DPA Templates for AI Email Vendors: What to Demand
The exact clauses to insist on. Sub-processors, retention, training, audit, breach SLA.
Vendor DPAs are usually fine as starting points and bad as final agreements. The boilerplate covers the GDPR baseline (Article 28 processor terms); AI email creates risk classes that boilerplate misses, chiefly model training on your mail and a longer chain of sub-processors (foundation-model providers, vector stores, transcription services). Five clauses to focus on:
Sub-processor clause
Demand: a published list of all sub-processors with the function each performs and the jurisdiction it processes in, notification of additions or replacements at least 30 days in advance, and a customer right to object (which Article 28(2) GDPR already requires the vendor to honour). For an AI email product, check that the list names the model provider and any inference host explicitly. Walk away if: the list is "maintained by vendor on request" (no published list), or the notice period is "reasonable" with no number attached.
Retention clause
Demand: explicit retention periods, stated in days, for each data class separately: raw mail and attachments, derived AI artifacts (embeddings, summaries, classifier outputs, prompt/response logs), and audit logs. Derived artifacts matter because an embedding or summary of a mailbox can survive deletion of the mailbox itself if the clause only covers "customer data". Demand: customer-initiated deletion of all three classes, including copies held by sub-processors and in backups, completed within a 30-day SLA and confirmed in writing. Walk away if: "retained as long as commercially reasonable" or "for the duration of the agreement" with no post-termination deadline.
Training-data exclusion
Demand: a contractual statement that customer data, including derived artifacts, is never used to train, fine-tune, or evaluate any AI model, whether the vendor's own or a sub-processor's, and that the vendor's contracts with its model providers pass the same restriction down. Walk away if: "customer data may be used in aggregated form to improve service" or "de-identified data may be used to improve our models." Both are training back-doors: "aggregated" and "de-identified" are undefined, and "improve service" is how training is described in marketing copy.
Audit rights
Demand: a right to audit the vendor's processing of your data at least once a year on reasonable notice (directly or through an independent auditor you appoint), plus the right to receive, on request, the access and audit logs covering your data. Article 28(3)(h) GDPR already obliges the processor to make this information available; the clause should fix the cadence and the notice period so the right is usable. Walk away if: audit is available only on "reasonable suspicion of breach", or is satisfied solely by the vendor's own summary of a third-party report.
Breach notification
Demand: notification within 24 hours of the vendor becoming aware of an incident affecting your data, with the notice carrying the facts the vendor has at that point (data classes, systems, sub-processors involved) and updates as the investigation proceeds. Anchor the clock to awareness, not "confirmation": a vendor controls when it declares an incident confirmed, and as controller you have 72 hours from your own awareness to notify the supervisory authority (Article 33 GDPR), so every hour the vendor spends "confirming" comes out of your window. Walk away if: "as soon as practicable", "without undue delay" with no number, or a clock that starts at the vendor's confirmation.
Frequently asked questions
Will vendors actually negotiate DPAs?
Larger vendors have standard DPAs they enforce; you can sometimes get side-letters or an addendum covering the clauses above. Smaller vendors are more flexible. Either way, expect to spend more effort on the negotiation than the vendor does.
Can I use a third-party DPA template?
Yes. The European Commission's Article 28 standard contractual clauses, several national data protection authorities, and the IAPP publish processor-agreement templates. Use them as a benchmark for what "standard" looks like, and note that none of them covers AI training exclusions, so the clause above has to be added to any template you use. Some vendors will accept your template if you push.
Ready to try PrometheusMail?
14-day free trial, no credit card. First 100 waitlist teams get 50% off for life.
Join the waitlist →