Purpose
The Vendor Data Protection Agreement (DPA) Checklist (DAT-03) is the canonical quality gate for reviewing and negotiating AI vendor data protection agreements. It ensures that every DPA governing an AI vendor’s access to client or firm data addresses professional responsibility obligations, privacy requirements, and AI-specific risk provisions required by the Legal AI Blueprint.
No AI vendor contract should be executed without a completed DAT-03 review.
Operating cadence: Per-engagement — completed for each AI vendor contract negotiation or material contract amendment.
Owner: Legal Operations, Risk and Compliance, Privacy Counsel.
---
When to Use This Module
- Before executing any AI vendor contract or data processing agreement
- When renewing or materially amending an existing AI vendor contract
- When a new AI feature is added to an existing vendor relationship not covered by the original DPA
- When completing VEN-01 Pass/Fail Criterion 1 (Data Protection Agreement) — this checklist is the verification instrument
---
AI Bill of Materials — Pre-DPA Requirement (Metric 0)
Before beginning DPA review, confirm the AI BoM pre-check:
| AI BoM Pre-Check | Status |
|—|—|
| Vendor has completed VEN-01 evaluation and cleared Pass/Fail criteria | Confirm |
| AI BoM entry draft exists for this vendor and solution | Confirm |
| Data classification of client data to be processed confirmed | Confirm |
DPA execution is a prerequisite for AI BoM activation. An AI BoM entry for a vendor solution cannot be marked active until the DPA review under this checklist is complete and the DPA is executed. The AI BoM entry must reference the executed DPA date and the DAT-03 review completion date.
---