AI Third-Party DPA Review: 10 Clauses to Look For
When I review AI vendor DPAs for clients, I run through the same checklist of ten clauses every time. Most vendor templates handle three or four well, do four or five badly, and miss one or two entirely. This is the working list, with the language I use to negotiate each clause. It's not a substitute for legal counsel — your contracts attorney owns the redlines — but it's the framework that makes the legal conversation productive instead of starting from scratch every time.
1. Training Data Carve-Out
The single most important clause. The vendor must contractually agree that Customer Data is not used to train any model.
**Strong language:** 'Vendor shall not use Customer Data — including inputs, outputs, prompts, completions, embeddings, or any derived representations — to train, fine-tune, evaluate, benchmark, or otherwise improve any model, whether operated by Vendor, an Affiliate, or any third party. This restriction applies to foundation models, fine-tuned models, retrieval-augmented systems, and any future model architectures.'
**Weak language to reject:** 'Vendor may use de-identified or aggregated data for service improvement.' De-identification of free-form text isn't reliably possible. Aggregation isn't well-defined.
2. Sub-Processor Disclosure and Right to Object
AI systems route through multiple parties. You need to know who, and have a right to object.
**Strong language:** 'Vendor will maintain a current list of Sub-Processors at [URL], updated at least 30 days in advance of any change. Customer may object in writing to any new Sub-Processor, and the parties will negotiate in good faith to resolve the objection, including by Vendor offering an alternative arrangement or, if no resolution is reached, Customer's right to terminate the affected portion of the Service.'
3. Model-Update Notification
A material model change alters the system's behavior, so you need advance notice in order to re-validate before the change reaches production.
**Strong language:** 'Vendor will provide Customer at least 30 days' advance written notice of any Material Model Change, including model version upgrades, retraining events, and changes to alignment, safety, or guardrail systems that may materially affect outputs. "Material" includes any change reasonably likely to alter the distribution of outputs for typical Customer use cases.'
4. Data Residency and Processing Location
Where data is processed matters for regulatory and contractual compliance.
**Strong language:** 'Customer Data shall be processed and stored exclusively in [agreed regions, e.g., the United States]. Vendor will not transfer Customer Data outside the agreed regions without Customer's prior written consent. Vendor will provide documentation of processing locations upon request.'
5. Retention and Deletion
Define retention windows and certify deletion — including derived representations like embeddings.
**Strong language:** 'Prompts, outputs, and logs shall be retained no longer than [30] days. Embeddings and derived representations shall be deleted within [60] days of the deletion of the source content. On termination of the Agreement, Vendor shall, within 60 days, delete all Customer Data, including derived representations, embeddings, cached outputs, and backups (subject to a defined backup-rotation window), and shall provide Customer with written certification of such deletion.'
6. Incident Notification With AI-Specific Triggers
Standard breach notification clauses don't contemplate AI-specific incidents.
**Strong language:** 'Vendor shall notify Customer within 72 hours of becoming aware of any Security Incident. "Security Incident" includes, without limitation: (a) unauthorized access to or disclosure of Customer Data; (b) prompt injection or other attacks resulting in unauthorized data access or policy-violating outputs from Customer's account; (c) model jailbreaks producing policy-violating content traceable to Customer; (d) downstream contamination of training data with Customer Data; and (e) any incident affecting Sub-Processors that implicates Customer Data.'
7. Audit and Documentation Rights
You need access to the documentation that proves the program works.
**Strong language:** 'Customer may, on reasonable notice and no more than once per year (unless a Security Incident has occurred), conduct or commission audits to verify Vendor's compliance. Vendor shall provide Customer with: (a) current SOC 2 Type II report or equivalent; (b) ISO 27001 certification (and ISO 42001 once available); (c) model cards and system cards for any model touching Customer Data; (d) bias testing methodology and results; (e) penetration test summaries; and (f) Vendor's AI governance documentation.'
8. Bias Testing and Documentation
For AI systems making or supporting consequential decisions, bias testing must be contractually required.
**Strong language:** 'For any model used to make or substantially inform consequential decisions affecting individuals, Vendor shall conduct bias testing using a documented methodology at least annually and shall make the methodology and results available to Customer upon request. Vendor shall promptly notify Customer of any bias findings that materially affect the model's suitability for Customer's use case.'
9. Indemnification for IP, Privacy, and Output Liability
Foundation models occasionally regurgitate training data, and models occasionally produce defamatory or infringing content. The indemnity needs to cover both.
**Strong language:** 'Vendor shall defend, indemnify, and hold Customer harmless from and against any third-party claim arising from: (a) infringement of IP rights by Vendor's models or outputs; (b) Vendor's breach of the training data carve-out; (c) Vendor's gross negligence in handling Customer Data; and (d) defamatory, discriminatory, or otherwise legally actionable outputs produced by Vendor's models, except to the extent caused by Customer's misuse.'
10. Liability Cap That Reflects AI Risk
Standard SaaS liability caps (12 months of fees) don't reflect AI-specific risk.
**Strong language:** 'The liability cap shall not apply to: (a) breach of confidentiality obligations; (b) breach of the training data carve-out; (c) Vendor's indemnification obligations; (d) gross negligence or willful misconduct; or (e) Security Incidents resulting in exposure of regulated data. For all other claims, the cap shall be the greater of [$X] or [Y] months of fees paid in the preceding 12 months.'
How to Run the Review
Print the vendor's DPA. Mark each clause as green (acceptable), yellow (negotiate), or red (must change). Bring the red and yellow to your contracts attorney. Don't rewrite the contract from scratch — pick your fights. The vendors that matter will negotiate on most of these clauses. The vendors that won't negotiate on any of them are telling you something. Our AI Vendor Risk Scorecard gives you a structured way to capture the decisions and rationale, and our broader AI Governance & Compliance practice provides the operational wrapper so the contractual terms turn into actual ongoing control.
What Happens After Signature
The signed DPA is the starting line, not the finish line. Track sub-processor changes, model-update notifications, and incident notifications. Re-review annually. Most contractual protections fail not because the contract was weak, but because nobody was paying attention to whether the vendor was honoring the contract. That ongoing attention is the part of vendor management that most mid-market programs neglect — and the part that determines whether the contract actually protects you.
Frequently Asked Questions
Which clause is the most important?
The training data carve-out. Without it, every interaction with the vendor is training someone else's model. Every other clause matters, but this is the one I would walk away from a deal over.
What if the vendor refuses to budge on the liability cap?
Negotiate carve-outs from the cap for the highest-risk categories (training carve-out breach, regulated data exposure, IP indemnity, gross negligence). A general cap with uncapped carve-outs for the catastrophic categories is the realistic middle ground.
Do these clauses apply to free or low-cost AI tools?
If the tool touches Customer Data — any data your business is responsible for — yes. The risk doesn't scale with price. Many free tools have terms of service that fail every one of these clauses, which is why employee use of free AI tools is a major governance gap.
About the author

Stefan Efros
CEO & Founder, EFROS
Stefan founded EFROS in 2009 after 15+ years in enterprise IT and cybersecurity. He sees how the pieces connect before others see the pieces themselves. Focus: security-first architecture, operational rigor, and SLA accountability.