When you build and run your own apps using Vercel, Vercel acts as a processor of your users' data, not the controller, meaning you as the developer are responsible for your users' privacy rights in that context.
This analysis describes what Vercel AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Developers deploying applications on Vercel need to understand that they, not Vercel, are legally responsible for their end users' data under GDPR and similar laws, and they must have their own privacy notices and legal bases for processing.
End users of applications hosted on Vercel should know their privacy rights in that context are determined by the developer who built the application, not by Vercel's privacy policy, meaning Vercel's policy does not directly protect them in that scenario.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
Monitoring
Vercel AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When you use our Services to build and run your own applications, we act as a data processor on your behalf with respect to any personal information you collect and process using our Services. In these circumstances, you are the data controller.— Excerpt from Vercel AI's Vercel AI SDK Privacy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Article 4(7) and Article 4(8) definitions of controller and processor, and Article 28 requirements for data processing agreements between controllers and processors. Under CCPA/CPRA, an analogous service provider relationship may apply. Enforcement of these obligations falls on EU supervisory authorities and the California Privacy Protection Agency respectively. (2) GOVERNANCE EXPOSURE: High. The controller/processor distinction is foundational to GDPR compliance architecture. Vercel's assertion that customers are controllers for their deployed applications creates significant downstream compliance obligations for those customers, including maintaining valid legal bases for processing, honoring data subject rights, and ensuring Vercel's subprocessor arrangements are compatible with their own DPAs. (3) JURISDICTION FLAGS: EU/EEA creates the highest exposure given the mandatory DPA requirement under GDPR Article 28 for all controller-processor relationships. UK GDPR carries equivalent requirements. Customers operating in multiple jurisdictions may face layered obligations depending on where their end users are located. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams must execute a separate Data Processing Agreement with Vercel before processing personal data of EU/EEA or UK residents through Vercel's platform. The standard privacy policy does not substitute for a GDPR-compliant DPA. Customers should review Vercel's subprocessor list as part of vendor due diligence and ensure they have appropriate contractual protections for onward transfers. (5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that a current DPA with Vercel is in place and covers all relevant data categories and processing activities. Data mapping exercises should clearly document Vercel as a processor for application data and as a controller for platform account data, with different legal obligations applying to each. Any customers in regulated sectors such as healthcare or financial services should assess whether deploying workloads on Vercel creates sector-specific compliance gaps.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Developers deploying applications on Vercel need to understand that they, not Vercel, are legally responsible for their end users' data under GDPR and similar laws, and they must have their own privacy notices and legal bases for processing.
End users of applications hosted on Vercel should know their privacy rights in that context are determined by the developer who built the application, not by Vercel's privacy policy, meaning Vercel's policy does not directly protect them in that scenario.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Vercel AI.