DPA
Data processing agreement: the contract that spells out how a vendor handles your data on your behalf. What they can do with it, how long they keep it, whether they train on it, and what happens if there is a breach. The document that turns a vendor's privacy promises into binding terms.
What it is
When you put company data into a tool, the vendor becomes a "processor" acting on your instructions. A DPA is the contract that governs that relationship. For an AI vendor, the clauses that matter most are: do they train on your data (you want no), how long do they retain it, who can access it, where is it stored, and what are their breach-notification obligations. Business and enterprise AI plans come with a DPA; consumer plans generally do not.
Why CEOs care
Because the DPA is where "we take privacy seriously" becomes enforceable or stays marketing. A handshake or a help-center FAQ is not a commitment; a DPA is. If you are putting customer or employee data through an AI tool, the DPA is the thing your counsel reads, and the absence of one is a signal you are on a consumer tier that was never meant for company data.
Where you'll see it
In any business-tier AI purchase, and in the diligence step of setting up AI without leaking customer data. Ask every vendor: "Can we get your DPA, and does it say you do not train on our data?"
Example
Before rolling out a business AI plan, a CEO has counsel check that the DPA confirms no training on company data and a defined retention window. That one document is the difference between a governed tool and a hope.
Related
- zero-data-retention
- pii