Artifact · LLM vendor data-boundary checklist
This is the usable version of the checklist in Inference-service data boundary: copy the template below, one per vendor, fill each cell with "answer + source of the term + version date," and review quarterly — because the terms change (see the OpenAI / Anthropic comparison in that entry).
Vendor terms are broken out by endpoint / feature / model and change frequently, and can be overridden by a legal order. Any cell without a "source + date" should be treated as unverified. File this as an audit artifact, don't ask once and discard.
How to use
- Create one checklist per LLM provider you use (including the same vendor's tiers: API / team / enterprise / consumer).
- Fill three things per cell: the answer, the source of the term (official-doc URL / contract clause), and the verification date.
- No source / contradicts the contract / past its review date → mark
unverified, fill it in before any deployment decision. - Quarterly review: re-run it, diff the changed cells.
Template (ask each item)
1. Training use
- Are API inputs / outputs used to train models? Default, or opt-out?
- Do consumer / team / enterprise / API tiers default differently?
- Does opt-out cover logs, caches, eval sets, and human-review samples at the same time?
2. Retention
- How many days by default? Are abuse-monitoring copies counted separately?
- At expiry, real deletion or just "invisible"?
- Which features / endpoints have different retention (e.g. batch, code-execution containers, Files API)?
3. Abuse review / human access
- Is retained data subject to human / automated review? Who can access it?
- Any "no privileged access"–style design commitment from the vendor?
4. Zero data retention (ZDR)
- Offered? Self-serve toggle or account-team enabled per endpoint?
- Which APIs / features it covers and doesn't (Console, consumer products, some stateful features often aren't covered)?
5. Subprocessors
- Where's the subprocessor list? Does it include cloud / monitoring / vector store / third parties?
- How are changes notified?
6. Data residency
- Can you pin a region? Which jurisdiction does it default to?
7. Legal docs
- Can you sign a DPA? A BAA for healthcare? SOC2 / ISO reports?
- Cross-border transfer mechanism (e.g. SCCs)?
8. Secondary-leak surface
- Do observability / tracing / logs secondarily retain private context?
- Are prompt caches, eval sets, and human-review samples within opt-out / ZDR coverage?
Per-vendor record (copy and fill)
| Item | Answer | Source (URL / clause) | Verified on |
|---|---|---|---|
| Training use | |||
| Retention | |||
| Abuse review / human access | |||
| ZDR (covers / doesn't) | |||
| Subprocessors | |||
| Data residency | |||
| DPA / BAA / compliance reports | |||
| Secondary-leak surface |
"They don't train on it" is often true — but that's only one cell. Filling every cell above, stamping it, and reviewing quarterly is what it takes to verify the data boundary — exactly the "one line = the whole boundary" false security that Inference-service data boundary breaks.