If you feed personal information into Bedrock's AI models, you are legally responsible for making sure you have the right to do so under privacy law — AWS's Data Processing Addendum does not automatically cover all privacy obligations.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision allocates data processing compliance responsibility to the customer rather than AWS, establishing that AWS Bedrock does not automatically create lawful processing authority and that customers must independently verify regulatory compliance before deployment.
The updated terms establish new data-sharing mechanisms for users of Anthropic models on Amazon Bedrock. Specifically, AWS now explicitly authorizes notification to Anthropic of metadata present in requests sent to certain Anthropic products (e.g., Claude Code, computer use features), enabling Anthropic to conduct product-level usage attribution. Additionally, the terms introduce AWS WAF AI traffic monetization, which permits AWS to facilitate payment transactions between content publishers and buyers by sharing pricing, payment, and configuration information with payment providers and facilitators; the updated terms clarify that AWS does not provide regulated financial services and is not a party to fund flows, and that users' interactions with payment providers are governed by separate terms between the user and those parties. Users employing these features should review what metadata may be embedded in their requests and understand their own obligations to payment providers.
View change record →The updated terms establish that customers operating Amazon RDS databases on end-of-life software versions are now required to upgrade to supported versions. The agreement authorizes AWS to scan extension code used with Trusted Language Extensions for security and performance purposes, and establishes that extension code constitutes customer content. AWS disclaims responsibility for service failures caused by extensions or end-of-life database software. If a customer does not upgrade before an engine reaches end of life, AWS may snapshot the customer's data and delete the instance or cluster running the unsupported software, after providing prior notice of the engine end-of-life date.
View change record →The updated terms establish new operational requirements for any organization using Amazon Connect Talent to make or inform employment decisions. Customers must now obtain legally adequate privacy notices and consents from job applicants before their data is processed by the service. The terms require customers to review all AI output before making hiring decisions, implement processes for applicants to request information about the AI's role in decisions, and ensure their use of the tool complies with applicable labor, anti-discrimination, disability, data privacy, AI, wiretap, recordkeeping, and biometrics laws. Customers can configure an AI services opt-out policy through AWS Organizations to prevent their data from being used to train or improve AWS AI technologies.
View change record →Businesses processing personal data — including names, emails, or other identifiable information — through Bedrock's AI models must independently establish a valid legal basis under GDPR, CCPA, and other applicable laws, and must ensure their own privacy notices accurately describe this AI processing.
How other platforms handle this
Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contac...
We collect information about you when you shop in our stores, including through store cameras, loyalty programs, payment processing systems, and other in-store technologies. This information is used to improve store operations, loss prevention, and marketing.
We target (and measure the performance of) ads to Members, Visitors and others both on and off our Services directly or through a variety of partners, using the following data, whether separately or combined: Data from advertising technologies on and off our Services, like web beacons, pixels, ad ta...
Monitoring
AWS Bedrock has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you process personal data using Amazon Bedrock, you are responsible for ensuring that you have a lawful basis for such processing and that your use of Amazon Bedrock complies with applicable privacy laws, including the AWS Data Processing Addendum where applicable.— Excerpt from AWS Bedrock's AWS Service Terms
REGULATORY FRAMEWORK: This provision directly implicates GDPR Art. 6 (lawful basis), Art. 13-14 (transparency obligations), Art. 28 (processor agreements), and Art. 35 (DPIA requirements for high-risk AI processing). CCPA §1798.100 and §1798.120 apply for California residents. Brazil's LGPD (Art. 7) and Canada's PIPEDA impose parallel obligations for customers with users in those jurisdictions. The EU AI Act (Art. 10, 26) imposes additional data governance obligations for AI systems processing personal data. Enforcement authorities include EU DPAs (lead authority determined by controller establishment), California CPPA, and FTC.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision allocates data processing compliance responsibility to the customer rather than AWS, establishing that AWS Bedrock does not automatically create lawful processing authority and that customers must independently verify regulatory compliance before deployment.
Businesses processing personal data — including names, emails, or other identifiable information — through Bedrock's AI models must independently establish a valid legal basis under GDPR, CCPA, and other applicable laws, and must ensure their own privacy notices accurately describe this AI processing.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.