
AI Data Processing Addendum (DPA)

A processor contract built for the AI era. It locks your vendor to documented instructions, prohibits training on your customer data, and sets the deletion, audit, and cross-border transfer terms that GDPR Article 28 and the CCPA service-provider rules require.

  • Attorney drafted
  • State-specific law built in
  • Cites the controlling statutes
  • PDF + Word formats ready
Written by Suna Gol

Fact-checked by Anderson Hill

Legally reviewed by Jonathan Alfonso

Last updated April 3, 2026

Key Takeaways

  • A data processing addendum is the written contract GDPR Article 28(3) requires before any processor, including an AI vendor, touches personal data on your behalf. Skip it and both sides sit exposed to fines of up to 10 million euros or 2 percent of worldwide annual turnover, whichever is higher.
  • The AI-specific clause to get right is the training prohibition. The EDPB's Opinion 28/2024 and the 15 million euro Garante fine against OpenAI make clear that personal data fed into a model without a lawful basis can taint the model's deployment, not just the training run.
  • CCPA covers different ground from GDPR. A California service-provider contract under Section 7051 carries nine required terms and, from January 1, 2026, must address automated decision-making and risk-assessment cooperation. You often need both regimes covered in one addendum.
  • Sub-processor governance is non-negotiable. Under Article 28(4) your vendor stays fully liable to you for any sub-processor it hires, so the addendum needs a current sub-processor list, 30-day change notice, and an objection right.
  • Cross-border transfers out of the EEA need a mechanism: the EU-U.S. Data Privacy Framework for certified U.S. recipients, or the 2021 Standard Contractual Clauses for everyone else. Name the mechanism in the addendum and attach the module you rely on.
  • Deletion has to be concrete: cryptographic erasure of live data within roughly 30 days of termination, backups purged within about 90 days, and a written deletion certificate. Vague 'we delete data' language fails an audit.

Reviewed for accuracy by the document.com legal team. Educational information, not legal advice.

What Is an AI Data Processing Addendum (DPA)?

An AI data processing addendum (DPA) is a binding written contract between a data controller and an AI vendor that limits how the vendor may process personal data, and it satisfies the processor-agreement requirement in GDPR Article 28(3). It is the document that turns a vendor's marketing promise of 'we take privacy seriously' into enforceable obligations a regulator and a court will recognize.

You are the controller in this relationship: you decide why and how personal data gets used. The AI vendor is the processor, acting only on your written instructions. The addendum is the paperwork that proves that relationship exists and that the processor agreed to specific limits before it ever saw a single record.

The word 'addendum' matters. This is almost always bolted onto a master agreement, an order form, or a SaaS terms of service rather than signed standalone. It supplements the commercial contract with the privacy-and-security terms that the underlying deal usually skips.

What makes the AI version different from a generic DPA is the model-training problem. A traditional processor stores or transmits your data and then deletes it. An AI vendor can ingest your data into a training corpus, where it stops being a discrete record you can simply erase and becomes statistical weights inside a model. The AI DPA exists to draw a hard line around that risk.

Why This Matters Now

On December 20, 2024 the Italian Garante fined OpenAI 15 million euros, finding the company had no lawful basis under GDPR Article 6 for the personal data in its training corpus, among other failures. It was the first major generative-AI fine in the EU, and it landed squarely on the issue an AI DPA is built to control: documented instructions and a verified lawful basis for what the model ingests.

The regulators have written down their position. The European Data Protection Board's Opinion 28/2024, adopted December 17, 2024, says that personal data unlawfully processed to train an AI model can make the model's later deployment unlawful too, 'unless the model has been duly anonymised.' That single finding turns a sloppy training pipeline into a downstream liability for everyone who uses the model.

Web-scraping is not a loophole. The CNIL hit Clearview AI with a 20 million euro penalty in October 2022 plus 100,000 euros per day, rejecting the argument that 'publicly available' images escaped the Article 6 lawful-basis requirement. If your vendor's training data was scraped, that history sits upstream of you.

California's requirements tighten on January 1, 2026, when provisions of the California Privacy Protection Agency's regulations add cybersecurity-audit, risk-assessment, and automated-decision-making-technology obligations. Service-provider contracts now need cooperation clauses for ADMT and risk-assessment reporting that older CCPA DPAs never contemplated.

The FTC put U.S. vendors on notice. In a January 2024 staff statement, the agency warned that an AI company's privacy commitments in its contracts must actually limit model training and exclude customer data from fine-tuning, and that quietly changing those terms to grab training data can be an unfair or deceptive practice.

EU customers increasingly treat data residency and an explicit AI-training prohibition as non-negotiable line items in procurement. If you sell software and cannot produce a clean AI DPA on request, you lose the deal before legal even reviews it.

What a strong AI data processing addendum actually contains

Start with the roles and the subject matter. The addendum should name the controller, name the processor, and describe in an exhibit the categories of data subjects, the categories of personal data, the nature and purpose of the processing, and the duration. When a regulator audits the relationship, the processing-details exhibit is the first thing it reads, and a vague one signals that nobody thought carefully about scope.

The instruction clause is the spine. State that the processor may handle personal data only on the controller's documented instructions, with this addendum and the underlying service agreement being those instructions, and that the processor will tell the controller if it believes an instruction violates data-protection law. The Garante's OpenAI decision turned on the absence of a documented lawful basis for what the model ingested, so this clause is where you tie processing to permitted purposes and nothing else.

Then the AI training prohibition, the clause that sets this apart from a generic DPA. Spell out that the vendor will not use customer personal data to train, fine-tune, or improve any model, will not use it for benchmarking or feature detection, and will not retain it for those purposes after the service is delivered. Mature contracts back this with teeth: liquidated damages per violation, or a representation that the vendor's foundation models were not trained on unlawfully processed personal data. Industry standard clauses, such as the Common Paper prohibit-AI-training term, exist precisely because buyers stopped trusting general assurances.

Security comes next, and Article 32 sets the floor. Specify encryption at rest, with AES-256 being the going market standard, and TLS 1.2 or higher in transit. Add role-based access control on a least-privilege basis, audit logging of personal-data access with a defined retention window, and pseudonymization for sensitive fields where feasible. Microsoft's published DPA, for instance, commits to 256-bit AES at rest and TLS 1.2-plus in transit, which is a useful benchmark when you are negotiating against a smaller vendor's thinner promises.
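Of the Article 32 items above, pseudonymization is the one that changes what the vendor actually receives, so it is worth seeing concretely. The following is an added example written for this page (not code from any vendor's DPA, product, or the Microsoft document cited above): before a support-ticket row is sent to an AI service, the direct identifiers are replaced with keyed HMAC-SHA256 tokens under a secret only the controller holds. The tenant key literal, the field names "email" and "phone", and the sample row are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Pseudonymizer swaps direct identifiers for keyed HMAC-SHA256 tokens before a
// record leaves for the vendor. The key stays with the controller: tokens are
// stable inside one tenant (joins, dedup and erasure lookups still work) but
// cannot be reversed or dictionary-attacked by anyone without the key.
type Pseudonymizer struct {
	key    []byte
	fields map[string]bool
}

// NewPseudonymizer takes the tenant's secret and the names of the fields to tokenize.
func NewPseudonymizer(tenantKey []byte, sensitiveFields ...string) *Pseudonymizer {
	f := make(map[string]bool, len(sensitiveFields))
	for _, name := range sensitiveFields {
		f[name] = true
	}
	return &Pseudonymizer{key: tenantKey, fields: f}
}

// normalize makes variants of the same identifier collide on purpose. Without
// this, "Alice@Example.com" and "alice@example.com" become two different
// pseudonyms and an erasure request against the vendor misses half the rows.
func normalize(field, value string) string {
	v := strings.TrimSpace(value)
	switch field {
	case "email":
		return strings.ToLower(v)
	case "phone":
		var digits strings.Builder
		for _, r := range v {
			if r >= '0' && r <= '9' {
				digits.WriteRune(r)
			}
		}
		return digits.String()
	}
	return v
}

// Token computes "pseu_" + hex(HMAC-SHA256(key, field || 0x00 || normalized value)).
// Mixing the field name in keeps an email token and a phone token for the same
// string from being equal; the prefix makes un-tokenized raw identifiers easy
// to spot in anything that reaches the vendor.
func (p *Pseudonymizer) Token(field, value string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(field))
	mac.Write([]byte{0})
	mac.Write([]byte(normalize(field, value)))
	return "pseu_" + hex.EncodeToString(mac.Sum(nil))
}

// Pseudonymize returns a copy of record with the configured fields tokenized and
// all other fields untouched. Blank values stay blank rather than becoming one
// shared token that would falsely link every row with no email on file.
func (p *Pseudonymizer) Pseudonymize(record map[string]string) map[string]string {
	out := make(map[string]string, len(record))
	for k, v := range record {
		if p.fields[k] && strings.TrimSpace(v) != "" {
			out[k] = p.Token(k, v)
		} else {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Assumption: the per-tenant secret comes from the controller's own KMS; the
	// literal key and the ticket row below are constructed for this example.
	p := NewPseudonymizer([]byte("controller-held-tenant-key-acme"), "email", "phone")
	row := map[string]string{
		"ticket": "T-1042", "email": "Alice@Example.com ", "phone": "+1 (555) 010-2000",
		"body": "cannot log in",
	}
	fmt.Println(p.Pseudonymize(row))
}
```

Two design points matter in practice. The key is per tenant, so a token from one customer's data can never be joined to another customer's, and destroying the key later is what turns the tokens into meaningless strings. And this only covers structured fields: the free-text "body" passes through untouched, so personal data inside ticket bodies or transcripts needs a separate redaction step before the vendor sees it.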

Sub-processor governance protects you from your vendor's vendors. The addendum should require either specific or general written authorization for sub-processors, maintain a current published sub-processor list, give you at least 30 days' notice before a new sub-processor is added, and give you the right to object. Under Article 28(4) the original processor stays fully liable to you for its sub-processors' failures, so insist that the vendor flows down identical protections. OpenAI's April 2025 update moved to a 30-day notice plus objection model, and Microsoft has signaled a separate 30-day notice track specifically for AI sub-processors, which tells you where the market is heading.

Data-subject rights and breach notification round out the cooperation duties. The processor must assist you in responding to access, deletion, and other requests within your statutory deadlines, and must notify you of a personal-data breach quickly, with 24 to 48 hours now the typical contractual ask, well inside the GDPR's 72-hour controller deadline. Include audit and assurance rights here: either a direct audit right or, more commonly, an agreement to provide a current SOC 2 Type II report or equivalent.

Deletion and return is where loose drafting costs you. Commit the vendor to delete or return all personal data on termination, with cryptographic erasure of live data within about 30 days, purge from backups within roughly 90 days to match standard backup-rotation cycles, and a written deletion certificate. Cryptographic erasure only delivers that result if your data was encrypted under keys scoped to your account, so ask how keys are partitioned and whether backups of the key store are purged on the same clock. For the AI context, add language addressing whether data already used in training can be removed, acknowledging the EDPB's view that unlawfully trained data creates lingering deployment risk. If the vendor cannot promise to un-train your data, you want to know that before you sign, not after a subject access request.

Finish with international transfers and liability. Identify the transfer mechanism, whether DPF certification or the relevant 2021 SCC module, and attach it. Address data residency if EU customers require it. Then set out liability and indemnification, clarifying the processor's financial accountability, including for sub-processor breaches under Article 28(4). None of this works if the commercial liability cap in the master agreement silently swallows the privacy obligations, so check how the cap interacts with this addendum before you call it done.

When You Need This

You are buying or selling SaaS, and personal data of EU or California residents will pass through the vendor's systems. Sign the addendum before any records move; Article 28(3) requires the written contract to be in place before processing starts.

You are deploying an AI tool, an LLM API, a copilot, a transcription service, that will see customer names, emails, support tickets, or any other personal data. The training-prohibition and deletion clauses are the reason this exists.

An enterprise customer's procurement team has sent you a DPA to sign, or a security questionnaire asking for yours. You need your own clean version to negotiate from rather than accepting theirs wholesale.

You are sending personal data out of the EEA, to a U.S. cloud region or an offshore support team, and need to document the transfer mechanism the GDPR requires.

You are a controller engaging a sub-processor chain and want the liability flow-down and notice rights that keep you from being blindsided when your vendor swaps in a new provider.

Your existing DPA predates 2025 and says nothing about AI training, the CCPA 2026 ADMT rules, or the EDPB's anonymization guidance. An out-of-date addendum can be worse than none, because it looks like coverage you do not have.

How to Fill Out an AI Data Processing Addendum (DPA)

  1. Identify the roles and attach a processing-details exhibit

    Name the controller and the processor, then build the exhibit that describes the categories of data subjects, the types of personal data, the nature and purpose of processing, and the duration. Be specific. 'Customer account data and support communications, processed to deliver the AI assistant service, for the term of the subscription' beats a one-line generality that an auditor will pick apart.

  2. Write the documented-instructions clause

    State that the processor handles personal data only on your documented instructions, that this addendum and the service agreement constitute those instructions, and that the processor must flag any instruction it believes breaks the law. Confirm the lawful basis under Article 6 sits with you as controller, and that the instructions never authorize processing beyond the stated purposes.

  3. Insert the AI training prohibition with teeth

    Prohibit use of your personal data to train, fine-tune, improve, benchmark, or evaluate any model. Add that the vendor will not retain the data for those purposes after service delivery. Where leverage allows, attach liquidated damages per violation or a representation that the vendor's models were not built on unlawfully processed personal data. This is the clause regulators and EU buyers look for first.

  4. Set the Article 32 security floor

    Require encryption at rest at AES-256, TLS 1.2 or higher in transit, role-based least-privilege access, audit logging with a stated retention period, and pseudonymization for sensitive fields. Reference the vendor's current SOC 2 Type II report or equivalent assurance, and make delivery of that report on request an express obligation in the addendum.

  5. Lock down sub-processors

    Require written authorization for sub-processors, a maintained and accessible sub-processor list, at least 30 days' advance notice of any addition, and an objection right. Require the vendor to bind every sub-processor to materially the same terms, and confirm in writing that the vendor remains fully liable for them under Article 28(4).

  6. Define breach notification and data-subject assistance

    Set a notification window of 24 to 48 hours from the vendor's awareness of a breach, comfortably inside your own 72-hour GDPR deadline, and specify what the notice must contain. Require the vendor to help you fulfill access, deletion, and other data-subject requests within your statutory timelines, including the one-month response clock that Article 12(3) sets for Article 17 erasure requests.

  7. Specify deletion, return, and the AI-forgetting question

    Commit the vendor to cryptographic erasure of live data within about 30 days of termination, backup purge within about 90 days, and a written deletion certificate. Add language on whether data already used in any model can be removed, and capture the vendor's honest answer, because the EDPB has signaled that unlawfully trained data can taint deployment that you cannot simply delete your way out of.

  8. Name the transfer mechanism and reconcile liability

    Identify whether transfers rely on EU-U.S. Data Privacy Framework certification or a specific 2021 SCC module, and attach the operative module. Add a CCPA service-provider rider with the Section 7051 terms and the 2026 ADMT cooperation duties if California data is in scope. Finally, check that the master agreement's liability cap does not silently gut these privacy obligations, and have a qualified privacy lawyer review the package before signing.

Key Terms Defined

Controller
The party that determines the purposes and means of processing personal data. In an AI vendor relationship, you, the customer, are almost always the controller, because you decide why the data is being used and which tool processes it.
Processor
A party that processes personal data on the controller's behalf and on its instructions, without deciding the purposes itself. An AI vendor running an inference service over your customer data is acting as your processor, which is why GDPR Article 28 forces a written contract between you.
Sub-processor
A third party a processor engages to help process the data, such as a cloud host or an AI infrastructure provider underneath your direct vendor. Under Article 28(4) the original processor stays fully liable to the controller for its sub-processors, so the addendum must govern who they are and how they are added.
Lawful basis
One of the six grounds in GDPR Article 6 that makes processing legal, such as consent, contract necessity, or legitimate interest. Training an AI model on personal data is itself processing that needs its own lawful basis, the exact point the Garante found missing in the OpenAI case.
Standard Contractual Clauses (SCCs)
European Commission pre-approved model contract terms, in their modernized 2021 form, that legalize transfers of EEA personal data to countries without an adequacy decision. You attach the module matching your transfer type, controller-to-processor for most AI vendor deals.
Cryptographic erasure
Deleting data by destroying the encryption keys that protect it, rendering the underlying ciphertext permanently unreadable. It is the practical deletion method most DPAs specify, because it can purge data across distributed storage and backups faster than overwriting every copy. It only works as a per-customer deletion if your data was encrypted under a key scoped to you, and only if every copy of that key, including backups of the key store, is destroyed as well.
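The deletion clause, step 7 of the fill-out guide, and the definition just above all rest on cryptographic erasure, so here is the mechanism in working form. This is an added example written for this page, not code from any vendor: records are sealed under a per-tenant AES-256-GCM data-encryption key, erasure zeroes and discards that key, and the function returns the deletion certificate the addendum asks for. The in-memory key store stands in for a KMS or HSM, and the tenant name and record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// dek is one tenant's data-encryption key. Assumption: a real deployment keeps
// it wrapped by a KMS/HSM key-encryption key; an in-memory map keeps this runnable.
type dek struct {
	id  string
	key []byte // 32 bytes = AES-256
}

// KeyStore maps tenant -> DEK. Records are sealed only under their tenant's DEK,
// the precondition for erasing one customer without taking every customer offline.
type KeyStore struct{ deks map[string]*dek }

func NewKeyStore() *KeyStore { return &KeyStore{deks: map[string]*dek{}} }

// Provision generates a fresh 256-bit DEK plus a random key ID for the tenant.
func (ks *KeyStore) Provision(tenant string) error {
	buf := make([]byte, 40)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	ks.deks[tenant] = &dek{id: hex.EncodeToString(buf[32:]), key: buf[:32]}
	return nil
}

// aead builds AES-256-GCM from the current DEK on every call. A cached
// cipher.AEAD keeps its own expanded-key copy and would survive the erase below.
func (ks *KeyStore) aead(tenant string) (cipher.AEAD, error) {
	d, ok := ks.deks[tenant]
	if !ok {
		return nil, errors.New("no DEK for tenant: erased or never provisioned")
	}
	block, err := aes.NewCipher(d.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag, binding the tenant name as
// associated data so a blob cannot be replayed under another tenant's key.
func (ks *KeyStore) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Decrypt fails for every copy of a blob, live or backup, once the DEK is gone.
func (ks *KeyStore) Decrypt(tenant string, blob []byte) ([]byte, error) {
	g, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(tenant))
}

// DeletionCertificate is the written evidence the addendum asks the processor for.
type DeletionCertificate struct {
	Tenant, KeyID, Method string
	ErasedAt              time.Time
}

// CryptoErase zeroes and drops the tenant's DEK. Ciphertext in primary storage
// and in backups is untouched and becomes permanently unreadable.
func (ks *KeyStore) CryptoErase(tenant string) (DeletionCertificate, error) {
	d, ok := ks.deks[tenant]
	if !ok {
		return DeletionCertificate{}, errors.New("no DEK to erase for tenant")
	}
	for i := range d.key {
		d.key[i] = 0
	}
	delete(ks.deks, tenant)
	return DeletionCertificate{Tenant: tenant, KeyID: d.id, ErasedAt: time.Now().UTC(),
		Method: "AES-256-GCM data-encryption key zeroed and removed from key store"}, nil
}

func main() {
	ks := NewKeyStore()
	_ = ks.Provision("acme")                                                  // constructed tenant
	live, _ := ks.Encrypt("acme", []byte("alice@example.com, ticket T-1042")) // constructed record
	backup := append([]byte(nil), live...)                                    // the backup copy
	cert, _ := ks.CryptoErase("acme")
	_, errLive := ks.Decrypt("acme", live)
	_, errBackup := ks.Decrypt("acme", backup)
	fmt.Printf("%+v\nlive readable: %v, backup readable: %v\n", cert, errLive == nil, errBackup == nil)
}
```

The backup copy is never touched and still fails to decrypt, which is the whole point: the 90-day backup purge in the addendum becomes a key-store question rather than a storage question. Two checks to put to a vendor follow directly from the code: keys must be partitioned per customer (a shared key cannot be destroyed for one tenant), and every copy of the key, including backups of the key store and any long-lived in-memory cipher handles, has to go before the certificate is honest.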

Related Documents

AI Data Processing Addendum

The processor contract for the AI era. It binds a vendor to your documented instructions, prohibits training on your customer data, sets Article 32 security and Article 17 deletion terms, governs sub-processors, and names the cross-border transfer mechanism. Use it whenever an AI vendor or SaaS provider will process personal data on your behalf.

Data Protection Impact Assessment (DPIA)

An internal risk analysis required by GDPR Article 35 when processing is likely to be high-risk, which AI deployments frequently are. The DPIA documents the risks and mitigations before you start; the DPA is the contract that binds your vendor. They work together, and a good DPA obliges the processor to help you run the DPIA.

Business Associate Agreement (BAA)

The HIPAA equivalent for U.S. protected health information. Where the DPA covers GDPR and CCPA personal data broadly, the BAA covers the specific obligations a vendor takes on when handling health data for a covered entity. If health data is in play, you usually need both, with the BAA often incorporated into the DPA.

Standard Privacy Policy

A public-facing notice that tells your own users what data you collect and why. It is a disclosure to data subjects, not a contract with a vendor. The DPA is the back-end agreement that makes the promises in your privacy policy actually deliverable, by binding the processors who touch the data.

Master Service Agreement (MSA)

The commercial backbone of the vendor relationship: scope, fees, term, liability, warranties. The DPA is the privacy-and-security addendum that attaches to it. The MSA says what you are buying; the DPA says how the personal data inside that service must be handled. Check that the MSA liability cap does not quietly undercut the DPA.

Legal Authorities & Sources

This page is grounded in primary law. The statutes and official resources below are the authorities behind the guidance above. Verify the current text of any statute before relying on it.
