Majority of AI Vendors Hide Subprocessors From Contracts
A DataGrail analysis of 2,400 business software vendors found that 63.6% of those advertising AI capabilities do not disclose third-party AI subprocessors in their legal documentation. This means companies purchasing AI-enabled software may unknowingly expose customer data to undisclosed AI models and systems they never reviewed or approved. The finding highlights a critical gap between what vendors claim in contracts and what they actually deploy in production.
TL;DR
- 63.6% of AI-enabled vendors fail to disclose third-party AI subprocessors in data processing agreements
- DataGrail cross-referenced DPAs against product documentation, GitHub, API connections, and marketing materials to identify gaps
- Organizations with high shadow AI exposure face average breach costs of $4.63 million, $670,000 more than those with low shadow AI
- The disclosure gap creates compliance risk, particularly for automated decision-making in hiring and other regulated domains
Why It Matters
Data processing agreements are the primary legal mechanism enterprises use to evaluate vendor data handling. If the majority of AI vendors are not disclosing their actual AI subprocessors in these contracts, the entire trust framework for vendor risk assessment breaks down. Companies could unknowingly violate FTC regulations on automated decision-making while exposing sensitive personal data to unvetted AI systems.
Business Impact
Enterprises relying on vendor DPAs to manage AI risk are operating with incomplete information. A company might approve one AI model for a recruiting tool while the vendor secretly uses two others, creating compliance exposure and potential liability. With U.S. states issuing $3.425 billion in privacy fines in 2025 alone, this disclosure gap represents a material financial and legal risk.
Key Implications
- DPAs can no longer serve as reliable standalone documents for evaluating vendor AI risk, requiring additional due diligence on product documentation and API integrations
- Enterprises face potential FTC violations if undisclosed AI systems make automated decisions on sensitive data without proper vetting
- The gap between disclosed and actual AI subprocessors creates shadow AI risk that correlates with significantly higher breach costs
What to Watch
Monitor whether regulators begin enforcing disclosure requirements for AI subprocessors in vendor contracts. Watch for enterprise adoption of supplementary vendor assessment tools that go beyond DPAs to verify actual AI deployments. Track whether major software vendors update their standard DPA language to include comprehensive AI subprocessor disclosure in response to this research.
Our Briefing
Weekly signal. No noise. Built for founders, operators, and AI-curious professionals.
No spam. Unsubscribe any time.
