Sample report | PDF and CSV sample files | Freshness model reviewed May 22, 2026 | Not legal advice

Sample AI vendor commitment report

This sample shows what the paid report should make clear: which vendor sources were checked, which customer commitments may need review, who should decide, and what should stay qualified.

Selected vendors: 5
Commitments: 6
Findings: 8
Decision records: 8
Source citations: 23

How to read this report

Read this before the appendices

Start with the conclusion, open decisions, source evidence, and limits. The PDF follows the same order so a reviewer does not have to hunt through source tables first.

Step 1

Start with the conclusion

Read the executive summary, scope conclusion, and review status before opening the appendices.

This tells a founder, security lead, or counsel whether the report can move forward or still has source and applicability holds.

Step 2

Route the open decisions

Use the first decisions and action plan to assign the owners who must approve, qualify, or hold customer answers.

This turns the report into a short decision list for security, privacy, legal, and founder review.

Step 3

Use sources as evidence

Open the source citations, source excerpts, and evidence table when a reviewer asks what supports a finding.

This keeps official vendor sources, reviewed dates, captured excerpts, and known gaps attached to each material claim.

Step 4

Keep the boundary attached

Attach limitations, the not-legal-advice note, and the readiness checks when the PDF or CSV is routed internally.

This avoids treating the report as legal approval, vendor certification, or a guarantee that every vendor change was detected.

Report cover sheet

Route vendor commitment review work with official source links before Trust Center, DPA, questionnaire, SOC 2, or customer response language goes out.

Needs owner review

Report ID: sample-report
Report type: Public sample report
Audience: Security / GRC, Legal / Privacy, and Founder / Operator reviewers
External use status: Sample only. Use it to inspect the report structure, not as current vendor coverage for a workspace.
Workspace: Sample workspace
Period: Illustrative sample
Generated: 2026-05-24
Source coverage: Reviewable with visible gaps
Scope: 5 vendors, 6 commitments, 8 source documents, and 8 material findings are represented.
Open work: 8 open findings and 0 source coverage gaps should be reviewed before external use.

Files to attach

PDF available: Use the PDF as the review packet for security, legal, privacy, compliance, or founder review.
CSV available: Use the CSV to assign findings, track review status, preserve source links, and copy evidence into internal systems.

Where to save it

  • Internal review ticket
  • SOC 2 monitoring evidence packet
  • Security questionnaire or Trust Center owner note
  • DPA, subprocessor, or privacy review file when applicable

AI Vendor Packet organizes official-source review evidence and suggested review actions. It does not provide legal advice, vendor certification, or final approval for customer answers.

Executive summary

Needs owner review

Use this sample to inspect the report structure, not as current coverage for your company.

5 vendors and 6 commitments are shown with 8 review prompts so your team can judge whether the paid report is useful. The findings are illustrative and should not be treated as live vendor coverage.

What changed: The sample highlights AI data-use, retention, DPA, subprocessor, and security statements that often affect customer commitments. 8 sample findings show where broad vendor language may need product-path review before external use. 23 source citations show the official-source trail a paid report should preserve.

Why it matters: Trust Center answers, DPA exhibits, security questionnaire responses, and SOC 2 monitoring evidence packet notes should stay aligned with the exact vendor source and product path. 7 high-priority items should be reviewed before relying on broad AI data-use or monitoring evidence language externally. 8 decision records identify who should approve, edit, hold, or mark the language not applicable.

Next review actions: Resolve failed, stale, or not-checked sources before using the report as evidence for customer answers. Confirm the exact product path, plan, data category, region, and customer commitment language for each material finding. Attach the source citations and decision register to the internal review ticket or SOC 2 monitoring evidence packet.

Do not conclude: Do not treat this report as legal advice, vendor certification, or final customer-facing approval. Do not treat sample findings as current paid coverage for your workspace. Do not assume unchecked, stale, or failed sources are safe to cite externally.

7 high-priority review prompts and 8 clearly labeled sample findings. 8 source documents checked or represented in the report scope. 8 decision records and 23 source citations are available for review. 0 captured excerpts are present; findings without captured excerpts keep the official URL and evidence limit visible.

Conclusion for this scope

For a production workflow using customer content, personal data, and EU data, this sample shows how an internal AI-vendor commitment review should be organized. Do not copy customer wording until the named owners have made the scope decisions.

Internal review only

Scope basis

  • Selected vendors: OpenAI, Anthropic, Azure OpenAI / Microsoft AI, Google Vertex AI / Gemini for Cloud, AWS Bedrock.
  • Product path and plan: Customer-facing AI features using direct API and cloud-hosted model providers.
  • Commitment scope: 6 selected commitments plus the custom AI-training commitment.
  • Evidence basis: 23 source citations, 8 findings, and 8 source notes or excerpts.

What to do now

  • Resolve the first 3 decisions before using no-training, retention, DPA, or Trust Center language externally.
  • Attach the source citations and decision register to the internal review ticket or SOC 2 monitoring evidence packet.
  • Treat unresolved product-path, agreement, model, region, and downstream storage questions as holds, not as clean evidence.

Do not use this sample conclusion as legal advice, vendor certification, or final approval for a Trust Center answer, DPA exhibit, security questionnaire, or customer response.

Decisions to resolve first

Start here before using the report for a Trust Center answer, DPA exhibit, questionnaire response, or SOC 2 vendor note.

Decision
1. OpenAI: Does the customer answer describe OpenAI API Platform use only, or does it also cover ChatGPT workspace or unmanaged account use?
Owner
Security / GRC
Evidence to inspect
Data controls in the OpenAI platform; reviewed May 21, 2026.
Needed before external use
Answer the applicability question before using this finding externally: Does the customer answer describe OpenAI API Platform use only, or does it also cover ChatGPT workspace or unmanaged account use?
Decision
2. Anthropic: Is a zero data retention agreement actually signed, and which Anthropic products does it cover?
Owner
Legal / Privacy
Evidence to inspect
Zero data retention agreement applicability; reviewed May 21, 2026.
Needed before external use
Answer the applicability question before using this finding externally: Is a zero data retention agreement actually signed, and which Anthropic products does it cover?
Decision
3. Azure OpenAI / Microsoft AI: Should the customer DPA exhibit name Microsoft, OpenAI, or both for this workflow?
Owner
Legal / Privacy
Evidence to inspect
Microsoft Products and Services Data Protection Addendum; reviewed May 21, 2026.
Needed before external use
Answer the applicability question before using this finding externally: Should the customer DPA exhibit name Microsoft, OpenAI, or both for this workflow?

External use limit: hold customer answers until each decision has an owner, applicability answer, and source reference.

Action plan

Use this plan to inspect how a paid report should move from source evidence to owner decisions and closeout.

Sample action plan

Turn the report into a recorded internal review decision before Trust Center, DPA, security questionnaire, audit, or customer-response language is used externally.

Order
1
Owner
Founder / Operator
Action
Confirm report scope and external use limit
Status
Sample only
Completion criteria
Scope is confirmed or corrected before the report is routed as review evidence.
Order
2
Owner
Security / GRC
Action
Resolve source freshness and coverage gaps
Status
Sample only
Completion criteria
Source gaps are refreshed, copied into limitations, or marked as a hold before external use.
Order
3
Owner
Security / GRC
Action
Answer the applicability question
Status
Sample only
Completion criteria
Answer the applicability question before using this finding externally: Does the customer answer describe OpenAI API Platform use only, or does it also cover ChatGPT workspace or unmanaged account use?
Order
4
Owner
Security / GRC
Action
Answer the applicability question
Status
Sample only
Completion criteria
Answer the applicability question before using this finding externally: Confirm exact product path, plan, data categories, region, and customer commitment language before using this as evidence for customer answers.
Order
5
Owner
Security / GRC
Action
Answer the applicability question
Status
Sample only
Completion criteria
Answer the applicability question before using this finding externally: Confirm exact product path, plan, data categories, region, and customer commitment language before using this as evidence for customer answers.
Order
6
Owner
Legal / Privacy
Action
Answer the applicability question
Status
Sample only
Completion criteria
Answer the applicability question before using this finding externally: Is a zero data retention agreement actually signed, and which Anthropic products does it cover?
Order
7
Owner
Security / GRC
Action
Answer the applicability question
Status
Sample only
Completion criteria
Answer the applicability question before using this finding externally: Confirm exact product path, plan, data categories, region, and customer commitment language before using this as evidence for customer answers.
Order
8
Owner
Security / GRC
Action
Answer the applicability question
Status
Sample only
Completion criteria
Answer the applicability question before using this finding externally: Is the selected Vertex AI model, endpoint, and feature eligible for the retention language being reused?

Closure criteria

Criterion
Scope confirmed
Pass condition
A reviewer can tell which vendors, product paths, data categories, and customer-facing commitments are in scope.
Criterion
Source evidence current enough
Pass condition
Failed, stale, and not-checked sources are either refreshed, accepted as explicit limitations, or held out of external use.
Criterion
Owner decisions recorded
Pass condition
Each material finding has an owner decision, applicability decision, or documented hold.
Criterion
Files archived
Pass condition
The report files are attached to the internal review ticket, SOC 2 record, or legal/privacy review file.
Criterion
External-use decision recorded
Pass condition
A named owner records whether the report can support a Trust Center, DPA, questionnaire, audit, or customer-response update.

Escalation triggers

  • An official vendor source is failed, stale, missing, or outside the reviewed product path.
  • A finding depends on plan, region, agreement, model, or data category scope that is not recorded.
  • A customer answer would use vendor language before the named owner records a decision.
  • A reviewer wants to treat the report as legal advice, vendor certification, or final external approval.
  • Record the exact vendor products, plans, and data categories before reusing these answers with customers.

Close the report only after source gaps, applicability questions, owner decisions, file archival, and external use limits are recorded.

Review readiness checks

This sample shows the report format only; it is not evidence for customer answers.

Sample only

Sample findings are illustrative and cannot be accepted as current workspace coverage.

Check
Scope and identity
Status
Sample only
Review question
Can a reviewer see the report scope before reading findings?
Next step
Keep the evidence attached to the report record.
Check
Source coverage ready
Status
Sample only
Review question
Are failed, stale, and not-checked official sources resolved or held?
Next step
Refresh the source, mark it out of scope, or keep the affected row on hold.
Check
Evidence traceability
Status
Sample only
Review question
Can each material row be traced to source citations and evidence status?
Next step
Attach citations and resolve any re-checks before closeout.
Check
Owner decision record
Status
Sample only
Review question
Has each material finding been routed to an owner decision?
Next step
Record approve, edit, not-applicable, or hold for every material finding.
Check
Applicability assumptions
Status
Sample only
Review question
Are product path, plan, data categories, and agreement assumptions clear?
Next step
Confirm product path, plan, region, agreement scope, data categories, and customer commitment wording.
Check
Action plan
Status
Sample only
Review question
Does the packet give reviewers a closure path?
Next step
Complete action-plan holds and record the closeout decision.
Check
Files and archive path
Status
Sample only
Review question
Are the PDF and CSV ready to attach to the system of record?
Next step
Keep the evidence attached to the report record.

A proceed status means the report is organized for internal review. It does not provide legal advice, vendor certification, or final approval for customer answers.

Decision register

Use this to assign owners before a Trust Center answer, DPA exhibit, security questionnaire response, or SOC 2 vendor note goes out.

Finding
OpenAI: Confirm OpenAI API data-use scope before reusing customer AI training language
Owner
Security / GRC
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Does the customer answer describe OpenAI API Platform use only, or does it also cover ChatGPT workspace or unmanaged account use?
Finding
OpenAI: Separate provider retention from your own application retention
Owner
Security / GRC
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Confirm exact product path, plan, data categories, region, and customer commitment language before using this as evidence for customer answers.
Finding
Anthropic: Tie Claude model-training answers to the product path actually used
Owner
Security / GRC
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Confirm exact product path, plan, data categories, region, and customer commitment language before using this as evidence for customer answers.
Finding
Anthropic: Verify whether zero data retention is actually covered by your Anthropic agreement
Owner
Legal / Privacy
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Is a zero data retention agreement actually signed, and which Anthropic products does it cover?
Finding
Azure OpenAI / Microsoft AI: Keep Azure OpenAI evidence separate from direct OpenAI evidence
Owner
Security / GRC
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Confirm exact product path, plan, data categories, region, and customer commitment language before using this as evidence for customer answers.
Finding
Google Vertex AI / Gemini for Cloud: Confirm Vertex AI zero data retention before using that phrase with customers
Owner
Security / GRC
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Is the selected Vertex AI model, endpoint, and feature eligible for the retention language being reused?
Finding
AWS Bedrock: Use Bedrock-specific evidence for model provider access questions
Owner
Founder / Operator
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Which Bedrock models, regions, logging paths, agents, and knowledge bases are enabled?
Finding
Azure OpenAI / Microsoft AI: Review whether customer DPA exhibits should name Microsoft, OpenAI, or both
Owner
Legal / Privacy
Decision state
Needs applicability decision
External use
Hold external answers until product path, agreement scope, and applicability are resolved.
Record action
Answer the applicability question before using this finding externally: Should the customer DPA exhibit name Microsoft, OpenAI, or both for this workflow?

Applicability checks

This sample shows which product path, data category, agreement, and commitment assumptions a paid report should make explicit.

Close applicability only when product path, plan, model, region, data categories, agreement scope, and customer commitment wording are recorded or explicitly held.

Finding
OpenAI: Confirm OpenAI API data-use scope before reusing customer AI training language
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
OpenAI: Separate provider retention from your own application retention
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
Anthropic: Tie Claude model-training answers to the product path actually used
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
Anthropic: Verify whether zero data retention is actually covered by your Anthropic agreement
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
Azure OpenAI / Microsoft AI: Keep Azure OpenAI evidence separate from direct OpenAI evidence
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
Google Vertex AI / Gemini for Cloud: Confirm Vertex AI zero data retention before using that phrase with customers
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
AWS Bedrock: Use Bedrock-specific evidence for model provider access questions
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.
Finding
Azure OpenAI / Microsoft AI: Review whether customer DPA exhibits should name Microsoft, OpenAI, or both
Status
Sample only
Product path and plan
Customer-facing AI features using direct API and cloud-hosted model providers.
Required confirmation
Confirm the real workspace product path, plan, region, agreement, and data categories before using this sample as evidence.
External use limit
Do not use sample assumptions as evidence in customer answers.

Applicability checks are review prompts and owner-confirmation records. They are not legal advice, vendor certification, or automatic approval for customer answers.

Coverage and gaps

Sample shape, not paid coverage. This public sample shows the report structure using selected vendors and sources. It is not current paid coverage for your workspace.

Checked: 8
Failed: 0
Stale: 0
Not checked: 15

Reviewable with visible gaps: 8 sources are checked against 23 expected sources; 15 not-checked source issues remain visible before external use.

Source coverage by vendor

Vendor | Completeness | Checked | Failed | Stale | Not checked
OpenAI | Reviewable with visible gaps | 2 | 0 | 0 | 3
Anthropic | Reviewable with visible gaps | 2 | 0 | 0 | 4
Azure OpenAI / Microsoft AI | Reviewable with visible gaps | 2 | 0 | 0 | 2
Google Vertex AI / Gemini for Cloud | Reviewable with visible gaps | 1 | 0 | 0 | 4
AWS Bedrock | Reviewable with visible gaps | 1 | 0 | 0 | 2

Checked and not checked sources

Vendor
Anthropic
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
Anthropic
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
Anthropic
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
Anthropic
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
Anthropic
Status
Checked
Last reviewed
May 21, 2026
Detail
Checked in this packet. Reviewed 1 day ago. This is recent enough for the current packet freshness model.
Vendor
Anthropic
Status
Checked
Last reviewed
May 21, 2026
Detail
Checked in this packet. Reviewed 1 day ago. This is recent enough for the current packet freshness model.
Vendor
AWS Bedrock
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
AWS Bedrock
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
AWS Bedrock
Status
Checked
Last reviewed
May 21, 2026
Detail
Checked in this packet. Reviewed 1 day ago. This is recent enough for the current packet freshness model.
Vendor
Azure OpenAI / Microsoft AI
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
Azure OpenAI / Microsoft AI
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.
Vendor
Azure OpenAI / Microsoft AI
Status
Checked
Last reviewed
May 21, 2026
Detail
Checked in this packet. Reviewed 1 day ago. This is recent enough for the current packet freshness model.
Vendor
Azure OpenAI / Microsoft AI
Status
Checked
Last reviewed
May 21, 2026
Detail
Checked in this packet. Reviewed 1 day ago. This is recent enough for the current packet freshness model.
Vendor
Google Vertex AI / Gemini for Cloud
Status
Not checked
Last reviewed
May 21, 2026
Detail
Verified official source exists in the registry, but this public sample only shows selected report items. A paid scoped report should include it, explicitly exclude it, or show the reason it was not checked.

Source citations

Use this table to trace each finding and coverage source back to the official URL, reviewed date, freshness status, evidence status, and external use limit.

Finding / source

Confirm OpenAI API data-use scope before reusing customer AI training language

Data controls in the OpenAI platform

https://platform.openai.com/docs/guides/your-data

Citation role
Finding evidence
Source status
Checked
Evidence status
Source note
Last reviewed
May 21, 2026
Traceability action
Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.
Finding / source

Separate provider retention from your own application retention

OpenAI Data Processing Addendum

https://openai.com/policies/data-processing-addendum/

Citation role
Finding evidence
Source status
Checked
Evidence status
Sample link only
Last reviewed
May 21, 2026
Traceability action
Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.
Finding / source

Tie Claude model-training answers to the product path actually used

Is my data used for model training?

https://privacy.anthropic.com/en/articles/7996868-i-want-to-opt-out-of-my-prompts-and-results-being-used-for-training-models

Citation role
Finding evidence
Source status
Checked
Evidence status
Sample link only
Last reviewed
May 21, 2026
Traceability action
Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.
Finding / source

Verify whether zero data retention is actually covered by your Anthropic agreement

Zero data retention agreement applicability

https://privacy.anthropic.com/en/articles/8956058-i-have-a-zero-data-retention-agreement-with-anthropic-what-products-does-it-apply-to

Citation role
Finding evidence
Source status
Checked
Evidence status
Source note
Last reviewed
May 21, 2026
Traceability action
Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.
Finding / source

Keep Azure OpenAI evidence separate from direct OpenAI evidence

Data, privacy, and security for Models sold by Azure in Microsoft Foundry

https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/data-privacy

Citation role
Finding evidence
Source status
Checked
Evidence status
Sample link only
Last reviewed
May 21, 2026
Traceability action
Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.
Finding / source

Confirm Vertex AI zero data retention before using that phrase with customers

Vertex AI zero data retention

https://docs.cloud.google.com/vertex-ai/generative-ai/docs/vertex-ai-zero-data-retention

Citation role
Finding evidence
Source status
Checked
Evidence status
Source note
Last reviewed
May 21, 2026
Traceability action
Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.
Finding / source

Use Bedrock-specific evidence for model provider access questions

Data protection in Amazon Bedrock

https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html

Citation role
Finding evidence
Source status
Checked
Evidence status
Source note
Last reviewed
May 21, 2026
Traceability action: Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.

Finding: Review whether customer DPA exhibits should name Microsoft, OpenAI, or both
Source: Microsoft Products and Services Data Protection Addendum
URL: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Citation role: Finding evidence
Source status: Checked
Evidence status: Source note
Last reviewed: May 21, 2026
Traceability action: Use the official URL and reviewed date as the sample citation pattern; a paid report should preserve captured excerpts when available.

Finding: No material finding tied to this source
Source: Commercial Terms of Service
URL: https://www.anthropic.com/legal/commercial-terms
Citation role: Coverage source
Source status: Not checked
Evidence status: Not checked in report
Last reviewed: May 21, 2026
Traceability action: Resolve the source coverage gap or explicitly mark it out of scope before treating the report as complete.

Finding: No material finding tied to this source
Source: Custom Data Retention Controls for Claude Enterprise
URL: https://privacy.anthropic.com/en/articles/10440198-custom-data-retention-controls-for-claude-enterprise
Citation role: Coverage source
Source status: Not checked
Evidence status: Not checked in report
Last reviewed: May 21, 2026
Traceability action: Resolve the source coverage gap or explicitly mark it out of scope before treating the report as complete.

Finding: No material finding tied to this source
Source: Data Processing Addendum
URL: https://www.anthropic.com/legal/data-processing-addendum
Citation role: Coverage source
Source status: Not checked
Evidence status: Not checked in report
Last reviewed: May 21, 2026
Traceability action: Resolve the source coverage gap or explicitly mark it out of scope before treating the report as complete.

Finding: No material finding tied to this source
Source: Privacy Policy
URL: https://www.anthropic.com/legal/privacy
Citation role: Coverage source
Source status: Not checked
Evidence status: Not checked in report
Last reviewed: May 21, 2026
Traceability action: Resolve the source coverage gap or explicitly mark it out of scope before treating the report as complete.

Sample findings show source notes. Paid reports preserve captured excerpts when a monitored source change produced a finding and keep a no-excerpt status when an excerpt is not available.

Source excerpts and notes

This section shows what supports each finding: a captured excerpt when available, otherwise a source note, reviewed date, how to use the source, and the limit on how it should be used.

Finding: OpenAI: Confirm OpenAI API data-use scope before reusing customer AI training language
Source: Data controls in the OpenAI platform
Evidence status: Source note
Reviewed: May 21, 2026
Source note or excerpt: OpenAI API Platform data-control evidence is the source to verify model-training and retention scope for API usage.
How to use it: Check the API Platform path, organization settings, and any separate ChatGPT workspace use before reusing no-training language.

Finding: OpenAI: Separate provider retention from your own application retention
Source: OpenAI Data Processing Addendum
Evidence status: Official source linked
Reviewed: May 21, 2026
Source note or excerpt: OpenAI Data Processing Addendum is linked as the official source for this sample finding.
How to use it: Verify the linked official source before relying on this finding outside the sample report.

Finding: Anthropic: Tie Claude model-training answers to the product path actually used
Source: Is my data used for model training?
Evidence status: Official source linked
Reviewed: May 21, 2026
Source note or excerpt: "Is my data used for model training?" is linked as the official source for this sample finding.
How to use it: Verify the linked official source before relying on this finding outside the sample report.

Finding: Anthropic: Verify whether zero data retention is actually covered by your Anthropic agreement
Source: Zero data retention agreement applicability
Evidence status: Source note
Reviewed: May 21, 2026
Source note or excerpt: Anthropic retention evidence needs agreement and product-scope validation before a zero-retention claim is reused.
How to use it: Confirm whether the zero data retention agreement is signed and which product path it covers.

Finding: Azure OpenAI / Microsoft AI: Keep Azure OpenAI evidence separate from direct OpenAI evidence
Source: Data, privacy, and security for Models sold by Azure in Microsoft Foundry
Evidence status: Official source linked
Reviewed: May 21, 2026
Source note or excerpt: "Data, privacy, and security for Models sold by Azure in Microsoft Foundry" is linked as the official source for this sample finding.
How to use it: Verify the linked official source before relying on this finding outside the sample report.

Finding: Google Vertex AI / Gemini for Cloud: Confirm Vertex AI zero data retention before using that phrase with customers
Source: Vertex AI zero data retention
Evidence status: Source note
Reviewed: May 21, 2026
Source note or excerpt: Vertex AI retention evidence should be checked against the selected model, endpoint, logging path, and downstream storage.
How to use it: Verify the specific Vertex AI feature and storage path before reusing retention or Trust Center language.

Source note only: this is not a legal quote, vendor certification, or final approval for customer answers.

Source freshness rules

For packet evidence, critical AI and SaaS vendor sources should show a recent reviewed date. Material vendor notices, Trust Center updates, DPA changes, subprocessor notices, and customer-reported changes should be checked before the packet is reused externally.

Rule: Official-source boundary
How the report uses it: Source evidence should come from official vendor documentation, Trust Center pages, product documentation, DPAs, or clearly identified primary vendor notices.

Rule: Recent review date
How the report uses it: Sources used in a paid packet should have a visible reviewed date and should be rechecked before they are reused for a new customer answer.

Rule: Urgent-change handling
How the report uses it: Material vendor notices, broken source links, DPA updates, subprocessor notices, and customer-reported source changes should be routed to the relevant owner before reuse.

Rule: Stale-source warning
How the report uses it: A source older than 60 days, missing a reviewed date, or failing the latest source check should be marked for review before the packet is reused externally.

Sample source dates

Report source links should show when the source was last reviewed and warn when the evidence needs a re-check before external use.

  • Vendor: OpenAI. Last reviewed: May 21, 2026. Freshness: Fresh.
  • Vendor: OpenAI. Last reviewed: May 21, 2026. Freshness: Fresh.
  • Vendor: Anthropic. Last reviewed: May 21, 2026. Freshness: Fresh.
  • Vendor: Anthropic. Last reviewed: May 21, 2026. Freshness: Fresh.
  • Vendor: Azure OpenAI / Microsoft AI. Last reviewed: May 21, 2026. Freshness: Fresh.

Claim and evidence table

This table separates the customer commitment, official source evidence, report note, unknowns, and owner decision so the report stays reviewable instead of sounding like a legal conclusion.

Finding: Confirm OpenAI API data-use scope before reusing customer AI training language
Customer commitment: Customer data is not used for model training.
Evidence used: OpenAI: Data controls in the OpenAI platform; reviewed May 21, 2026; Fresh.
Source evidence recorded: Source note: OpenAI API Platform data-control evidence is the source to verify model-training and retention scope for API usage.
Why this may matter: OpenAI API commitments should cite the platform data controls source and should not be copied to ChatGPT workspace or unmanaged account use without a separate review.
Unknowns: Whether your API organization uses modified retention or abuse monitoring settings.
Owner decision: Security / GRC: Confirm product path, organization settings, and whether prompts are copied elsewhere. Current handoff status: Needs product-path confirmation.

Finding: Separate provider retention from your own application retention
Customer commitment: No specific customer commitment is mapped yet; treat this as a general review prompt.
Evidence used: OpenAI: OpenAI Data Processing Addendum; reviewed May 21, 2026; Fresh.
Source evidence recorded: Official source linked: OpenAI Data Processing Addendum is linked as the official source for this sample finding.
Why this may matter: OpenAI provider-side retention answers are only part of the commitment. Product logs, traces, support tickets, and databases can retain the same prompts or outputs longer.
Unknowns: Whether debugging or observability tools capture customer prompts.
Owner decision: Security / GRC: Inventory where prompts, outputs, files, and embeddings are stored after the API call.

Finding: Tie Claude model-training answers to the product path actually used
Customer commitment: No specific customer commitment is mapped yet; treat this as a general review prompt.
Evidence used: Anthropic: Is my data used for model training?; reviewed May 21, 2026; Fresh.
Source evidence recorded: Official source linked: "Is my data used for model training?" is linked as the official source for this sample finding.
Why this may matter: Claude API, Claude Enterprise, Claude Code, and unmanaged employee use can require different evidence. A customer answer should name the Anthropic product path.
Unknowns: Whether employees use Claude outside the managed organization.
Owner decision: Security / GRC: Identify every Claude product used in product and employee workflows.

Finding: Verify whether zero data retention is actually covered by your Anthropic agreement
Customer commitment: Customer data is retained only as long as necessary.
Evidence used: Anthropic: Zero data retention agreement applicability; reviewed May 21, 2026; Fresh.
Source evidence recorded: Source note: Anthropic retention evidence needs agreement and product-scope validation before a zero-retention claim is reused.
Why this may matter: Zero data retention language should be tied to an approved agreement and the products it covers. It should not be used as a generic Claude statement.
Unknowns: Whether your team has a negotiated Anthropic retention agreement.
Owner decision: Legal / Privacy: Record agreement scope before using zero-retention language externally. Current handoff status: Needs agreement confirmation.

Finding: Keep Azure OpenAI evidence separate from direct OpenAI evidence
Customer commitment: No specific customer commitment is mapped yet; treat this as a general review prompt.
Evidence used: Azure OpenAI / Microsoft AI: Data, privacy, and security for Models sold by Azure in Microsoft Foundry; reviewed May 21, 2026; Fresh.
Source evidence recorded: Official source linked: "Data, privacy, and security for Models sold by Azure in Microsoft Foundry" is linked as the official source for this sample finding.
Why this may matter: Azure-hosted model calls should cite Microsoft's Foundry data privacy source. Direct OpenAI API evidence should not be used for Azure deployments unless both paths are present.
Unknowns: Whether the selected model is covered by the Microsoft Foundry source.
Owner decision: Security / GRC: Confirm the Azure service, model, deployment region, and subscription.

Finding: Confirm Vertex AI zero data retention before using that phrase with customers
Customer commitment: Trust Center and questionnaire answers must remain accurate.
Evidence used: Google Vertex AI / Gemini for Cloud: Vertex AI zero data retention; reviewed May 21, 2026; Fresh.
Source evidence recorded: Source note: Vertex AI retention evidence should be checked against the selected model, endpoint, logging path, and downstream storage.
Why this may matter: Google Cloud publishes a separate zero data retention source for Vertex AI. Eligibility should be checked by model, endpoint, and feature before customer publication.
Unknowns: Whether product logs retain prompts or outputs outside Vertex AI.
Owner decision: Security / GRC: Check model, endpoint, logging, and downstream storage before publication. Current handoff status: Needs implementation review.

Sample findings include source notes. Paid reports include captured excerpts when a monitored source change produced the finding, or keep the no-excerpt status when only the official URL and reviewed date are available.

Evidence limit: review note only. The report does not provide legal advice, vendor certification, or final approval for customer answers.

Selected vendors

Vendor coverage uses five Tier 1 AI vendors with published source evidence.

  • Vendor: OpenAI. Coverage: 5 verified sources.
  • Vendor: Anthropic. Coverage: 6 verified sources.
  • Vendor: Azure OpenAI / Microsoft AI. Coverage: 4 verified sources.
  • Vendor: Google Vertex AI / Gemini for Cloud. Coverage: 5 verified sources.
  • Vendor: AWS Bedrock. Coverage: 3 verified sources.

Commitment profile

These are the customer-facing promises this report checks against vendor evidence.

  • Customer data is not used for model training. Track whether vendor language could affect customer-facing model training commitments.
  • Subprocessors are reviewed before material changes. Track subprocessor changes and review evidence for customer and audit commitments.
  • Critical vendors have a current review packet. Track monitoring evidence packet coverage for critical vendors.
  • Customer data is retained only as long as necessary. Track retention and deletion language that may affect customer commitments.
  • Trust Center and questionnaire answers must remain accurate. Track whether upstream vendor changes could affect customer-facing statements.
  • EU personal data must be handled under approved transfer mechanisms. Track vendor changes that could require cross-border transfer review.

Custom commitment: We do not use customer content to train third-party AI provider models unless the customer has explicitly approved that use.

Top findings

These findings show the questions the report raises from official source coverage. Findings are labeled sample when they are not based on a live detected source change.

P1 | Sample finding | OpenAI

Confirm OpenAI API data-use scope before reusing customer AI training language

OpenAI API commitments should cite the platform data controls source and should not be copied to ChatGPT workspace or unmanaged account use without a separate review.

Sample finding based on current source coverage, not a live detected change.

Owner: Security / GRC. Status: Needs product-path confirmation.

Suggested actions

  • Confirm whether customer data goes through the OpenAI API Platform or a different OpenAI product.
  • Attach the OpenAI platform data controls source to customer training and retention answers.
  • Review your own logs for prompt and output copies outside OpenAI.

Unknowns to confirm

  • Whether your API organization uses modified retention or abuse monitoring settings.

P1 | Sample finding | OpenAI

Separate provider retention from your own application retention

OpenAI provider-side retention answers are only part of the commitment. Product logs, traces, support tickets, and databases can retain the same prompts or outputs longer.

Sample finding based on current source coverage, not a live detected change.

Suggested actions

  • Inventory where prompts, outputs, files, and embeddings are stored after the API call.
  • Add a separate retention note for application logs and support workflows.
  • Record the OpenAI DPA and data controls review date.

Unknowns to confirm

  • Whether debugging or observability tools capture customer prompts.

P1 | Sample finding | Anthropic

Tie Claude model-training answers to the product path actually used

Claude API, Claude Enterprise, Claude Code, and unmanaged employee use can require different evidence. A customer answer should name the Anthropic product path.

Sample finding based on current source coverage, not a live detected change.

Suggested actions

  • Identify every Claude product used in product and employee workflows.
  • Attach Anthropic's model training source to customer-facing answers.
  • Keep unmanaged Claude use outside customer commitments unless separately reviewed.

Unknowns to confirm

  • Whether employees use Claude outside the managed organization.

P1 | Sample finding | Anthropic

Verify whether zero data retention is actually covered by your Anthropic agreement

Zero data retention language should be tied to an approved agreement and the products it covers. It should not be used as a generic Claude statement.

Sample finding based on current source coverage, not a live detected change.

Owner: Legal / Privacy. Status: Needs agreement confirmation.

Suggested actions

  • Confirm whether a zero data retention agreement exists.
  • Record which Anthropic products and organization keys are covered.
  • Review support tickets and logs for retained Claude prompts outside Anthropic.

Unknowns to confirm

  • Whether your team has a negotiated Anthropic retention agreement.

P1 | Sample finding | Azure OpenAI / Microsoft AI

Keep Azure OpenAI evidence separate from direct OpenAI evidence

Azure-hosted model calls should cite Microsoft's Foundry data privacy source. Direct OpenAI API evidence should not be used for Azure deployments unless both paths are present.

Sample finding based on current source coverage, not a live detected change.

Suggested actions

  • Confirm the Azure service, model, deployment region, and subscription.
  • Attach Microsoft Foundry evidence to model training and provider access answers.
  • Review diagnostic logging and downstream Azure storage.

Unknowns to confirm

  • Whether the selected model is covered by the Microsoft Foundry source.

P1 | Sample finding | Google Vertex AI / Gemini for Cloud

Confirm Vertex AI zero data retention before using that phrase with customers

Google Cloud publishes a separate zero data retention source for Vertex AI. Eligibility should be checked by model, endpoint, and feature before customer publication.

Sample finding based on current source coverage, not a live detected change.

Owner: Security / GRC. Status: Needs implementation review.

Suggested actions

  • Confirm whether the workflow uses Vertex AI, Gemini through Google Cloud, or Workspace Gemini.
  • Check zero data retention eligibility for the selected model and endpoint.
  • Inventory Cloud Logging, BigQuery, and application storage for prompt copies.

Unknowns to confirm

  • Whether product logs retain prompts or outputs outside Vertex AI.

Recommended actions

  • Record the exact vendor products, plans, and data categories before reusing these answers with customers.
  • Attach official source links and a last reviewed date to each Trust Center or questionnaire answer.
  • Review DPA and subprocessor evidence before answering personal data questions.
  • Add transfer-mechanism review to the follow-up list for EU personal data.
  • Create a monitoring evidence packet for selected critical vendors.

Evidence gaps and limitations

  • Unavailable source checks stay visible: If a vendor source cannot be checked, the report names the affected document as a source coverage gap instead of treating it as clean evidence.
  • Unknown applicability is preserved: When plan, region, agreement, model, or product-path scope is unclear, the report asks a review question rather than making a legal conclusion.
  • Human approval remains explicit: AI Vendor Packet organizes official-source review evidence and suggested review actions. It does not provide legal advice or final approval for customer answers.
  • Sample findings are review prompts, not live detected changes, unless marked live.
  • AI Vendor Packet does not provide legal advice or decide whether a vendor is compliant.
  • Customer-facing commitments should be reviewed against the current vendor source and your actual implementation.

Before you buy

Use the sample to decide fit.

The paid report should be clear before checkout. Compare your use case against the fit notes, limits, and source confidence checks before buying.

Checkout checklist

  • Sample reviewed: Open the sample report, PDF, and CSV before buying so the structure is clear.
  • Vendor scope fits: Confirm the paid report limit covers the vendors that matter for this review.
  • Usage context is known: Have product path, plan, data categories, region, and customer commitment language ready before generating the packet.
  • Internal reviewer exists: Assign a security, privacy, legal, compliance, or founder reviewer who can make the remaining decision after evidence is collected.

Acceptance proof before checkout

Checkout buys organized evidence for a real review, not a rubber stamp. The report should say whether it can move forward internally or should stay on hold because source, applicability, owner-decision, or file blockers remain.

Sample status: Sample only. This sample shows the report format only; it is not evidence for customer answers.

Sample findings are illustrative and cannot be accepted as current workspace coverage.

Good fit

  • A customer, auditor, or internal approver is asking about AI vendors. The packet is meant for teams that need to answer security questionnaires, SOC 2 vendor monitoring requests, AI approval reviews, or customer follow-up with cited vendor evidence.
  • Your team has made customer-facing promises about vendor behavior. It is useful when Trust Center, DPA, subprocessors, model-training, retention, or security statements depend on upstream AI/SaaS vendor sources.
  • You need a review packet, not a new TPRM platform. The output is designed to be forwarded to security, privacy, legal, or founder reviewers with review questions and evidence links already organized.

Not a fit

  • You need counsel to approve customer wording. AI Vendor Packet can prepare evidence and suggested review actions, but it cannot decide legal obligations or approve contract, DPA, Trust Center, or questionnaire wording.
  • You need alerts, digest emails, or a full vendor risk program. The self-serve paid product is one packet. It does not include future alerts, digest emails, SSO, RBAC, or a full vendor intake and approval program.
  • You need a complete TPRM replacement across dozens of vendors. The packet is intentionally narrow: up to ten selected vendors, official source checks, commitment review prompts, and exportable evidence.

Trust checks

  • Official sources only: Material vendor facts should come from official vendor documentation or another clearly identified primary source. Unsupported facts become limitations or review questions.
  • Reviewed dates stay visible: Public pages and packets should show reviewed dates so a buyer can tell whether source checks are current enough for their review.
  • Sample files are available before checkout: The sample PDF and CSV show the report structure, source links, first decisions, action plan, claim/evidence table, and limitations before a buyer pays.
  • Clear source-gap handling: If an official source is stale, broken, or not applicable to the selected product path, the packet should preserve that gap and be corrected before being reused as evidence.

Review readiness in the paid report

The paid report should show the same proceed-or-hold checks against your selected vendors and commitment scope.

  • Final review status: The report gives a final proceed-or-hold status before it is sent to security, legal, privacy, founder, or audit review.
  • Source-gap holds: Failed, stale, and not-checked sources are kept as blockers or limitations instead of being hidden behind a clean report summary.
  • Assumption holds: The report records the assumptions that must be true before a finding can support customer wording.
  • Decision trail: Material findings are routed to security, legal, privacy, compliance, or founder reviewers with the decision that remains.
  • Archive-ready files: The PDF and CSV are tied to an archive path for SOC 2 monitoring evidence packets, internal tickets, or review notes.

A proceed status means the report is organized for internal review. It does not approve customer language, certify a vendor, or replace legal, security, privacy, or compliance review.

Download sample files

The PDF is for stakeholder review. The CSV is for findings triage and spreadsheet workflows.

Next step after the sample report

Start with a $199 one-time review packet when you need cited evidence for a customer security review, SOC 2 vendor note, or internal approval. The paid report includes the same review readiness checks, so unresolved source, applicability, reviewer-decision, or file blockers stay visible.