This provision designates Perplexity as a data processor and restricts its processing of personal data to documented instructions from the customer acting as controller, with an exception for legally required processing.
This analysis describes what Perplexity AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause establishes the foundational processor-controller relationship required by GDPR Article 28, and its scope directly determines whether Perplexity's AI processing activities remain within the customer's instructed purposes or constitute independent controller activity.
Interpretive note: The full verbatim text of the instruction clause was not fully recoverable from the HTML-rendered document; the excerpt reflects the standard GDPR Article 28 formulation typically used in DPAs of this type.
Under this clause, enterprise customers bear responsibility for providing lawful documented instructions to Perplexity governing what personal data is processed, for what purposes, and on what legal basis; processing outside those instructions may constitute a breach of the DPA.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Perplexity AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Perplexity shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.— Excerpt from Perplexity AI's Perplexity Data Processing Addendum
REGULATORY LANDSCAPE: This provision engages GDPR Article 28(3)(a), which requires that processors act only on controller instructions. The relevant enforcement authorities are EU supervisory authorities and the UK ICO. Where Perplexity's AI platform processes data in ways that may exceed the scope of customer instructions, regulators may assess whether Perplexity is acting as an independent controller for those activities. GOVERNANCE EXPOSURE: Medium. The instruction-based processing limitation is standard under GDPR Article 28, but the practical scope of 'documented instructions' in the context of AI-driven query processing may require additional specificity. Customers must ensure that their instructions adequately cover Perplexity's use of input data for processing, model inference, and logging activities. JURISDICTION FLAGS: EU/EEA and UK jurisdictions create heightened exposure; GDPR and UK GDPR require written processor contracts with specific Article 28 content. California CCPA service provider designation requires analogous instruction-based restrictions. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should verify that the DPA's scope of instructions is consistent with the customer's own privacy notices and records of processing activities. If Perplexity processes data beyond documented instructions, the customer may face downstream regulatory liability as controller. COMPLIANCE CONSIDERATIONS: Legal teams should map all data flows into the Perplexity platform against the documented instructions provision and confirm that instructions are recorded in a form satisfying GDPR Article 28(3). Any use of Perplexity for purposes not covered by existing instructions should trigger a DPA amendment process.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause establishes the foundational processor-controller relationship required by GDPR Article 28, and its scope directly determines whether Perplexity's AI processing activities remain within the customer's instructed purposes or constitute independent controller activity.
Under this clause, enterprise customers bear responsibility for providing lawful documented instructions to Perplexity governing what personal data is processed, for what purposes, and on what legal basis; processing outside those instructions may constitute a breach of the DPA.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Perplexity AI.