Glossary
The compliance terms behind AI tool risk
Every term the AI Tool Risk Directory checks, defined in one plain sentence, then explained. Written for a team that has to make a call, not pass an exam.
AI vendor risk assessment
An AI vendor risk assessment is the structured process of checking an AI tool's data handling, certifications and contract terms before it touches company or customer data, plus the written record a reviewer can point to later.
Data residency
Data residency is where an AI vendor actually stores and processes your data, meaning which country or region and under which legal jurisdiction, as distinct from where the vendor is headquartered.
GDPR Data Processing Agreement (DPA)
A GDPR Data Processing Agreement (DPA) is the contract GDPR requires between a data controller (you) and a data processor (the AI vendor) before the vendor may process personal data of EU or UK individuals on your behalf.
HIPAA Business Associate Agreement (BAA)
A HIPAA Business Associate Agreement (BAA) is a contract required under HIPAA before any vendor may receive, process or store Protected Health Information (PHI) on a covered entity's behalf; with no signed BAA, no PHI may go into that tool.
ISO 27001
ISO 27001 is an internationally recognised certification confirming that a company runs a formal information security management system (ISMS), an ongoing programme rather than a one-time checklist.
Model training on your data
Model training on your data is whether an AI vendor uses the content you submit, meaning prompts, uploads and generated outputs, to train or fine-tune its models for other users, as opposed to keeping it isolated to your own session.
Shadow AI
Shadow AI is AI tools that employees adopt on their own, such as a personal ChatGPT account, a browser extension or a free transcription app, without IT or security ever approving or even knowing about them.
SOC 2
SOC 2 is an independent audit report, issued by an outside CPA firm rather than the vendor itself, confirming that a company's security, availability and confidentiality controls actually work as claimed over a period of time.
Subprocessor
A subprocessor is a third party an AI vendor relies on to deliver its service, such as a cloud host, a model provider or an analytics tool, that also ends up touching your data even though you never signed a contract with it directly.
Training opt-out
A training opt-out is the setting, sometimes a toggle and sometimes just a plan upgrade, that stops an AI vendor from using your prompts, uploads or conversations to train or improve its models.