CoreWeave acts as a data controller for information it collects directly from users, but may act as a data processor when enterprise customers run workloads that involve third-party personal data on CoreWeave's infrastructure.
If you are an enterprise customer using CoreWeave to process data about your own customers or employees, you are legally responsible for that data under GDPR — CoreWeave's role as your processor must be formalized in a written agreement.
Enterprise customers who process personal data on CoreWeave's infrastructure bear legal responsibility as data controllers and must ensure a compliant Data Processing Agreement is in place with CoreWeave.
(1) REGULATORY FRAMEWORK: The controller/processor distinction is governed by GDPR Art. 4(7) and (8), with processor obligations specified in Art. 28 (written DPA required), Art. 29 (processing only on controller's instructions), and Art. 32 (security obligations). UK GDPR and Swiss nFADP impose equivalent requirements. CCPA's service provider framework (§1798.140(ag)) creates analogous obligations for California-regulated data flows. (2)