MICKAI
Article · 29 June 2026

Why Enterprise DPAs Are a False Security Blanket

A signed contract is a promise about liability, not a wall around your data. For the regulated buyer, the difference is everything.

Why Enterprise DPAs Are a False Security Blanket
Author
Micky Irons
Published
29 June 2026
Follow Micky Irons
LinkedInX
data processing agreementcloud AI riskdata sovereigntyzero data egressCompute-to-Data

A Data Processing Agreement is a promise about who is liable when your data is exposed. It is not a mechanism that prevents the exposure. When a board signs an enterprise DPA with a cloud AI vendor and treats it as the control that makes the deployment safe, it has confused a legal instrument with an engineering one. The contract allocates blame after the fact. It does nothing to keep the data inside the building in the first place.

Cinematic Greek pantheon scene, Themis the goddess of justice holding a scale where one pan holds a marble scroll and the other is empty, void-black background with satin-gold marble, dramatic chiaros
Cinematic Greek pantheon scene, Themis the goddess of justice holding a scale where one pan holds a marble scroll and the other is

That distinction is the whole argument. For most businesses it does not matter much, because the consequence of a breach is recoverable. For the regulated institution holding privileged, fiduciary or special-category data, the consequence is not recoverable, and a paragraph in a contract is cold comfort when the client wealth file, the un-redacted patient record, or the pre-patent formula has already moved to a server the firm does not own.

What a DPA actually does, and what it cannot

A DPA is a contractual layer. It records that the processor will only handle data on documented instructions, will apply appropriate security measures, will assist with breach notification, and will accept defined liability. Every word of that is about governance and recourse. None of it is a physical or network control.

When your data is sent to a cloud AI model, three things happen that no clause can undo. The data leaves your perimeter and travels across networks you do not control. It is processed by a third party on shared, multi-tenant infrastructure. And it sits, even transiently, in a location whose legal regime may differ from your own. A DPA describes how the vendor will behave around those facts. It does not change the facts.

A Data Processing Agreement does not stop an infrastructure hack, a vendor outage, or transit interception. The data still leaves the building. What you have bought is a clearer view of who to sue, not a guarantee that you will never need to.

The honest framing matters here, because the cloud vendors are not lying. An enterprise tier that promises not to train on your data is a real, enforceable commitment. The point is narrower and harder: the commitment governs intended use, and the risks that wreck a regulated firm are almost always unintended.

A void-black marble vault door standing open on a dark threshold, a thin river of liquid gold flowing out through the gap, cinematic Greek architecture, satin-gold veining, ominous chiaroscuro, framel
A void-black marble vault door standing open on a dark threshold, a thin river of liquid gold flowing out through the gap, cinemat

The three failures a contract cannot reach

Consider the specific events a DPA is powerless to prevent.

  • **The infrastructure hack.** A vendor compromise, a misconfigured tenant boundary, a supply-chain intrusion in a dependency: your data was at rest on someone else's hardware when it happened, and a contract did not stand between an attacker and the bytes. The exfiltration vulnerability vector is the route into that hardware, and the DPA is not on that route.
  • **The vendor outage.** When the provider goes dark, your intelligence capability goes dark with it. A clause may entitle you to service credits. It does not keep the firm running. A system you rent fails when the landlord's building loses power.
  • **Transit interception and residency drift.** Data in motion is data exposed, and a model endpoint in another jurisdiction is a cross-border transfer the moment the request leaves your network. Third-party interception liability is a function of the data travelling at all. Remove the journey and you remove the class of risk; keep the journey and a contract simply tells you whose fault the interception was.

None of these are exotic. They are the ordinary failure modes of any shared service. The regulated buyer's problem is that ordinary failure modes produce extraordinary consequences when the payload is a privileged matter or a special-category record.

Hermes the messenger god mid-stride carrying a sealed golden tablet across a dark chasm, broken golden bridge fragments suspended in void-black space, cinematic, satin-gold and obsidian, frameless, no
Hermes the messenger god mid-stride carrying a sealed golden tablet across a dark chasm, broken golden bridge fragments suspended

Why this lands hardest on the regulated firm

In private banking, financial secrecy is not a preference, it is the product. In a Magic Circle firm, attorney-client privilege is a duty that survives the convenience of any tool. In a hospital trust, special-category patient data sits under explicit statutory protection. In defence and aerospace, the perimeter is a matter of national security, not procurement.

For these institutions the regulator does not accept a DPA as evidence that the data was protected. The regulator asks where the data went. If the truthful answer is that privileged or special-category information travelled to a third party's shared infrastructure, the existence of a contract around that transfer is a mitigation of liability, not an answer to the question. This is the structural reason the highest-value-data sectors were effectively frozen out of cloud AI: the one control that genuinely satisfies the obligation, keeping the data in place, is the one control a cloud architecture cannot offer.

A shattered golden contract scroll dissolving into dark mist above a black marble plinth, cinematic Greek pantheon aesthetic, void-black and satin-gold, dramatic single light source, frameless, no tex
A shattered golden contract scroll dissolving into dark mist above a black marble plinth, cinematic Greek pantheon aesthetic, void

The Mickai answer: remove the transfer, do not insure it

Mickai, the Sovereign Intelligence Operating System (SIOS), takes the opposite path to the cloud. Rather than protecting a pipeline to a third-party server, it removes the pipeline. The architecture is Compute-to-Data: bring the artificial intelligence to where the data already lives, on hardware the institution owns, inside its own server room.

In this model, inference, chunking, embedding, vector storage and retrieval all run inside the customer firewall. Data never leaves the building. There is no cross-border transfer to govern, because there is no transfer. There is no third-party processor to contract with, because the only processor is the institution itself, on its own silicon. The five buyer hooks fall out of one architectural decision:

  • **Zero-trust data privacy:** what happens in the server room stays in the server room.
  • **Independence from vendor lock-in and outages:** the system runs independent of cloud outages because you own the compute.
  • **Data residency:** processing never leaves your geography, so data residency holds by location, not by promise.
  • **Fine-tune on proprietary alpha:** the deepest archives can be indexed locally without surrendering them to anyone.
  • **Predictable CapEx:** a depreciable asset you own, not a volatile per-token bill you rent.

The honest boundary stays in place throughout. Removing the transit does not magically discharge the firm's own duties: insider access and physical security remain the customer's responsibility, and the institution keeps its own obligations and internal controls. What changes is that the single largest, least controllable exposure, the journey of the data to someone else's machine, is removed rather than insured.

Argus the hundred-eyed giant rendered as a dark bronze and gold statue standing guard before a sealed obsidian chamber, void-black background, satin-gold highlights, cinematic chiaroscuro, frameless,
Argus the hundred-eyed giant rendered as a dark bronze and gold statue standing guard before a sealed obsidian chamber, void-black

What makes this defensible, not just appealing

A promise to keep data on-premise is only worth as much as the evidence behind it. Mickai answers that with engineering rather than assurance. Every action the system takes can be written to the Open Audit Record, a signed, inspectable account of what the model did and on what data, reproducible locally for a regulator or an internal auditor. Identity is hardware-bound, tying the deployment to the institution's own machines. And the architecture is protected by 104 filed UK patent applications, a defensible moat around the Compute-to-Data approach rather than a feature set a larger vendor can copy next quarter. It is built and owned, not rented: the institution holds the model snapshot, the weights and the audit trail, immune to a vendor changing its terms of service under them.

Micky Irons, founder, chief executive and named inventor, built the system around a single conviction: governance should be an engineering property, not a paragraph you sign and hope holds. A DPA asks you to trust the processor. Compute-to-Data removes the need for the trust by removing the processor.

A fortified Greek temple sealed within its own walls, golden light contained entirely inside the columns and not escaping, void-black night sky, satin-gold marble, cinematic wide shot, frameless, no t
A fortified Greek temple sealed within its own walls, golden light contained entirely inside the columns and not escaping, void-bl

The question for the board

The useful test is simple. Ask not what your DPA promises, but what physically happens to the data when the model runs. If the truthful answer is that it travels to infrastructure you do not own, then your security blanket is a contract, and a contract has never stopped a hack, survived an outage, or recalled a packet in transit.

If your firm holds data whose exposure is not recoverable, a private demonstration is the fastest way to see the difference between insuring a risk and removing it. We invite the COO, CIO, CISO, CFO and General Counsel to request a private demonstration, on a sandboxed deployment using dummy data, and watch the intelligence run with the building's connection to the outside world switched off.

ShareLinkedInXHacker NewsRedditMastodonBlueskyEmail
Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/why-enterprise-dpas-are-a-false-security-blanket. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
23 Jun 2026
Hold Your Own Keys
When you and your competitors all run your crown jewels through the same frontier model, the only thing standing between your secrets and theirs is a boundary you do not control. The frontier providers are excellent and their security is real. The exposure is structural, not an accusation. The answer is custody: hold your own keys.
23 Jun 2026
The Third Answer to the AI Water Crisis
A viral argument has split the internet into two camps: switch the AI data centres off to save the water, or starve the taps to feed a coming superintelligence. Both are wrong, because both assume intelligence has to live inside one giant water-cooled megacentre. It does not. The third answer is sovereign, distributed intelligence on hardware you own, sited where it is used. You keep the water and the intelligence.
22 Jun 2026
Keep the Logs. Now Prove They Were Not Edited.
Everyone keeps the logs. Almost no one can prove the logs were never edited. That gap is the quiet weakness at the centre of the artificial intelligence boom, and it is about to become the whole conversation. Mickai's answer is three layers of verifiable proof: seal a signed record, anchor its hash to Bitcoin, run it on sovereign hardware, so an auditor can check what a system actually did without ever being let inside.
22 Jun 2026
Your AI Decision Is Discoverable. Can You Prove What It Did?
Every automated decision is now discoverable, by a regulator, a court, or the person it harmed. Explainability cannot answer for it, because a model narrating its own reasoning is still just a story. Mickai builds the alternative: a signed Open Audit Record, a hash anchored to Bitcoin through Pantheon, all on sovereign hardware, so anyone can verify what an AI did without trusting the operator.
See all articles →