W&B's handling of personal data within your organization's account is governed by a separate Data Processing Addendum, not just this main agreement, and you need to find and review that document separately.
This analysis describes what Weights & Biases's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations must actively obtain and review the DPA to understand their full data protection obligations.
Interpretive note: The DPA is incorporated by reference rather than reproduced, and the current DPA text is not available in the document provided, making it impossible to assess the adequacy of the privacy protections from this document alone.
Subscribing organizations cannot assess their data protection compliance posture from this MSA alone; the DPA is a critical companion document that governs what W&B can do with personal data uploaded to the platform and what protections apply.
How other platforms handle this
Miro's processing of personal data on behalf of customers is governed by the Customer Data Processing Addendum, which is incorporated into these Terms by reference. A current list of subprocessors used by Miro is available at miro.com/legal/subprocessors-list/ and is updated from time to time.
When you ask us to open an Account, we or someone acting for us will ask for information about you and where the money you will put in your Account comes from. We do this for a number of reasons, including to check your credit score and identity, and to meet our legal and regulatory requirements. Ou...
We may access, preserve, and share information with regulators, law enforcement, or others if we believe it is reasonably necessary to: detect, prevent, and address fraud and other illegal activity; protect ourselves, you, and others, including as part of investigations; and prevent death or imminen...
Monitoring
Weights & Biases has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"To the extent that W&B processes any Personal Data (as defined under applicable data protection law) on behalf of Customer in connection with Customer's use of the Services, the parties agree that such processing shall be subject to W&B's Data Processing Addendum ('DPA'), which is incorporated herein by reference and available at [DPA URL].— Excerpt from Weights & Biases's Weights & Biases Terms of Service
REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 28, which requires a written contract between controller and processor that specifies the subject matter, duration, nature and purpose of the processing, the type of personal data, and the obligations of both parties. CCPA's service provider requirements similarly mandate written contractual terms restricting use of personal information. The DPA incorporated by reference is the vehicle for satisfying these requirements, but its adequacy can only be assessed by reviewing the current DPA text. The enforcing authorities are the relevant EU supervisory authorities (under GDPR) and the California Privacy Protection Agency (under CCPA). GOVERNANCE EXPOSURE: High (from a compliance process standpoint). Incorporating the DPA by reference without reproducing it creates a documentation and version-control risk: if W&B updates the DPA unilaterally, Customer organizations may not be alerted to material changes. Organizations should confirm what notice and consent mechanism governs DPA updates and whether they have the right to object to or terminate based on material DPA changes. JURISDICTION FLAGS: EU/EEA customers face the highest exposure: GDPR Article 28 requires the DPA to be in writing and to include specific mandatory provisions. If the DPA does not include Standard Contractual Clauses or an equivalent transfer mechanism, cross-border data transfers to W&B (a US company) may be non-compliant. UK customers face equivalent requirements under UK GDPR. California customers should confirm the DPA qualifies W&B as a 'service provider' under CCPA to avoid restrictions on sharing personal information. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should (a) obtain the current version of the W&B DPA at contract execution and maintain a signed copy; (b) confirm the DPA version is referenced by date or version number in the executed agreement to avoid ambiguity about which DPA applies; (c) assess whether the DPA includes Standard Contractual Clauses for EU data transfers and whether a Transfer Impact Assessment is required; and (d) establish an internal process to monitor DPA updates. COMPLIANCE CONSIDERATIONS: Compliance teams should (a) complete a vendor data processing assessment for W&B covering categories of personal data processed, transfer mechanisms, subprocessor list, and data retention policies; (b) confirm the DPA includes required GDPR Article 28 provisions including audit rights, subprocessor notification obligations, and data breach notification timelines; (c) update internal Records of Processing Activities (RoPA) to reflect W&B as a processor; and (d) assess whether a Data Protection Impact Assessment (DPIA) is required for the specific processing activities performed on the W&B platform.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations must actively obtain and review the DPA to understand their full data protection obligations.
Subscribing organizations cannot assess their data protection compliance posture from this MSA alone; the DPA is a critical companion document that governs what W&B can do with personal data uploaded to the platform and what protections apply.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Weights & Biases.