← All resources

Guide · 5 min read

GDPR, SOC 2, and confidentiality: what M&A boutiques need from AI vendors

The specific documentation, diligence questions, and contractual provisions firms should require before granting any AI vendor access to client data.

M&A advisory firms handle some of the most sensitive commercial information in the corporate world, confidential financial statements, undisclosed strategic plans, identities of buyers and sellers, and unannounced transactions that are material non-public information. Before any AI vendor is granted access to this data, the firm must conduct structured vendor diligence. This guide outlines the specific questions to ask, the regulatory frameworks to reference, and the documentation to require.

Regulatory and contractual context

Three frameworks govern most AI vendor diligence for M&A boutiques operating in the US and EU markets:

General Data Protection Regulation (GDPR). Applies to any processing of personal data of EU data subjects, regardless of where the processor is located. Articles 28 and 32 specifically govern the obligations of data processors (vendors) and the security of processing.

SOC 2 (Service Organization Control 2). Issued under the American Institute of CPAs’ Trust Services Criteria. SOC 2 Type II reports, issued after a multi-month audit, are the de facto standard for SaaS vendor security in North America.

ISO/IEC 27001:2022. International standard for information security management systems. Increasingly required by European clients and asset management firms.

In addition, M&A advisory firms typically operate under specific contractual confidentiality obligations with their clients. These obligations must be passed through to any vendor that handles deal data.

Required documentation

Before any AI vendor is given access to client data, request the following documentation:

  1. Current SOC 2 Type II report (preferred over Type I; Type I is a point-in-time review and is insufficient for production use).
  2. ISO 27001 certification, if available.
  3. Data Processing Agreement (DPA) that meets GDPR Article 28 requirements.
  4. Information Security Policy.
  5. Incident Response Plan, including breach notification timelines.
  6. Sub-processor list with locations.
  7. Penetration testing summary from the most recent annual test.

Vendors that cannot produce a current SOC 2 Type II report should not be used for production deal work. SOC 2 Type II is a baseline requirement, not a competitive differentiator.

Specific diligence questions

Data residency

  • In which geographic regions is customer data stored?
  • Can the vendor commit to a specific region (e.g., EU-only) in the contract?
  • Where are backups stored, and how is cross-region replication handled?
  • For EU-based clients, the data should be stored within the EU. Storage in the US triggers additional GDPR compliance requirements including Standard Contractual Clauses or adequacy decisions.

Model training and data use

  • Is customer data used to train the vendor’s models?
  • Is customer data used to train any underlying foundation model provider (e.g., OpenAI, Anthropic, Google) that the vendor relies on?
  • Can the vendor commit contractually that customer data will not be used for training purposes?
  • For most M&A use cases, the answer must be that customer data is not used for training. Some foundation model providers have specific enterprise tiers that guarantee this; the vendor should be able to specify which tier they use.

Encryption

  • Is data encrypted at rest? Specify algorithm and key management approach.
  • Is data encrypted in transit? Specify protocol version.
  • Industry standard for 2026: AES-256 at rest, TLS 1.3 in transit.
  • Are encryption keys managed by the vendor, the customer, or a third-party key management service? Customer-managed keys are preferred for the most sensitive data.

Access controls

  • What authentication mechanisms are available? Single sign-on (SSO) with the firm’s identity provider should be standard.
  • How is role-based access control (RBAC) implemented?
  • Is multi-factor authentication (MFA) required or optional?
  • Are administrative actions logged and reviewable by the customer?

Audit logging

  • What user actions are logged?
  • For how long are logs retained?
  • Can the customer access logs in real time?
  • Are logs themselves protected against tampering?

For M&A deal work, audit logs are not optional. The firm must be able to reconstruct, for any given deal, exactly which documents were accessed, by whom, and when.

Breach disclosure

  • What is the vendor’s commitment on breach notification timing?
  • GDPR Article 33 requires data controllers to notify supervisory authorities within 72 hours of becoming aware of a breach. The vendor must notify the customer in time to meet this obligation.
  • What is the vendor’s incident response process? Request the high-level Incident Response Plan.

Sub-processor management

  • What sub-processors does the vendor use? (Foundation model providers, cloud infrastructure providers, support tools, monitoring tools.)
  • Where are sub-processors located?
  • What is the process for notifying customers of new sub-processors?
  • GDPR Article 28(2) requires explicit customer consent for the addition of new sub-processors. The contract should include a notification mechanism with the right to object.

Data retention and deletion

  • How long is customer data retained by default?
  • What is the process for permanent deletion at contract end?
  • Can the customer request deletion of specific datasets mid-contract?
  • Is deletion certified, or is the customer relying on the vendor’s representation?

Foundation model dependencies

  • Which foundation models does the vendor use?
  • Are model invocations made through the foundation model provider’s API directly, or through an intermediary?
  • What is the data handling commitment of each foundation model provider in use?
  • This question is often missed in vendor diligence. A vendor’s own security posture is only as strong as the weakest sub-processor in its stack. If the vendor sends customer data to a foundation model API that retains the data or uses it for training, the customer’s data has effectively been shared with the foundation model provider.

Standard contractual provisions

The Data Processing Agreement with the vendor should include, at minimum:

  1. Specific identification of the data being processed.
  2. Confidentiality obligations on the vendor and its personnel.
  3. Security measures, referencing specific standards (AES-256, TLS 1.3, SOC 2, ISO 27001).
  4. Sub-processor approval process.
  5. Audit rights for the customer.
  6. Breach notification timelines aligned with the customer’s regulatory obligations.
  7. Data return or deletion obligations at contract end.
  8. Liability provisions in case of breach.
  9. Choice of law and jurisdiction.

For EU work, the contract should include Standard Contractual Clauses if data flows to non-adequate jurisdictions.

Common red flags

The following indicate that a vendor is not ready for production M&A use:

  • No current SOC 2 Type II report (or only Type I)
  • Inability to commit to data residency in a specific region
  • Unclear answers about foundation model data handling
  • No published sub-processor list
  • No defined breach notification process
  • Inability to provide audit logs in real time
  • No customer-side data export or deletion mechanism

Further reading

  • GDPR full text, particularly Articles 28, 32, 33, 34 (eur-lex.europa.eu)
  • AICPA SOC 2 Trust Services Criteria
  • ISO/IEC 27001:2022 standard
  • European Data Protection Board guidance on data processing agreements
  • NIST Cybersecurity Framework for benchmark security practices

Ready to evaluate NaS_OS on your own data room? Explore the product or browse the blog.

Apply for Access