Business customers are responsible for obtaining all necessary consents from their users, providing required privacy notices, and responding to any data subject rights requests (such as access, deletion, or correction requests) related to the processing covered by this DPA.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision places the full burden of consent management, privacy disclosure, and data subject rights handling on the business customer rather than on Mistral AI, which is consistent with the Controller-Processor framework but requires customers to have robust mechanisms in place for managing rights requests at the end-user level.
End users who want to exercise rights over their data (such as requesting deletion or access) must direct those requests to the business customer, not to Mistral AI directly. Mistral AI states it will not respond directly to end-user rights requests without customer consent, instead forwarding them to the customer.
How other platforms handle this
Your use of our websites, products, services, or other online activities ('Services') constitutes your consent to these practices.
"By clicking 'Next', you are indicating that you have read and agree to the TERMS OF USE AND PRIVACY POLICY"
We automatically collect certain information from your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Service, we collect information about the individual web pages or products th...
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Customer shall: Comply with its obligations under the Applicable Data Protection Law regarding the Processing and any instruction provided to Mistral AI, Provide notice and obtain all consents and rights required by the Applicable Data Protection Law for Mistral AI to Process Personal Data as part of the Processing, under this DPA. Customer shall (a) provide Data Subjects with the information required by the Applicable Data Protection Law and (b) respond to all Data Subjects requests to exercise their rights regarding the Processing.— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 12-22 (data subject rights) and Articles 13-14 (transparency obligations), as well as CCPA rights provisions including the right to know, delete, and opt-out. The customer-as-Controller framework means the customer bears primary accountability for rights fulfillment, with Mistral AI providing assistance as Processor. EU supervisory authorities enforce rights compliance against the Controller, making this provision a significant accountability assignment. (2) GOVERNANCE EXPOSURE: Medium. The exposure is primarily operational: customers must have functional processes for receiving, validating, and responding to data subject rights requests within regulatory timeframes (GDPR: one month, extendable to three; CCPA: 45 days, extendable to 90). The DPA commits Mistral AI to provide 'commercially reasonable assistance' for rights requests, but the customer bears ultimate responsibility. (3) JURISDICTION FLAGS: EU/EEA customers face the broadest data subject rights obligations under GDPR, including rights to access, rectification, erasure, restriction, portability, and objection. California residents have CCPA rights that the customer must be prepared to fulfill. Customers serving data subjects in other jurisdictions (UK, Brazil, Canada) face additional local law requirements not explicitly addressed in this DPA. (4) CONTRACT AND VENDOR IMPLICATIONS: Customers should assess whether their current privacy infrastructure can support timely rights request fulfillment for data processed by Mistral AI, including the ability to identify and retrieve or delete data processed through Mistral AI products. Downstream customer agreements should accurately allocate Controller responsibilities. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all data flows through Mistral AI products to ensure rights request fulfillment processes can reach data held or processed by Mistral AI. Privacy notices should accurately describe the processing relationship and identify the customer as the responsible party for rights requests. Internal procedures should address how to engage Mistral AI's commercially reasonable assistance for complex rights requests.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision places the full burden of consent management, privacy disclosure, and data subject rights handling on the business customer rather than on Mistral AI, which is consistent with the Controller-Processor framework but requires customers to have robust mechanisms in place for managing rights requests at the end-user level.
End users who want to exercise rights over their data (such as requesting deletion or access) must direct those requests to the business customer, not to Mistral AI directly. Mistral AI states it will not respond directly to end-user rights requests without customer consent, instead forwarding them to the customer.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.