E011—Record processing locations
>Control Description
Document AI data processing locations
Application
Mandatory
Frequency
Every 12 monthsCapabilities
Universal
>Controls & Evidence (2)
Operational Practices
E011.1
Documentation: AI processing locationsCore - This should include:
- Maintaining AI infrastructure location documentation. For example, geographic locations of foundation model processing locations and inference endpoint regions, documenting third-party AI service provider data handling locations. - Reviewing and updating documentation regularly.
Typical evidence: Subprocessor list showing third-party AI provider locations, infrastructure documentation listing cloud regions and inference endpoints, or data flow diagram with geographic processing locations and version history or review dates.
Location: Trust Center
Legal Policies
E011.2
Documentation: Data transfer complianceSupplemental - This may include:
- Implementing transfer compliance procedures. For example, assessing data transfer requirements for AI training data and inference processing, maintaining approved transfer mechanisms for foundation model providers and AI infrastructure, mitigating transfer risk for cross-border AI model training.
Typical evidence: Demonstrated by DPA, data transfer impact assessments, approved transfer mechanism documentation (Standard Contractual Clauses, adequacy decisions), cross-border data flow approvals for AI training/inference, or risk assessments for international AI processing.
Location: Internal policies, Data Processing Agreement
>Cross-Framework Mappings
NIST AI RMF
Ask AI
Configure your API key to use AI features.