AI vendor review packet source pages for SaaS teams
Review official source pages for the AI vendors most likely to affect customer commitments about model training, data retention, subprocessors, DPA coverage, and security evidence.
Published profiles
25
Vendor pages with official sources
Issue pages
25
Training, retention, DPA, subprocessor, and security topics
Last reviewed
May 21
Source registry review date
OpenAI
This page tracks the OpenAI documents a SaaS team usually needs when it promises customers how AI inputs, outputs, files, retention, subprocessors, and model training are handled. The highest-risk review area is making sure API Platform commitments are not copied to a different OpenAI product without checking the product-specific source.
Category
AI model provider
Sources reviewed
5 official sources
Issue pages
2 published
Anthropic
This page tracks Anthropic sources that matter when a SaaS team uses Claude in a product or internal workflow. The main review question is whether the team is relying on commercial product terms, enterprise controls, or a separate zero data retention agreement, because those paths carry different evidence needs.
Category
AI model provider
Sources reviewed
6 official sources
Issue pages
2 published
Azure OpenAI / Microsoft AI
This page tracks Microsoft sources that SaaS teams usually need when Azure hosts AI model calls. The key review point is scope: Microsoft's AI Foundry data privacy page applies to models sold by Azure in Microsoft Foundry, so teams should confirm the deployed model, region, logging, and contract path before reusing commitments.
Category
Cloud AI platform
Sources reviewed
4 official sources
Issue pages
2 published
Google Vertex AI / Gemini for Cloud
This page tracks Google Cloud sources for Vertex AI and Gemini for Cloud review. The main review point is whether a team is using standard Vertex AI data processing, an eligible zero data retention path, or a workflow that stores prompts or responses in customer-controlled Google Cloud resources.
Category
Cloud AI platform
Sources reviewed
5 official sources
Issue pages
2 published
AWS Bedrock
This page tracks AWS sources that matter when a SaaS team uses Amazon Bedrock instead of calling a model provider directly. The main review point is scope: Bedrock has its own data protection and abuse detection documentation, and those statements should not be mixed with direct Anthropic, OpenAI, or other provider terms unless both paths are reviewed.
Category
Cloud AI platform
Sources reviewed
4 official sources
Issue pages
2 published
Slack
Slack should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Slack Privacy Policy, Slack Main Services Agreement, Slack Data Processing Addenda, Slack Security. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Slack, the highest-risk drift pattern is that teams often copy short collaboration-tool answers even when customer files, support transcripts, or integrations have changed.
Category
Workplace collaboration platform
Sources reviewed
4 official sources
Issue pages
3 published
Microsoft 365 / Copilot
Microsoft 365 / Copilot should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Data, Privacy, and Security for Microsoft 365 Copilot, Security for Microsoft 365 Copilot, Microsoft Products and Services Data Protection Addendum, Microsoft Privacy Statement. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Microsoft 365 / Copilot, the highest-risk drift pattern is that tenant AI answers can drift when teams mix Microsoft 365 Copilot evidence with Azure AI or direct OpenAI evidence.
Category
Productivity and workplace AI service
Sources reviewed
4 official sources
Issue pages
3 published
Google Workspace / Gemini
Google Workspace / Gemini should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Google Workspace with Gemini, Google Workspace Specific Terms, Google Workspace Subprocessors, Google Workspace Security. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Google Workspace / Gemini, the highest-risk drift pattern is that customer answers can become stale when Workspace AI evidence is mixed with Google Cloud AI evidence.
Category
Productivity and workplace AI service
Sources reviewed
4 official sources
Issue pages
3 published
Intercom
Intercom should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Intercom Privacy Policy, Intercom Terms and Policies, Intercom Data Processing Agreement, Intercom Subprocessors List. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Intercom, the highest-risk drift pattern is that support teams can add new automation, transcripts, or integrations without refreshing customer data and subprocessor answers.
Category
Customer support and messaging platform
Sources reviewed
4 official sources
Issue pages
3 published
Zendesk
Zendesk should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Zendesk Privacy Notice, Zendesk Customer Agreement, Zendesk Data Processing Agreement, Zendesk Sub-processor Policy, Zendesk Trust Center. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Zendesk, the highest-risk drift pattern is that support-ticket exports and new service features can leave customer-facing subprocessor and retention statements behind.
Category
Customer support and service platform
Sources reviewed
5 official sources
Issue pages
3 published
AWS
AWS should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: AWS Cloud Security, AWS Service Terms, AWS Data Privacy FAQ. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For AWS, the highest-risk drift pattern is that broad AWS security statements can hide service-specific logging, retention, region, and account configuration choices.
Category
Cloud infrastructure provider
Sources reviewed
3 official sources
Issue pages
0 published
GCP
GCP should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Google Cloud Platform Terms of Service, Google Cloud Data Processing Addendum, Google Cloud Platform Subprocessors, Google Cloud Security. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For GCP, the highest-risk drift pattern is that cloud platform commitments can drift when logs, analytics, and storage sit outside the AI provider path.
Category
Cloud infrastructure provider
Sources reviewed
4 official sources
Issue pages
0 published
Azure
Azure should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Microsoft Azure Product Terms, Microsoft Products and Services Data Protection Addendum, Microsoft Privacy Statement, Microsoft Trust Center. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Azure, the highest-risk drift pattern is that teams often cite Microsoft cloud terms without naming the exact Azure service, region, and customer agreement path.
Category
Cloud infrastructure provider
Sources reviewed
4 official sources
Issue pages
0 published
Cloudflare
Cloudflare should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Cloudflare Privacy Policy, Cloudflare Terms, Cloudflare Customer Data Processing Addendum, Cloudflare Security. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Cloudflare, the highest-risk drift pattern is that edge logs, security events, and traffic inspection settings may not match broad statements about data minimization or retention.
Category
Edge network and security provider
Sources reviewed
4 official sources
Issue pages
0 published
Stripe
Stripe should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Stripe Privacy Policy, Stripe Services Agreement, Stripe Data Processing Agreement, Stripe Service Providers, Sub-Processors, and Affiliates. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Stripe, the highest-risk drift pattern is that payment data answers can drift when a product adds subscriptions, tax, identity, or connected-account flows.
Category
Payments and financial infrastructure provider
Sources reviewed
4 official sources
Issue pages
0 published
Paddle
Paddle should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Paddle Privacy Policy, Paddle Master Services Agreement, Paddle Data Processing Addendum, Paddle Data Sharing Addendum. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Paddle, the highest-risk drift pattern is that customer-facing privacy and processor language can drift when merchant-of-record roles are described as ordinary payment processing.
Category
Merchant of record and billing provider
Sources reviewed
4 official sources
Issue pages
0 published
Chargebee
Chargebee should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Chargebee Privacy Notice, Chargebee Terms of Service, Chargebee EU-GDPR documentation, Chargebee Security. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Chargebee, the highest-risk drift pattern is that billing commitments can drift when product teams add payment gateways, retention settings, or revenue tools around Chargebee.
Category
Subscription billing platform
Sources reviewed
4 official sources
Issue pages
0 published
Salesforce
Salesforce should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Salesforce Privacy Information, Salesforce Agreements and Terms, Salesforce Trust. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Salesforce, the highest-risk drift pattern is that CRM records often contain broad personal data and long retention, so stale Trust Center answers can spread quickly.
Category
CRM and customer data platform
Sources reviewed
3 official sources
Issue pages
0 published
HubSpot
HubSpot should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: HubSpot Privacy Policy, HubSpot Customer Terms of Service, HubSpot Data Processing Agreement, HubSpot Security Program. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For HubSpot, the highest-risk drift pattern is that marketing and CRM retention statements can drift when forms, enrichment, ads, or automation rules change.
Category
CRM and marketing platform
Sources reviewed
4 official sources
Issue pages
0 published
Zoom
Zoom should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Zoom Privacy Statement, Zoom Terms of Service, Privacy at Zoom, Zoom Third-Party Subprocessors and Affiliates, Zoom Security. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Zoom, the highest-risk drift pattern is that recording, transcript, and AI Companion settings can affect customer answers more than the generic meeting-service description.
Category
Communications and collaboration platform
Sources reviewed
5 official sources
Issue pages
0 published
Notion
Notion should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Notion Privacy Practices, Notion Terms, Notion Security Practices, Notion AI Security and Privacy Practices. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Notion, the highest-risk drift pattern is that knowledge base content can include customer details, and AI connector settings can change the evidence needed for customer answers.
Category
Workspace knowledge and collaboration platform
Sources reviewed
4 official sources
Issue pages
0 published
GitHub Copilot
GitHub Copilot should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Responsible use of GitHub Copilot features, GitHub General Privacy Statement, GitHub Terms of Service, GitHub Customer Terms. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For GitHub Copilot, the highest-risk drift pattern is that developer tooling answers can drift when Copilot plan type, repository context, or AI training settings change.
Category
Developer AI assistant
Sources reviewed
4 official sources
Issue pages
0 published
Mistral
Mistral should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Mistral Privacy documentation, Mistral AI Terms of Use. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Mistral, the highest-risk drift pattern is that model training and retention answers can differ between API, managed chat, connectors, and self-deployment paths.
Category
AI model provider
Sources reviewed
2 official sources
Issue pages
0 published
Cohere
Cohere should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Cohere Privacy Policy, Cohere Terms of Use, Cohere Secure AI Framework, Cohere Usage Policy. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Cohere, the highest-risk drift pattern is that fine-tuning, private deployment, and hosted API commitments can require different evidence.
Category
AI model provider
Sources reviewed
4 official sources
Issue pages
0 published
Hugging Face
Hugging Face should be reviewed when a SaaS team relies on it for workflows that may touch customer data, internal evidence, or regulated account records. This page keeps the review grounded in official sources: Hugging Face Privacy Policy, Hugging Face Terms of Service, Hugging Face Hub Security, Hugging Face Inference Endpoints Security and Compliance. The practical question is whether your customer-facing answer still matches the exact product, plan, agreement, and data path in use. For Hugging Face, the highest-risk drift pattern is that teams may treat model hosting, public repositories, private datasets, and inference endpoints as one data path when they need separate review.
Category
AI platform and model hosting provider
Sources reviewed
4 official sources
Issue pages
0 published
Review boundary
AI Vendor Packet organizes review packet evidence, source links, and review prompts. It does not provide legal advice or decide whether a vendor is compliant. Confirm terms with your legal, privacy, or security team before changing customer commitments.
Check vendor sources against your own customer promises.
Start with a vendor, select the commitments your team has already made, and identify which source questions need review.