SUPPLY CHAIN & INCIDENTS
List your AI sub-processors and describe how you assess them.
Current as of July 2026.
A model answer
Our AI sub-processors are [list: model providers, inference hosts, data processors], each recorded with purpose, location and the basis on which data flows to them. Each is assessed before engagement and on a recurring cadence: what data they receive, whether they train on it, their security posture, and their own governance evidence. Customers are notified before we engage a new sub-processor. The current list is maintained and published.
Evidence a buyer expects
The actual list, current, with regions and purposes — plus evidence you assess them, not merely name them. Foundation-model providers count as AI sub-processors and buyers now expect to see them.
Why weak answers fail
Omitting the model provider is the most common failure and the most quickly caught. If your product calls an API, that provider is in your supply chain and the buyer's own compliance file needs it.
What Hael produces
Hael's Vendor Due Diligence register and per-vendor Vendor Assessment Artefact (ISO/IEC 42001 Clause 8.3, EU AI Act Article 25, GDPR Article 28) — plus the sub-processor register published to your trust page.
Related questions
Current as of July 2026. General information, not legal advice.
Keep reading
More from the answer library.
DATA & MODEL PROVENANCE
Describe the provenance of your training data and the rights under which it is used.
Read answer →
SUPPLY CHAIN & INCIDENTSWhat happens when your AI system behaves incorrectly or causes harm?
Read answer →
AI INVENTORY & OWNERSHIPDescribe how AI systems are inventoried, owned and reviewed within your organisation.
Read answer →