AWS places the responsibility for following laws, including AI regulations and data protection rules, on you as the customer rather than on AWS itself.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision places the full burden of regulatory compliance for AI-generated content, data protection, and sector-specific rules on the customer, meaning organizations deploying Bedrock in regulated industries must independently ensure compliance rather than relying on AWS's own compliance certifications.
The updated terms establish new data-sharing mechanisms for users of Anthropic models on Amazon Bedrock. Specifically, AWS now explicitly authorizes notification to Anthropic of metadata present in requests sent to certain Anthropic products (e.g., Claude Code, computer use features), enabling Anthropic to conduct product-level usage attribution. Additionally, the terms introduce AWS WAF AI traffic monetization, which permits AWS to facilitate payment transactions between content publishers and buyers by sharing pricing, payment, and configuration information with payment providers and facilitators; the updated terms clarify that AWS does not provide regulated financial services and is not a party to fund flows, and that users' interactions with payment providers are governed by separate terms between the user and those parties. Users employing these features should review what metadata may be embedded in their requests and understand their own obligations to payment providers.
View change record →The updated terms establish that customers operating Amazon RDS databases on end-of-life software versions are now required to upgrade to supported versions. The agreement authorizes AWS to scan extension code used with Trusted Language Extensions for security and performance purposes, and establishes that extension code constitutes customer content. AWS disclaims responsibility for service failures caused by extensions or end-of-life database software. If a customer does not upgrade before an engine reaches end of life, AWS may snapshot the customer's data and delete the instance or cluster running the unsupported software, after providing prior notice of the engine end-of-life date.
View change record →The updated terms establish new operational requirements for any organization using Amazon Connect Talent to make or inform employment decisions. Customers must now obtain legally adequate privacy notices and consents from job applicants before their data is processed by the service. The terms require customers to review all AI output before making hiring decisions, implement processes for applicants to request information about the AI's role in decisions, and ensure their use of the tool complies with applicable labor, anti-discrimination, disability, data privacy, AI, wiretap, recordkeeping, and biometrics laws. Customers can configure an AI services opt-out policy through AWS Organizations to prevent their data from being used to train or improve AWS AI technologies.
View change record →Businesses using Bedrock to serve their own customers bear legal responsibility for ensuring that AI-generated content and data handling comply with applicable laws, including GDPR, CCPA, and sector-specific frameworks like HIPAA, independent of AWS's own compliance posture.
How other platforms handle this
This policy applies to you and anyone using the Services on your behalf, including your end users. You are responsible for ensuring that your use of the Services, and the use of the Services by others on your behalf, complies with this Policy.
You are solely responsible for ensuring the accuracy and completeness of all information you provide to Gusto in connection with the Services, including employee information, compensation data, and any other data necessary for Gusto to perform payroll processing and tax filing services on your behal...
You are solely responsible for your use of the Service and for all Inputs you make available to Pika, whether by uploading them through the Service or otherwise making them accessible to others. You are also solely responsible for any Outputs generated via the Service. You assume all risk associated...
Monitoring
AWS Bedrock has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You are responsible for compliance with all applicable laws, regulations, and third-party rights in connection with your use of the Services, including laws and regulations applicable to AI-generated content and your end users.— Excerpt from AWS Bedrock's AWS Service Terms
(1) REGULATORY LANDSCAPE: This provision engages GDPR, CCPA, HIPAA, the EU AI Act, and applicable sector regulations depending on the customer's industry and geography. The FTC's enforcement authority over AI-related unfair or deceptive practices also applies to customer-facing AI deployments built on Bedrock, and the terms confirm this responsibility rests with the customer. (2) GOVERNANCE EXPOSURE: High. For organizations in healthcare, financial services, or the EU, this clause means that AWS's infrastructure-level compliance certifications do not automatically satisfy the customer's own regulatory obligations, requiring independent compliance programs for each deployment context. (3) JURISDICTION FLAGS: EU customers face heightened exposure under the EU AI Act, which imposes specific transparency, human oversight, and documentation requirements on deployers of AI systems, all of which fall on the customer under this clause. California customers have CCPA obligations regarding AI-processed personal data. Healthcare customers must separately execute and maintain Business Associate Agreements with AWS if Bedrock is used with protected health information. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise contracts should include representations from the customer organization's legal team confirming that a jurisdiction-specific compliance review has been conducted for each Bedrock use case prior to production deployment. This clause effectively shifts compliance risk from AWS to the customer and should be flagged in vendor risk assessments. (5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams should conduct a use-case-by-use-case regulatory mapping for each Bedrock deployment, identifying applicable laws, required disclosures to end users about AI-generated content, and any consent or opt-out mechanisms required by applicable law. EU deployments should assess EU AI Act risk classification for each application built on Bedrock.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision places the full burden of regulatory compliance for AI-generated content, data protection, and sector-specific rules on the customer, meaning organizations deploying Bedrock in regulated industries must independently ensure compliance rather than relying on AWS's own compliance certifications.
Businesses using Bedrock to serve their own customers bear legal responsibility for ensuring that AI-generated content and data handling comply with applicable laws, including GDPR, CCPA, and sector-specific frameworks like HIPAA, independent of AWS's own compliance posture.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.