The GDPR Compliance Checklist for Document AI Platforms
Picking a document AI vendor in the EU? Here's the GDPR checklist your procurement and DPO will actually run — and what answers should look like.
If you're evaluating a document AI vendor for an EU deployment, your procurement team and DPO will run a checklist. Here's the practical version of that checklist — what to ask, what good answers look like, and what to do when a vendor can't answer.
This isn't legal advice. Talk to a real lawyer for your specific deployment. But these are the questions that come up in every GDPR review of a SaaS vendor.
The core principle
Under GDPR, when you (the customer) put personal data into a vendor's platform, you are the controller and the vendor is the processor. The processor must support your obligations as controller. Most of GDPR's vendor questions come down to: can this vendor support what I have to do as controller?
Article 15 — Right of access
The requirement: Data subjects can request all personal data you hold about them.
What to ask the vendor:
- "Can I export all data my users have entered, including their profile, documents they've uploaded, and their activity history?"
- "Is the export in a machine-readable format?"
- "Can a user trigger this themselves, or do I need to file a ticket with you?"
Good answer: Self-serve export endpoint that returns JSON or CSV including profile, organization memberships, workspace memberships, documents created, API keys, audit log entries.
Red flag: "Send us a support ticket and we'll get back to you in 30 days." That's longer than the GDPR response window.
Article 17 — Right to erasure ("right to be forgotten")
The requirement: Data subjects can request permanent deletion of their personal data.
What to ask:
- "Can users delete their accounts themselves?"
- "Is deletion a hard delete, or do you keep a soft-delete record?"
- "What happens to documents they uploaded? To audit logs? To backups?"
Good answer: Self-serve deletion endpoint with explicit confirmation. Hard-delete of user record and direct identifiers. Anonymization of audit logs (preserving compliance evidence without identifying the subject). Document content preserved for workspace integrity but ownership cleared.
Red flag: "We don't delete data because we need it for analytics." That's a GDPR violation.
Article 20 — Right to data portability
The requirement: Data must be portable in a structured, commonly-used, machine-readable format.
What to ask:
- "What format does the export use?"
- "Is it complete enough that I could import it into another system?"
Good answer: JSON export with documented schema, including all user-controlled data.
Red flag: PDF exports only, or proprietary formats that lock data in.
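The three "good answers" above (Art. 15 and Art. 20: a self-serve, machine-readable export of everything tied to the subject; Art. 17: hard-delete of the user record and direct identifiers, anonymization rather than deletion of audit entries, documents kept but ownership cleared) describe a concrete data-handling behaviour that a DPO can test. The following Python is an added illustration written for this article, not DocuLens code and not from the original post. The store, identifiers, schema keys and the `schema_version` field are all constructed for the example; a real platform would implement the same rules against its database, and the `residual_identifiers` check at the end is the kind of post-erasure verification a reviewer should ask to see.

```python
"""Added example (not DocuLens code): an in-memory model of the Art. 15/20 export
and Art. 17 erasure behaviours described in the checklist. All ids, names and
schema keys are constructed for illustration."""
import json
from copy import deepcopy

EXPORT_SCHEMA_VERSION = "1.0"   # assumed: lets an importer on another system key on the layout
ANONYMIZED = "anonymized"       # fixed token, not a per-user pseudonym, so entries cannot be re-linked

# Constructed sample tenant store. Not real data.
STORE = {
    "users": {
        "u-100": {"email": "ana@example.com", "name": "Ana", "ip_last_login": "203.0.113.7"},
        "u-200": {"email": "ben@example.com", "name": "Ben", "ip_last_login": "203.0.113.8"},
    },
    "memberships": [
        {"user_id": "u-100", "org_id": "org-1", "workspace_id": "ws-1", "role": "editor"},
        {"user_id": "u-200", "org_id": "org-1", "workspace_id": "ws-1", "role": "owner"},
    ],
    "documents": {
        "d-1": {"owner_id": "u-100", "workspace_id": "ws-1", "title": "Q3 invoices", "text": "..."},
        "d-2": {"owner_id": "u-200", "workspace_id": "ws-1", "title": "Contract", "text": "..."},
    },
    "api_keys": {
        "k-1": {"user_id": "u-100", "label": "ci", "prefix": "dl_ab12", "secret_hash": "<hash>"},
    },
    "audit_log": [
        {"ts": "2024-05-01T10:00:00Z", "event": "document.upload", "actor_id": "u-100",
         "actor_email": "ana@example.com", "ip": "203.0.113.7", "target": "d-1"},
        {"ts": "2024-05-02T11:00:00Z", "event": "login", "actor_id": "u-200",
         "actor_email": "ben@example.com", "ip": "203.0.113.8", "target": None},
    ],
}


def make_store() -> dict:
    """Fresh copy of the constructed store, so erasure tests start from a known state."""
    return deepcopy(STORE)


def export_user_data(store: dict, user_id: str) -> dict:
    """Art. 15 / Art. 20: every record tied to the subject in one documented JSON structure.
    API key secrets (here the hash) are deliberately excluded; only label and prefix are exported."""
    if user_id not in store["users"]:
        raise KeyError(f"unknown user {user_id}")
    return {
        "schema_version": EXPORT_SCHEMA_VERSION,
        "subject_id": user_id,
        "profile": deepcopy(store["users"][user_id]),
        "memberships": [deepcopy(m) for m in store["memberships"] if m["user_id"] == user_id],
        "documents": [
            {"id": doc_id, **{k: v for k, v in doc.items() if k != "owner_id"}}
            for doc_id, doc in store["documents"].items() if doc["owner_id"] == user_id
        ],
        "api_keys": [
            {"id": key_id, "label": key["label"], "prefix": key["prefix"]}
            for key_id, key in store["api_keys"].items() if key["user_id"] == user_id
        ],
        "audit_log": [deepcopy(e) for e in store["audit_log"] if e["actor_id"] == user_id],
    }


def export_user_json(store: dict, user_id: str) -> str:
    """Serialized form a user could download themselves (machine-readable, stable key order)."""
    return json.dumps(export_user_data(store, user_id), indent=2, sort_keys=True)


def erase_user(store: dict, user_id: str, *, confirmed: bool) -> dict:
    """Art. 17: hard-delete the user record and direct identifiers, revoke API keys,
    anonymize (not delete) audit entries so compliance evidence survives, and keep
    workspace documents but clear their ownership. Returns a summary of what changed."""
    if not confirmed:
        raise ValueError("erasure requires explicit confirmation")
    if user_id not in store["users"]:
        raise KeyError(f"unknown user {user_id}")

    del store["users"][user_id]   # hard delete: no soft-delete row is left behind
    store["memberships"] = [m for m in store["memberships"] if m["user_id"] != user_id]
    revoked = [k for k, v in store["api_keys"].items() if v["user_id"] == user_id]
    for key_id in revoked:
        del store["api_keys"][key_id]

    cleared = []
    for doc_id, doc in store["documents"].items():
        if doc["owner_id"] == user_id:
            doc["owner_id"] = None     # content stays for workspace integrity, ownership cleared
            cleared.append(doc_id)

    anonymized = 0
    for entry in store["audit_log"]:
        if entry["actor_id"] == user_id:
            entry["actor_id"] = ANONYMIZED    # event, timestamp and target are preserved
            entry["actor_email"] = ANONYMIZED
            entry["ip"] = None
            anonymized += 1

    return {"deleted_user": user_id, "revoked_api_keys": revoked,
            "documents_ownership_cleared": cleared, "audit_entries_anonymized": anonymized}


def residual_identifiers(store: dict, identifiers: list) -> list:
    """Post-erasure check: serialize the whole store and report any direct identifier
    (user id, email, IP) that still appears anywhere. Expected result after erasure: []."""
    blob = json.dumps(store)
    return [i for i in identifiers if i in blob]


if __name__ == "__main__":
    demo = make_store()
    print(export_user_json(demo, "u-100"))
    ids = ["u-100", demo["users"]["u-100"]["email"], demo["users"]["u-100"]["ip_last_login"]]
    print(erase_user(demo, "u-100", confirmed=True))
    print("residual identifiers:", residual_identifiers(demo, ids))
```

Two design choices are worth noting. The audit entries are overwritten with a fixed token rather than a per-user hash: a keyed or hashed token is pseudonymization, which is still personal data under GDPR, whereas a constant token cannot be re-linked to the subject. And the export omits key secrets and hashes, because an access-right export that hands back credential material turns a compliance feature into a credential-leak path; label and prefix are enough for the subject to recognize the key.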
Article 28 — Processor obligations and DPA
The requirement: Controller and processor must have a written contract (DPA) covering subject matter, duration, nature of processing, types of data, obligations, and rights.
What to ask:
- "Do you have a DPA template I can review?"
- "Does it include the EU SCCs (Standard Contractual Clauses)?"
- "Who are your sub-processors?"
- "How will you notify me of sub-processor changes?"
Good answer: Standard DPA available before contract signature, list of sub-processors maintained publicly, 30-day notice for sub-processor changes with right to object.
Red flag: "We'll send you our DPA after the deal closes." This is non-negotiable infrastructure for any EU deployment.
Article 32 — Security of processing
The requirement: Appropriate technical and organizational measures to ensure security.
What to ask:
- "Is data encrypted in transit and at rest?"
- "What encryption standards do you use?"
- "Do you have SOC 2 Type II?"
- "How do you manage access to production systems?"
- "What security audits have you completed?"
Good answer: TLS 1.3 in transit, AES-256 at rest, SOC 2 Type II in progress or complete, RBAC with audit logging, regular penetration testing, vulnerability scanning.
Red flag: Vague answers like "industry standard security." Press for specifics.
Articles 33 & 34 — Breach notification
The requirement: Notify supervisory authority within 72 hours of becoming aware of a breach. Notify data subjects without undue delay if high risk to their rights.
What to ask:
- "Do you have a documented incident response plan?"
- "How quickly will you notify me of a breach affecting my data?"
- "What information will you include in the notification?"
Good answer: Documented incident response plan with severity classification, defined SLAs (e.g., notify customer within 24h of confirmed breach), templates for breach notification including all GDPR-required information.
Red flag: "We'll let you know as soon as we figure out what happened." If they don't have a plan, they don't have a process.
Data residency
Not technically a GDPR requirement, but commonly demanded.
What to ask:
- "Where is data stored?"
- "Can I require data to stay in the EU?"
- "Where are sub-processors located?"
- "If data leaves the EU, what safeguards are in place?"
Good answer: EU data residency option with no data leaving the region. Where transfers happen, EU SCCs in place with named sub-processors.
AI-specific concerns
These aren't in GDPR explicitly but are now standard procurement questions for AI vendors.
What to ask:
- "Do you train your models on customer data? Can I opt out?"
- "Which third-party AI providers do you use (OpenAI, Anthropic, etc.)?"
- "Do those providers train on data sent to their APIs?"
- "How long do AI providers retain inference data?"
Good answer: Customer data never used for training. Sub-processor list discloses AI providers. Zero Data Retention agreements with OpenAI/Anthropic where available. Self-hosted deployment available for sensitive workloads.
Red flag: "We may use customer data to improve our models." For regulated work, that's a hard no.
DocuLens scorecard
For transparency, here's where DocuLens stands today:
| Article | Implementation |
|---|---|
| Art. 15 (access) | ✅ Self-serve export endpoint returns JSON of all user data |
| Art. 17 (erasure) | ✅ Self-serve deletion with confirmation, cascading hard-delete, audit log anonymization |
| Art. 20 (portability) | ✅ Same JSON export — machine-readable, importable |
| Art. 28 (DPA) | ✅ DPA template available, sub-processors documented |
| Art. 32 (security) | ✅ TLS 1.3, AES-256 at rest, RBAC, audit logs, SOC 2 in progress |
| Art. 33-34 (breach) | ✅ Documented incident response plan with 72h notification SLA |
| Cookie consent | ✅ Granular consent banner |
| Sub-processor transparency | ✅ Public list with role and location |
| EU data residency | 🟡 Available on request, default config currently US |
| AI training opt-out | ✅ Customer data never used for training; ZDR with OpenAI/Anthropic where available |
The area marked 🟡 is operational work in progress. Everything else is shipping today.
Bottom line
GDPR isn't a checklist you complete once. It's an ongoing posture. The vendors who do it well make compliance easier for you (self-serve subject rights, clear DPAs, transparent sub-processors). The vendors who don't make compliance your problem.
When evaluating document AI for EU deployment, run this checklist. If a vendor can't answer most of it on the first sales call, they're not ready for your data.
Try DocuLens for free. We'll show you our DPA, our incident response plan, and our self-serve subject rights endpoints — before you sign anything.