Who answers in case of incident?
The legal substrate changes with each option. Invisible in use, structuring in audit.
Single point of contact
Microsoft carries the relationship.
- → M365 DPA, Customer Copyright Commitment, Microsoft breach notification.
- → One vendor to audit.
Shared responsibility
Two parallel contracts.
- → New Anthropic DPA to sign, separate breach notification.
- → Different jurisdictions and retention periods.