AWS Bedrock · AWS Service Terms · View original document ↗

Customer Data Processing and Privacy Obligations

High severity Unique · 0 of 325 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for AWS Bedrock Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

If you feed personal information into Bedrock's AI models, you are legally responsible for making sure you have the right to do so under privacy law — AWS's Data Processing Addendum does not automatically cover all privacy obligations.

This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Customers processing personal data through Bedrock bear full legal responsibility for GDPR, CCPA, and other privacy law compliance — AWS's contractual protections are limited to what is specified in the Data Processing Addendum.

Recent Activity

This document changed recently

Medium May 9, 2026

This change introduces a new optional service feature rather than modifying existing consumer rights or obligations. AWS explicitly disclaims providing regulated financial services, holding custody o…

Consumer impact (what this means for users)

Businesses processing personal data — including names, emails, or other identifiable information — through Bedrock's AI models must independently establish a valid legal basis under GDPR, CCPA, and other applicable laws, and must ensure their own privacy notices accurately describe this AI processing.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Export Your Data
    Review the AWS Data Processing Addendum and privacy documentation to understand how your personal data is processed. Submit a data request through the AWS privacy portal if you need to understand or obtain records of your data processing activities.

How other platforms handle this

Duo Security Medium

To the extent that Duo processes any Personal Data (as defined in the Duo Privacy Data Sheet) on behalf of Customer in connection with Customer's use of the Services, the terms of the Duo Data Processing Agreement ('DPA'), which are hereby incorporated by reference into this Agreement, shall apply a...

Cloudflare Medium

Cloudflare's current Privacy Policy is incorporated into this Agreement by this reference and is located at https://www.cloudflare.com/privacypolicy/. In addition, by using the Services, you acknowledge and agree that internet transmissions are never completely private or secure.

Oura Medium

If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...

See all platforms with this clause type →

Monitoring

AWS Bedrock has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
If you process personal data using Amazon Bedrock, you are responsible for ensuring that you have a lawful basis for such processing and that your use of Amazon Bedrock complies with applicable privacy laws, including the AWS Data Processing Addendum where applicable.

— Excerpt from AWS Bedrock's AWS Service Terms

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 6 (lawful basis), Art. 13-14 (transparency obligations), Art. 28 (processor agreements), and Art. 35 (DPIA requirements for high-risk AI processing). CCPA §1798.100 and §1798.120 apply for California residents. Brazil's LGPD (Art. 7) and Canada's PIPEDA impose parallel obligations for customers with users in those jurisdictions. The EU AI Act (Art. 10, 26) imposes additional data governance obligations for AI systems processing personal data. Enforcement authorities include EU DPAs (lead authority determined by controller establishment), California CPPA, and FTC.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    FTC Act Section 5 applies to businesses that process personal data through AI systems without adequate privacy disclosures or legal basis.
    File a complaint →
  • State AG
    California CPPA and other state AGs enforce CCPA and state privacy law requirements applicable to businesses processing personal data through Bedrock AI systems.
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
ePrivacy Directive
European Union
FTC Act Section 5
United States Federal
GDPR
European Union

Provision details

Document information
Document
AWS Service Terms
Entity
AWS Bedrock
Document last updated
May 5, 2026
Tracking information
First tracked
May 7, 2026
Last verified
May 7, 2026
Record ID
CA-P-005323
Document ID
CA-D-00648
Evidence Provenance
Source URL
https://aws.amazon.com/service-terms/
Wayback Machine
View archived versions →
Content hash (SHA-256)
8c96717daae1f374f3c175da7b75c1eeb2b3852949018350a8af38b245c1ef17
Analysis generated
May 7, 2026 18:28 UTC
Methodology
summarize_document-v7
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: AWS Bedrock
Document: AWS Service Terms
Record ID: CA-P-005323
Captured: 2026-05-07 18:28:56 UTC
SHA-256: 8c96717daae1f374…
URL: https://conductatlas.com/platform/aws-bedrock/aws-service-terms/customer-data-processing-and-privacy-obligations/
Accessed: May 13, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories
Data usage

Other risks in this policy

Related Analysis

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does AWS Bedrock's Customer Data Processing and Privacy Obligations clause do?

Customers processing personal data through Bedrock bear full legal responsibility for GDPR, CCPA, and other privacy law compliance — AWS's contractual protections are limited to what is specified in the Data Processing Addendum.

How does this clause affect you?

Businesses processing personal data — including names, emails, or other identifiable information — through Bedrock's AI models must independently establish a valid legal basis under GDPR, CCPA, and other applicable laws, and must ensure their own privacy notices accurately describe this AI processing.

Is ConductAtlas affiliated with AWS Bedrock?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.