You are building an application for EU users. You are not sure what you need to check. You want to ship, not spend three weeks in legal review.
This checklist covers the practical questions. It is not legal advice — it is the starting point for a conversation with your legal team.
Does your application process personal data?
Personal data is any information that identifies or could identify an EU resident. Names, email addresses, user IDs, IP addresses, conversation content — all qualify. If your application sends any of this to an AI API, GDPR applies.
Where is the data processed?
GDPR restricts where personal data about EU residents can be processed. Processing in the EU is generally compliant. Processing in the US requires additional legal mechanisms.
Check your API provider’s documentation for EU data residency options. On sourc.dev, EU data residency availability is tracked per model.
Does the provider offer a Data Processing Agreement?
A DPA is the contractual mechanism that governs how a processor handles personal data on your behalf. If you are sending personal data to an API provider, you need a signed DPA.
Does the provider train on your data?
Some providers use API data to train future models. GDPR requires explicit consent for this. Most providers offer an opt-out — verify it is enabled.
Practical steps before go-live
- Confirm your API provider offers a DPA — sign it
- Enable EU data residency if available
- Confirm training data opt-out is enabled
- Document your data flows
- Add AI processing to your privacy policy
Start here: Check whether your API provider has a signed DPA available. If they do not offer one, that is a significant compliance risk.