
Does Your Vendor Train AI on Your Data?

March 14, 2026

As vendors embed AI into every product, compliance teams face a new question: does this vendor use my data to train AI? The answer is rarely straightforward.

EU AI Act, August 2026: transparency obligations for AI system providers and deployers take effect.

100% of top SaaS: major vendors now ship AI features, many enabled by default for all tiers.

3+ parties in every chain: your data may flow through OpenAI, Anthropic, or Google before processing completes.

Five signals to evaluate

Training Commitment
Does the vendor commit to not training AI models on your data? Watch for narrow language that excludes only "general" models.
Best: No training on customer data
Watch: "General models" exclusion, no statement

AI Providers
Which third-party models process your data — OpenAI, Anthropic, Google, Meta? Undisclosed providers mean an unassessable data chain.
Best: Named providers disclosed
Watch: AI features exist but no disclosure

Data Retention
How long do AI providers store your inputs? Zero retention is strongest. Time-limited (30 days) is common. Unstated is a red flag.
Best: Zero retention after processing
Watch: Indefinite or unstated retention

Opt-Out Mechanism
Can administrators disable AI features? Best vendors provide admin toggles. Some require email requests. Others offer no mechanism.
Best: Admin toggle disables AI org-wide
Watch: No opt-out available

Enterprise Distinction
Enterprise tiers often have stronger protections — zero retention, no training. Verify which tier applies to your contract.
Best: Separate enterprise AI terms
Watch: Same policy for all tiers

Automate AI data usage assessment

ThirdProof discovers vendor AI policies automatically — training commitments, providers, retention, and opt-out — alongside 24 other intelligence sources. No questionnaires required.


How major vendors compare

Based on public disclosures as of March 2026. Policies change — ThirdProof re-checks with every investigation.

Vendor | Training | Providers | Retention | Opt-Out
Notion | No training | Anthropic, OpenAI | Zero (enterprise) | Admin toggle
Zoom | No training (enterprise) | Anthropic, OpenAI, Perplexity | 30 days | Admin toggle
Atlassian | No training | OpenAI, Anthropic, Google | 30 days | Admin toggle
Small SaaS vendor | Not stated | Not disclosed | Unknown | None found

Where vendors publish AI policies

There is no standard location. Policies appear across dedicated trust pages, help center articles, blog posts, terms addenda, and subprocessor lists. This fragmentation is why manual discovery fails.

/trust/ai (e.g. Atlassian)
/help/ai-security (e.g. Notion)
/ai-companion (e.g. Zoom)
/legal/ai-terms (various vendors)
/privacy, as an updated privacy policy (various vendors)
/subprocessors (various vendors)

Regulatory framework mapping

Framework | Status | AI Data Relevance
EU AI Act | Aug 2026 | AI transparency, training data governance, high-risk system oversight
ISO 42001 | Active | AI management system standard — third-party AI provider governance
NIST AI RMF | Active | Govern, Map, Measure, Manage — vendor AI risk evaluation
GDPR Art. 22 | Active | Automated decision-making, data minimization, purpose limitation
HIPAA | Active | AI providers processing PHI require BAAs as business associates
SOC 2 CC9.2 | Active | Third-party risk assessment must address vendor AI data handling

How ThirdProof automates this

Stage 1: Direct URL crawling
Checks 15 common AI policy paths in parallel — /trust/ai, /security, /ai, /responsible-ai, and more. Scores each page for AI-relevance keywords.

Stage 2: Search-based discovery
If direct crawling finds nothing, a site-scoped search queries the vendor's domain for AI data policy content. Catches help articles and blog posts.

Stage 3: Signal extraction
Extracts training commitment, provider names, retention policy, opt-out mechanisms, and AI compliance references via pattern matching.
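As an added illustration of the Stage 3 extraction step applied to the five signals above (this is example code written for this page, not ThirdProof's own extractor, whose patterns are not published here), the following Python runs simple pattern matching over a constructed policy snippet and flags which signals land in the "Watch" column; the provider list, the regexes, and the sample text are all assumptions.

```python
import re

# Constructed sample of a vendor AI policy page (illustrative wording, not a real vendor's).
SAMPLE_POLICY = """
Our AI features are powered by OpenAI and Anthropic models.
We do not use customer data to train our general models.
AI providers retain prompts for 30 days for abuse monitoring.
Workspace admins can disable AI features for the entire organization.
"""
# Assumed provider list and phrase patterns; a real extractor would maintain these.
KNOWN_PROVIDERS = ["OpenAI", "Anthropic", "Google", "Meta", "Mistral", "Cohere", "AWS Bedrock"]
NO_TRAIN = r"\b(?:do not|does not|don't|will not|never)\b[^.]{0,80}?\btrain"

def extract_signals(text: str) -> dict:
    """Extract the five signals from policy text; 'watch' lists the weak ones."""
    low = " ".join(text.split()).lower()
    # 1. Training commitment: a denial scoped to "general models" is the narrow form.
    if re.search(NO_TRAIN, low):
        narrow = re.search(r"general (?:ai )?models?", low) is not None
        training = "narrow: general models only" if narrow else "no training"
    else:
        training = "not stated"
    # 2. Named AI providers (word-bounded so "meta" does not match "metadata").
    providers = [p for p in KNOWN_PROVIDERS
                 if re.search(r"\b" + re.escape(p.lower()) + r"\b", low)]
    # 3. Retention: zero is strongest, then time-limited; indefinite/unstated are red flags.
    days = re.search(r"\b(\d+)\s*days?\b", low)
    if re.search(r"zero[- ](?:data[- ])?retention|deleted immediately", low):
        retention = "zero"
    elif days:
        retention = f"{days.group(1)} days"
    else:
        retention = "indefinite" if "indefinite" in low else "unstated"
    # 4. Opt-out mechanism: admin toggle beats email request; none is a finding.
    if re.search(r"admin\w*[^.]{0,60}\b(?:disable|turn off|toggle)", low):
        opt_out = "admin toggle"
    elif re.search(r"(?:email|contact)[^.]{0,60}\b(?:request|opt[- ]out)", low):
        opt_out = "email request"
    else:
        opt_out = "none found"
    # 5. Enterprise distinction: are separate enterprise terms mentioned at all?
    enterprise = re.search(r"enterprise (?:tier|plan|customers?|terms)", low) is not None
    checks = [("training", training != "no training"), ("providers", not providers),
              ("retention", retention in ("indefinite", "unstated")),
              ("opt_out", opt_out == "none found"), ("enterprise", not enterprise)]
    return {"training": training, "providers": providers, "retention": retention,
            "opt_out": opt_out, "enterprise_terms": enterprise,
            "watch": [name for name, weak in checks if weak]}
```

On the sample text the "do not ... train" sentence is caught as the narrow general-models form, which is exactly the wording the Training Commitment signal warns about.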

Runs alongside 23 other intelligence sources in every investigation — no additional effort.

Frequently asked questions

Does my vendor use my data to train AI?
It depends on the vendor and your subscription tier. Major enterprise vendors like Notion, Zoom, and Atlassian explicitly commit to not training on customer data (especially for enterprise tiers). Many smaller vendors have no published policy. ThirdProof automatically discovers and extracts each vendor's AI training commitment as part of its investigation process.

Which AI providers process my vendor's data?
Common third-party AI providers include OpenAI, Anthropic, Google (Gemini/Vertex AI), Meta (Llama), Mistral, Cohere, and AWS Bedrock. The specific provider depends on the vendor. Best-practice vendors disclose their providers on trust or security pages. ThirdProof extracts provider names automatically during vendor investigations.

What is zero data retention for AI?
Zero data retention means the AI provider deletes your data immediately after processing — no inputs, outputs, or intermediate data are stored. This is the strongest retention posture. Time-limited retention (e.g., 30 days for abuse monitoring) is common. Indefinite retention or unstated retention policies represent the highest risk.

How do I opt out of vendor AI features?
Opt-out mechanisms vary by vendor: admin-level toggles (best), email requests to the vendor's privacy team, or contract-level negotiations. Some vendors provide no opt-out mechanism. If your data classification requires opting out of AI processing and the vendor offers no mechanism, this is a material finding for your risk assessment.

Is vendor AI data usage a HIPAA concern?
Yes. If a vendor's AI features process Protected Health Information (PHI), the vendor's AI providers (e.g., OpenAI, Anthropic) become business associates under HIPAA and require Business Associate Agreements (BAAs). A vendor processing PHI through a third-party AI provider without a BAA is a HIPAA violation regardless of the vendor's own BAA status with your organization.

Put this into practice

Investigate any vendor across 24 intelligence sources — including AI data usage — in under 2 minutes.
