25 AI vendors, DPA status, training policy, EU residency, and DPA link in one table.
| Vendor / Product | Plan | DPA available? | Trains on your data? | EU data residency? | DPA / privacy link |
|---|---|---|---|---|---|
| Anthropic Claude API | API | ✅ Yes | ❌ No | ❌ US + SCCs | privacy.anthropic.com/dpa |
| Claude.ai | Free / Pro | ❌ No | ⚠️ May be used | ❌ No | N/A |
| OpenAI API | API | ✅ Yes | ❌ No (since Mar 2023) | ❌ US + SCCs | platform.openai.com/privacy |
| ChatGPT | Free / Plus | ❌ No | ⚠️ Yes (opt-out available) | ❌ No | N/A |
| ChatGPT Team | Team ($30/user) | ✅ Yes | ❌ No | ❌ US + SCCs | openai.com/policies/data-processing-addendum |
| ChatGPT Enterprise | Enterprise | ✅ Yes (custom) | ❌ No | ❌ US + SCCs | Via OpenAI sales |
| Azure OpenAI | Azure | ✅ Yes (MSDPA) | ❌ No | ✅ EU regions available | Microsoft DPA |
| Google Gemini API (AI Studio) | Free | ❌ No | ⚠️ Yes | ❌ No | N/A |
| Google Vertex AI (Gemini) | Google Cloud | ✅ Yes | ❌ No | ✅ EU regions available | Google Cloud DPA |
| Google Workspace (Gemini) | Business / Enterprise | ✅ Yes | ❌ No | ✅ EU regions available | Google Workspace DPA |
| Mistral AI API | API | ✅ Yes | ❌ No | ✅ EU-native (France) | mistral.ai/terms/dpa |
| AWS Bedrock | AWS | ✅ Yes (AWS DPA) | ❌ No | ✅ EU regions available | aws.amazon.com/compliance/data-privacy |
| Amazon Q | Business / Pro | ✅ Yes (AWS DPA) | ❌ No | ✅ EU regions available | AWS service terms |
| Cohere API | API | ✅ Yes | ❌ No | ❌ Canada/US + SCCs | cohere.com/privacy |
| GitHub Copilot | Individual | ❌ No | ⚠️ Yes (opt-out available) | ❌ No | N/A |
| GitHub Copilot | Business | ✅ Yes (GitHub DPA) | ❌ No | ❌ US + SCCs | github.com/customer-agreement |
| GitHub Copilot | Enterprise | ✅ Yes | ❌ No | ❌ US + SCCs | Included in enterprise agreement |
| Cursor | Individual | ❌ No | ❌ No (telemetry off) | ❌ No | N/A |
| Cursor | Teams | ✅ Yes | ❌ No | ❌ US + SCCs | cursor.com/privacy |
| Microsoft Copilot | Free / Pro | ❌ No | ⚠️ May be used | ❌ No | N/A |
| Microsoft 365 Copilot | M365 Business/Enterprise | ✅ Yes (MSDPA) | ❌ No | ✅ EU regions available | Microsoft DPA |
| Perplexity | Consumer | ❌ No | ⚠️ May be used | ❌ No | N/A |
| Perplexity Enterprise | Enterprise | ✅ Yes | ❌ No | ❌ US + SCCs | Via Perplexity sales |
| Together AI | API | ✅ Yes | ❌ No | ❌ US + SCCs | together.ai/privacy |
| Hugging Face | Inference Endpoints | ✅ Yes | ❌ No | ✅ EU regions available | huggingface.co/privacy |
| Replicate | API | ✅ Yes | ❌ No | ❌ US + SCCs | replicate.com/privacy |
Key: ✅ Yes / ❌ No / ⚠️ Conditional or opt-out required
Last verified: May 2026. DPA terms change; always verify directly with the vendor before relying on this table for a compliance decision.
TL;DR: 25 AI vendors, DPA status, whether they train on your data, EU data residency, and self-serve DPA link, in one table. Key findings: API tiers almost always have a DPA; consumer/free tiers almost never do. EU data residency is available at Azure OpenAI, Google Vertex AI, and Mistral, but not at Anthropic or OpenAI direct. If your team is using a consumer-tier AI tool for work tasks, you likely have no legal data processing framework in place.
How to Read This Table
- DPA available?: Whether a Data Processing Agreement covering GDPR Article 28 processor obligations is available for this plan tier. A DPA is required before you can legally send EU personal data to the vendor under GDPR.
- Trains on your data?: Whether the vendor uses your inputs (prompts, outputs, code, documents) to train or improve their foundation models. "No" means the vendor's policy states they do not use your data for training. A DPA gives you a legal commitment; "No" on a free tier without a DPA is a policy statement only.
- EU data residency?: Whether data can stay inside the EU. "EU regions available" means you can configure the service to process data in EU data centers, so no cross-border transfer mechanism is needed. "US + SCCs" means data is processed in the US, with EU transfers covered by the Standard Contractual Clauses in the DPA.
- DPA link: Where to find the self-serve DPA for the relevant tier.
The Core Pattern
Three rules explain almost every row in this table:
Rule 1: API tiers have DPAs; consumer tiers do not. The free ChatGPT, free Claude.ai, Google AI Studio, and personal Copilot are consumer products. If your team is using these with business data, you have no legal data processing framework. Switch to the API tier or an organizational plan.
Rule 2: EU residency requires Microsoft, Google Cloud, Mistral, or Hugging Face (EU regions). If genuine EU data residency is a requirement (stricter than SCCs), these are your options. Anthropic and OpenAI direct route all traffic through US infrastructure.
Rule 3: "No training" on consumer tiers requires opt-out; on paid tiers it is the default. ChatGPT (free) trains on your data by default; you must go to Settings > Data controls > Improve the model for everyone and disable it. On paid organizational plans (Team, Enterprise), the no-training commitment is the default and is backed by the DPA.
What "SCCs" Means for Your Team
Standard Contractual Clauses (SCCs) are the EU Commission's approved template contracts for transferring personal data from the EU to countries without an EU adequacy decision, including the US. A DPA that includes SCCs is sufficient for GDPR-compliant transfers to US-based AI vendors for most purposes.
If your legal team says "we can't use SCCs," the options are:
- Use an EU-residency provider (Azure OpenAI, Vertex AI, Mistral, AWS EU regions)
- Deploy a self-hosted open-source model (no vendor transfer)
- Anonymize all data before it leaves the EU (no personal data = no GDPR transfer restriction)
How to Verify a DPA Before Sending Data
Before your team sends any prompt containing personal data to an AI vendor:
- Confirm the tier: Is your team on a plan that includes a DPA? If in doubt, check the vendor's pricing page; DPA availability is usually listed under compliance features.
- Access the DPA: Follow the self-serve link in the table above. For enterprise agreements, ask your account manager.
- Check for SCCs: For non-EU vendors, confirm the DPA includes EU Standard Contractual Clauses or that the vendor has an EU adequacy decision equivalent.
- Note the sub-processor list: GDPR requires you to know who the vendor shares data with. The DPA should include a sub-processor list or a URL to one.
- Record it: Add the DPA link, date accessed, and the specific product/tier to your AI tool register.
Vendors Not in This Table
If an AI tool your team uses is not in this table and you cannot find a DPA in their privacy documentation:
- The tool is likely a consumer product without a DPA; treat it as non-compliant for EU personal data
- Check the vendor's "for business" or "enterprise" page; DPA availability is often listed there
- If you cannot find a DPA after 5 minutes of searching, the vendor probably does not offer one for the tier you are on
For tools that handle EU personal data and cannot provide a DPA, your options are: stop using the tool for data involving EU residents, require employees to anonymize data before use, or replace the tool.
Using This Table in an AI Tool Register
When you add an AI tool to your team's AI tool register, record:
| Field | What to capture |
|---|---|
| Tool name and vendor | Full name + parent company |
| Plan tier | Which plan you're on; DPA availability varies by tier |
| DPA confirmed? | Yes (with date) / No / In progress |
| DPA link | Direct URL to the DPA document you accepted |
| Training opt-out confirmed? | Yes (with date) / Not applicable (DPA covers this) |
| EU data residency | Required / Available and configured / Not required |
| Sub-processor list URL | Link to the vendor's current sub-processor list |
This creates an audit trail showing you assessed each vendor's data handling before deploying.
Common DPA Gaps That Cause Compliance Problems
After reviewing DPAs for 25+ AI vendors, the most common gaps that small teams encounter are:
Sub-processor lists that are not kept current. GDPR requires you to know who processes data on your behalf. Many vendors publish a sub-processor list in their DPA but update it infrequently. Check whether the DPA gives you advance notice of sub-processor changes (30 days is the standard), and whether you have the right to object. If the DPA only requires "reasonable notice" with no objection right, that is a weak control.
Training opt-out language buried in supplemental terms. The main DPA may state "we do not train on your data" while a separate model improvement policy contains an opt-in that is enabled by default. For each vendor, verify the training commitment in the DPA against the actual account settings. Screenshot the settings at the time of DPA acceptance and save it alongside the DPA record.
No deletion commitment timeline. GDPR Article 17 (right to erasure) requires vendors to delete data on request. A DPA that says "we will delete data upon contract termination" but provides no timeline for when deletion actually occurs is not meaningfully compliant. Look for "within X business days" language; if it is missing, ask the vendor directly before accepting.
SCCs that reference outdated model clauses. The EU adopted new Standard Contractual Clauses in 2021 (replacing the 2010 and 2004 versions). DPAs that reference the old model clauses are technically invalid for EU data transfers. Most major vendors have updated their SCCs, but smaller vendors may not have; check the date and version of the SCCs referenced in the DPA.
If your team finds any of these gaps in a current vendor's DPA, the appropriate response is to raise it with the vendor's legal or privacy team before the next contract renewal. Document the gap and your escalation in the AI tool register.
California AB 2013: Training Data Disclosure for Vendors Selling in California
California AB 2013, in effect January 1, 2026, requires AI developers who deploy systems to California residents to publish a summary of their training data. This affects how you evaluate vendors: a vendor that cannot point you to a training data disclosure page is potentially out of compliance with California law, which is a procurement risk.
When evaluating any vendor in this table, check whether they have published:
- Training data summary (which data sources, what time period, whether personal data was included)
- Synthetic data disclosure (if applicable)
- A process to update the disclosure when training data materially changes
Most major vendors (OpenAI, Anthropic, Google, Microsoft) have published model documentation that addresses these requirements. Smaller AI vendors may not have, and that is a yellow flag in DPA due diligence. For the full AB 2013 requirement breakdown, see the California AB 2013 training data transparency guide.
Four Questions to Ask Any AI Vendor Before Signing
If a vendor is not in this table or their DPA is unclear, these four questions get to the substance faster than reading a 40-page agreement:
1. "Where is my data processed, and is an EU representative listed for GDPR purposes?" This surfaces data residency and controller/processor structure. A vendor that cannot answer confidently likely has not completed their GDPR readiness work.
2. "Do you train AI models on API inputs from business customers, and what is the opt-out mechanism at the account level?" "We don't train on your data" appears in many consumer terms but not all API terms. Get the specific answer for the tier you are purchasing, and confirm the opt-out is a per-account switch, not a per-user setting.
3. "What is your sub-processor list update cadence, and do we receive advance notice before new sub-processors are added?" 30 days advance notice is the standard expectation. Vendors that cannot commit to this may not maintain their sub-processor list reliably.
4. "How long is data retained after deletion, and do you offer zero-data-retention options?" Both OpenAI and Anthropic retain API data for up to 30 days for safety review even after account deletion requests. If your use case requires shorter retention (e.g., regulated data, healthcare), ask about zero-data-retention API plans before signing a standard agreement.
References
- Anthropic: privacy.anthropic.com
- OpenAI: openai.com/policies
- Microsoft: microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Google Cloud: cloud.google.com/terms/data-processing-addendum
- Mistral: mistral.ai/terms/dpa
- EU GDPR Article 28: Processor obligations
- EU GDPR Chapter V: Transfers to third countries
- Related: Privacy-first AI APIs for GDPR compliance
- Related: AI tool register template
Related Reading
- Privacy-first AI APIs, which don't train on your data
- Anthropic vs OpenAI GDPR compliance compared
- California AB 2013 AI training data transparency compliance
- AI tool register template
- AI vendor due diligence checklist
- ChatGPT Team vs Enterprise compliance differences
- AI governance guide for small teams
- AI agent persistent memory GDPR compliance 2026
