Monterro portfolio guidance · interactive checklist · DRAFT

GDPR step-plan — engaging an AI vendor established outside of the EU/EEA

A 10-step decision flow. Steps 1–3 run per purpose; steps 4–10 are shared. Work through them in any order.


🏢 Vendor reference · Common US AI vendors and their DPF status (verify annually)

🟢 DPF-certified (easy path)

Microsoft (Azure, Copilot, Azure OpenAI) · Google LLC (Gemini, Vertex AI) · Amazon / AWS (Bedrock) · Meta (scope-limited) · Perplexity AI

🟡 Not DPF-certified (SCC + TIA required)

OpenAI · Anthropic · xAI (Grok)

💡 Tip: Route OpenAI via Azure OpenAI, or Claude via AWS Bedrock: the host's DPF certification then applies, and you get EU-region hosting as a bonus. For non-US vendors, check first whether the country has an EU adequacy decision (e.g. UK, Switzerland, Japan), which is an even simpler route than DPF.

⚠️ DRAFT — not final. This page is a work-in-progress draft prepared by Monterro and is not intended for distribution, external sharing, or reliance in its current form. Content, structure and references are still under review and may change.

⚠️ Disclaimer. Monterro provides this guidance to support portfolio companies in their decision-making. Each portfolio company remains solely responsible for its own compliance, vendor selection, and data-protection decisions, and should consult qualified legal counsel before acting. Adequacy decisions, DPF status, and vendor certifications change over time; verify the EU adequacy list at commission.europa.eu and the DPF list at dataprivacyframework.gov/list before engaging any vendor, and re-check annually. This checklist is a supportive tool; it does not by itself confirm full legal compliance.