When Fireworks AI processes data on behalf of another business as a contractor, this privacy policy does not apply to that processing, and you need to look to that business's own privacy policy for information about how your data is handled.
This analysis describes what Fireworks AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This carve-out defines the scope of Fireworks AI's privacy obligations by excluding situations where Fireworks processes data as a designated service provider rather than as an independent data controller. It clarifies that responsibility for privacy disclosures transfers to the primary business entity in service provider relationships.
Users of applications or services built on the Fireworks AI platform by other businesses may not have the protections described in this privacy notice, and the applicable privacy terms will be those of the business that built the application, not Fireworks AI directly.
Cross-platform context
See how other platforms handle Service Provider Carve-Out and similar clauses.
Compare across platforms →Monitoring
Fireworks AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"In certain situations, Fireworks may function as a service provider for other businesses. This Privacy Notice does not apply to such processing, and we recommend you read the privacy notice of the respective customer if their processing concerns your personal data.— Excerpt from Fireworks AI's Fireworks AI Privacy Policy
REGULATORY LANDSCAPE: This provision reflects the processor versus controller distinction under GDPR, where Fireworks acts as a data processor on behalf of a customer who is the data controller, and the controller's privacy notice governs. Under CCPA and CPRA, this aligns with the service provider designation that exempts certain processing from consumer rights obligations, provided that a compliant service provider agreement is in place. The adequacy of that agreement is not addressed in this public notice. GOVERNANCE EXPOSURE: Medium. The carve-out is legally recognized under GDPR and CCPA frameworks, but its practical effect is that end users of third-party applications built on Fireworks AI may not know which entity's privacy notice governs their data or how to exercise rights. This creates a transparency gap that regulators have flagged in the context of B2B AI platforms. JURISDICTION FLAGS: EU and UK users interacting with Fireworks-powered applications through third parties should look to those third parties' GDPR-compliant privacy notices for applicable rights. California users of third-party applications should seek the controller's CCPA disclosures. The burden of informing end users falls on the third-party customer, not Fireworks AI in this model. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers deploying Fireworks AI as a backend for their own products must maintain their own GDPR and CCPA-compliant privacy notices for their end users, and must have a data processing agreement with Fireworks that satisfies Article 28 requirements. Procurement teams should confirm that Fireworks offers compliant DPA templates and that processing restrictions are contractually specified. COMPLIANCE CONSIDERATIONS: Businesses using Fireworks AI as a service provider should conduct a data mapping exercise to identify what personal data flows through the Fireworks infrastructure on behalf of their own users, ensure their DPA with Fireworks reflects lawful processing instructions, and verify that their own end-user privacy notices accurately describe Fireworks as a sub-processor where applicable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This carve-out defines the scope of Fireworks AI's privacy obligations by excluding situations where Fireworks processes data as a designated service provider rather than as an independent data controller. It clarifies that responsibility for privacy disclosures transfers to the primary business entity in service provider relationships.
Users of applications or services built on the Fireworks AI platform by other businesses may not have the protections described in this privacy notice, and the applicable privacy terms will be those of the business that built the application, not Fireworks AI directly.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Fireworks AI.