When you use AI models from companies other than Amazon in Bedrock, you are also agreeing to that external company's own terms of service, not just AWS's terms.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Customers using third-party foundation models through Bedrock are bound by an additional, separate layer of terms from the model provider, which may impose different restrictions on output use, data handling, or permitted applications that are not visible within the primary AWS Service Terms.
The updated terms establish new data-sharing mechanisms for users of Anthropic models on Amazon Bedrock. Specifically, AWS now explicitly authorizes notification to Anthropic of metadata present in requests sent to certain Anthropic products (e.g., Claude Code, computer use features), enabling Anthropic to conduct product-level usage attribution. Additionally, the terms introduce AWS WAF AI traffic monetization, which permits AWS to facilitate payment transactions between content publishers and buyers by sharing pricing, payment, and configuration information with payment providers and facilitators; the updated terms clarify that AWS does not provide regulated financial services and is not a party to fund flows, and that users' interactions with payment providers are governed by separate terms between the user and those parties. Users employing these features should review what metadata may be embedded in their requests and understand their own obligations to payment providers.
View change record →The updated terms establish that customers operating Amazon RDS databases on end-of-life software versions are now required to upgrade to supported versions. The agreement authorizes AWS to scan extension code used with Trusted Language Extensions for security and performance purposes, and establishes that extension code constitutes customer content. AWS disclaims responsibility for service failures caused by extensions or end-of-life database software. If a customer does not upgrade before an engine reaches end of life, AWS may snapshot the customer's data and delete the instance or cluster running the unsupported software, after providing prior notice of the engine end-of-life date.
View change record →The updated terms establish new operational requirements for any organization using Amazon Connect Talent to make or inform employment decisions. Customers must now obtain legally adequate privacy notices and consents from job applicants before their data is processed by the service. The terms require customers to review all AI output before making hiring decisions, implement processes for applicants to request information about the AI's role in decisions, and ensure their use of the tool complies with applicable labor, anti-discrimination, disability, data privacy, AI, wiretap, recordkeeping, and biometrics laws. Customers can configure an AI services opt-out policy through AWS Organizations to prevent their data from being used to train or improve AWS AI technologies.
View change record →This standalone provision was replaced with the more comprehensive 'Layered Model Provider Acceptable Use Policy' that incorporates terms by reference rather than merely requiring agreement.
View full change record →Accessing third-party models such as Anthropic Claude, Meta Llama, or Cohere models through Bedrock automatically binds the customer to that model provider's terms, which may include restrictions on use cases, output sharing, or data submission that differ from AWS's own terms.
How other platforms handle this
Target reserves the right to change these Terms at any time. We will post notification of changes to these Terms on this page. Your continued use of the Target Services after any changes to these Terms constitutes your acceptance of the new Terms.
We reserve the right, at our sole discretion, to amend these Terms of Service at any time and will update these Terms of Service in the event of any such amendments. We will notify our Users of material changes to this Agreement, such as price changes, at least 30 days prior to the change taking eff...
We may modify the Terms from time to time. The most current version of the Terms will be located here. You understand and agree that your access to or use of the Service is governed by the Terms effective at the time of your access to or use of the Service. If we make material changes to these Terms...
Monitoring
AWS Bedrock has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Third-party models available through Amazon Bedrock are provided pursuant to the relevant third-party model provider's terms. By using those models, you agree to the applicable model provider terms.— Excerpt from AWS Bedrock's AWS Service Terms
(1) REGULATORY LANDSCAPE: The incorporation by reference of third-party model provider terms creates a layered contractual structure that compliance teams must track separately for each model provider used. Where third-party model providers process customer data as part of inference, GDPR data processing chain obligations may require that sub-processor agreements exist between AWS and those providers, and that customers are informed of the sub-processor identity. (2) GOVERNANCE EXPOSURE: Medium. The practical compliance burden is high because each third-party model provider may have materially different terms governing permitted use cases, output restrictions, and data retention, requiring separate review for each model used in production. (3) JURISDICTION FLAGS: EU customers have heightened exposure under GDPR sub-processor notification and consent requirements where third-party model providers constitute sub-processors of personal data. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should establish a registry of all third-party foundation models used in Bedrock deployments and obtain and review the applicable model provider terms for each, treating each as a separate vendor relationship with independent contractual obligations. (5) COMPLIANCE CONSIDERATIONS: Legal teams should verify whether AWS's data processing agreements and sub-processor disclosures cover the specific third-party model providers in use, and whether additional data transfer mechanisms are required for cross-border personal data flows to non-AWS model provider infrastructure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Customers using third-party foundation models through Bedrock are bound by an additional, separate layer of terms from the model provider, which may impose different restrictions on output use, data handling, or permitted applications that are not visible within the primary AWS Service Terms.
Accessing third-party models such as Anthropic Claude, Meta Llama, or Cohere models through Bedrock automatically binds the customer to that model provider's terms, which may include restrictions on use cases, output sharing, or data submission that differ from AWS's own terms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.