Battleground 5

Security: ZDR, Sub-Processors & AI-Specific Controls

Standard SaaS security frameworks assume the perimeter is the boundary. SOC 2 Type II and ISO 27001 cover infrastructure, access controls, and operational security. They do not cover whether the LLM provider retains prompts, whether your retrieval index is tenant-isolated, or whether model outputs can leak training data.

Enterprise deals stall when the vendor's Security Addendum is silent on AI-specific attack vectors — prompt injection, model inversion, and data poisoning — and the buyer's security team refuses to sign off. An AI Security Schedule must address five components that traditional security frameworks do not reach.

First: Zero Data Retention verification. The contract must require that all third-party AI providers operate under ZDR terms, backed by evidence — not a trust center link. The vendor must ensure model inference providers prohibit retention of Customer Data after inference completion, prohibit use of Customer Data for model training or improvement, and require deletion within 30 days of processing. Upon request, the vendor must provide written evidence including contractual excerpts or third-party audit reports. The trust center page is the floor. Contractual verification is the ceiling.

Second: Sub-processor disclosure. The DPA sub-processor list must include AI providers and distinguish between infrastructure and model providers. The vendor must maintain a list of all sub-processors, including model inference providers and embedding service providers, and provide at least 14 days' prior notice before engaging a new model inference provider. A website update is not prior notice. The buyer needs a contractual right to object on reasonable data protection grounds — and an exit right if the objection cannot be resolved.

Third: AI-specific controls. The Security Schedule must address prompt injection defenses, output monitoring, data leakage prevention, and adversarial testing. Many vendors prohibit customers from conducting vulnerability assessments on AI features. The enterprise counter requires the vendor to implement prompt injection and jailbreak defenses, monitor outputs for toxicity, bias, and data leakage, conduct annual adversarial testing, and permit the customer to conduct security assessments on 30 days' notice, subject to reasonable scope limitations. A vendor that refuses to disclose testing rights is a red flag.

Fourth: Forensic investigation. Standard incident response covers unauthorized access. AI incidents are different: harmful outputs, training data leakage, and prompt manipulation do not require a traditional breach. In the event of an AI Security Incident — defined as any unauthorized access, manipulation, or unintended behavior resulting in disclosure, corruption, or misuse of Customer Data — the vendor must engage an independent forensic investigator at its expense and provide results within 30 days.

Fifth: Governance framework alignment. NIST AI RMF 1.0 and ISO/IEC 42001 are voluntary, but the market is treating them as de facto diligence standards. The vendor must maintain an AI risk management program aligned with one of these frameworks and provide the customer with a summary of its most recent assessment upon request. If a vendor cannot articulate how its system maps to one of these frameworks, the deal stalls.

Vendor View

"We have SOC 2 and ISO 27001. Our security program is audited annually. We cannot give you direct audit rights over our LLM providers — those relationships are commercially sensitive. We will share our SOC 2 report and an AI security summary. Forensic investigation for AI incidents we can agree to — at our cost if the incident is our fault, at yours if external."

Buyer View

"Your SOC 2 report does not tell me whether your model provider has zero retention. I need contractual verification of ZDR for every sub-processor in the AI supply chain. If there is an AI security incident, I need a forensic investigation by an independent specialist at your cost. And I need your governance aligned with NIST or ISO 42001 — not a policy statement, a program with documented controls."

Red Flags

  • Vendor refuses to disclose which LLM providers process customer data
  • Vendor prohibits penetration testing or adversarial testing of AI features entirely
  • SOC 2 report offered as the complete security answer with nothing AI-specific
  • Terms allow customer data for 'model improvement' — deliberate risk transfer, not an oversight
  • No forensic investigation commitment for AI-specific incidents (harmful outputs, training data leakage, prompt manipulation)
  • No sub-processor list covering model inference providers separately from infrastructure providers

Sample Clause (Illustrative)

"Provider shall ensure that all General-Purpose AI Model Providers process Customer Data under terms that: (a) prohibit retention of Customer Data after inference completion, (b) prohibit use of Customer Data for model training, fine-tuning, validation, or improvement, and (c) require deletion of all Customer Data from the provider's systems within 30 days of processing. Provider shall, upon Customer's request, provide written evidence of such terms, including relevant contractual excerpts or third-party audit reports. Provider shall maintain a list of all sub-processors, including model inference providers and embedding service providers, and shall provide Customer with at least 14 days' prior notice before engaging a new model inference provider. Customer shall have the right to object on reasonable data protection grounds, and if the objection cannot be resolved, Customer may terminate the affected Service Order without penalty. Provider shall: (i) implement prompt injection and jailbreak defenses, (ii) monitor AI Feature outputs for toxicity, bias, and data leakage, (iii) conduct annual adversarial testing of the AI Features, and (iv) maintain an AI risk management program aligned with NIST AI RMF 1.0 or ISO/IEC 42001 and provide Customer with a summary of its most recent assessment upon request."

This clause bridges the gap between traditional security frameworks (SOC 2, ISO 27001) and AI-specific attack surfaces. The ZDR verification clause requires the vendor to produce evidence — not a trust center link — that its model providers retain no customer data. The sub-processor clause treats model inference providers as a distinct category with specific disclosure and objection rights. The AI-specific controls clause addresses attack surfaces that SOC 2 does not reach: prompt injection, output monitoring, and adversarial testing. The governance alignment requirement creates a diligence benchmark that the buyer can verify and report to its own stakeholders.

Illustrative only. Clause language requires adaptation to your jurisdiction, deal context, and risk profile. Not legal advice.

Drawn from the Enterprise AI MSA Playbook (June 2026) by Laith Sarhan, Sarhan Data Law. Educational content only — not legal advice.