If you are in the EU, UK, or anywhere outside Israel or the US, your data will be transferred to and stored in Israel and the United States. AI21 says it uses Standard Contractual Clauses as the legal mechanism to protect EU user data during this transfer.
This analysis describes what AI21 Labs's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Data transferred outside the EU or UK may be subject to different legal protections, and the adequacy of Standard Contractual Clauses as a transfer mechanism depends on whether supplementary measures are in place given the privacy laws of the recipient country.
Interpretive note: The adequacy of supplementary measures accompanying SCCs for US transfers cannot be assessed from the policy text alone, and the current status of any transfer impact assessment is not disclosed.
EU, UK, and non-US users' personal data is routinely transferred to Israel and the United States, with Standard Contractual Clauses cited as the legal safeguard for EU and UK users. Israel has been recognized by the EU as providing adequate data protection under GDPR, though this adequacy status should be monitored as regulatory reviews continue.
How other platforms handle this
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Monitoring
AI21 Labs has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"AI21 is headquartered in Israel and operates servers and infrastructure in the United States and other jurisdictions. If you are located outside of Israel or the United States, your personal data may be transferred to and processed in those countries. For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.— Excerpt from AI21 Labs's AI21 Labs Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V, which governs transfers of personal data to third countries. Standard Contractual Clauses (SCCs) are a recognized transfer mechanism under GDPR Article 46. Israel has been granted EU adequacy status under GDPR, though this status is subject to periodic review. Transfers to the United States rely on SCCs and, depending on the data exporter, may also engage the EU-US Data Privacy Framework where applicable. UK GDPR imposes equivalent requirements for UK data exports, with the UK using its own international data transfer agreements (IDTAs). GOVERNANCE EXPOSURE: Medium. The reliance on SCCs for US transfers is standard practice but requires that a transfer impact assessment (TIA) be conducted to assess whether supplementary measures are needed given US surveillance law (particularly for data subject to FISA Section 702). The adequacy of AI21's TIA documentation is not disclosed in the policy. Israel's adequacy status reduces risk for Israel-bound transfers but should be monitored given the ongoing EU adequacy review cycle. JURISDICTION FLAGS: EU and EEA organizations using AI21 services should confirm that SCCs are executed and that TIAs have been completed. UK organizations should confirm that UK IDTAs or equivalent mechanisms are in place rather than EU SCCs, as the UK operates a separate transfer regime post-Brexit. Swiss organizations should note that Switzerland's Federal Act on Data Protection (nFADP) governs transfers, and AI21's reference to Switzerland alongside EU and UK suggests awareness of this requirement. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should request copies of AI21's executed SCCs and any available TIA documentation before onboarding AI21 as a data processor. Vendor assessments should confirm which specific legal entities are acting as data importers under the SCCs and whether sub-processors are covered. B2B contracts should specify the transfer mechanism applicable to the engagement. COMPLIANCE CONSIDERATIONS: Legal teams should update data transfer mapping to reflect AI21 as a recipient of EU and UK personal data transferred under SCCs. If AI21 is classified as a data processor for enterprise customers, the data processing agreement should incorporate the relevant transfer mechanism. Organizations should monitor EU Commission adequacy decisions affecting Israel and the US, as changes to adequacy status could require alternative transfer mechanisms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Data transferred outside the EU or UK may be subject to different legal protections, and the adequacy of Standard Contractual Clauses as a transfer mechanism depends on whether supplementary measures are in place given the privacy laws of the recipient country.
EU, UK, and non-US users' personal data is routinely transferred to Israel and the United States, with Standard Contractual Clauses cited as the legal safeguard for EU and UK users. Israel has been recognized by the EU as providing adequate data protection under GDPR, though this adequacy status should be monitored as regulatory reviews continue.
ConductAtlas has identified this type of provision across 48 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AI21 Labs.