Why AI inference needs a DPA
When your application sends a prompt to an inference API, that prompt frequently contains personal data - names, emails, support tickets, medical or legal text. Under GDPR you are the controller and the inference provider is a processor acting on your instructions, and Article 28 requires that this relationship be governed by a written contract: the DPA. Without one, sending personal data to the provider has no lawful basis on the processing side, no matter how good the provider's security is.
A DPA is therefore one of the first things an enterprise or regulated buyer checks - "do you offer a signable DPA?" is a gating question in most procurement and security reviews. A provider that cannot produce a proper Article 28 DPA cannot be used for anything touching personal data, which rules it out of most serious EU deployments.
What a DPA must cover
Article 28 sets out what the agreement must contain. The processor must: process personal data only on the controller's documented instructions; ensure everyone with access is bound by confidentiality; implement appropriate technical and organizational security measures; not engage sub-processors without authorization, and flow the same obligations down to them; assist the controller with data-subject rights and breach notification; and delete or return the data at the end of the service.
The sub-processor clause is where sovereignty and the DPA meet. Every party in the chain that can touch the data - the datacenter, any managed-service or hardware vendor with access - is a sub-processor that must be named and bound. This is why transparency matters: a DPA is only as strong as the honesty of its sub-processor list, and a provider under foreign jurisdiction can still be compelled to disclose despite a signed contract.
The DPA at Infercom
Infercom offers a signable GDPR Article 28 Data Processing Agreement for enterprise customers, backed by an EU operating entity and EU processing. Our sub-processors and certifications are listed transparently in our Trust Center, including where a component - such as the hardware vendor - sits outside the EU, so you can assess the full chain rather than a badge. A DPA plus EU jurisdiction is what turns "your data stays in the EU" from a marketing line into a contract you can hold us to.
Sources
Related terms
GDPR for AI Inference
What Europe's data-protection law requires when your prompts contain personal data - a lawful basis, a processor agreement, and processing that stays within reach of EU law.
Data Residency
Where your data is physically stored and processed - a necessary part of sovereignty, but not the same as control over who can legally reach it.
Zero Data Retention (ZDR)
When an inference provider doesn't store your prompts or outputs after serving a request, and never trains on them - shrinking your data exposure to the moment of processing.
Inference
Running a trained AI model to produce outputs - the production workload of AI, and the one whose cost and speed compound with usage.
See how EU jurisdiction, data residency, and a signable DPA come together on our EU sovereign AI platform - control you can hold us to, not a badge.