D&B processes a wide range of data types including personal data about individuals in their professional capacity, covering businesses, economic activity, sustainability, and legal events, at a scale of over 600 million organizations globally.
This analysis describes what Dun & Bradstreet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The breadth and scale of D&B's data processing means that a significant proportion of business professionals worldwide may have data held about them in the D&B Data Cloud, often without having a direct relationship with or awareness of D&B.
Given the 600M+ organization data footprint, individuals working in or associated with any business entity globally may have professional and personally identifiable data held by D&B, potentially including contact details, business role, and AI-generated assessments. The scope of 'personal data' within this universe is explicitly acknowledged but not further defined in this document.
How other platforms handle this
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models...
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
Monitoring
Dun & Bradstreet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We process many types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal, and other significant business events, and third-party risks. Some of the data we process is considered personal data. Some of the systems we use to process data are AI Systems. Our Dun & Bradstreet Data Cloud contains data and insights on over 600M+ organizations around the globe.— Excerpt from Dun & Bradstreet's D&B Privacy Policy
REGULATORY LANDSCAPE: The acknowledged presence of personal data within a 600M+ organization dataset implicates GDPR (for EU and EEA data subjects), UK GDPR, Swiss FADP, CCPA and CPRA (for California residents), and equivalent national privacy laws globally. The scale of processing and the data broker context may trigger heightened regulatory attention under GDPR's accountability and data minimization principles, as well as CCPA's requirements for data brokers. GOVERNANCE EXPOSURE: Medium. The broad scope of data types (people, businesses, economic activity, sustainability, legal events, third-party risks) combined with AI system use creates a complex data map. Organizations that supply data to D&B through commercial relationships should assess whether their data sharing agreements with D&B adequately define and limit the scope of data D&B may incorporate into the Data Cloud. JURISDICTION FLAGS: The global scale of the Data Cloud means virtually every jurisdiction with privacy legislation is implicated. EU and UK operations carry the highest regulatory risk given GDPR's extraterritorial scope and active enforcement. California, Colorado, Virginia, Texas, and other U.S. states with comprehensive privacy laws create additional compliance requirements for data about residents of those states. CONTRACT AND VENDOR IMPLICATIONS: B2B customers licensing data from D&B should assess whether their agreements specify which data fields are sourced from the Data Cloud, whether personal data is included, and what data minimization or purpose limitation obligations apply to their specific use case. Vendor due diligence should address D&B's sub-processor arrangements and whether any data contributed by the customer organization is incorporated into the broader Data Cloud. COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a data mapping exercise to identify whether any personal data from their organization has been or could be incorporated into the D&B Data Cloud, and whether appropriate contractual safeguards are in place. Teams should also review D&B's Responsible Data Processing Sheets for specific products to understand data lineage and processing purposes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The breadth and scale of D&B's data processing means that a significant proportion of business professionals worldwide may have data held about them in the D&B Data Cloud, often without having a direct relationship with or awareness of D&B.
Given the 600M+ organization data footprint, individuals working in or associated with any business entity globally may have professional and personally identifiable data held by D&B, potentially including contact details, business role, and AI-generated assessments. The scope of 'personal data' within this universe is explicitly acknowledged but not further defined in this document.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Dun & Bradstreet.