What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This DPA explicitly engages GDPR (Regulation EU 2016/679) and CCPA, naming both as components of 'Applicable Data Protection Law.' For international data transfers, the DPA incorporates EU Commission Implementing Decision 2021/914 Standard Contractual Clauses, specifically Module 4 (Processor-to-Controller) for customers located in non-adequate third countries, with French law as the governing law for SCC disputes. The EU data protection supervisory authorities and the…

How does Mistral AI's Mistral AI Data Processing Addendum affect users?

This DPA primarily affects business customers who integrate Mistral AI's APIs and products into their own services, governing how their users' personal data is handled during processing. The agreement states that Mistral AI may use personal data to train its AI models unless the customer has opted out or uses a product that is opted out by default, meaning the configuration chosen by the business customer directly affects whether end-user data contributes to model training. You can check whethe…

How often is Mistral AI's Mistral AI Data Processing Addendum updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Mistral AI updates this document?

Yes. Watcher subscribers ($9.99/month) can add Mistral AI to their watchlist and receive same-day email alerts whenever this document or any other Mistral AI document changes.

CA-D-000771

Mistral AI Data Processing Addendum

Mistral AI

Last change detected May 11, 2026 Data processing addendum

SHA-256: 11ede9710f5d5e475d2… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Mistral AI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

6 Medium severity

1 Low severity

Summary

This is Mistral AI's Data Processing Addendum, the legal contract that governs how Mistral AI handles personal data on behalf of business customers who use its AI products and APIs. Under this document, Mistral AI may use customer data to train its AI models unless the business customer has actively opted out or is using a product that is opted out by default. Business customers should check their account configuration to confirm whether AI model training is active or disabled for their use case, and should subscribe to Mistral AI's Trust Center to receive notifications when new subprocessors are added.

Technical / Legal Breakdown

This Data Processing Addendum (DPA), effective March 12, 2026, governs the processing of personal data by Mistral AI on behalf of commercial customers under the main service agreement, establishing Mistral AI as a Processor and the customer as the Controller under GDPR and CCPA frameworks. The agreement states that Mistral AI processes personal data only on documented customer instructions, but separately authorizes Mistral AI to act as Controller for purposes including AI model training (unless the customer opts out or uses a product opted out by default), automated abuse moderation, and aggregated usage analytics. Notably, the DPA permits Mistral AI to terminate the agreement or affected products if a customer objects to a new subprocessor appointment and no resolution is reached within a 10-day objection window, a condition that places practical leverage on the vendor side; additionally, on-site audit rights are constrained by a 90-day advance notice requirement, a joint auditor selection process, and a customer-borne cost structure, which together represent a more restricted audit framework than some enterprise data processing agreements. The DPA explicitly engages GDPR (including SCCs via EU Commission Decision 2021/914 for international data transfers) and CCPA, with French law governing SCC Module 4 disputes for customers in non-adequate third countries. Compliance teams should evaluate the opt-out configuration for AI model training, the subprocessor notification subscription mechanism via the Trust Center, and the 30-day post-termination data deletion timeline against their own data retention and regulatory obligations.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

Mistral AI as Controller for AI Model Training Compare →

Mistral AI is permitted to use your business's data, including inputs and outputs, to train its AI models unless you have turned off this feature. If anyone clicks thumbs up or thumbs down on a response, that feedback and the associated conversation can also be used for training.

Added May 11, 2026 Common Seen across 104 platforms

Medium — 6 provisions

Subprocessor Objection and Termination Right Compare →

If Mistral AI adds a new subprocessor (a third-party company that processes your data), you have 10 days to object in writing. If no agreement is reached, Mistral AI can end the contract or the affected services.

Added May 11, 2026 Standard Seen across 189 platforms
On-Site Audit Rights and Cost Allocation Compare →

Business customers can conduct one on-site audit per year to verify Mistral AI's data processing compliance, but must give 90 days advance notice, use a jointly selected independent auditor, and pay all audit costs themselves.

Added May 11, 2026 Standard Seen across 251 platforms
International Data Transfers and SCC Module 4 Compare →

Mistral AI is authorized to transfer personal data outside the EU/EEA using Standard Contractual Clauses. For customers located outside the EU/EEA in non-adequate countries, the SCC Module 4 applies, with French law and French courts governing any disputes.

Added May 11, 2026 Standard Seen across 246 platforms
Personal Data Breach Notification Compare →

If a data breach occurs, Mistral AI must notify business customers without undue delay. However, providing this notification does not mean Mistral AI is admitting fault or accepting liability for the breach.

Added May 11, 2026 Standard Seen across 262 platforms
Customer Responsibility for Consents and Data Subject Rights Compare →

Business customers are responsible for obtaining all necessary consents from their users, providing required privacy notices, and responding to any data subject rights requests (such as access, deletion, or correction requests) related to the processing covered by this DPA.

Added May 11, 2026 Standard Seen across 262 platforms
Automated Moderation and Abuse Monitoring as Controller Compare →

Mistral AI reviews API usage for abuse and policy violations as an independent Controller, meaning it uses data for its own enforcement purposes rather than solely on customer instructions. This does not apply if zero data retention has been activated.

Added May 11, 2026 Standard Seen across 189 platforms

Low — 1 provision

Post-Termination Data Deletion Compare →

When the service ends, Mistral AI will delete or return your personal data. After 30 days from termination, the data will no longer be accessible.

Added May 11, 2026 Standard Seen across 223 platforms

Monitoring

Mistral AI has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Mistral AI as Controller for AI Model Training and similar clauses.

Compare across platforms →