Perplexity AI may engage third-party companies (subprocessors) to help it deliver services, and is typically required to notify business customers before adding new subprocessors. Customers may have a limited period to object.
This analysis describes what Perplexity AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Subprocessors are downstream vendors who also access or process personal data. The terms governing how and when customers are notified of new subprocessors affect whether businesses can maintain adequate oversight of their data supply chain.
Interpretive note: The actual subprocessor clause text was unavailable due to document truncation; the analysis reflects standard DPA structure and the document's stated subject matter.
Personal data processed through a business's Perplexity AI integration may be shared with third-party subprocessors. The DPA's notice mechanism determines whether the customer business has a meaningful opportunity to object before that sharing occurs.
How other platforms handle this
Mistral AI will provide reasonable notice to the Customer of any changes to the list of Subprocessors prior to engaging such Subprocessor. The Customer may only object in writing to Mistral AI's appointment of a new Subprocessor within ten (10) days of such notice by providing a written objection to...
Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models...
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
Monitoring
Perplexity AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
(1) REGULATORY LANDSCAPE: GDPR Article 28(2) and (4) require that processors obtain controller authorization before engaging subprocessors and that subprocessors are bound by equivalent data protection obligations. A notice-and-objection model (rather than prior written consent for each subprocessor) is permitted under GDPR but requires a clear objection window and escalation path. (2) GOVERNANCE EXPOSURE: Medium. If the DPA uses a general authorization model with notice rather than specific prior consent, customers have limited ability to block subprocessor additions before they take effect. This is common in cloud and SaaS DPAs but creates operational tension for customers with strict vendor approval processes. (3) JURISDICTION FLAGS: EU/EEA customers face heightened exposure if subprocessors are located in third countries without an adequacy decision, requiring reliance on SCCs or binding corporate rules. UK customers must separately assess UK GDPR transfer requirements post-Brexit. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request the current subprocessor list at contract execution and establish an internal process to review subprocessor change notifications within the objection window specified in the DPA. The DPA should specify the consequences if Perplexity AI adds a subprocessor over a customer's objection, typically allowing contract termination. (5) COMPLIANCE CONSIDERATIONS: Customers should map all subprocessors disclosed by Perplexity AI into their own records of processing activities and assess each subprocessor's security posture and geographic location. Transfer impact assessments may be required for subprocessors in jurisdictions without EU adequacy decisions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Subprocessors are downstream vendors who also access or process personal data. The terms governing how and when customers are notified of new subprocessors affect whether businesses can maintain adequate oversight of their data supply chain.
Personal data processed through a business's Perplexity AI integration may be shared with third-party subprocessors. The DPA's notice mechanism determines whether the customer business has a meaningful opportunity to object before that sharing occurs.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Perplexity AI.