You can outsource the model. You cannot outsource the obligation. A structured review of every AI vendor before it touches your data.
An AI vendor risk review is the operational due-diligence a UAE company runs before adopting an AI tool — checking data residency, processor versus controller roles, sub-processors, security posture, model and data lifecycle, contract terms, and exit. The controller keeps its obligations under the PDPL and DIFC Regulation 10 even when the model is supplied by OpenAI, Anthropic, or Microsoft.
Most UAE companies do not train models. They buy them — OpenAI, Anthropic, Microsoft Copilot, a vertical SaaS tool with AI bolted on. The assumption that follows is the dangerous one: that buying from a large, well-resourced vendor moves the data-protection obligation onto the vendor. It does not.
In almost every arrangement the vendor is a processor and your company is the controller. The obligations that the PDPL and DIFC Regulation 10 place on a controller — lawful basis, data-subject rights, human oversight of significant automated decisions, an audit trail — stay with the controller. A SOC 2 report from the vendor is evidence about the vendor's security; it is not a transfer of your obligations.
A vendor risk review is the operational step that makes this concrete. It maps what data the tool sees, where that data lives, who else can touch it down the sub-processor chain, and what happens to it when the contract ends — before the tool is wired into your WhatsApp, CRM, or email workflows, not after.
Data residency and flow: where prompts, uploads, and outputs are stored and processed, whether UAE personal data leaves the country, and whether the cross-border path is documented. A tool that quietly routes customer messages through a US region is a different risk profile than one with an EU or regional option.
Roles and sub-processors: the processor-versus-controller split written into the contract, plus the sub-processor list behind the headline vendor. A single AI feature can ride on three or four other companies — the model provider, a cloud host, an analytics layer, a logging service. Each one is a place your data can sit.
Security posture and model lifecycle: real artefacts, not marketing. Encryption in transit and at rest, access controls, breach-notification commitments, and, crucially, the training-data stance — whether your inputs are used to improve the vendor's model, how long they are retained, and how a model swap or version change is communicated. Vendor terms change; a review captured in 2024 does not describe the 2026 model.
Contract terms and exit: data-processing terms, audit rights, liability, and the exit path — whether you can export your data, whether it is deleted on termination, and whether you can prove that deletion. A clean exit is a governance control, not an afterthought.
We run the review as a repeatable checklist against each AI vendor, not a one-off legal opinion. The output is a short risk record per tool: the data it touches, the residency and sub-processor map, the gaps we found, the human-approval points we recommend, and a clear adopt / adopt-with-conditions / hold call. That record feeds straight into your AI audit trails so a later supervisory review can see how the decision was made.
This is procurement work as much as governance work. Done early, it shapes the contract negotiation and the rollout design — for example, requiring a no-training-on-inputs term, a regional data option, or a documented human-approval workflow before the tool can act. Done late, it becomes a clean-up exercise after the data has already moved.
DVNC is not a law firm and does not give legal advice. We make the operational risk visible so your team, and your counsel where needed, can decide. For a full-estate view rather than a single tool, the review folds into the UAE AI Readiness Audit; for regulated fund and financial structures it pairs with DIFC / ADGM fund AI readiness.