AI Vendor Data Sovereignty Screener

When you procure an AI SaaS tool, you are not just buying software. You are establishing a permanent, high-velocity data supply chain.

The core friction for mid-market deployers is the convergence of the EU AI Act and GDPR Chapter V.

Data residency is not data sovereignty. Using US-based cloud infrastructure creates supply chain dilution. It exposes your data to foreign jurisdictions via the US CLOUD Act.

If a vendor routes your internal corporate data to external servers for processing, the liability rests entirely on your organization. You cannot outsource this governance.

The Corporate Exhaust Analogy

Allowing an AI vendor to train their models on your internal data is like hiring a catering company for a private board meeting.

Later, you discover they recorded your strategic conversations to sell as an audiobook.

You paid them for a service, but they monetized your proprietary exhaust. In the AI era, your prompts are your intellectual property.

3D illustration of a corporate data pipeline being filtered and blocked from external AI vendor ingestion

Vet the Vendor Data Processing Agreement (DPA)

Use the screener below to evaluate the vendor terms of service before signing the contract.

Generate a formal Vendor AI Risk Attestation to attach to your internal procurement ticket.

Privacy By Design: This executes entirely in your browser. We never see your responses.

1. The Ingestion Trap (Model Training)

According to the vendor terms of service, do they use customer inputs to train or improve their own foundational AI models? Example: Prompts and uploaded files.

No or Zero Retention API

The vendor explicitly guarantees in writing that customer data is never used for training.

Opt-Out Required

They train on data by default. We must manually toggle a setting to opt out.

Yes or Unclear

They retain the right to improve their services using our data. There is no enterprise opt-out available.

Data Security Note: Your selections stay right here on your screen.

2. The Geographic Pipeline (Inference Data)

Where does the actual compute and inference processing of the AI workload take place?

Routing inference data outside the EU triggers immediate GDPR Chapter V and Schrems II liability. This applies even if the vendor promises zero data retention.

Strictly EU or Local

Compute is handled strictly within the EU with no US sub-processors. Alternatively, it is fully local on corporate hardware.

US Cloud or External

Inference data is routed to the US or UK. This relies on Standard Contractual Clauses or DPF. It exposes prompts to the US CLOUD Act.

Unknown or API Wrapper

The vendor passes inference data to third-party APIs. There is a high risk of sub-processor dilution and untraceable routing.

Privacy Note: We do not track your answers.

3. The Retention Window

How long does the vendor store the prompts and generated outputs on their servers?

Zero Retention

Data is dropped immediately after the output is generated. Example: Enterprise APIs.

Trust and Safety Window

Data is stored temporarily to monitor for abuse, then automatically purged. Example: 30-day retention.

Indefinite or Profile Linked

Data is saved to user history indefinitely until manually deleted.

Data Sovereignty Lock: We do not transmit, sync, or store your response.

Decision flowchart for evaluating AI vendor DPAs and geographic data routing

Target Vendor or Application Name

Security Note: What you type stays on your machine.

Disclaimer: This structural mapping acts as a preliminary screening tool for vendor evaluation. It does not replace a formal Data Processing Agreement (DPA) review or a Transfer Impact Assessment (TIA) under GDPR. Consult licensed EU privacy counsel.

AI Vendor Data Sovereignty Screener

Vet the Vendor Data Processing Agreement (DPA)

1. The Ingestion Trap (Model Training)

2. The Geographic Pipeline (Inference Data)

3. The Retention Window

Procurement Attestation Record

Get Your Compliance Toolkit