When you use an AI model from a company other than Amazon through Bedrock, your data may be sent to that company and governed by their separate rules, not just AWS's rules.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision creates a meaningful data governance gap: customers who believe they are operating entirely within the AWS compliance framework may unknowingly subject their data to third-party providers with different, potentially less protective terms.
This change introduces a new optional service feature rather than modifying existing consumer rights or obligations. AWS explicitly disclaims providing regulated financial services, holding custody o…
Using third-party foundation models through Bedrock means your prompts, documents, and outputs may leave AWS's direct control and become subject to terms you have not directly negotiated, which could affect your data protection, confidentiality, and compliance posture.
How other platforms handle this
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
We process personal data you provide to Oura to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third-party services like Google Health Connect and Apple HealthKit, or those of our partners. Oura takes measures to...
We may share your personal data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We may also share your personal data with advertising partners to display relevant advertising to y...
Monitoring
AWS Bedrock has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you use a third-party model, your inputs and outputs may be processed by the third-party model provider, and such processing will be subject to that provider's terms and conditions.— Excerpt from AWS Bedrock's AWS Service Terms
REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28 on sub-processor relationships and the obligation for data controllers to ensure sub-processors provide sufficient guarantees. It also implicates CCPA requirements for businesses relying on service provider exemptions, as onward data flows to third-party model providers may require additional contractual and disclosure steps. EU AI Act obligations for deployers of high-risk AI systems may also be triggered depending on the model and use case. GOVERNANCE EXPOSURE: High. The provision creates a layered data processing chain where the primary customer agreement with AWS does not fully govern the end-to-end data flow. Customers must independently assess each third-party model provider's terms, and the absence of a consolidated compliance framework covering all available models represents a significant due diligence burden for enterprise customers. JURISDICTION FLAGS: EU/EEA customers face the highest exposure, as GDPR requires documented sub-processor agreements and may require updated Records of Processing Activities (RoPA) for each third-party model provider used. California businesses should assess whether these onward transfers satisfy CCPA service provider chain requirements. Healthcare customers handling PHI should confirm whether third-party model providers have executed BAAs and whether Bedrock's BAA coverage extends to these providers. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should maintain an up-to-date inventory of third-party model providers available through Bedrock and the applicable terms for each. Enterprise contracts with AWS should address whether AWS provides contractual flow-down protections to third-party model providers or whether customers must contract directly. Standard B2B agreements built on the assumption of AWS-only data processing will need review if third-party models are in use. COMPLIANCE CONSIDERATIONS: Data mapping exercises should capture third-party model provider data flows as distinct processing activities. Consent mechanisms and privacy notices may need updating to disclose these onward transfers. Vendor risk assessments should be conducted for each third-party model provider in the customer's Bedrock deployment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision creates a meaningful data governance gap: customers who believe they are operating entirely within the AWS compliance framework may unknowingly subject their data to third-party providers with different, potentially less protective terms.
Using third-party foundation models through Bedrock means your prompts, documents, and outputs may leave AWS's direct control and become subject to terms you have not directly negotiated, which could affect your data protection, confidentiality, and compliance posture.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.