Business customers can conduct one on-site audit per year to verify Mistral AI's data processing compliance, but must give 90 days' advance notice, use a jointly selected independent auditor, and pay all audit costs themselves.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The 90-day advance notice requirement, jointly selected auditor, and customer-borne costs collectively create a high practical threshold for exercising on-site audit rights, which may limit their utility as a real-time compliance verification tool. These conditions are notable relative to some enterprise DPA frameworks that impose shorter notice periods or allow customer-selected auditors.
This provision affects business customers' ability to independently verify Mistral AI's data processing practices. The cost and procedural requirements mean that practical audit oversight is primarily available to larger enterprises with dedicated compliance resources.
Monitoring
Mistral AI has changed this document before.
"Only to the extent Customer cannot reasonably be satisfied with Mistral AI's compliance with this DPA through the exercise of the audit set out in Section 9.1 (Document Audit) of this DPA, Customer may conduct up to one (1) on-site audit per year to verify Mistral AI's compliance with this DPA, under the conditions defined below: This audit must be conducted with reasonable advance written notice of at least ninety (90) calendar days... This audit shall be carried out by an independent auditor selected jointly by the Parties for its expertise, independence and impartiality and which is, in any event, not a direct or indirect competitor of the Mistral AI... The costs of this audit shall be borne exclusively by Customer."
Excerpt from Mistral AI's Data Processing Addendum
(1) REGULATORY LANDSCAPE: GDPR Article 28(3)(h) requires processor agreements to include provisions allowing controllers to conduct audits and inspections. This provision satisfies that requirement but layers significant procedural and financial conditions on its exercise. The GDPR does not specify audit notice periods or cost allocation, leaving these as commercial terms. EU supervisory authorities may assess whether these conditions unreasonably limit the controller's ability to verify compliance.
(2) GOVERNANCE EXPOSURE: Medium. The primary exposure is that the practical barriers to on-site audits may leave customers dependent on document-based reviews and Mistral AI's self-reported compliance information. For customers with regulatory obligations to conduct vendor oversight audits (e.g., under financial services or healthcare sector rules), the 90-day notice and cost-bearing requirements may conflict with those obligations.
(3) JURISDICTION FLAGS: EU/EEA customers with GDPR Article 28 obligations face the most direct exposure. Customers in financial services (subject to EBA or PRA outsourcing guidelines), healthcare, or critical infrastructure sectors may have supervisory-mandated audit rights that require more flexible access terms.
(4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should assess whether the document audit in Section 9.1 is practically sufficient for their vendor risk management obligations, and whether the 90-day notice, joint auditor selection, and customer cost provisions should be negotiated. The restriction that the auditor must not be a competitor of Mistral AI may limit auditor selection in the AI sector.
(5) COMPLIANCE CONSIDERATIONS: Compliance teams should document the basis on which they are satisfied with document-based audit outputs before concluding that an on-site audit is unnecessary, as this sequencing is a precondition for triggering on-site rights under Section 9.2. Annual planning for any anticipated audit should begin well in advance given the 90-day notice requirement.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.