What is a Data Processing Agreement?

A DPA is the contract required by GDPR Article 28 whenever a processor handles personal data on a controller's behalf. For AI vendors that means anyone whose API or tool sees your customers' or employees' data. Without a compliant DPA the processing itself can be unlawful.

Which Article 28 clauses are mandatory?

Article 28(3) sets out a defined list — processing only on documented instructions, confidentiality, security measures, sub-processor controls, assistance with data-subject rights, breach notification, deletion or return on termination, and audit rights. All of these are treated as critical in this checklist.

Why does AI model training matter in a DPA?

Many AI vendors reserve the right to use customer inputs to improve their models. If your data includes personal data, that is a new purpose that needs a lawful basis and should be contractually addressed. A clear no-training clause closes a common and serious gap.

Can keyword matching miss a clause that is actually present?

Yes. The same obligation can be drafted with very different wording, so a missing flag means review, not a verdict. Treat the tool as a fast triage that tells you where to read the contract carefully.

Does my contract text leave my browser?

No. All matching happens locally in JavaScript. The DPA text is never uploaded or stored anywhere.

AI Vendor Data Processing Agreement Checklist

AI vendor DPA checklist

Every AI vendor that touches your customers’ or staff’s personal data is a processor under GDPR, and that triggers a hard requirement: a Data Processing Agreement that contains the specific clauses listed in Article 28. Vendors’ template DPAs vary wildly in quality, and a missing clause can leave you exposed when a regulator or customer asks how the data is governed. This tool screens a pasted DPA against the mandatory list in seconds.

How it works

You paste the vendor’s full DPA text and the tool scans it for each Article 28 obligation — documented-instructions processing, confidentiality, security measures under Article 32, sub-processor authorisation and flow-down, assistance with data-subject rights, breach notification, deletion or return on termination, and audit rights — plus AI-specific concerns like international transfer safeguards and whether the vendor commits not to train its models on your data. Each clause is marked present or apparently missing, with critical clauses separated from secondary ones so you know what blocks sign-off.

Tips and notes

A missing flag means read, not reject. The same duty can be worded a dozen ways; the tool points you to where to look rather than giving a final ruling.
Push hardest on sub-processors and training. The two clauses vendors most often weaken are the right to control onward sub-processors and a clear no-training commitment — both are where your data quietly travels.
Pair with a risk matrix. A clean DPA tells you the contract is sound; a third-party risk matrix tells you whether the vendor’s actual practices match what they promised.