Business customers can conduct one on-site audit per year to verify Mistral AI's data processing compliance, but must give 90 days' advance notice, use a jointly selected independent auditor, and pay all audit costs themselves.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The 90-day advance notice requirement, jointly selected auditor, and customer-borne costs collectively create a high practical threshold for exercising on-site audit rights, which may limit their utility as a real-time compliance verification tool. These conditions are notable relative to some enterprise DPA frameworks that impose shorter notice periods or allow customer-selected auditors.
This provision affects business customers' ability to independently verify Mistral AI's data processing practices. The cost and procedural requirements mean that practical audit oversight is primarily available to larger enterprises with dedicated compliance resources.
Monitoring
Mistral AI has changed this document before.
"Only to the extent Customer cannot reasonably be satisfied with Mistral AI's compliance with this DPA through the exercise of the audit set out in Section 9.1 (Document Audit) of this DPA, Customer may conduct up to one (1) on-site audit per year to verify Mistral AI's compliance with this DPA, under the conditions defined below: This audit must be conducted with reasonable advance written notice of at least ninety (90) calendar days... This audit shall be carried out by an independent auditor selected jointly by the Parties for its expertise, independence and impartiality and which is, in any event, not a direct or indirect competitor of the Mistral AI... The costs of this audit shall be borne exclusively by Customer."
— Excerpt from Mistral AI's Mistral AI Data Processing Addendum
(1) REGULATORY LANDSCAPE: GDPR Article 28(3)(h) requires processor agreements to include provisions allowing controllers to conduct audits and inspections. This provision satisfies that requirement but layers significant procedural and financial conditions on its exercise. The GDPR does not specify audit notice periods or cost allocation, leaving these as commercial terms. EU supervisory authorities may assess whether these conditions unreasonably limit the controller's ability to verify compliance.

(2) GOVERNANCE EXPOSURE: Medium. The primary exposure is that the practical barriers to on-site audits may leave customers dependent on document-based reviews and Mistral AI's self-reported compliance information. For customers with regulatory obligations to conduct vendor oversight audits (e.g., under financial services or healthcare sector rules), the 90-day notice and cost-bearing requirements may conflict with those obligations.

(3) JURISDICTION FLAGS: EU/EEA customers with GDPR Article 28 obligations face the most direct exposure. Customers in financial services (subject to EBA or PRA outsourcing guidelines), healthcare, or critical infrastructure sectors may have supervisory-mandated audit rights that require more flexible access terms.

(4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should assess whether the document audit in Section 9.1 is practically sufficient for their vendor risk management obligations, and whether the 90-day notice, joint auditor selection, and customer cost provisions should be negotiated. The restriction that the auditor must not be a competitor of Mistral AI may limit auditor selection in the AI sector.

(5) COMPLIANCE CONSIDERATIONS: Compliance teams should document the basis on which they are satisfied with document-based audit outputs before concluding that an on-site audit is unnecessary, as this sequencing is a precondition for triggering on-site rights under Section 9.2. Annual planning for any anticipated audit should begin well in advance given the 90-day notice requirement.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.