AI Providers with DPA, SCCs and TIA
Using OpenAI without a DPA is an international transfer with no legal basis.
Framework / standard: GDPR Ch. V + Art. 28 · EU AI Act Art. 25 · ISO/IEC 42001 A.10
Enabling auto-descriptions with OpenAI sounds harmless. Legally, it means sending data to a sub-processor, possibly outside the EU. Do you have the DPA signed? The SCCs? The TIA?
Linedat models every AI provider as a versioned entity, with its chain of responsibility and the status of its legal documentation.
The controller → processor → sub-processor chain
Each provider records its type, jurisdiction, transfer mechanism (SCCs, adequacy, BCR), DPA and SCCs signing dates, the TIA outcome (post-Schrems II) and its sub-processors. Before enabling an AI feature, you can demonstrate that the legal basis for the transfer is in place.
Versioning and renewal
The DPA/SCCs/TIA status is versioned, with history, and the renewal date is flagged. You move from "I think so, it's somewhere" to "here it is, version 3, signed on 12/03".
The limits (what we do not claim)
Moving a provider to "active" requires a registered DPA, but the TIA and sub-processors are declarative (manual entry, not a questionnaire or a verification of what the provider actually declares). The runtime gate that would block use of a non-permitted provider does not yet exist: it is documentary and audited control, not a live block.
How Linedat helps
Linedat puts AI vendor risk inside the catalogue, not on a separate sheet: before your AI talks to a third party, you already know whether that party has its paperwork in order — and so do its sub-processors.
Related capabilities
Before a national ID or an IBAN leaves for OpenAI, it is redacted — in the critical path, not as an option.
AI System Inventory by Risk ClassThe AI Act audits systems, not API calls. Every AI system inventoried with its risk class.
Data Subject Rights (DSR) with Legal ClockCitizen rights are not managed by email: with the Art. 12 clock and data location via the RoPA.
