advanta

HomeModule LibraryData

Module DAT-03 sigil: Data pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module DAT-03. The Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SDAT-03
P2· L-G· Bands FoundationalOperational

· DAT-03

Vendor Data Protection Obligations

The Data Protection Agreement is where the firm's data leverage actually lives — and most vendor templates leave the firm exposed in ways that only surface during incident response, by which point the negotiation window is closed. The Vendor DPA Checklist provides the canonical clause-by-clause review against ABA Rule 1.6 confidentiality obligations, EU GDPR Art. 28 processor duties, training-data prohibitions, sub-processor controls, and incident notification timelines. It is the negotiation instrument that prevents post-signature surprises. Methodology v2026.1.

strategic

·

Per-engagement

·

3–6 hours per vendor engagement, depending on complexity and negotiation cycles

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

DAT-03 is the canonical checklist for reviewing and negotiating Data Protection Agreements (DPAs) with AI vendors that handle client or firm data. It operationalises professional responsibility obligations, privacy requirements, and AI-specific risk controls into a structured review process that must be completed before any AI vendor contract is executed or materially amended. The checklist covers data handling and confidentiality, security baselines, AI-specific provisions (including model transparency, sub-processor controls, and agentic safeguards), business continuity and exit rights, regulatory compliance, and core contract terms. It is tightly integrated with the AI Bill of Materials (AI BoM), the Risk Taxonomy 2026, and the Defensibility Posture Statement (DPS). A completed DAT-03 review, linked to the executed DPA, forms the primary evidence bundle that the organisation has taken reasonable, documented steps to protect client data and supervise AI vendors in line with ABA rules and global privacy regulations.

Defensibility Evidence Produced

Fully completed and signed-off DPA checklist demonstrates that contractual data protection provisions were reviewed against professional responsibility requirements and Risk Taxonomy 2026; the AI BoM activation gate ensures no vendor solution operates without documented data protection compliance; the executed DPA constitutes the data protection DPS evidence bundle for the Defensibility lens

Elements:

Methodology transparencyEvidence framework

Purpose

The Vendor Data Protection Agreement (DPA) Checklist (DAT-03) is the canonical quality gate for reviewing and negotiating AI vendor data protection agreements. It ensures that every DPA governing an AI vendor’s access to client or firm data addresses professional responsibility obligations, privacy requirements, and AI-specific risk provisions required by the Legal AI Blueprint.

No AI vendor contract should be executed without a completed DAT-03 review.

Operating cadence: Per-engagement — completed for each AI vendor contract negotiation or material contract amendment.

Owner: Legal Operations, Risk and Compliance, Privacy Counsel.

When to Use This Module

  • Before executing any AI vendor contract or data processing agreement
  • When renewing or materially amending an existing AI vendor contract
  • When a new AI feature is added to an existing vendor relationship not covered by the original DPA
  • When completing VEN-01 Pass/Fail Criterion 1 (Data Protection Agreement) — this checklist is the verification instrument

AI Bill of Materials — Pre-DPA Requirement (Metric 0)

Before beginning DPA review, confirm the AI BoM pre-check:

| AI BoM Pre-Check | Status |

|—|—|

| Vendor has completed VEN-01 evaluation and cleared Pass/Fail criteria | Confirm |

| AI BoM entry draft exists for this vendor and solution | Confirm |

| Data classification of client data to be processed confirmed | Confirm |

DPA execution is a prerequisite for AI BoM activation. An AI BoM entry for a vendor solution cannot be marked active until the DPA review under this checklist is complete and the DPA is executed. The AI BoM entry must reference the executed DPA date and the DAT-03 review completion date.

Section 1: Data Handling and Confidentiality

Operational Signals

dat-03.executed-dpa-coverage

Defensibility Posture Statement

Executed DPA in place for every active AI vendor — DE-3 Evidence framework record.

On change

dat-03.clause-deviation-rate

Annual Legal AI OS Index

Clause deviations from canonical checklist tracked per vendor for Annual Index defensibility-discipline signal.

Quarterly

dat-03.subprocessor-change-events

Console

Sub-processor change notifications logged and reviewed for Console intelligence substrate.

On change

Inputs · Outputs

Inputs

  • · VEN-01 Pass/Fail documentation and vendor shortlist
  • · Vendor's proposed DPA terms
  • · Sub-processor list from vendor
  • · Applicable regulatory requirements (GDPR, CCPA, ABA Rules 1.6/1.1/5.3)

Outputs

  • · DAT-03 review completion record
  • · Negotiated DPA with all required provisions
  • · VEN-01 Pass/Fail Criterion 1 PASS confirmation
  • · AI BoM activation clearance
  • · GOV-03 Risk Register entries for any DPA gaps

Framework Crosswalk

NIST AI Risk Management Framework

NIST

DAT-03 operationalises third-party and data governance controls for AI systems, supporting NIST AI RMF Govern and Manage functions.

ISO/IEC 27001 Information Security Management

ISO

Security certification, access control, logging, and incident response checks in DAT-03 align with ISO 27001 Annex A controls for information security and supplier relationships.

EU General Data Protection Regulation (GDPR)

European Union

DPA content requirements, SCCs, breach notification, and data subject protections in DAT-03 map to GDPR Articles 28, 32–34, and Chapter V on international transfers.

EU AI Act

European Union

AI model transparency, risk controls, and high-risk system roadmap checks support compliance planning for EU AI Act obligations on providers and deployers.

ABA Model Rules of Professional Conduct

American Bar Association

DAT-03 explicitly maps DPA provisions to ABA Rules 1.1, 1.5, 1.6, 3.1, and 5.3, evidencing reasonable measures over confidentiality, competence, and supervision of AI vendors.

Operational Artefacts

  • DAT-03 Vendor DPA Checklist (structured worksheet)

    checklist · v2026.1

    Gated
  • Sample AI vendor DPA redline playbook

    docx · v2026.1

    Gated

Diagnostic Relevance

Running the DPA Checklist strengthens the Defensibility lens — expected Band progression: Foundational → Operational.

Confidence: high

Key Takeaways

  • DPA execution is a prerequisite for AI BoM activation — no vendor solution can be marked active until DAT-03 review is complete and the DPA is executed

  • The no-training clause must be an absolute contractual and technical prohibition — reasonable commercial efforts is not sufficient to satisfy professional responsibility requirements

  • Agentic Tier AI solutions require five enhanced DPA provisions: autonomous action audit trail, kill-switch guarantee, scope limitation controls, intervention rate logging, and escalation protocol

  • Sub-processor DPA chain must be confirmed — the primary DPA is only as strong as its sub-processor provisions

  • ABA Rules 1.6, 1.1, 5.3, 3.1, and 1.5 are all implicated; legal team review is required before DPA execution

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal OperationsRisk & Compliance

Strengthens

Defensibility lensSophistication lens

Module Details

Format
Module
Difficulty
Foundational
Pillar
P2
Owner
Legal Operations, Risk and Compliance, Privacy Counsel
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperational

Where this Module lives

The DPA Checklist operates downstream of the RFP and POC and immediately before contract execution. It consumes the AI Use Policy (GOV-02) data-handling scope and feeds the AI BoM with executed DPA records as binding compliance evidence. The Module produces DE-2 (Methodology transparency) and DE-3 (Evidence framework) records into the DPS. Without it, vendor data terms get accepted on the vendor's MSA template.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.