Business customers are responsible for obtaining all necessary consents from their users, providing required privacy notices, and responding to any data subject rights requests (such as access, deletion, or correction requests) related to the processing covered by this DPA.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision places the full burden of consent management, privacy disclosure, and data subject rights handling on the business customer rather than on Mistral AI, which is consistent with the Controller-Processor framework but requires customers to have robust mechanisms in place for managing rights requests at the end-user level.
End users who want to exercise rights over their data (such as requesting deletion or access) must direct those requests to the business customer, not to Mistral AI directly. Mistral AI states it will not respond directly to end-user rights requests without customer consent, instead forwarding them to the customer.
How other platforms handle this
In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Depending on where you live, you may have certain rights with respect to your personal information. These rights may include: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which we collected i...
Monitoring
Mistral AI has changed this document before.
"Customer shall: Comply with its obligations under the Applicable Data Protection Law regarding the Processing and any instruction provided to Mistral AI, Provide notice and obtain all consents and rights required by the Applicable Data Protection Law for Mistral AI to Process Personal Data as part of the Processing, under this DPA. Customer shall (a) provide Data Subjects with the information required by the Applicable Data Protection Law and (b) respond to all Data Subjects requests to exercise their rights regarding the Processing." — Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 12-22 (data subject rights) and Articles 13-14 (transparency obligations), as well as CCPA rights provisions including the right to know, delete, and opt-out. The customer-as-Controller framework means the customer bears primary accountability for rights fulfillment, with Mistral AI providing assistance as Processor. EU supervisory authorities enforce rights compliance against the Controller, making this provision a significant accountability assignment.
(2) GOVERNANCE EXPOSURE: Medium. The exposure is primarily operational: customers must have functional processes for receiving, validating, and responding to data subject rights requests within regulatory timeframes (GDPR: one month, extendable to three; CCPA: 45 days, extendable to 90). The DPA commits Mistral AI to provide 'commercially reasonable assistance' for rights requests, but the customer bears ultimate responsibility.
(3) JURISDICTION FLAGS: EU/EEA customers face the broadest data subject rights obligations under GDPR, including rights to access, rectification, erasure, restriction, portability, and objection. California residents have CCPA rights that the customer must be prepared to fulfill. Customers serving data subjects in other jurisdictions (UK, Brazil, Canada) face additional local law requirements not explicitly addressed in this DPA.
(4) CONTRACT AND VENDOR IMPLICATIONS: Customers should assess whether their current privacy infrastructure can support timely rights request fulfillment for data processed by Mistral AI, including the ability to identify and retrieve or delete data processed through Mistral AI products. Downstream customer agreements should accurately allocate Controller responsibilities.
(5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all data flows through Mistral AI products to ensure rights request fulfillment processes can reach data held or processed by Mistral AI. Privacy notices should accurately describe the processing relationship and identify the customer as the responsible party for rights requests. Internal procedures should address how to engage Mistral AI's commercially reasonable assistance for complex rights requests.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.