AI Vendor Contract Template: A Practical Guide for European SMEs

TL;DR: Annotated AI vendor contract and DPA template for European SMEs. Key clauses for GDPR Article 28, EU AI Act Article 25, and data residency.

Why this matters: AI vendor contracts in 2026 look nothing like the SaaS contracts your legal team reviewed two years ago. Training data provisions, model versioning rights, output indemnification, GDPR Article 28 data processing agreements, and EU AI Act Article 25 deployer obligations all need to appear somewhere in your vendor documentation. Most standard vendor agreements from US-based AI providers do not include these clauses. Most European SMEs accept vendor-provided terms without modification. The gap between those two facts is where legal exposure quietly accumulates.

This guide provides an annotated template of the clauses your AI vendor contracts should include, with plain-language explanations of why each clause matters and what a weak alternative looks like.

A companion article covers the negotiation strategy for getting vendors to accept these terms. This guide focuses on what the clauses should say.

Data Processing Agreement (DPA) Clauses

Clause 1: Subject Matter and Duration

Template language: "The Processor shall process Personal Data on behalf of the Controller solely for the purposes specified in Schedule 1 (Permitted Processing Purposes) and for no other purpose. Processing shall commence on the Effective Date and continue until termination of the Principal Agreement."

Why it matters: GDPR Article 28(3) requires the DPA to specify the subject matter and duration of processing. Vague language ("as necessary to provide the services") may not satisfy this requirement and gives the vendor latitude to use your data for purposes you did not intend, including model training.

Red flag: Any DPA that defines permitted purposes as "as required to deliver the services and improve the vendor's products." The "improve the vendor's products" carve-out covers model training unless explicitly excluded.

Clause 2: Data Residency and Sub-Processor Restrictions

Template language: "Personal Data processed under this Agreement shall be stored and processed exclusively within the European Economic Area, unless the Controller has provided prior written consent to processing in a specific third country, subject to the transfer mechanisms specified in Schedule 2 (International Transfer Mechanisms). Any sub-processor engaged to process Personal Data shall be restricted to jurisdictions listed in Schedule 2. The Processor shall notify the Controller no less than 30 days prior to adding any new sub-processor."

Why it matters: EU AI providers routinely use US-based infrastructure (AWS, Google Cloud, Azure) for model inference. Cross-border data transfers require either an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. The 30-day notice period for new sub-processors is the minimum that gives you a meaningful exit window.

Red flag: DPAs that list sub-processors by category ("cloud infrastructure providers") rather than by name, or that provide only 10-day notice windows.

Clause 3: Data Deletion and Return

Template language: "Upon termination of this Agreement, or upon the Controller's written request, the Processor shall: (a) return all Personal Data to the Controller in a machine-readable format within 30 days; (b) securely delete all Personal Data and copies thereof, including from backup systems, within 90 days; and (c) provide written certification of deletion upon request. Deletion shall be verified using [specific standard, e.g., NIST 800-88] or equivalent."

Why it matters: AI vendors retain training and inference logs unless explicitly contracted otherwise. Without a deletion clause with a specific standard, "deletion" may mean removal from production databases while backups persist for years.

Red flag: Deletion language limited to "upon termination we will delete your account" with no reference to Personal Data in logs, model weights, or backup systems.

EU AI Act Provisions

Clause 4: Provider Compliance Representation

Template language: "Where the AI System supplied under this Agreement is classified as a high-risk AI system under Annex III of Regulation (EU) 2024/1689 (EU AI Act), the Provider represents and warrants that: (a) the system has undergone the conformity assessment procedure specified in Article 43; (b) the system is registered in the EU database referred to in Article 71 where required; and (c) the Provider shall maintain the EU Declaration of Conformity for the duration of this Agreement and provide a copy upon request."

Why it matters: As a deployer, your Article 16 obligations are partially contingent on the provider meeting their Article 13 obligations. If your vendor cannot supply a Declaration of Conformity for a system you are using in a high-risk context, you cannot legally deploy it.

Red flag: Vendors whose standard agreement makes no reference to EU AI Act compliance or who respond to requests for the Declaration of Conformity with timelines beyond 6 months from the date of this contract.

Clause 5: Training Data Provisions

Template language: "The Provider shall not use Personal Data submitted by the Controller, or data derived from the Controller's use of the AI System (including prompts, outputs, interaction logs, and usage metadata), to train, fine-tune, or improve the Provider's models or any third-party models, without the Controller's explicit prior written consent specifying the purpose, duration, and scope of such use."

Why it matters: This clause appears in the EU AI Act governance framework context, not just the DPA. If a vendor uses your prompts or outputs to improve their models, that use may affect your competitive information and create obligations under GDPR if the data includes personal data.

Red flag: Terms of service that include language like "we may use aggregated, anonymised usage data to improve our services." "Anonymised" in AI contexts is not a defined standard; ask explicitly whether prompts are used for training.

Liability and Indemnification Clauses

Clause 6: AI Output Indemnification

Template language: "The Provider shall indemnify and hold harmless the Controller against third-party claims arising directly from the AI System generating outputs that: (a) infringe third-party intellectual property rights; (b) constitute defamation or false statements of fact; provided that the Controller has not modified the output before use and has used the system within its documented intended purpose."

Why it matters: AI copyright litigation is active in Europe and the US. If a vendor's model generates text or images that infringe existing IP, the deployer faces exposure unless the contract allocates that liability to the provider.

Red flag: Contracts that disclaim all liability for AI-generated outputs while simultaneously granting you a licence to use those outputs commercially.

Clause 7: Incident Notification

Template language: "The Provider shall notify the Controller within 72 hours of becoming aware of any Security Incident affecting Personal Data or any malfunction of the AI System that has or may have materially affected the accuracy, reliability, or safety of the AI System's outputs. Notification shall include the nature of the incident, the categories and approximate number of data subjects affected, and the measures taken or proposed."

Why it matters: The 72-hour window mirrors GDPR Article 33 (supervisory authority notification). Your ability to meet your own notification obligations depends on receiving timely notice from your vendor.

Minimum Contract Schedule: Checklist

Before signing any AI vendor agreement, verify it contains or can be amended to include:

• [ ] DPA with subject matter, duration, and permitted purposes specified
• [ ] Data residency clause naming specific regions and sub-processors
• [ ] No-training-use clause covering prompts, outputs, and interaction logs
• [ ] 30-day sub-processor change notice period
• [ ] Data deletion standard with certification requirement
• [ ] EU AI Act provider representation (where applicable to high-risk systems)
• [ ] AI output indemnification from provider for IP infringement
• [ ] 72-hour incident notification requirement
• [ ] Governing law specifying an EU member state
• [ ] Data subject rights facilitation clause (vendor will assist with DSARs within 30 days)

FAQ

Our vendor says their standard DPA covers GDPR. Is that sufficient? Usually not for AI-specific provisions. Standard SaaS DPAs predate the EU AI Act and typically do not include no-training-use clauses, high-risk system representations, or AI output indemnification. Review the standard DPA line by line against the checklist above rather than accepting a vendor's representation that it is GDPR compliant.

Can we negotiate these clauses with large AI vendors like OpenAI or Anthropic? Large providers have tiered contract options. The standard consumer terms are non-negotiable. Enterprise agreements typically allow DPA customisation, sub-processor disclosure, and no-training-use provisions. If you are spending more than EUR 50,000 per year with a provider, you should be on an enterprise agreement with a negotiated DPA.

We are a 15-person company. Do we need a lawyer to review AI vendor contracts? For any AI system you are using in a high-risk context (recruitment, credit, health, or employee monitoring), yes. For lower-risk productivity tools, a compliance officer or informed procurement lead working from the checklist above can handle initial review and escalate to legal counsel only for items the vendor declines to include.

What governing law should we specify? An EU member state governing law is strongly preferable. Irish, Dutch, and German courts have active AI and data protection case law. Avoid accepting US state law (Delaware, California) governing law for contracts involving personal data processing, as this creates a cross-border enforcement complexity for GDPR remedies.

Further Reading

• AI Vendor Contract Negotiation for European SMEs
• AI Vendor Evaluation Scorecard for European SMEs
• AI Vendor TCO and Hidden Costs for European SMEs

Need help building a vendor contract review process for your AI tool portfolio? Talk to an AI consultant who specialises in European AI governance.