a data controller (the organization that determines how data is used) and a data processor (a vendor that processes data on the controller's behalf). Under GDPR, a DPA is legally required whenever a vendor processes personal data on your behalf. For AI tools, the DPA governs what data the vendor can access, how long they retain it, whether they can use it for training, and what security standards they must meet. Reviewing your AI vendors' DPAs is a core vendor due diligence step.
Why this matters for your team
A DPA is not optional — it is legally required under GDPR before any vendor can process EU personal data on your behalf. Make a signed DPA a blocker in your vendor onboarding process, not an afterthought. Every AI tool that touches personal data needs one.
Before deploying an AI writing tool that processes customer emails, a team reviews the vendor's DPA to confirm: the vendor will not use customer data for model training, data is deleted within 30 days, and EU data stays in the EU.