Businesses that use AI21's API have a separate contract (a data processing agreement) that governs how their data is handled, and that agreement may provide different protections than what is described in this general privacy policy.
This analysis describes what AI21 Labs's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Enterprise API customers operate under different data terms than regular users, which means the data protections available to a business and its users depend on the specific contractual terms negotiated, not solely on this public privacy policy.
Interpretive note: The specific terms of AI21's enterprise data processing agreement are not publicly disclosed, making it impossible to assess the actual protections provided to enterprise API customers from the privacy policy alone.
If your organization uses AI21's API to build products or services, the data handling terms that apply are those in a separate agreement, not this public privacy policy. End users of applications built on the AI21 API should be aware that their data protections depend on both AI21's API terms and their direct service provider's privacy practices.
How other platforms handle this
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
We process many types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal, and other significant business events, and third-party risks. Some of the data we process is considered personal data. Some of the ...
Monitoring
AI21 Labs has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are an enterprise customer using our API, your data is handled pursuant to the applicable data processing agreement between AI21 and your organization. The terms of that agreement govern the collection, use, and retention of data processed through the API, and may differ from the terms applicable to consumer product users described in this Privacy Policy.— Excerpt from AI21 Labs's AI21 Labs Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 28, which requires that data processors act only on documented instructions from the data controller and that a written data processing agreement be in place. CCPA and CPRA impose analogous requirements for service provider agreements. The existence of a separate DPA is standard industry practice for API-based AI services and aligns with regulatory expectations, though the terms of AI21's DPA are not disclosed publicly. GOVERNANCE EXPOSURE: Medium. The policy's reference to a separate DPA without disclosing its terms creates an information gap for enterprise procurement teams and end users of API-based applications. The key compliance risk is whether the DPA's terms are sufficiently protective to satisfy the data controller's obligations under GDPR, CCPA, and other applicable frameworks, and whether sub-processor disclosures and audit rights are adequate. JURISDICTION FLAGS: EU and EEA enterprise customers must ensure that the DPA includes all GDPR Article 28 mandatory provisions. UK enterprise customers should confirm compliance with UK GDPR. California enterprise customers should confirm that the DPA qualifies AI21 as a 'service provider' under CCPA and CPRA, which limits AI21's use of data for its own purposes. Regulated sector enterprise customers (healthcare, financial services, legal) face heightened exposure if the DPA does not specifically address sector-specific data handling requirements. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should obtain and review the current version of AI21's DPA before or at the time of contracting. Key review areas include: permitted processing purposes, restrictions on model training use of customer data, sub-processor lists and notification procedures, audit rights, data deletion timelines upon contract termination, and breach notification obligations. The DPA should be assessed against organizational vendor management standards and sector-specific regulatory requirements. COMPLIANCE CONSIDERATIONS: Legal teams should ensure that the DPA is executed prior to any personal data being processed through the API. If AI21 is used to process data of EU or UK individuals, the DPA must incorporate SCCs or equivalent transfer mechanisms. Organizations should request AI21's sub-processor list and monitor for changes that may trigger re-assessment. A vendor risk assessment should be completed that references the DPA terms rather than the public privacy policy alone.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Enterprise API customers operate under different data terms than regular users, which means the data protections available to a business and its users depend on the specific contractual terms negotiated, not solely on this public privacy policy.
If your organization uses AI21's API to build products or services, the data handling terms that apply are those in a separate agreement, not this public privacy policy. End users of applications built on the AI21 API should be aware that their data protections depend on both AI21's API terms and their direct service provider's privacy practices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AI21 Labs.