Every AI vendor's website carries the phrase "GDPR-compliant." The compliance team's job is to verify the claim before the contract is signed, not after the supervisory authority sends a Section 58 information request. The vendors who fail audit usually fail on architecture, not policy — and that distinction is the whole point of this checklist.
Where AI vendors actually leak data
Four mechanisms account for almost every breach finding in the AI category. Training contamination — fine-tuning runs that touch one tenant's data and leak features into model weights that other tenants then query. Log mixing — shared observability sinks where one client's prompts end up in another client's debugging dashboard. Inference leakage — KV-cache reuse and prefix sharing optimisations that look invisible until two tenants hit the same cached prefix. Backup overlap — disaster recovery snapshots that pool multiple tenants into the same encrypted blob, where the encryption key holder can see everything.
None of these are exotic. All of them have shown up in published incident reports against well-known AI vendors in the last twenty-four months.
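A toy model of the inference-leakage mechanism described above, added here as an illustration and not taken from any vendor's code. The class, function names, block size, and both prompts are constructed; a real server caches attention KV blocks, while this model only records which tenant filled each block so that cross-tenant reuse can be counted.

```python
import hashlib

# Constructed sample prompts: two tenants whose requests share an 8-token prefix.
A_PROMPT = "contract draft for Acme GmbH penalty clause is 2M EUR per breach"
B_PROMPT = "contract draft for Acme GmbH penalty clause is void under German law"

class PrefixCache:
    """Toy prompt-prefix cache; the stored value is only the tenant that filled it."""

    def __init__(self, tenant_scoped, block=4):
        self.tenant_scoped = tenant_scoped
        self.block = block             # tokens per cached block
        self.store = {}                # cache key -> tenant that computed the block
        self.cross_tenant_hits = []    # (requester, owner, tokens reused)

    def _key(self, tenant, prefix):
        # The whole difference: is the tenant identity part of the cache key?
        scope = tenant if self.tenant_scoped else ""
        material = scope + "\x00" + "\x1f".join(prefix)
        return hashlib.sha256(material.encode()).hexdigest()

    def serve(self, tenant, prompt):
        """Return how many leading tokens came from cache, then cache the rest."""
        tokens = tuple(prompt.split())
        reused, hitting = 0, True
        for end in range(self.block, len(tokens) + 1, self.block):
            key = self._key(tenant, tokens[:end])
            owner = self.store.get(key)
            if hitting and owner is not None:
                reused = end
                if owner != tenant:
                    self.cross_tenant_hits.append((tenant, owner, end))
            else:
                hitting = False
                self.store.setdefault(key, tenant)
        return reused

def run(tenant_scoped):
    """Tenant A fills the cache, then tenant B sends a prompt with the same prefix."""
    cache = PrefixCache(tenant_scoped)
    cache.serve("tenant-a", A_PROMPT)
    reused_by_b = cache.serve("tenant-b", B_PROMPT)
    return reused_by_b, cache.cross_tenant_hits

if __name__ == "__main__":
    print("shared keys:       ", run(tenant_scoped=False))
    print("tenant-scoped keys:", run(tenant_scoped=True))
```

The list of cross-tenant hits is the quantity to ask a vendor about: with shared keys it is non-empty as soon as two tenants send the same prefix, and with tenant-scoped keys it stays empty while same-tenant reuse still works.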
The seven-item checklist
1. Data residency. Ask exactly where processing and storage happen. Physically. "EU region" is not an answer — name the city and the data center operator. If the vendor cannot answer in one sentence, the answer is that they do not know.
2. Article 28 DPA. The vendor must sign as processor, with the processing location named in the agreement. Generic DPAs that reserve the right to process "in any vendor region" fail Article 28 specificity tests.
3. Article 32 security measures. Encryption at rest and in transit is table stakes. The real questions are access logging granularity, breach notification SLA, and whether the audit log is itself tamper-evident.
4. Article 44 cross-border transfers. Does any data leave the EU at any point — including for support, debugging, model improvement, or backup? If yes, what is the transfer mechanism, and is it still valid after the latest Schrems jurisprudence?
5. Training data isolation. Is your data used, in any form, to improve models that other clients then query? This is the single most common failure point. Many vendors say no in marketing and yes in the fine print.
6. Audit trail. Can you, the client, read who-touched-what-when in real time? Not a quarterly report. A live feed. If the vendor controls when you see the log, the vendor controls the narrative.
7. Right-to-erasure. How fast and how completely can a customer's data be removed — including from backups, caches, and any derived artifacts? The answer needs a number of days and a list of systems.
S.V.I.'s answers
One client equals one physical server. Frankfurt for EU clients. No shared compute, no shared storage, no shared caches. Article 28, 32, and 44 compliant DPA with Frankfurt named as the processing location. No cross-tenant training, ever — the architecture makes it impossible, not just prohibited. Client-visible audit trail running in real time. Immutable logs that the client can read but the vendor cannot rewrite. /security.html documents the technical controls in full.
Architecture beats policy
Policies can be changed. They can be misconfigured. They can be violated by a tired engineer who deploys to the wrong cluster on a Friday afternoon. Architectural isolation cannot — if your data lives on a physically separate server with no logical path to another tenant's compute, no policy mistake can leak it. "One client, one server — what it actually means" walks through why this matters at the silicon layer rather than the IAM layer.
The 9-server, 3-continent setup
S.V.I. runs nine servers across Phuket, Singapore, and Frankfurt, with six backup facilities in Bangkok, KL, Tokyo, Seoul, London, and NY. EU clients are pinned to Frankfurt. Asia clients to Phuket or Singapore. Physical separation means breach scope is bounded — a compromise of one client server does not, and cannot, expose another. /architecture.html shows the topology in detail.
Evaluating any AI vendor in 15 minutes
Ask the seven questions above. Time how long the vendor takes to answer. A vendor with strong architecture answers each in under a minute, with specifics. A vendor with weak architecture pivots to certifications — SOC 2, ISO 27001 — which are valuable but address process maturity, not multi-tenancy isolation. Red flags: vague "EU region" answers, refusal to name the data center, training-data carve-outs in the fine print, audit logs available only on request.
For enterprise companies needing turnkey deployment with these guarantees baked in, see "HandOfHands explained."
How to start
Send your draft AI vendor checklist to /contacts.html and we will answer it line by line for our own platform. If the answers hold up, we move to a DPA review. If they do not, you have saved your legal team a procurement cycle.