Mistral AI is authorized to transfer personal data outside the EU/EEA using Standard Contractual Clauses. For customers located outside the EU/EEA in non-adequate countries, the SCC Module 4 applies, with French law and French courts governing any disputes.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The incorporation of SCC Module 4 by reference upon DPA acceptance provides a recognized GDPR transfer mechanism, but fixes French law as the governing law and French courts as the dispute forum, which affects where and under what legal framework customers in non-adequate third countries (such as the US, absent an adequacy decision) must pursue remedies.
Business customers outside the EU/EEA whose data is transferred internationally under this DPA will have their SCC-related disputes governed by French law in French courts, regardless of where the customer is located. This creates a practical and financial barrier to dispute resolution for non-European customers.
How other platforms handle this
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable Data Protection Laws, or (b) pursuant to the SCCs. This Section only applies if Customer is located in a Restricted Country. By accepting this DPA, Mistral AI and Customer conclude Module 4 (Processor-to-Controller) of the SCCs which applies to any International Data Transfer conducted by Mistral AI acting as a Data Processor and is hereby incorporated... The governing law in Clause 17 is the law of France; The courts in Clause 18(b) are the Courts of France.— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: This provision directly implicates GDPR Chapter V (Articles 44-49) governing international data transfers, and the EU Commission Implementing Decision 2021/914 (SCCs). The incorporation of SCC Module 4 (Processor-to-Controller) is appropriate where Mistral AI acts as Processor and the customer/data importer is a Controller in a non-adequate third country. EU supervisory authorities, including the EDPB and national DPAs, oversee compliance with transfer mechanisms. The validity of SCCs may require supplementary measures assessment (transfer impact assessment) depending on the destination country. (2) GOVERNANCE EXPOSURE: Medium. The primary exposure is that accepting the DPA constitutes acceptance of the SCC Module 4 terms, including French governing law and jurisdiction. Customers in regulated sectors or jurisdictions that require local law governing clauses in data processing agreements may face a conflict. (3) JURISDICTION FLAGS: US customers, post-EU-US Data Privacy Framework, should assess whether they are subject to adequacy coverage or whether SCCs remain the applicable transfer mechanism. UK customers should evaluate whether UK-specific transfer mechanisms (IDTA or UK Addendum to SCCs) are required in addition to or instead of the EU SCCs referenced here. Customers in China, India, or other jurisdictions with data localization requirements face additional exposure. (4) CONTRACT AND VENDOR IMPLICATIONS: Legal teams should verify whether the SCC Module 4 configuration (Processor-to-Controller) accurately reflects their data relationship with Mistral AI, as misidentification of the applicable module could undermine the transfer mechanism's validity. Transfer Impact Assessments may be required depending on the customer's jurisdiction and sector. (5) COMPLIANCE CONSIDERATIONS: Customers should document their transfer impact assessment for transfers conducted under these SCCs, update their Records of Processing Activities to reflect the SCC transfer mechanism, and verify whether any additional local law requirements apply in their jurisdiction. UK-based customers should specifically assess whether a UK Addendum is required alongside the EU SCCs.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The incorporation of SCC Module 4 by reference upon DPA acceptance provides a recognized GDPR transfer mechanism, but fixes French law as the governing law and French courts as the dispute forum, which affects where and under what legal framework customers in non-adequate third countries (such as the US, absent an adequacy decision) must pursue remedies.
Business customers outside the EU/EEA whose data is transferred internationally under this DPA will have their SCC-related disputes governed by French law in French courts, regardless of where the customer is located. This creates a practical and financial barrier to dispute resolution for non-European customers.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.