Reference
SaaS, AI & privacy law glossary.
Plain-English definitions for the terms in-house counsel, contracts, and procurement teams encounter every week. No clause-fluffing. What it is, why it matters, and where it shows up at the table.
01 · Browse by category
Five categories. One reference.
Privacy & GDPR (7 terms)
- Article 28
- Data Processing Agreement (DPA)
- Records of Processing (Article 30)
- Schrems II
- Standard Contractual Clauses (SCCs)
- Sub-processor

Contracts & negotiation (9 terms)
- Business Associate Agreement (BAA)
- IP Indemnity Carve-out
- Limitation of Liability (LoL cap)
- Master Service Agreement (MSA)
- Mutual Indemnity
- Order Form

AI governance (6 terms)
- AI Use Policy
- ISO/IEC 42001
- NIST AI Risk Management Framework
- Output Ownership
- Prompt Confidentiality
- Training-Data Clause

Security & certifications (3 terms)
- Audit Rights
- Breach Notification
- SOC 2

Regulatory frameworks (3 terms)
- Colorado AI Act
- CPRA
- EU AI Act
02 · A to Z
Every term, alphabetized.
A
AI Use Policy (AI governance)
An organization's internal policy governing employee use of AI tools, including approved tools, restricted data, output review, and incident handling.

Article 28 (Privacy & GDPR)
The GDPR provision that sets the required terms of the contract between a controller and its processors, turning the DPA from a one-time negotiation into an ongoing program obligation.

Audit Rights (Security & certifications)
The customer's contractual right to verify that a vendor is meeting its security, privacy, and operational obligations, usually through report review or third-party audit.
B
Breach Notification (Security & certifications)
The contractual and regulatory obligation to notify affected parties when a security incident exposes personal data or breaches confidentiality.

Business Associate Agreement (BAA) (Contracts & negotiation)
The HIPAA-mandated contract between a covered entity (or another business associate) and a vendor that handles protected health information.
C
Colorado AI Act (Regulatory frameworks)
Colorado's 2024 law regulating high-risk AI systems used in consequential decisions, in effect February 1, 2026, with developer and deployer obligations around bias and transparency.

CPRA (Regulatory frameworks)
The California Privacy Rights Act, the 2020 amendment to CCPA that added a dedicated enforcement agency and tightened obligations around sensitive personal information and data sharing.
I
IP Indemnity Carve-out (Contracts & negotiation)
The set of exceptions to a vendor's IP indemnity that exclude specific claim categories from coverage, typically modifications, third-party data, and combinations.

ISO/IEC 42001 (AI governance)
The 2023 international standard for AI management systems, the first ISO certification scheme designed specifically for organizations that develop or deploy AI.
M
Master Service Agreement (MSA) (Contracts & negotiation)
The umbrella contract that sets the legal terms of the customer-vendor relationship and that every subsequent order form incorporates by reference.

Mutual Indemnity (Contracts & negotiation)
An indemnification structure in which each party agrees to defend the other against specific categories of third-party claims, rather than only the vendor indemnifying the customer.
O
Order Form (Contracts & negotiation)
The deal-specific document that names the products purchased, the price, the term, and the start date, all sitting under the MSA's legal terms.

Output Ownership (AI governance)
The contractual question of who owns the outputs an AI system generates from a user's prompts: the user, the vendor, or some shared arrangement.
S
Schrems II (Privacy & GDPR)
The 2020 EU Court of Justice decision that invalidated the EU-US Privacy Shield and requires data exporters to assess third-country surveillance law before transferring personal data.

SOC 2 (Security & certifications)
AICPA's attestation standard for service organizations, under which an independent auditor reports on controls over security, availability, processing integrity, confidentiality, and privacy.

Standard Contractual Clauses (SCCs) (Privacy & GDPR)
EU-approved contractual terms that establish a legal basis for transferring personal data out of the EEA when no adequacy decision applies.

Statement of Work (SOW) (Contracts & negotiation)
The contract addendum that defines deliverables, timeline, and price for a specific project sitting under an MSA.

Sub-processor (Privacy & GDPR)
A third-party vendor that a processor engages to handle some part of personal-data processing on the controller's behalf.

Super-cap (Contracts & negotiation)
A higher liability cap that sits above the standard limitation of liability for specific high-risk categories, usually data breach or IP indemnity.
T
Termination for Convenience (Contracts & negotiation)
A contract right for one or both parties to terminate the agreement without cause, usually with a defined notice period, regardless of the other party's performance.

Training-Data Clause (AI governance)
The contract provision that addresses whether and how a vendor can use customer data, prompts, or outputs to train, fine-tune, or improve its AI models.

Transfer Impact Assessment (TIA) (Privacy & GDPR)
The documented assessment, required after Schrems II, of whether a third country's surveillance law provides essentially equivalent protection for personal data being transferred.
Want it in your team’s playbook?
The corporate training program turns these terms into the operational discipline your in-house team negotiates with every week.