
Confidentiality of artificial intelligence contracts: 2026 guide

Confidentiality in artificial intelligence contracts refers to all the contractual clauses that govern the use, security and protection of data throughout its life cycle. A generic confidentiality clause is not enough: AI contracts require specific provisions covering the processing of personal data, a prohibition on model training, audit rights and post-contract restitution. The key standards are the GDPR (in particular its Article 28 on data processing agreements, or DPAs) and the European regulation on artificial intelligence, the AI Act. Mastering these AI contractual obligations is today a central skill for any legal and compliance professional.

What are the essential clauses for confidentiality in artificial intelligence contracts?

A solid AI contract is based on a DPA compliant with Article 28 of the GDPR. Article 28 requires a detailed contractual framework: written instructions, confidentiality obligations, security measures, use of subcontractors, assistance with individual rights, and deletion or restitution of data at the end of the contract. This framework constitutes the minimal base. Any contract which deviates from this exposes the data controller to direct challenge by the CNIL or its European counterparts.

The clauses to be systematically integrated are the following:

  • Prohibition on model training: this clause protects the client's strategic data by prohibiting the supplier from using it to train, fine-tune or improve its models without prior written agreement. It must explicitly cover derived artifacts: embeddings, metadata and fine-tuned models.
  • Rapid breach notification: the subcontractor must notify any personal data breach within a maximum of 24 hours after becoming aware of it. The contract must specify the minimum content of this notification and the terms of assistance for the declaration to the supervisory authority.
  • Audit and log access clauses: the client must be able to audit the processing logs to verify compliance with the GDPR and the AI Act. The concrete terms (notice, frequency, scope, confidentiality of results) must appear in the contract.
  • Restitution, deletion and reversibility: certified deletion and data portability must be contractually guaranteed at the end of the contract, with migration assistance if necessary.

Pro Tip: Require that the no-training clause covers not only the raw data, but also any derived artifacts produced during contract execution. A supplier who refuses this extension signals a real risk.

How to segment the data lifecycle in contracts?

Segmenting the data life cycle is the most effective method to prevent leaks and comply with legal obligations. It consists of distinguishing three categories of data according to their phase of existence in the AI system, and of applying distinct rules of purpose, rights and retention period to each.


| Phase | Data type | Key contract rules |
|---|---|---|
| Before AI | Data provided by the client (contracts, HR files, customer data) | Limited purposes, restricted access, documented legal basis |
| During AI | Prompts, processing logs, intermediate results | Short retention period, ban on reuse, auditable logs |
| After AI | Derived data (embeddings, fine-tuned models, metadata) | Certified deletion or restitution, prohibition of residual use |

Derived artifacts are the most underestimated risk. Embeddings produced from confidential legal documents can encode sensitive information in non-obvious ways. Establishing a data matrix that assigns precise purposes, retention durations and restitution conditions to each category prevents these artifacts from being exploited outside the contractual scope. This matrix must be annexed to the DPA and updated whenever the system evolves.

Pro Tip: Ask the vendor for a comprehensive list of all artifacts produced during contract execution. If this list does not exist, the post-contract deletion clause cannot be verified or applied.


How to guarantee GDPR and AI Act compliance through contractualization?

Regulatory compliance cannot be decreed: it must be contractualized. Here are the four obligations to include in any AI contract involving personal data or high-risk systems.

1. GDPR framework for the controller and the subcontractor: The data controller defines the purposes and means. The subcontractor acts on documented instructions. The DPA formalizes this distribution and must be signed before any processing. Any modification of the supplier's general conditions or confidentiality policy requires the prior written consent of the customer. Failing this, the customer must be able to terminate without penalty within a contractually fixed period, for example 60 days.

2. AI Act technical documentation: AI contracts must provide technical documentation kept up to date, covering the complete model chain (foundation model and adaptations), accessible to the competent authorities. This documentation must be contractually guaranteed by the supplier, with an obligation to update in the event of changes to the system.

3. Audit terms and access rights: The contract must specify the client's right to conduct audits, access processing logs and receive periodic compliance reports. Log control is often the pivot point between a theoretical contract and a truly effective contract.

4. Stability of conditions clause: Any unilateral modification of the conditions of use of data by the supplier must trigger an obligation of formal notification to the customer. This clause protects against progressive shifts in purpose, common in AI SaaS contracts.

| Obligation | Regulatory basis | Corresponding contractual clause |
|---|---|---|
| Processing on instructions | GDPR art. 28 | DPA with written instructions |
| Technical documentation | AI Act | Updated technical annex |
| Breach notification | GDPR art. 33 | 24-hour deadline, minimum content defined |
| Stability of conditions | Good contractual practice | Modification clause with right of termination |

What are the legal risks related to AI privacy?

The legal risks linked to data protection in AI contracts are concrete and documented. Identifying them upstream allows them to be neutralized with appropriate clauses.

  • Trade secret violation via artifacts: A supplier that reuses embeddings produced from customer data may indirectly disclose strategic information to third parties or other customers. This risk is aggravated when the training prohibition clause does not cover indirect uses.
  • Late breach notification: A notification exceeding the 24-hour deadline exposes the data controller to a sanction from the CNIL, regardless of the supplier's liability. The contract must provide for a contractual penalty in the event of late notification by the subcontractor.
  • Technical dependence and abusive retention of data: Some suppliers condition the return of data on high migration costs or excessive delays. Reversibility and post-contract deletion are often overlooked but decisive elements for lasting confidentiality.
  • Lack of portability: Without an explicit portability clause, the customer may find it impossible to retrieve their data in a usable format. This situation creates a contractual dependence which weakens any strategy of changing supplier.
  • Unregulated unilateral modifications: A supplier who modifies its confidentiality policy without prior consent from the customer may broaden the processing purposes without the customer being informed in time to react. The stability of conditions clause is the only effective contractual protection against this risk.

For professionals who wish to delve deeper into the requirements of GDPR and AI compliance, the audit and contractualization mechanisms are detailed in Safe-doc's specialized resources.

Key points

Confidentiality in AI contracts is based on five non-negotiable clauses: a DPA compliant with Article 28 of the GDPR, a training ban covering derived artifacts, breach notification within 24 hours, audit rights on logs, and certified post-contract restitution.

| Item | Details |
|---|---|
| DPA compliant with GDPR art. 28 | Formalize instructions, confidentiality, security and deletion of data before any processing. |
| Extended training ban | Explicitly cover embeddings, metadata and fine-tuned models, not just raw data. |
| Notification within 24 hours | Contractualize the deadline, the minimum content and the penalties in the event of delay by the subcontractor. |
| Life cycle segmentation | Apply separate rules to provided data, logs, and derived artifacts. |
| Post-contract reversibility | Guarantee portability, certified deletion and migration assistance upon signing. |

What fifteen years of contract practice taught me about AI privacy

Most AI contracts I review contain a DPA. Very few contain a DPA that actually works. The difference is rarely the length of the document. It is due to the precision of the clauses on derived artifacts and the quality of the audit procedures.

The point that still surprises me is the resistance from suppliers on the extended training ban clause. When a supplier agrees to prohibit the use of raw data but refuses to include embeddings in the scope, this is a red flag. It means that the embeddings have value for them. And that value comes from your data.

The post-contract phase is systematically under-negotiated. Legal teams focus their energy on signing and forget that the real exposure begins at termination. I have seen situations where sensitive data remained in a supplier's systems six months after the end of the contract, due to the lack of a certified deletion clause with deadline and proof.

My practical advice: treat the reversibility clause like a financial clause. Negotiate it with the same rigor as a penalty clause. A provider that cannot commit to a certified removal time and a documented migration procedure does not deserve your contractual trust.

The AI Act adds a welcome layer of complexity. Mandatory technical documentation finally creates contractual leverage to require traceability of the processing chain. Use it systematically in your negotiations.

— Jacques

Safe-doc to secure your sensitive data before AI

Contractual clauses protect on paper. Safe-doc protects in practice, even before the data reaches the provider's AI system.

https://safe-doc.ai

Safe-doc pseudonymizes sensitive documents in real time, without ever storing them. Legal and compliance professionals can use ChatGPT, Claude or any other AI tool on confidential documents, without exposing personal data or violating their contractual obligations. The solution is designed to meet GDPR and AI Act requirements, and integrates into existing workflows without changing habits. For DPOs and compliance managers, Safe-doc offers a complete pseudonymization and audit service adapted to the most demanding AI contracts.

Frequently asked questions

What is a DPA in an AI contract?

A DPA (data processing agreement) is the contract imposed by Article 28 of the GDPR between the data controller and the subcontractor. It defines instructions, security measures, audit rights and data deletion conditions.

Why prohibit the training of models in the contract?

Without this clause, the provider may use your data to improve its own models. The clause must cover raw data and all derived artifacts, including embeddings and refined models.

What deadline applies for notifying a data breach?

The processor must notify the data controller within a maximum of 24 hours after becoming aware of the violation. This deadline must be explicitly stated in the DPA.

How does the AI Act change contractual obligations?

The AI Act requires complete and up-to-date technical documentation on the model processing chain. This documentation must be contractually guaranteed by the supplier and accessible to the competent authorities upon request.

What to do if the supplier changes its conditions unilaterally?

A stability of conditions clause must provide that any modification of the general conditions or the confidentiality policy requires the prior written consent of the customer. Failing this, the customer must be able to terminate the contract without penalty within a contractually fixed period.


Article generated by BabyLoveGrowth