AI Vendor DPA Builder

Generate a data processing agreement scoped to AI vendors in two minutes. Answer a few questions and download a ready-to-review Word document — with the no-training, retention, and sub-processor clauses generic templates leave out.

Enter both party names to generate your DPA.
DATA PROCESSING AGREEMENT (AI SERVICES) Between [CONTROLLER NAME] ("Controller") and [PROCESSOR / AI VENDOR NAME] ("Processor") 1. Definitions "Personal Data" means any information relating to an identified or identifiable individual that the Processor processes on the Controller's behalf under this Agreement. "AI Services" means the artificial-intelligence products or services the Processor provides to the Controller. 2. Roles and Scope [CONTROLLER NAME] (the "Controller") determines the purposes and means of processing. [PROCESSOR / AI VENDOR NAME] (the "Processor") processes Personal Data only on the Controller's documented instructions to deliver the AI Services. The categories of Personal Data processed are: Customer names, email addresses, and support-request contents. 3. Model Training and Improvement The Processor shall not use, and shall not permit any sub-processor or foundation-model provider to use, the Controller's personal data, prompts, inputs, or outputs to train, fine-tune, or otherwise improve any AI model, except with the Controller's prior written consent for a specified purpose. Where zero-retention or enterprise API tiers are offered by an underlying model provider, the Processor shall configure the AI Services to use them so the Controller's data is excluded from provider-side training. 4. Retention of Inputs, Outputs, and Logs The Processor shall retain prompts, inputs, outputs, and associated logs only for as long as needed to provide the AI Services or as required by law, and no longer than 30 days for abuse-monitoring or debugging logs unless the Controller agrees otherwise in writing. Any vector stores, caches, embeddings, or fine-tune artifacts containing the Controller's Personal Data are treated as Personal Data and are subject to the deletion obligations in this Agreement. 5. Sub-Processors and Foundation-Model Providers The Controller authorizes the Processor to engage the following sub-processors, which include the foundation-model providers powering the AI Services: OpenAI; Anthropic; Amazon Web Services. The Processor shall impose data-protection obligations on each that are no less protective than those in this Agreement and remains liable for their performance, and shall give at least 30 days' notice before adding or replacing a sub-processor. 6. Security The Processor shall implement appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, access controls, and regular review of its security practices. 7. Personal Data Breach The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's Personal Data, and shall provide the information the Controller needs to meet its own notification obligations. 8. Deletion and Return On termination of the AI Services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, including from logs, caches, and any model artifacts derived from the Controller's data, unless retention is required by law. 9. Audit and Compliance The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement and allow for audits on reasonable notice. This Agreement is intended to satisfy Article 28 of the GDPR and the service-provider requirements of the CCPA/CPRA where applicable. 10. Governing Law This Agreement is governed by the laws of [JURISDICTION], and takes effect on [EFFECTIVE DATE]. Signatures Controller: [CONTROLLER NAME] ______________________ Date: __________ Processor: [PROCESSOR / AI VENDOR NAME] ______________________ Date: __________ This document is provided for general information only and is not legal advice.

Why a generic DPA isn’t enough for AI vendors

A standard data processing agreement was written for ordinary software vendors. AI vendors introduce three risks a generic template never addresses: your data being used to train their models, prompts and outputs being retained indefinitely in logs, and foundation-model providers (OpenAI, Anthropic, and others) quietly sitting underneath as undisclosed sub-processors. This builder writes those clauses in for you.

Want the full, hand-editable version with every clause and commentary? Download the AI data processing agreement template. New to vetting AI vendors? Start with the AI vendor evaluation checklist.

Want us to review the vendor, not just the paperwork?

We help small businesses evaluate AI vendors end to end — the contract, the data setup, and whether the solution will actually work.

Book a Consultation

Frequently Asked Questions

  • A DPA is the contract that governs how a vendor handles personal data on your behalf. For AI vendors it needs extra clauses generic templates miss — whether your data trains their models, how long prompts and outputs are retained, and which foundation-model providers sit underneath. This builder generates one scoped to those AI-specific issues.
  • If an AI vendor processes any personal data belonging to your customers or employees, yes — both GDPR (Article 28) and CCPA/CPRA effectively require a written data processing agreement. It is also simply good protection: it is the document that says your data will not be used to train someone else’s model.
  • It becomes binding once both parties review, complete, and sign it. Because data-protection law varies by jurisdiction, treat the generated document as a strong starting draft and have it reviewed by qualified counsel before signing. It is not legal advice.
  • Three things especially: an explicit no-training clause (your data is excluded from model training unless you consent), retention limits on prompts, outputs, and logs, and disclosure of the foundation-model providers and sub-processors in the stack. This builder includes all three.

This tool generates a draft agreement for general informational purposes and is not legal advice. Data-protection requirements vary by jurisdiction and industry — have the generated document reviewed by qualified legal counsel before signing.