What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This DPA explicitly engages GDPR (Regulation EU 2016/679) and CCPA, naming both as components of 'Applicable Data Protection Law.' For international data transfers, the DPA incorporates EU Commission Implementing Decision 2021/914 Standard Contractual Clauses, specifically Module 4 (Processor-to-Controller) for customers located in non-adequate third countries, with French law as the governing law for SCC disputes. The EU data protection supervisory authorities and the…

How does Mistral AI's Mistral AI Data Processing Addendum affect users?

This DPA establishes the data processing framework for end users whose personal data flows through Mistral AI's services via business customer integrations. The document specifies that Mistral AI may use personal data for AI model training based on the configuration settings selected by the business customer account holder, meaning the opt-in or opt-out status of model training is determined by business customer configuration choices. End users' data handling is therefore subject to the account…

How often is Mistral AI's Mistral AI Data Processing Addendum updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Mistral AI updates this document?

Yes. Monitor subscribers ($19/month) can add Mistral AI to their watchlist and receive same-day email alerts whenever this document or any other Mistral AI document changes.

CA-D-000771

Mistral AI Data Processing Addendum

Mistral AI

Last change detected May 11, 2026 Data processing addendum

SHA-256: 11ede9710f5d5e475d2… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Mistral AI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

6 Medium severity

1 Low severity

Summary

This Data Processing Addendum establishes the terms under which Mistral AI processes personal data as a data processor on behalf of business customers using its AI products and APIs. The agreement authorizes Mistral AI to use customer data to train its AI models unless the business customer has configured an opt-out or is using a product category with opt-out as the default setting. The agreement requires business customers to monitor subprocessor changes through the Trust Center and permits Mistral AI to engage new subprocessors subject to a 10-day objection period.

Technical / Legal Breakdown

This Data Processing Addendum (DPA), effective March 12, 2026, governs the processing of personal data by Mistral AI on behalf of commercial customers under the main service agreement, establishing Mistral AI as a Processor and the customer as the Controller under GDPR and CCPA frameworks. The agreement states that Mistral AI processes personal data only on documented customer instructions, but separately authorizes Mistral AI to act as Controller for purposes including AI model training (unless the customer opts out or uses a product opted out by default), automated abuse moderation, and aggregated usage analytics. Notably, the DPA permits Mistral AI to terminate the agreement or affected products if a customer objects to a new subprocessor appointment and no resolution is reached within a 10-day objection window, a condition that places practical leverage on the vendor side; additionally, on-site audit rights are constrained by a 90-day advance notice requirement, a joint auditor selection process, and a customer-borne cost structure, which together represent a more restricted audit framework than some enterprise data processing agreements. The DPA explicitly engages GDPR (including SCCs via EU Commission Decision 2021/914 for international data transfers) and CCPA, with French law governing SCC Module 4 disputes for customers in non-adequate third countries. Compliance teams should evaluate the opt-out configuration for AI model training, the subprocessor notification subscription mechanism via the Trust Center, and the 30-day post-termination data deletion timeline against their own data retention and regulatory obligations.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

High — 1 provision

Mistral AI as Controller for AI Model Training Compare →

Mistral AI is permitted to use your business's data, including inputs and outputs, to train its AI models unless you have turned off this feature. If anyone clicks thumbs up or thumbs down on a response, that feedback and the associated conversation can also be used for training.

Added May 11, 2026 Standard Seen across 284 platforms

Medium — 6 provisions

Subprocessor Objection and Termination Right Compare →

If Mistral AI adds a new subprocessor (a third-party company that processes your data), you have 10 days to object in writing. If no agreement is reached, Mistral AI can end the contract or the affected services.

Added May 11, 2026 Standard Seen across 252 platforms
On-Site Audit Rights and Cost Allocation Compare →

Business customers can conduct one on-site audit per year to verify Mistral AI's data processing compliance, but must give 90 days advance notice, use a jointly selected independent auditor, and pay all audit costs themselves.

Added May 11, 2026 Standard Seen across 252 platforms
International Data Transfers and SCC Module 4 Compare →

Mistral AI is authorized to transfer personal data outside the EU/EEA using Standard Contractual Clauses. For customers located outside the EU/EEA in non-adequate countries, the SCC Module 4 applies, with French law and French courts governing any disputes.

Added May 11, 2026 Standard Seen across 252 platforms
Personal Data Breach Notification Compare →

If a data breach occurs, Mistral AI must notify business customers without undue delay. However, providing this notification does not mean Mistral AI is admitting fault or accepting liability for the breach.

Added May 11, 2026 Standard Seen across 284 platforms
Customer Responsibility for Consents and Data Subject Rights Compare →

Business customers are responsible for obtaining all necessary consents from their users, providing required privacy notices, and responding to any data subject rights requests (such as access, deletion, or correction requests) related to the processing covered by this DPA.

Added May 11, 2026 Standard Seen across 262 platforms
Automated Moderation and Abuse Monitoring as Controller Compare →

Mistral AI reviews API usage for abuse and policy violations as an independent Controller, meaning it uses data for its own enforcement purposes rather than solely on customer instructions. This does not apply if zero data retention has been activated.

Added May 11, 2026 Common Seen across 170 platforms

Low — 1 provision

Post-Termination Data Deletion Compare →

When the service ends, Mistral AI will delete or return your personal data. After 30 days from termination, the data will no longer be accessible.

Added May 11, 2026 Standard Seen across 199 platforms

Monitoring

Mistral AI has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Mistral AI as Controller for AI Model Training and similar clauses.

Compare across platforms →