What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This DPA engages GDPR (EU 2016/679) as its primary framework, with the controller-processor distinction being central to its obligations. UK GDPR and CCPA/CPRA are also engaged given the multilingual EU-member-state targeting and California data subject exposure. The European Data Protection Board and national supervisory authorities within EU member states serve as primary enforcement bodies; the FTC and California Privacy Protection Agency (CPPA) have relevance for U…

How does Perplexity AI's Perplexity Data Processing Addendum affect users?

This DPA primarily affects businesses using Perplexity AI's API or enterprise services rather than individual end users directly. However, individuals whose personal data is processed through those business integrations are indirectly affected, as the DPA governs the security, retention, and transfer conditions applied to their data. If you are an individual whose data is processed by a business using Perplexity AI, your rights under GDPR or CCPA would typically be exercised through the busines…

How often is Perplexity AI's Perplexity Data Processing Addendum updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Perplexity AI updates this document?

Yes. Watcher subscribers ($9.99/month) can add Perplexity AI to their watchlist and receive same-day email alerts whenever this document or any other Perplexity AI document changes.

CA-D-000763

Perplexity Data Processing Addendum

Perplexity AI

Last change detected May 11, 2026 Data processing addendum

SHA-256: 2c33c9805a68f45988e… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Perplexity AI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

6 Medium severity

1 Low severity

Summary

This is Perplexity AI's Data Processing Addendum, a legal contract for businesses that use Perplexity's API or enterprise products and need a formal agreement governing how Perplexity handles personal data on their behalf. Under this addendum, Perplexity AI commits to processing personal data only as instructed by the business customer, maintaining security measures, and notifying customers before adding new subprocessors who may also access that data. If your business uses Perplexity's API, you should review the subprocessor list and ensure your own privacy notices accurately describe how Perplexity processes data on your behalf.

Technical / Legal Breakdown

This Data Processing Addendum (DPA) governs the processing of personal data by Perplexity AI on behalf of business customers who use the Perplexity API or enterprise services, establishing a controller-processor relationship under applicable data protection law including GDPR and CCPA. The agreement states obligations for Perplexity AI as a data processor, including processing personal data only on documented instructions from the customer (controller), implementing appropriate technical and organizational security measures, and maintaining confidentiality obligations for authorized personnel who access personal data. The DPA includes Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms for international data transfers, and establishes subprocessor engagement terms that permit Perplexity AI to engage third-party subprocessors subject to prior notice to the customer, which is a common but operationally significant provision that may limit customer control over downstream data handling. The document engages GDPR (EU 2016/679) and UK GDPR as primary frameworks, with secondary relevance to CCPA/CPRA for California-based data subjects, and the existence of multilingual versions across EU member state languages suggests deliberate compliance positioning for the European market. Material compliance considerations include the adequacy of the subprocessor list, the specificity of processing instructions, and whether the DPA's scope covers all personal data processed through API integrations or only data explicitly designated by the customer.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

Medium — 6 provisions

Controller-Processor Relationship Compare →

This provision establishes that businesses using Perplexity AI's API or enterprise services are the 'controllers' of personal data (they decide what data is processed and why), while Perplexity AI acts as the 'processor' (it handles data only on the business's instructions).

Added May 11, 2026 Standard Seen across 189 platforms
Subprocessor Engagement Compare →

Perplexity AI may engage third-party companies (subprocessors) to help it deliver services, and is typically required to notify business customers before adding new subprocessors. Customers may have a limited period to object.

Added May 11, 2026 Standard Seen across 189 platforms
International Data Transfers Compare →

When personal data is transferred from the EU or UK to the United States (where Perplexity AI operates), the DPA relies on Standard Contractual Clauses or equivalent legal mechanisms to authorize that transfer under GDPR.

Added May 11, 2026 Standard Seen across 246 platforms
Security Measures Compare →

Perplexity AI commits to implementing appropriate technical and organizational security measures to protect personal data from unauthorized access, loss, or disclosure while it processes that data on the customer's behalf.

Added May 11, 2026 Standard Seen across 262 platforms
Data Subject Rights Assistance

Perplexity AI agrees to assist the business customer in responding to data subject rights requests, such as requests for access, correction, deletion, or data portability from individuals whose data is being processed.

Added May 11, 2026 Rare
Limitation of Liability Compare →

The DPA likely includes provisions that limit how much Perplexity AI can be held financially responsible if something goes wrong with the processing of personal data, typically capping liability at the amount paid by the customer over a defined period.

Added May 11, 2026 Standard Seen across 228 platforms

Low — 1 provision

Data Deletion or Return Upon Termination Compare →

When the business customer stops using Perplexity AI's services, the DPA typically requires Perplexity AI to delete or return personal data processed under the agreement, at the customer's choice, within a specified timeframe.

Added May 11, 2026 Standard Seen across 223 platforms

Monitoring

Perplexity AI has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Controller-Processor Relationship and similar clauses.

Compare across platforms →