Mistral AI reviews API usage for abuse and policy violations as an independent Controller, meaning it uses data for its own enforcement purposes rather than solely on customer instructions. This does not apply if zero data retention has been activated.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes Mistral AI to conduct automated moderation and abuse monitoring as a Controller, which means this processing is governed by Mistral AI's own legal basis and purposes rather than customer instructions. The carve-out for zero data retention configurations provides an option for customers who need to limit this processing.
API interactions may be subject to automated review by Mistral AI for abuse detection as an independent Controller, unless the customer has activated zero data retention. This processing occurs for Mistral AI's own enforcement purposes and is not fully within the customer's control.
How other platforms handle this
When our business customers use certain Services, we generally process and store limited personal information on their behalf as a data processor. For certain products such as Docusign's Contract Lifecycle Management (CLM) and Identity products, we may act as a processor and as a controller in certa...
In competitive game modes, we may record your gameplay, and your controller button inputs, and replay these together with your in-game profile information and game statistics to other players in-game and at live EA or partner events.
We and our service providers and other vendors may record, monitor, and retain emails, chats, calls, and texts. By communicating with us, you consent to this recording, monitoring, and retention. We may use chatbot technology and other automated methods of communication.
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Mistral AI is authorized to process the Personal Data as Controller for the purposes of: Automated moderation, including abuse monitoring on our APIs (except, in this last case, when zero data retention has been activated), to enforce the Agreement.— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 22 (automated decision-making and profiling) and Articles 6 and 9 (lawful basis for processing), as Mistral AI's Controller-basis abuse monitoring requires an independent legal basis separate from the service agreement. The GDPR's legitimate interests basis under Article 6(1)(f) is the most likely legal basis for abuse monitoring, but the DPA does not specify this explicitly. EU supervisory authorities are the primary enforcement bodies. (2) GOVERNANCE EXPOSURE: Medium. Customers must ensure their privacy notices disclose Mistral AI's automated moderation processing where it affects their end users. The absence of automated moderation under zero data retention configurations is significant for customers with heightened confidentiality requirements (e.g., legal, healthcare, financial services). (3) JURISDICTION FLAGS: EU/EEA customers should assess whether Mistral AI's automated moderation constitutes profiling under GDPR and whether data subjects have rights to object or require human review. US customers in regulated sectors should assess whether automated review of API content creates additional compliance obligations. (4) CONTRACT AND VENDOR IMPLICATIONS: Customers with strict confidentiality obligations (attorney-client privilege, medical records, financial data) should evaluate whether zero data retention is required for their use case and document that configuration. The distinction between Processor-role processing and Controller-role abuse monitoring should be reflected in customer-facing privacy documentation. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether zero data retention is appropriate or required for their use case, and if so, confirm that it has been activated and documented. Privacy notices should disclose the automated moderation processing where applicable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes Mistral AI to conduct automated moderation and abuse monitoring as a Controller, which means this processing is governed by Mistral AI's own legal basis and purposes rather than customer instructions. The carve-out for zero data retention configurations provides an option for customers who need to limit this processing.
API interactions may be subject to automated review by Mistral AI for abuse detection as an independent Controller, unless the customer has activated zero data retention. This processing occurs for Mistral AI's own enforcement purposes and is not fully within the customer's control.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.