Vendor Model Risk Assessment
Project: Pickles GmbH — AI Governance Framework
Stage: Stage 3 — Regulatory Alignment
Status: Draft
Version: v1
Date: 2026-02-26
Assumptions: Built on outline assumptions — not verified against real Pickles GmbH data
Purpose
This document provides a framework for assessing and managing the risks associated with third-party AI model providers used by Pickles GmbH. It covers:
- Data processing agreement (DPA) requirements under GDPR Article 28
- Attorney-client confidentiality requirements under §43e BRAO (as mediated through Pickles GmbH's service to lawyer clients)
- Sub-processor selection criteria and due diligence checklist
- International data transfer risk and Standard Contractual Clauses (SCCs)
- Security review checklist
- Model update monitoring requirements
[ASSUMPTION A-004] This document is premised on the assumption that Pickles GmbH uses at least one third-party AI model provider whose API receives data that may include personal data from lawyer client queries. If Pickles GmbH runs all AI inference in-house with no external model API calls, sections relating to third-party providers are not applicable — but the document should be updated to confirm this.
[LEGAL REVIEW REQUIRED] The contractual and regulatory obligations described in this document require legal review before implementation. DPAs and SCCs are legal instruments — their execution must be overseen by a qualified legal practitioner.
1. Regulatory Basis
| Instrument | Provision | Topic |
|---|---|---|
| GDPR | Article 28 | Processor / sub-processor obligations |
| GDPR | Articles 44, 46 | International data transfers and appropriate safeguards |
| GDPR | Article 32 | Security of processing |
| BDSG | Section 64 | Security requirements — automated processing |
| BRAO | §43e | IT outsourcing and attorney-client confidentiality |
| EU AI Act | Article 25(4) | Written agreements along the AI value chain |
| EU AI Act | Article 15 | Accuracy, robustness, and cybersecurity of high-risk AI |
| BRAK AI Position Paper | Section 3.2 | §43e BRAO obligations for AI providers |
2. Third-Party Model Provider Risk Profile
2.1 Risk Context
Third-party AI model providers occupy a uniquely sensitive position in the Pickles GmbH data flow for three independent reasons:
Reason 1 — GDPR sub-processor risk: Queries submitted to a model API may contain personal data of the lawyer client's own clients (natural persons whose legal matters are being analysed). These data subjects have no direct relationship with Pickles GmbH or the model provider. If the model provider retains, logs, or uses this data for training without authorisation, Pickles GmbH and its lawyer clients face GDPR liability.
Reason 2 — §43e BRAO attorney-client confidentiality risk: The BRAK AI Position Paper (Section 3.2) confirms that passing client secrets to a model provider, even if the provider does not actually read the information, constitutes a potential disclosure under §203(1)(3) StGB (breach of professional secrecy). The mere opportunity for access is sufficient. Pickles GmbH therefore bears a duty to ensure that any model provider receiving data from lawyer queries has contractual confidentiality obligations meeting §43e BRAO standards.
Reason 3 — EU AI Act value chain obligations: EU AI Act Article 25(4) requires that where a third party supplies an AI system, tools, or services integrated into a high-risk AI system, the provider and third party must have a written agreement specifying the information, capabilities, and technical access necessary for the provider to comply with EU AI Act obligations.
This obligation applies explicitly to SYS-04 (high-risk) and creates a separate contractual requirement alongside GDPR Article 28 DPA obligations.
3. Sub-Processor Criteria and Due Diligence
3.1 Minimum Selection Criteria
Before any third-party AI model provider is approved for use with Pickles GmbH's platform, the following minimum criteria must be satisfied:
| # | Criterion | Basis | Status |
|---|---|---|---|
| C-01 | Provider will execute a GDPR Article 28-compliant Data Processing Agreement | GDPR Article 28(1) | ☐ Not confirmed [ASSUMPTION] |
| C-02 | Provider's DPA includes a prohibition on using client data for model training or improvement without explicit authorisation | GDPR Article 28(3)(a); R9 from L2-5.2 | ☐ Not confirmed [ASSUMPTION] |
| C-03 | Provider will execute §43e BRAO-compliant service agreement including: (1) confidentiality obligation with criminal consequences, (2) purpose limitation, (3) termination obligation if confidentiality cannot be guaranteed | §43e(2)(3) BRAO | ☐ Not confirmed [ASSUMPTION] |
| C-04 | Provider operates data processing infrastructure within the EEA, OR will execute EU Standard Contractual Clauses (SCCs) for non-EEA transfers | GDPR Article 46; BRAK §43e(4) BRAO | ☐ Not confirmed [ASSUMPTION] |
| C-05 | Provider maintains appropriate technical and organisational security measures (Article 32 compliant) | GDPR Article 32; BDSG §64 | ☐ Not confirmed [ASSUMPTION] |
| C-06 | Provider will not engage further sub-processors handling Pickles GmbH/client data without Pickles GmbH's prior written authorisation | GDPR Article 28(2) | ☐ Not confirmed [ASSUMPTION] |
| C-07 | Provider cooperates with audits and inspections by Pickles GmbH or its mandated auditor | GDPR Article 28(3)(h) | ☐ Not confirmed [ASSUMPTION] |
| C-08 | Provider returns or deletes all client data upon termination of the service relationship | GDPR Article 28(3)(g) | ☐ Not confirmed [ASSUMPTION] |
| C-09 | Provider notifies Pickles GmbH without undue delay of any personal data breach | GDPR Article 33(2); BDSG §65(2) | ☐ Not confirmed [ASSUMPTION] |
| C-10 | For high-risk AI model providers: Provider supplies technical information required under EU AI Act Article 25(4) | EU AI Act Article 25(4) | ☐ Not confirmed [ASSUMPTION] |
3.2 Preferred Provider Characteristics
The following are preferred (not minimum) criteria:
| # | Preference | Basis |
|---|---|---|
| P-01 | Infrastructure located in Germany or EU — preferred over non-EU equivalents | BRAK §43e(4) BRAO; BRAK AI Position Paper Section 3.2 |
| P-02 | ISO/IEC 27001 certified for information security | GDPR Article 32; best practice |
| P-03 | ISO/IEC 42001 certified or in process | EU AI Act Article 15; best practice |
| P-04 | EU AI Act compliance commitments — published or contractually provided | EU AI Act Article 25 |
| P-05 | Clear, public model card / model documentation available | Traceability; EU AI Act Article 25(4) |
| P-06 | Promptly communicates model updates, capability changes, and version deprecations | L3-6.3 Model Change Management Protocol |
4. Data Processing Agreement — Required Content
4.1 GDPR Article 28(3) Mandatory DPA Terms
Every DPA executed with a third-party AI model provider must include the following terms, per GDPR Article 28(3):
| # | Required Term | Article 28(3) Paragraph |
|---|---|---|
| DPA-01 | Processor processes personal data only on documented instructions from Pickles GmbH | 28(3)(a) |
| DPA-02 | Persons authorised to process data have committed to confidentiality | 28(3)(b) |
| DPA-03 | Processor takes all measures required pursuant to Article 32 (security) | 28(3)(c) |
| DPA-04 | Processor respects conditions for engaging sub-processors | 28(3)(d) |
| DPA-05 | Processor assists Pickles GmbH in responding to data subject rights requests | 28(3)(e) |
| DPA-06 | Processor assists with Articles 32–36 obligations (security, breach notification, DPIA) | 28(3)(f) |
| DPA-07 | At Pickles GmbH's choice: deletes or returns all data after service end; deletes copies | 28(3)(g) |
| DPA-08 | Processor makes available all information to demonstrate compliance; allows audits | 28(3)(h) |
| DPA-09 | Processor immediately informs Pickles GmbH if an instruction infringes GDPR | 28(3)(h) final subparagraph |
4.2 Additional DPA Terms — Legal AI Context
Beyond the GDPR Article 28 minimum, the following additional terms must be included given the legal AI context:
| # | Additional Term | Basis |
|---|---|---|
| ADD-01 | No-training guarantee: Explicit prohibition on using any client data, query content, or output data for model training, fine-tuning, improvement, or any secondary purpose beyond service delivery | GDPR Article 28(3)(a); L2-5.2 Risk R9 |
| ADD-02 | Confidentiality obligation with criminal consequences: Written acknowledgment of confidentiality obligation with explicit reference to criminal liability under §203(1)(3) StGB | §43e(3)(1) BRAO |
| ADD-03 | Purpose limitation in knowledge acquisition: Limitation on the scope of access to client information strictly to what is necessary for service delivery ("need-to-know" principle) | §43e(3)(2) BRAO; BRAK Section 3.2 |
| ADD-04 | Termination obligation: Obligation to terminate the relationship immediately if the confidentiality guarantee can no longer be maintained | §43e(2) sentence 2 BRAO |
| ADD-05 | AI-specific processing controls: No persistent storage of query content beyond what is technically necessary for inference (session-scoped only); specific retention deletion requirements | L2-5.2 Controls; GDPR Article 5(1)(e) |
| ADD-06 | Model update notification: Provider must notify Pickles GmbH before deploying material model updates affecting output quality, accuracy, or safety behaviour | EU AI Act Article 25(4); L3-6.3 |
| ADD-07 | Audit and testing access: Pickles GmbH has the right to conduct or commission security assessments | GDPR Article 28(3)(h) |
| ADD-08 | EU AI Act Article 25(4) information: Provider must supply technical documentation, model performance information, and AI-related information sufficient for Pickles GmbH to comply with EU AI Act obligations for high-risk systems | EU AI Act Article 25(4) |
4.3 DPA Execution Requirements
| Requirement | Basis |
|---|---|
| DPA must be in writing, including electronic form | GDPR Article 28(9) |
| §43e BRAO service agreement must be in text form (at minimum) | §43e(2) BRAO |
| DPA must be executed before any client data is transmitted to the model provider | GDPR Article 28(1) |
| DPA cannot be based on standard terms that conflict with Article 28(3) requirements | GDPR Article 28 |
| Commission Standard Contractual Clauses (SCCs) may be used as a basis where applicable | GDPR Article 28(6)(7) |
5. International Data Transfer Risk Assessment
5.1 Transfer Risk by Provider Location
[ASSUMPTION A-004] The location of Pickles GmbH's third-party model provider is unknown. The following risk assessment applies by provider location:
| Provider Location | GDPR Transfer Mechanism | §43e(4) BRAO Assessment | Risk Level |
|---|---|---|---|
| Germany | No cross-border transfer; GDPR applies | German confidentiality law fully applicable | Lowest — Preferred per BRAK guidance |
| EU/EEA (non-Germany) | No Chapter V mechanism required; GDPR applies | Comparable confidentiality protection | Low |
| UK | Adequacy decision (UK GDPR Adequacy Decision, June 2021) — review ongoing | Adequate confidentiality framework | Low-Medium — monitor adequacy decision status |
| USA (Data Privacy Framework participants) | EU-US Data Privacy Framework (adequacy decision July 2023) | Comparable protection uncertain for legal confidentiality | Medium — TIA still recommended; §43e(4) assessment required |
| USA (non-DPF) | SCCs required (Commission Decision 2021/914) + TIA | Comparable protection uncertain | High — TIA + SCCs required; consider alternative providers |
| Other third countries (no adequacy) | SCCs + TIA required; possible derogations under Article 49 | §43e(4) requires special protective measures | Very High — legal review required before use |
5.2 Transfer Impact Assessment (TIA) Requirement
Where Pickles GmbH uses a non-EEA model provider, it must conduct a Transfer Impact Assessment per EDPB Recommendations 01/2020. The TIA must:
- Assess the legal framework of the destination country — whether laws permit government access to transferred data in ways incompatible with GDPR
- Evaluate whether SCCs are effective in the destination country given the legal context
- Identify whether supplementary measures are needed (technical, contractual, or organisational)
- Document the assessment and the conclusion
[LEGAL REVIEW REQUIRED] A TIA for major AI model provider jurisdictions (particularly the USA) requires specialist legal input. Pickles GmbH cannot conduct a TIA without a qualified data protection practitioner familiar with international transfer law.
5.3 SCC Module Selection
If SCCs are required, the correct module from Commission Decision 2021/914 must be selected:
| Transfer Scenario | SCC Module |
|---|---|
| Pickles GmbH (controller) → model provider (processor) — for user account data | Module 2: Controller to Processor |
| Pickles GmbH (processor for lawyer clients) → model provider (sub-processor) — for client query data | Module 3: Processor to Processor |
[LEGAL REVIEW REQUIRED] The correct module depends on the confirmed controller/processor analysis per L2-5.1 Section 2.
6. Security Review Checklist
This checklist must be completed for each third-party AI model provider before initial approval and reviewed annually (or when the provider reports material security changes).
6.1 Technical Security
| # | Control Area | Question | Status |
|---|---|---|---|
| SEC-01 | Encryption in transit | Does the provider use TLS 1.3+ for all API communications? | ☐ [ASSUMPTION — to verify] |
| SEC-02 | Encryption at rest | Does the provider encrypt data at rest using AES-256 or equivalent? | ☐ [ASSUMPTION — to verify] |
| SEC-03 | Data isolation | Are Pickles GmbH's queries isolated from other customers' data at inference time? | ☐ [ASSUMPTION — to verify] |
| SEC-04 | No data logging by default | Does the provider's API default to no logging of query content? | ☐ Critical [ASSUMPTION — to verify] |
| SEC-05 | Data deletion | Can the provider confirm deletion of all session data within a defined short period? | ☐ Critical [ASSUMPTION — to verify] |
| SEC-06 | Access controls | Does the provider implement role-based access and audit logging for staff access to system components? | ☐ [ASSUMPTION — to verify] |
| SEC-07 | Adversarial input defences | Has the provider published information about defence against prompt injection, data poisoning, and model evasion? | ☐ [ASSUMPTION — to verify] |
| SEC-08 | Penetration testing | Does the provider conduct regular third-party penetration testing and make results available? | ☐ [ASSUMPTION — to verify] |
| SEC-09 | Incident response | Does the provider have a documented incident response procedure with a notification commitment of less than 72 hours? | ☐ [ASSUMPTION — to verify] |
| SEC-10 | Data residency | Can the provider confirm EU data residency for processing and storage? | ☐ [ASSUMPTION — to verify] |
6.2 Compliance and Certification
| # | Area | Question | Status |
|---|---|---|---|
| COMP-01 | ISO/IEC 27001 | Is the provider ISO/IEC 27001 certified? Provide certificate. | ☐ [ASSUMPTION — to verify] |
| COMP-02 | ISO/IEC 42001 | Has the provider adopted ISO/IEC 42001 or an equivalent AI management framework? | ☐ [ASSUMPTION — to verify] |
| COMP-03 | EU AI Act | Has the provider published EU AI Act compliance commitments relevant to their models? | ☐ [ASSUMPTION — to verify] |
| COMP-04 | GDPR DPA | Does the provider offer a GDPR-compliant DPA including Article 28(3) terms and no-training guarantee? | ☐ Critical [ASSUMPTION — to verify] |
| COMP-05 | Supervisory authority investigations | Is the provider currently under investigation by a data protection supervisory authority? | ☐ [ASSUMPTION — to verify] |
| COMP-06 | Sub-processors | Does the provider maintain and publish a current sub-processor list? | ☐ [ASSUMPTION — to verify] |
6.3 Model Transparency
| # | Area | Question | Status |
|---|---|---|---|
| MOD-01 | Model card | Has the provider published a model card or equivalent documentation for the model used? | ☐ [ASSUMPTION — to verify] |
| MOD-02 | Training data | Has the provider disclosed the general nature of training data and data governance practices? | ☐ [ASSUMPTION — to verify] |
| MOD-03 | Performance benchmarks | Has the provider published performance benchmarks relevant to legal text tasks? | ☐ [ASSUMPTION — to verify] |
| MOD-04 | Known limitations | Has the provider disclosed known limitations and failure modes? | ☐ [ASSUMPTION — to verify] |
| MOD-05 | Hallucination rate | Has the provider published hallucination rate data or guidance? | ☐ [ASSUMPTION — to verify] |
| MOD-06 | Bias assessment | Has the provider published bias assessment results for the model? | ☐ [ASSUMPTION — to verify] |
7. Model Update Monitoring
7.1 Why Model Updates Are High-Risk for Legal AI
Third-party AI model providers regularly update their models. For a legal AI provider like Pickles GmbH, model updates carry particular risks:
- Accuracy regression: An updated model may perform worse on legal citation accuracy or legal reasoning tasks
- Behavioural changes: Output style, length, or safety filtering may change without warning
- Capability changes: A model update could expand or restrict the model's ability to handle certain legal topics
- EU AI Act implications: Substantial changes to a third-party model that is integrated into a high-risk system (SYS-04) may require re-assessment under EU AI Act Article 6(2) and Article 17
For a full model update management protocol, see L3-6.3. This section addresses the vendor-specific monitoring obligations.
7.2 Required Contractual Commitments from Model Providers
| # | Commitment | Basis |
|---|---|---|
| MU-01 | Provider gives advance notice (minimum 30 days [ASSUMPTION]) of material model updates affecting output quality, accuracy, safety, or API behaviour | EU AI Act Article 25(4); good practice |
| MU-02 | Provider maintains version-locked API access for a defined period (e.g., 6–12 months) after a new model version is deployed | Good practice; operational continuity |
| MU-03 | Provider publishes release notes and changelog for each model update | Transparency; EU AI Act Article 25(4) |
| MU-04 | Provider cooperates with Pickles GmbH's regression testing on updated models before production deployment | Good practice; EU AI Act Article 9(6) |
| MU-05 | Provider notifies Pickles GmbH of security vulnerabilities or adversarial risk disclosures affecting the model | EU AI Act Article 15(5); GDPR Article 32 |
7.3 Pickles GmbH's Internal Model Update Response Process
When a third-party model provider announces a material update, Pickles GmbH must:
| Step | Action | Owner [ASSUMPTION] | Timing |
|---|---|---|---|
| 1 | Receive provider update notification | Head of Engineering [ASSUMPTION] | Before update deployment |
| 2 | Assess whether update constitutes a material change under L3-6.3 criteria | Head of Product + Engineering [ASSUMPTION] | Within 5 business days of notification |
| 3 | Conduct regression testing on benchmark legal query suite | Head of Engineering [ASSUMPTION] | Before production deployment |
| 4 | Assess EU AI Act implications (Article 6(2) substantial modification?) | Legal / AIRO [ASSUMPTION] | Before production deployment |
| 5 | Update Technical Documentation Pack (L2-4.2 Section 6) to record change | Head of Engineering [ASSUMPTION] | At point of deployment |
| 6 | Deploy update in staging environment; validate outputs | Head of Engineering [ASSUMPTION] | Before production deployment |
| 7 | Deploy to production with monitoring | Head of Engineering [ASSUMPTION] | After validation |
| 8 | Notify lawyer clients of material model changes affecting system behaviour [ASSUMPTION] | Client Success / Legal [ASSUMPTION] | Per client notification obligations in DPA |
Full change management process is documented in L3-6.3-Model-Change-Management-Protocol-v1.md.
8. Ongoing Vendor Management
8.1 Review Frequency
| Review Type | Frequency | Trigger |
|---|---|---|
| Security checklist review | Annual | Annually; or on notification of security incident |
| DPA compliance review | Annual | Annually; or when provider updates DPA terms |
| SCC/TIA review | Biennial or on legal framework change | Schrems II-type events; adequacy decision changes |
| Sub-processor list review | Quarterly | On provider sub-processor change notification |
| Model update assessment | Per update | On provider model update notification |
| §43e BRAO compliance review | Annual | Annually; or on legal developments in BRAK guidance |
8.2 Vendor Risk Register
For each approved third-party model provider, maintain a vendor risk register entry covering:
| Field | Content |
|---|---|
| Provider name | [PLACEHOLDER] |
| Model(s) used | [PLACEHOLDER] |
| Provider location | [PLACEHOLDER] |
| Transfer mechanism | [PLACEHOLDER — EEA / SCC Module 2 / SCC Module 3 / DPF] |
| DPA executed date | [PLACEHOLDER] |
| §43e BRAO agreement executed date | [PLACEHOLDER] |
| SCCs executed date (if applicable) | [PLACEHOLDER] |
| TIA conducted date (if applicable) | [PLACEHOLDER] |
| ISO 27001 certificate number | [PLACEHOLDER] |
| Last security review date | [PLACEHOLDER] |
| Next review due | [PLACEHOLDER] |
| Current risk level | [PLACEHOLDER — Low / Medium / High] |
| Open issues | [PLACEHOLDER] |
9. Provider Non-Compliance Response
If a third-party model provider fails to meet minimum criteria (Section 3.1), or is found to be in breach of DPA terms:
| Severity | Response |
|---|---|
| Critical breach (e.g., data training without consent; confidentiality breach) | Suspend API use immediately; notify lawyer clients per DPA terms; notify DPO; assess GDPR breach notification obligations; consider supervisory authority notification; engage legal counsel |
| Material non-compliance (e.g., failure to delete data; sub-processor not authorised) | Issue formal notice to provider; set cure period (maximum 30 days [ASSUMPTION]); escalate to suspension if not cured |
| Procedural non-compliance (e.g., late update notification) | Issue formal notice; document; review at next scheduled vendor assessment |
Per §43e(2) BRAO: if confidentiality cannot be guaranteed, "cooperation must be terminated immediately."
Document Control
| Field | Detail |
|---|---|
| Document ID | L2-5.3 |
| Applies to | All third-party AI model providers used by Pickles GmbH [ASSUMPTION A-004] |
| Next review | Before first model provider engagement; annually thereafter |
| Cross-references | L2-5.1 (Data Flow Map), L2-5.2 (DPIA Assessment), L3-6.3 (Model Change Management), L1-3.3 (AI Intake Approval Workflow) |
| Regulatory basis | GDPR Articles 28, 44, 46, 32; BDSG §64; §43e BRAO; EU AI Act Articles 15, 25(4) |
| Assumptions relied upon | A-003, A-004, A-005 |