AWS processes your data only to run the services you use, not for its own marketing or product purposes, and it offers a separate Data Processing Addendum for customers who need it to comply with GDPR or similar laws.
This analysis describes what AWS's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The Data Processing Addendum is a separate document that must be actively executed by customers who process personal data subject to GDPR or similar frameworks; it is not automatically incorporated into the main agreement.
Interpretive note: The specific contractual requirements for GDPR Article 28 compliance depend on the version of the DPA in effect and the nature of the personal data processed; legal review of the current DPA text is required to confirm adequacy.
Customers who process personal data of individuals in the EU, UK, or other regulated jurisdictions must execute a separate Data Processing Addendum with AWS to establish the legally required controller-processor relationship. Without this addendum, the customer's data processing activities on AWS may lack the contractual safeguards required by GDPR and similar laws.
How other platforms handle this
Cloudflare's current Privacy Policy is incorporated into this Agreement by this reference and is located at https://www.cloudflare.com/privacypolicy/. In addition, by using the Services, you acknowledge and agree that internet transmissions are never completely private or secure.
To the extent that Duo processes any Personal Data (as defined in the Duo Privacy Data Sheet) on behalf of Customer in connection with Customer's use of the Services, the terms of the Duo Data Processing Agreement ('DPA'), which are hereby incorporated by reference into this Agreement, shall apply a...
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
Monitoring
AWS has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"The AWS Privacy Notice describes our privacy practices. Each party will comply with applicable data protection laws in connection with the Service Offerings. AWS will process Customer Data only to provide the Service Offerings and related support and not for its own purposes, except as described in the AWS Privacy Notice or as you otherwise consent. AWS offers a Data Processing Addendum for customers who require one for GDPR or other legal compliance purposes.— Excerpt from AWS's AWS Customer Agreement
REGULATORY LANDSCAPE: GDPR Article 28 requires a written contract between data controllers and processors specifying the subject matter, duration, nature, and purpose of processing. AWS's Data Processing Addendum is designed to satisfy this requirement. The EU-US Data Privacy Framework and UK GDPR impose additional transfer mechanism requirements. CCPA's service provider restrictions also apply for California customers processing consumer personal information on AWS. GOVERNANCE EXPOSURE: High for customers with EU, UK, or California personal data obligations who have not executed the DPA. Without the addendum, the contractual basis for GDPR-compliant data processing is absent, potentially exposing the customer to enforcement action by EU supervisory authorities. JURISDICTION FLAGS: EU and UK customers face the greatest exposure if the DPA is not in place. California customers should confirm that AWS is designated as a service provider under their CCPA compliance program. Customers in other jurisdictions with data protection laws such as Brazil's LGPD, Canada's PIPEDA, or India's PDPB should assess whether equivalent contractual protections are in place. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should confirm that the AWS DPA has been executed and is current before any personal data is processed on AWS infrastructure. The DPA's terms, including sub-processor lists and transfer mechanism schedules, require ongoing monitoring for changes. COMPLIANCE CONSIDERATIONS: Data protection officers and privacy teams should maintain a record of DPA execution dates and versions. Updates to AWS's sub-processor list under the DPA may trigger notification obligations to data protection authorities or individual data subjects in some jurisdictions. Annual reviews of the DPA against current regulatory guidance are recommended.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The Data Processing Addendum is a separate document that must be actively executed by customers who process personal data subject to GDPR or similar frameworks; it is not automatically incorporated into the main agreement.
Customers who process personal data of individuals in the EU, UK, or other regulated jurisdictions must execute a separate Data Processing Addendum with AWS to establish the legally required controller-processor relationship. Without this addendum, the customer's data processing activities on AWS may lack the contractual safeguards required by GDPR and similar laws.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS.