AI vendor due diligence, written by a CIPP/E DPO.
Before your business approves an AI tool, somebody has to read its DPA, check its subprocessors, work out its AI Act posture, and decide whether it survives a GDPR review. CompanyScope publishes that work for the AI tools UK and EU buyers actually use.
Free vendor profiles. No login. CIPP/E-reviewed. Updated when the vendor changes its terms.
Profiles in progress.
First six profiles live: OpenAI, Anthropic, Microsoft 365 Copilot, Google Gemini, Perplexity, ElevenLabs. Browse them all or read who's behind this.
What each profile covers
- What the tool does, in plain English.
- The data it processes — including special-category likelihood for typical use cases.
- DPA, subprocessor list, training-on-customer-data position. With direct links and quoted clauses.
- EU/UK transfer mechanism, data residency options, EU Data Boundary status if applicable.
- Security documentation (SOC 2, ISO 27001, ISO 42001).
- Likely AI Act role and risk tier for typical deployments.
- Specific DPIA prompts you should answer for your use case.
- Unresolved questions and red flags. The bit nobody else writes.
Cross-vendor topic guides
Reference reading for the questions that come up against every AI vendor:
- DPA for AI vendors — the eight clauses to check before signing
- EU AI Act for AI buyers — deployer-side obligations, role classification, the 2027 postponement
- HIPAA for AI tools — BAA gate, Security Rule, which vendors sign on which tier
Head-to-head comparisons
When the procurement question is "which of these two?" rather than "is this one safe?":
- OpenAI vs Anthropic DPA
- Copilot 365 vs Google Workspace AI
- OpenAI vs Copilot enterprise compliance
- Perplexity vs ChatGPT for regulated industries
- Gemini vs Vertex AI compliance
- ElevenLabs vs other voice AI vendors
Who this is for
Compliance officers, DPOs, agency principals, and IT decision-makers who have to approve AI vendors. Nothing here replaces legal advice. It compresses the research step that costs you a day per vendor into something you can read in five minutes.
When the public profile isn't enough
Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance — the procurement decisions you have to clear every quarter, not just the one in front of you today. He also writes one-off CIPP/E-reviewed Vendor Risk Notes for specific decisions (typically £149, scope-dependent).
Two routes in: read the Janus DPO-as-a-Service page for the ongoing-support route, or open any vendor profile and use the CTA at the bottom for either a retainer conversation or a single vendor note.