AI Vendor Due Diligence in Germany: Buyer Checklist

AI Vendor Due Diligence: Short Answer

German companies procuring AI tools should run vendor due diligence across four layers before signature: GDPR compliance, EU AI Act documentation, contract risk allocation, and operational safeguards such as hosting, incident handling, and auditability. A DPA under Article 28 GDPR is necessary, but it is only one part of the buyer-side review.

  • Check data protection, transfers, subprocessors, and training restrictions first.
  • Ask for AI Act role, instructions for use, and Annex III support material.
  • Review liability caps, IP terms, audit rights, and incident obligations together.
  • Document who approved the tool, for which use case, and under what limits.

AI vendor due diligence in Germany should be run across four layers before contract signature: GDPR compliance, EU AI Act documentation, contract risk allocation, and operational safeguards such as hosting, incident handling, and auditability. That is the buyer-side checklist German companies should complete before legal, procurement, or IT approve an AI supplier.

A signed Data Processing Agreement (DPA) under Article 28 GDPR is necessary, but it is not enough. It does not answer whether the vendor uses prompts for model training, whether an Annex III high-risk use case is in scope, whether the contract leaves your company with the real liability exposure, or whether the vendor can support your internal audit and incident process.

For businesses in Germany and the DACH region, the practical question is not whether AI procurement needs legal review. It is how to structure that review before the business uploads real customer, employee, or contract data.

Why AI Due Diligence Is More Than a DPA Review

Traditional software procurement often stops once the commercial terms are agreed, IT signs off on security, and legal approves the DPA. That workflow breaks down with AI vendors because AI procurement usually combines data protection, model governance, and business-process risk in one supplier relationship.

An AI vendor may:

  • process personal data and trade secrets at the same time,
  • rely on third-country infrastructure or remote support teams,
  • reserve rights to use customer inputs for model improvement,
  • produce outputs that create IP or accuracy risk,
  • support decisions about employees or customers, and
  • cap its liability at a level that does not reflect the buyer’s real downside.

That is why German buyers should review AI vendors through four legal and operational lenses at once:

  1. GDPR: role allocation, Article 28 DPA terms, Article 32 security, Article 35 DPIA triggers, and Chapter V transfer risk.
  2. EU AI Act: provider or deployer role, Annex III classification, Article 25 and 26 support duties, and Article 50 transparency issues.
  3. Contract law: liability caps, warranty disclaimers, IP indemnities, audit rights, and standard terms scrutiny under §§ 305-310 BGB.
  4. Operational governance: hosting, logging, incident response, deletion, exit planning, and approval workflows inside the company.

For the baseline privacy review, start with our GDPR AI vendor assessment checklist. For the broader intake process, our GDPR AI procurement guide is the right companion page.

Step 1: Classify the Vendor and the Use Case

Every AI vendor risk assessment should begin with classification. First classify the use case. Then classify the vendor.

The use case matters because a contract-analysis assistant used only on anonymised templates creates a different risk profile from a recruiting tool, customer chatbot, or internal copilot connected to HR and CRM data. The same vendor can look low-risk in one department and high-risk in another.

The vendor’s role matters too. Under GDPR, the vendor may be a processor, controller, or in some cases a joint controller. Under the EU AI Act, the same company could be a provider, general-purpose AI model provider, importer, distributor, or a supplier whose tool is used by you as deployer.

Ask these questions first:

  1. What business process will use the tool?
  2. What categories of data can users enter?
  3. Does the tool affect employees, candidates, customers, or regulated decisions?
  4. Does the vendor process data only on instructions, or also for its own purposes?
  5. Could the deployment fall into an Annex III high-risk context such as employment, credit, education, or access to essential services?

If the vendor cannot give a clear answer on role allocation, that is itself a diligence finding. It usually means the buyer needs a deeper review before procurement proceeds.

Step 2: Check GDPR and Transfer Risk

The second layer of AI supplier due diligence is the GDPR package. This is where many teams focus only on the DPA and miss the surrounding issues that matter just as much in practice.

At minimum, the buyer should verify:

  • whether a valid Article 28 GDPR DPA is available,
  • whether customer data is used only on documented instructions,
  • where data is stored and from where support access occurs,
  • whether Standard Contractual Clauses (SCCs) or another Chapter V mechanism cover non-EEA processing,
  • which subprocessors are involved,
  • what deletion and retention settings apply, and
  • whether prompts, files, telemetry, or outputs are used for training or service improvement.

This is also where buyers should check whether a Data Protection Impact Assessment (DPIA) under Article 35 GDPR may be required. Employee tools, profiling functions, systematic monitoring, and sensitive data processing should all raise the threshold for review.

For German companies, the employment angle matters early. If the tool is used in recruiting, performance scoring, shift planning, or workplace analytics, procurement should involve HR and consider works-council implications under Section 87(1) no. 6 BetrVG before pilot access is granted.

Step 3: Check EU AI Act Documentation and Deployer Support

As of May 21, 2026, the EU AI Act is already part of real-world procurement. The regulation entered into force on August 1, 2024. Prohibited-practice rules began applying on February 2, 2025. Rules for general-purpose AI and governance started applying on August 2, 2025. The general application date for most remaining obligations is August 2, 2026, with some later dates for certain product-regulated systems.

That timing means buyers should already ask for AI Act support materials before signing, especially where the deployment is customer-facing, employee-facing, or business-critical.

Ask the vendor for:

  • its AI Act role and whether it embeds or supplies a GPAI model,
  • instructions for use relevant to deployers,
  • information on intended purpose and known limitations,
  • transparency support where Article 50 may apply,
  • documentation relevant to human oversight, logging, and incident handling,
  • confirmation on whether the system could be used in an Annex III high-risk setting.

For Germany, the enforcement landscape is also worth noting. The Bundesnetzagentur (BNetzA) is already publishing implementation material and preparing central market-surveillance and coordination functions for major AI Act tasks in Germany, especially where no legacy product-surveillance structure exists. Buyers should therefore assume that their documentation trail may later need to satisfy both internal governance and regulatory scrutiny.

If AI Act readiness is still missing on the vendor side, review our EU AI Act August 2026 deadline checklist before moving the tool forward internally.

Step 4: Check Contract and Liability Terms

The fourth layer is the contract package. This is where many AI due diligence reviews fail, because procurement accepts standard software terms for a tool that creates non-standard legal risk.

Review at least the following clauses together:

  • ownership of inputs, outputs, feedback, and fine-tuning data,
  • confidentiality and trade-secret protection,
  • restrictions on training or product-improvement use,
  • audit rights and substitutes such as SOC 2 or ISO 27001 evidence,
  • service levels, support commitments, and incident notification timing,
  • IP indemnities for the product and, where relevant, output-related claims,
  • liability caps, exclusions, and carve-outs for data breaches or confidentiality violations,
  • exit rights, deletion confirmation, and export support.

Under German law, standard-form clauses may also need scrutiny under AGB control. Buyers should not assume that a broad disclaimer is automatically enforceable simply because the clause is common in US SaaS contracting.

The practical test is simple: if the vendor’s contract leaves your company carrying nearly all regulatory, business-interruption, and third-party claim risk, the legal review is not finished.

Step 5: Check Operational Diligence

Operational diligence is what turns a legal review into a working approval process. Even where the GDPR and contract package look acceptable, buyers still need to decide whether the tool can be operated safely inside the company.

Operational diligence should cover:

  • approved and prohibited data categories,
  • admin settings such as training opt-outs and retention controls,
  • logging and auditability,
  • incident escalation and internal owner mapping,
  • vendor stability, subcontractor dependency, and fallback planning,
  • offboarding, deletion, and data portability.

This point matters because many AI tools scale from a small pilot to a business-critical workflow within weeks. If the vendor loses a model dependency, changes its terms, or restructures its data-handling setup, the buyer needs a documented path for reassessment.

For employee-facing tools, this governance layer should be coordinated with our guidance on AI employee monitoring in Germany and similar HR-specific assessments.

AI Vendor Due Diligence Checklist for German Enterprises

Use this checklist before approving an AI supplier:

  1. Define the use case. Record the business owner, data categories, integrations, and expected outputs.
  2. Classify the legal roles. Determine whether the vendor is processor, controller, or joint controller under GDPR and what role it has under the AI Act.
  3. Request the privacy package. Collect the DPA, subprocessor list, SCCs or other transfer mechanism, retention terms, and security documentation.
  4. Check training restrictions. Confirm whether prompts, files, outputs, and telemetry are excluded from model training and product improvement.
  5. Screen for DPIA and labor-law risk. Escalate tools affecting employees, profiling, monitoring, or significant decisions.
  6. Request AI Act support materials. Ask for instructions for use, intended-purpose limits, high-risk indicators, and deployer-relevant documentation.
  7. Review the commercial contract. Compare liability caps, IP indemnities, audit rights, and incident obligations with the real business exposure.
  8. Approve only with usage limits. Define what data may be entered, which departments may use the tool, and which settings must remain enabled.
  9. Document the decision. Keep a written record for legal, procurement, security, and where relevant the works council.

Frequently Asked Questions

What is AI vendor due diligence in Germany?

AI vendor due diligence in Germany is the buyer-side legal and operational review a company should complete before signing with or deploying an AI supplier. It covers GDPR, international transfers, AI Act documentation, contract risk allocation, and governance measures such as logging, incident response, and deletion controls.

How does AI vendor due diligence differ from a DPA review?

A DPA review checks only the processor contract required by Article 28 GDPR. Full AI vendor due diligence also asks whether the vendor uses data for model training, how AI Act deployer obligations are supported, how outputs and IP are treated, what liability cap applies, and whether the tool is operationally suitable for the intended use case.

Do I need AI Act questions even if the tool is not obviously high-risk?

Yes. Many systems are not sold as high-risk products, but can still create deployer obligations, transparency duties, or Annex III concerns depending on the business context. Buyers should therefore ask for intended-purpose limits, instructions for use, and deployer support even where the vendor claims the tool is low risk.

What should German companies do before a pilot with real data?

Before a pilot, the company should classify the use case, verify the vendor role, review the DPA and transfer setup, check training restrictions, assess DPIA and labor-law triggers, and define usage limits. A “test first, legal later” workflow is especially risky once real employee, customer, or contract data enters the system.

Need Help Reviewing an AI Supplier?

If your team is buying AI for legal, HR, support, product, or internal knowledge work, the right time for AI vendor due diligence is before signature and before the first real-data pilot. Compound Law supports German companies with AI procurement review, DPA negotiation, AI Act contract analysis, and governance design for compliant rollouts.

This article provides general legal information only and does not replace advice on a specific procurement or deployment decision.
