DataGrail report finds your vendor may be sending data to AI models you never approved

May 27, 2026 | Technology

The data processing agreement (DPA) — the bedrock contract companies use to evaluate how vendors handle personal data — can no longer be trusted at face value. That is the central, and arguably most alarming, conclusion of DataGrail’s Privacy and AI Trends Report 2026, released today.

The San Francisco-based privacy platform analyzed 2,400 popular business software providers and found that 63.6% of vendors that prominently advertise AI capabilities do not disclose a third-party AI subprocessor in their legal documentation. The implication: the majority of companies purchasing AI-enabled software may be unknowingly exposing their customers’ data to AI models and pipelines they never reviewed, never approved, and may not even know exist.

“All software vendors are trying to move to become AI vendors, which makes sense, but the technologies are moving faster than AI governance can actually keep up,” DataGrail co-founder and CEO Daniel Barber told VentureBeat in an exclusive interview ahead of the report’s release. “The DPA should be the reliable document that teams use to evaluate AI risk, but based on that number, that’s not enough in 2026.”

The finding drops into an enterprise landscape where organizations with high levels of shadow AI already experience average breach costs of $4.63 million — $670,000 more than those with low or no shadow AI, according to IBM’s 2025 Cost of Data Breach Report. And it arrives in a year when U.S. states gave out $3.425 billion in privacy-related fines — more than the last five years combined — a trend Gartner expects to accelerate through 2028.

How researchers uncovered the growing gap between AI vendor contracts and reality

DataGrail’s methodology for arriving at the 63.6% figure goes well beyond reading contracts. The company’s research team cross-referenced DPA disclosures against product documentation, GitHub environments, API connections, and marketing materials for each of the 2,400 vendors in its tracking universe.

Barber walked VentureBeat through the process: “We looke …
