A data processing agreement (DPA, in German Auftragsverarbeitungsvertrag or AVV) is the contract under Article 28 GDPR that regulates how an AI vendor (the processor) handles personal data on behalf of your organization (the controller). For EU AI chat platforms, three clause families fail more often than the rest: audit rights, sub-processor disclosure, and deletion. A DPA missing one of these three is not Article 28 compliant, regardless of marketing language. This checklist gives your DPO 12 specific questions to score every vendor DPA before you sign.

Vendors with a strong DPA welcome the questions. Vendors with a weak DPA push back, redirect to marketing materials, or quote "standard industry terms". Push-back is a signal. The strongest DPAs in our EU ChatGPT alternative for enterprise comparison (Teamo AI, LangDock, Aleph Alpha) hand over the full DPA text within 24 hours of request and walk you through Article 28 clause by clause on a procurement call. The weakest hide behind "available under NDA" or "enterprise tier only". For the broader compliance frame, see the EU AI Act + GDPR small business playbook.

Article 28: GDPR clause that defines DPA requirements
12: must-have clauses every EU AI chat DPA should pass
3: clauses where vendor DPAs most often fail (audit, sub-processor, deletion)
20M EUR or 4 %: max GDPR fine for processor DPA non-compliance (Article 83)

Why the DPA Matters More for AI Chat Than Other SaaS

Three reasons AI chat DPAs need stricter scrutiny than ordinary SaaS DPAs. One: AI training as a hidden processing purpose. Customer prompts and responses can be used to train, fine-tune, or evaluate models. Without an explicit contractual prohibition, this is processing for the vendor's own purposes (Article 6 lawful basis required) and turns the vendor from processor into joint controller, which changes the entire DPA structure. Two: model-vendor sub-processing. Most EU AI chats are gateways routing to upstream model vendors (OpenAI, Anthropic, Google, Meta). Each upstream is a sub-processor under Article 28(2). The DPA must disclose them, give you veto rights on changes, and contractually flow your no-training requirement down to them. Three: log retention asymmetry. AI chat generates extensive logs (prompts, responses, metadata, usage analytics). Vendors often retain these for "service improvement", which becomes processing for their own purposes if not contractually capped.

An ordinary SaaS DPA covers data storage, access, and deletion. An AI chat DPA needs all of that plus explicit handling of training, sub-processor flow-down, log retention, and disclosure of which exact model handled which exact request (for Article 50 transparency). The 12 clauses in the next section cover all of these specifically.

The 12 DPA Clauses Every EU AI Chat Vendor Must Pass

1. Vendor is incorporated in the EU and contracts under EU jurisdiction

2. All processing happens within the EU/EEA, no third-country transfer

3. Customer data is contractually excluded from any model training, fine-tuning, or evaluation

4. All sub-processors are disclosed by name with their roles, including upstream model vendors

5. Sub-processor changes require advance notification with veto right

6. Audit rights are real (on-site, third-party, or detailed annual report acceptable)

7. Breach notification within 72 hours of vendor awareness

8. Deletion on contract end covers all copies including backups within defined window

9. Log retention is contractually capped (typically 30 days for full content, 90 days for metadata)

10. Article 50 EU AI Act transparency disclosure UI is built-in or contractually committed

11. Per-message audit log is accessible to your compliance team

12. Liability cap is at least 12 months of fees (or higher for breach involving sensitive data)

Three quietly missing clauses kill most vendor DPAs: weak audit rights (capped at remote questionnaire), incomplete sub-processor disclosure (model vendors hidden), and vague deletion language (no specific window or backup coverage). Cross-check these three first, before reading the rest. If any of the three fail, the DPA is non-compliant regardless of how good the other clauses look.

Score your AI vendor against the 12 DPA clauses in 7 minutes

Independent assessment maps your current vendor DPA against the 12 must-have clauses. Output is a procurement-grade scorecard your DPO can use directly. EU-hosted, free.


How to Run the DPA Review with Vendors

Three steps that work in practice. One: request the full DPA text up front, not after the pilot starts. If a vendor only releases the DPA after a signed pilot agreement, walk away. Strong vendors send the DPA within 24 hours of request; weak ones make you ask twice and then send a heavily redacted version. Two: have your DPO score the DPA against the 12 clauses in this checklist, with traffic-light status (green for compliant, yellow for conditional, red for failing). Bring the scorecard to the next vendor call and walk through it together. Strong vendors engage clause by clause; weak vendors deflect or escalate. Three: never sign a DPA where any of clauses 1-3, 4-5, or 6-8 are red. Those three groups are the structural minimums. Other clauses can be negotiated post-signature; the structural ones cannot.

For the broader compliance picture (DPA plus AI Act plus Betriebsrat), see the GDPR + AI Act compliance checklist and the GDPR + AI Act compliance software comparison for tooling that monitors DPA adherence over time.

Bonus: ask about concrete safety mechanisms beyond the DPA. Strong vendors implement runtime guards that go beyond contract clauses. Example: an AI hallucination guard rejects bulk-update tool calls where the AI's claimed prior value does not match the actual stored value, preventing the AI from hallucinating updates across long agent loops. Vendors with this kind of mechanism in place have thought about the real failure modes of AI in production; vendors that only point to their DPA have not. Ask specifically: what runtime guards prevent AI hallucination on bulk operations?
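The hallucination guard described above, written out as an added example (not code from the original article or from any vendor named on this page). It assumes a hypothetical in-memory record store and a hypothetical tool-call shape in which the model must state, for every record it wants to change, the value it believes is currently stored. The guard compares each claimed prior value with the actual stored value, rejects the whole batch atomically if any one of them disagrees (or names a record that does not exist), and writes an entry to a per-call audit log, which is the kind of log clause 11 asks your compliance team to have access to.

```python
"""Hallucination guard for bulk-update tool calls (added example, hypothetical store and call shape)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Sentinel so a missing record is never confused with a stored value of None.
_MISSING = object()


@dataclass
class UpdateRequest:
    """One entry of a bulk-update tool call emitted by the model."""
    record_id: str
    claimed_prior: Any   # what the model asserts is currently stored
    new_value: Any       # what the model wants to write


@dataclass
class GuardResult:
    applied: bool
    # record_id -> (claimed prior, actual stored value or "<no such record>")
    mismatches: dict[str, tuple[Any, Any]] = field(default_factory=dict)


class BulkUpdateGuard:
    """Applies a batch only if every claimed prior value matches the store."""

    def __init__(self, store: dict[str, Any]) -> None:
        self.store = store
        self.audit_log: list[dict[str, Any]] = []   # per-call audit trail

    def apply(self, updates: list[UpdateRequest]) -> GuardResult:
        mismatches: dict[str, tuple[Any, Any]] = {}
        for u in updates:
            actual = self.store.get(u.record_id, _MISSING)
            if actual is _MISSING:
                mismatches[u.record_id] = (u.claimed_prior, "<no such record>")
            elif actual != u.claimed_prior:
                mismatches[u.record_id] = (u.claimed_prior, actual)

        if mismatches:
            # Reject the entire batch: a single hallucinated prior value means the
            # model's picture of the data is stale, so none of its writes are trusted.
            self.audit_log.append({"event": "rejected",
                                   "requested": len(updates),
                                   "mismatched": sorted(mismatches)})
            return GuardResult(applied=False, mismatches=mismatches)

        # All prior values verified: apply the writes.
        for u in updates:
            self.store[u.record_id] = u.new_value
        self.audit_log.append({"event": "applied",
                               "requested": len(updates),
                               "records": [u.record_id for u in updates]})
        return GuardResult(applied=True)


def run_demo() -> tuple[GuardResult, GuardResult, dict[str, Any]]:
    """Constructed sample data: a tiny ticket store and two tool calls."""
    store = {"ticket-1": "open", "ticket-2": "open", "ticket-3": "closed"}
    guard = BulkUpdateGuard(store)

    # Call 1: the model's view of the data is accurate -> applied.
    ok = guard.apply([
        UpdateRequest("ticket-1", claimed_prior="open", new_value="closed"),
        UpdateRequest("ticket-2", claimed_prior="open", new_value="closed"),
    ])

    # Call 2: later in the agent loop the model "remembers" ticket-3 as open
    # (it is closed) and invents ticket-9 -> whole batch rejected, ticket-1 untouched.
    rejected = guard.apply([
        UpdateRequest("ticket-3", claimed_prior="open", new_value="closed"),
        UpdateRequest("ticket-1", claimed_prior="closed", new_value="open"),
        UpdateRequest("ticket-9", claimed_prior="open", new_value="closed"),
    ])
    return ok, rejected, store


if __name__ == "__main__":
    ok, rejected, store = run_demo()
    print("first call applied:", ok.applied)
    print("second call applied:", rejected.applied, "mismatches:", rejected.mismatches)
    print("final store:", store)
```

The design choice worth noting in a vendor conversation is the all-or-nothing rejection: applying the matching rows and dropping the rest would let a model with a stale view of the data write partial batches, which is exactly the long-loop failure the paragraph describes. In a real system the claimed prior value would be a version number or row hash rather than the raw value, and the comparison would happen inside the database transaction.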

Run the AI Readiness Assessment alongside the DPA review

Independent baseline of which teams are ready for the AI rollout. Lets you scope the DPA negotiation specifically: which data categories, which sub-processors, which retention windows are actually needed.


The DPA is the contract that makes EU AI sovereignty real

Marketing language is not contractual. A vendor saying "GDPR-compliant" or "EU-sovereign" on their landing page does not bind them to anything. The DPA is the contract. If the DPA does not contain the 12 clauses in this checklist, the marketing language is unenforceable.

Three clause families fail most often: audit rights, sub-processor disclosure, deletion. Cross-check these three first. If any fails, the DPA is structurally non-compliant.

Strong vendors welcome the scrutiny. Teamo AI, LangDock, Aleph Alpha PhariaAssistant, Mistral Le Chat Enterprise, and DeutschlandGPT all engage clause by clause on procurement calls. Vendors that deflect by quoting "standard industry terms" are signaling weakness, not strength.