The document lists a Data Processing Addendum as a distinct legal document available to commercial customers, indicating a separate controller-processor or controller-controller agreement exists for business use cases.
This analysis describes what Mistral AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The reference to a named data processing addendum signals that commercial customers are subject to specific data-processing terms, though those terms are not stated here.
Interpretive note: The excerpt is a document title only. No substantive legal proposition is stated. The canonical claim is limited to the fact that the label exists.
This provision applies to commercial customers rather than individual consumers. Under this structure, businesses using Mistral AI services are directed to a separate Data Processing Addendum that governs how personal data is processed in a commercial context.
How other platforms handle this
We will only collect, use and disclose your personal data with your consent, unless otherwise permitted or required by law. Your consent may be given expressly or implied, depending on the circumstances and the sensitivity of the information involved.
authorize ZipRecruiter to connect your account to the account of a "Connected Site" (e.g., Google, LinkedIn, Monster, Facebook or Twitter), we may be able to access information you have provided to the Connected Site...
telemetry information collected includes: (i) microservice settings, (ii) usage data and (iii) hardware environment.
Monitoring
Mistral AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Data Processing Addendum— Excerpt from Mistral AI's Mistral Terms of Use
(1) REGULATORY LANDSCAPE: A Data Processing Addendum directly engages GDPR Article 28, which requires that controllers use only processors providing sufficient guarantees and that processing be governed by a binding contract. The relevant enforcement authority is the applicable EU data protection supervisory authority in the member state of establishment. UK GDPR imposes equivalent requirements for UK-based commercial customers. (2) GOVERNANCE EXPOSURE: High for commercial customers processing personal data via Mistral AI services. The DPA must be reviewed to confirm it satisfies GDPR Article 28 mandatory clauses including processing instructions, confidentiality, security measures, sub-processor obligations, data subject rights assistance, and deletion or return of data. (3) JURISDICTION FLAGS: EU and EEA commercial customers face mandatory DPA requirements under GDPR. UK commercial customers face equivalent requirements under UK GDPR. California-based commercial customers should evaluate whether CCPA service provider agreement provisions are addressed. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams must access and review the full Data Processing Addendum text to assess sub-processor lists, international transfer mechanisms (such as Standard Contractual Clauses), audit rights, and incident notification timelines. The index page does not disclose whether the DPA is pre-signed, negotiable, or unilaterally imposed. (5) COMPLIANCE CONSIDERATIONS: Commercial customers should conduct a data mapping exercise to identify what personal data is transferred to Mistral AI, confirm the DPA addresses all GDPR Article 28 mandatory provisions, and evaluate whether the listed sub-processors are acceptable under their own data governance policies.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The reference to a named data processing addendum signals that commercial customers are subject to specific data-processing terms, though those terms are not stated here.
This provision applies to commercial customers rather than individual consumers. Under this structure, businesses using Mistral AI services are directed to a separate Data Processing Addendum that governs how personal data is processed in a commercial context.
ConductAtlas has identified this type of provision across 300 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mistral AI.