# AI data processing addendum

Use this addendum during procurement, security review, and implementation planning for any AI service that processes customer, employee, regulated, confidential, or operational data. It translates legal and policy requirements into implementation questions that engineering and operations teams can verify.

## Required facts

- Data categories: inputs, outputs, retrieved documents, tool payloads, logs, eval datasets, and feedback records.
- Processing location: provider region, customer VPC, private endpoint, on-premises service, or air-gapped environment.
- Retention: default retention, customer-configurable retention, deletion mechanism, backup window, and audit evidence.
- Subprocessors: provider, model host, logging system, analytics service, support vendor, and monitoring platform.
- Customer controls: encryption, access review, training exclusion, data export, deletion request, and incident notification.

## Review gate

Do not approve production processing until each data flow has an owner, purpose, retention policy, and operational control. Any unknown data flow is a launch blocker.
