Practical AI and SaaS for Business

GDPR AI Vendor Processor Agreements

Signing up for an AI tool that touches personal data means the vendor becomes a GDPR processor, and Article 28 sets out specific things their contract with you has to cover. This guide explains what to actually check before you sign, beyond a vendor's general claim of being GDPR compliant.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You run operations at a 20-person consultancy, and you're about to sign up for a new AI drafting tool that will handle real client information. The problem isn't whether the vendor says they're GDPR compliant, most do, it's whether their actual contract covers what Article 28 requires. This guide walks through exactly what to check before you sign, not after. No legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

The moment an AI vendor processes personal data on your business's behalf, that vendor becomes a GDPR "processor," and GDPR requires a specific written contract covering that relationship, not just a general privacy policy. A lot of businesses check whether a vendor's marketing page mentions GDPR and stop there. That's not the same as checking whether the actual contract covers what Article 28 requires.

In short: GDPR Article 28 requires a written contract between your business and any AI vendor processing personal data on your behalf, covering specific things: processing only on your instructions, confidentiality, security measures, sub-processor rules, help with data subject rights, and data deletion or return at the end. Check the vendor's actual data processing agreement for these, a general privacy policy doesn't automatically cover them.

The plain-English answer

Yes, you need a proper processor agreement, and no, a vendor's general terms of service or privacy policy usually isn't the same document. A compliant processor agreement, often called a Data Processing Agreement or DPA, is a specific contract, sometimes a standalone document, sometimes an addendum to the main terms, that spells out how the vendor will handle personal data on your instructions. If a vendor can't point you to a specific DPA, separate from their general terms, that's worth asking about directly before you rely on them being compliant.

Why this matters for your business

A 20-person consultancy adopting an AI drafting tool that touches real client information is exactly the kind of business this affects. The tool doesn't need to be built specifically for compliance work to trigger this requirement, any AI tool processing personal data, client names, case details, contact information, on your behalf makes the vendor a processor under GDPR, and that relationship needs the specific contractual safeguards Article 28 sets out.

The risk of skipping this check isn't abstract. GDPR makes clear that a business using a processor is responsible for using only processors offering sufficient guarantees, meaning the vendor selection and contract review itself is part of your compliance obligation, not something you can fully delegate to the vendor's own claims.

What GDPR actually requires

GDPR Article 28 sets out specific elements a processor agreement needs to cover. The vendor must process data only on your documented instructions, not for their own separate purposes. They must keep the data confidential. They must implement appropriate technical and organisational security measures. They can't bring in a sub-processor, another company that also touches the data, without your authorisation, and if they do, a matching agreement needs to be in place with that sub-processor too. They must help you respond to data subject rights requests, and at the end of the contract, they must delete or return all the data, your choice, not theirs.

For an AI tool specifically, two of these points deserve extra attention beyond the standard checklist. Sub-processors matter more than usual, because an AI vendor often relies on underlying model providers or cloud infrastructure as sub-processors, and a contract that's silent on this leaves you unable to confirm who else actually touches your data. Model training use matters too, a compliant DPA should be explicit about whether your data is used to improve or train the vendor's underlying model, and if so, whether you can opt out, this is a genuinely AI-specific question that a generic, pre-AI processor agreement template often doesn't address at all.

What this looks like in practice

Picture the operations manager reviewing the AI drafting tool's contract before signing. The vendor's marketing page says "GDPR compliant" prominently, and the standard terms of service look reasonable on a skim. Digging into the actual data processing agreement, a separate document linked from the account settings rather than the main sign-up page, reveals it says nothing about sub-processors at all, and nothing about whether client data is used for model training.

Rather than assume it's fine because everything else reads well, the operations manager goes back to the vendor with two specific questions before signing: who are your sub-processors, and is our data used for model training. The vendor's answer, and how quickly and clearly they give it, tells the manager more about the vendor's actual GDPR maturity than the marketing page ever could.

What you can do about it

A short check before signing any AI vendor's terms:

  • Locate the vendor's specific Data Processing Agreement, not just their general terms of service or privacy policy.
  • Check it names or references sub-processors, and confirms you'll be notified of any new ones.
  • Check it explicitly addresses whether your data is used for model training, and whether you can opt out.
  • Confirm it commits to deleting or returning your data at the end of the contract, at your choice.
  • If any of this is missing or unclear, ask the vendor directly before you sign, not after.

If the AI tool also involves transferring data outside the EU, which is common with US-built AI tools, see our guide on using a US AI tool with EU customer data for the additional cross-border transfer requirement on top of the processor agreement itself.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Is a vendor's general terms of service enough, or do I need a separate document?

Look for a specific Data Processing Agreement or equivalent, separate from the general terms. Some vendors fold Article 28 terms into a dedicated section of their main contract, which can be fine, but check it actually covers the required elements rather than assuming general terms cover it by default.

What if the AI vendor won't disclose their sub-processors?

Treat that as a real concern, not a minor gap. GDPR requires you to authorise sub-processor use, which isn't meaningful if you don't know who they are. A vendor unwilling to name their sub-processors is a signal worth weighing seriously against the tool's other benefits.

Do I need a new processor agreement for every AI tool we use?

Yes, each vendor processing personal data on your behalf needs its own compliant agreement. There's no single umbrella contract that covers every AI tool your business uses, each vendor relationship is assessed and documented separately.

What happens if we use an AI vendor with no proper processor agreement in place?

This is a distinct GDPR compliance gap, independent of whether anything actually goes wrong with the data. If a regulator investigates, being unable to produce a compliant processor agreement for a vendor handling personal data is a straightforward finding against the business.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Also sending data outside the EU to a US-based AI vendor?

Check the transfer requirement