The agreement states that AWS handles customer content in accordance with the AWS Privacy Notice, that customers retain ownership of their content, and that AWS will access or use customer content only as necessary to provide and maintain services or as otherwise agreed in writing. Customers consent to AWS's collection, use, and processing of their content by accepting the agreement.
This analysis describes what AWS's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes both the data ownership framework (customer retains content ownership) and the permitted scope of AWS's access to customer content (limited to service provision and maintenance). For customers processing personal data on AWS, this provision works in conjunction with the separately available Data Processing Addendum, which governs GDPR and equivalent regulatory obligations.
Interpretive note: The broad consent language for AWS to collect, use, and process customer content may interact with GDPR's specific lawful basis requirements in ways that depend on the categories of personal data involved and the applicable DPA terms; the main agreement alone is not a complete statement of data processing obligations for regulated data.
This revised provision clarifies customer ownership of content while obtaining explicit consent for collection and processing, and limits AWS's use to service provision and written agreements only.
View full change record →Removal of explicit reference to Data Processing Addendum availability and GDPR compliance specificity eliminates clear guidance on obtaining a DPA for regulatory compliance.
View full change record →The agreement establishes that customers own their content hosted on AWS but consent to AWS collecting, using, and processing that content for service provision purposes. The full scope of data handling practices is governed by the AWS Privacy Notice and, for personal data subject to GDPR or equivalent regulations, the separately available Data Processing Addendum.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
AWS has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"AWS will handle Your Content in accordance with the AWS Privacy Notice. As between you and AWS, you own all right, title and interest in and to Your Content. You consent to our collection, use, and processing of Your Content. AWS will not access or use Your Content except as necessary to provide and maintain the Service Offerings, or as otherwise expressly agreed to in writing.— Excerpt from AWS's AWS Customer Agreement
(1) REGULATORY LANDSCAPE: The data processing provision interacts directly with GDPR (where customer content includes EU/EEA personal data), CCPA (where California residents' personal information is processed), and HIPAA (where electronic protected health information is involved). The provision's broad consent language for AWS to collect, use, and process customer content requires evaluation against GDPR's lawful basis requirements for processing, as consent under a commercial agreement may not satisfy GDPR's consent standard for all processing purposes. The AWS Data Processing Addendum (available at https://aws.amazon.com/agreement/) provides GDPR-specific controller-processor obligations and should be reviewed alongside this provision. (2) GOVERNANCE EXPOSURE: Medium. The interaction between the broad consent clause in the main agreement and the more detailed GDPR-specific obligations in the DPA requires careful analysis for EU/EEA customers. For US customers without GDPR obligations, the customer content ownership provision combined with the service-limited access scope is operationally significant but generally consistent with standard cloud practices. (3) JURISDICTION FLAGS: EU/EEA customers must execute the AWS DPA to ensure GDPR compliance; the main agreement's consent mechanism alone is not sufficient for GDPR compliance. California customers processing California residents' data should assess whether the Privacy Notice and DPA terms satisfy CCPA obligations, including data subject rights and sale/sharing restrictions. HIPAA-covered entities must execute the AWS Business Associate Addendum. (4) CONTRACT AND VENDOR IMPLICATIONS: Data mapping exercises should document all categories of customer content processed on AWS, the applicable legal basis for processing, and the addenda executed to govern that processing. Vendor assessments should confirm that the appropriate DPA and BAA versions are current and executed. Downstream customer agreements that reference AWS as a sub-processor should be updated to reflect the AWS DPA's sub-processor notification mechanisms. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should ensure that the AWS DPA and BAA are executed before processing regulated personal data or PHI. The Privacy Notice should be reviewed periodically for changes that may affect the lawful basis for processing or data subject rights disclosures. Data transfer mechanisms for EU/EEA to US data flows should be confirmed as current, as the DPA's standard contractual clauses or equivalent mechanisms must remain valid.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes both the data ownership framework (customer retains content ownership) and the permitted scope of AWS's access to customer content (limited to service provision and maintenance). For customers processing personal data on AWS, this provision works in conjunction with the separately available Data Processing Addendum, which governs GDPR and equivalent regulatory obligations.
The agreement establishes that customers own their content hosted on AWS but consent to AWS collecting, using, and processing that content for service provision purposes. The full scope of data handling practices is governed by the AWS Privacy Notice and, for personal data subject to GDPR or equivalent regulations, the separately available Data Processing Addendum.
ConductAtlas has identified this type of provision across 5 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS.