W&B's handling of personal data within your organization's account is governed by a separate Data Processing Addendum, not just this main agreement, and you need to find and review that document separately.
This analysis describes what Weights & Biases's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations must actively obtain and review the DPA to understand their full data protection obligations.
Interpretive note: The DPA is incorporated by reference rather than reproduced, and the current DPA text is not available in the document provided, making it impossible to assess the adequacy of the privacy protections from this document alone.
The updated Terms of Service no longer include the previous statement that services would become inaccessible from certain locations starting September 1st, 2025. This removal means the geographic restriction that was previously announced in the agreement is no longer formally stated in the current terms. Users who were affected by or concerned about the prior restriction should review current documentation to confirm whether any geographic limitations remain in effect.
View change record →Removal of explicit DPA incorporation may reduce customer protections regarding personal data processing and regulatory compliance obligations under GDPR and similar laws.
View full change record →Subscribing organizations cannot assess their data protection compliance posture from this MSA alone; the DPA is a critical companion document that governs what W&B can do with personal data uploaded to the platform and what protections apply.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Weights & Biases has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"To the extent that W&B processes any Personal Data (as defined under applicable data protection law) on behalf of Customer in connection with Customer's use of the Services, the parties agree that such processing shall be subject to W&B's Data Processing Addendum ('DPA'), which is incorporated herein by reference and available at [DPA URL].— Excerpt from Weights & Biases's Weights & Biases Terms of Service
REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 28, which requires a written contract between controller and processor that specifies the subject matter, duration, nature and purpose of the processing, the type of personal data, and the obligations of both parties. CCPA's service provider requirements similarly mandate written contractual terms restricting use of personal information. The DPA incorporated by reference is the vehicle for satisfying these requirements, but its adequacy can only be assessed by reviewing the current DPA text. The enforcing authorities are the relevant EU supervisory authorities (under GDPR) and the California Privacy Protection Agency (under CCPA). GOVERNANCE EXPOSURE: High (from a compliance process standpoint). Incorporating the DPA by reference without reproducing it creates a documentation and version-control risk: if W&B updates the DPA unilaterally, Customer organizations may not be alerted to material changes. Organizations should confirm what notice and consent mechanism governs DPA updates and whether they have the right to object to or terminate based on material DPA changes. JURISDICTION FLAGS: EU/EEA customers face the highest exposure: GDPR Article 28 requires the DPA to be in writing and to include specific mandatory provisions. If the DPA does not include Standard Contractual Clauses or an equivalent transfer mechanism, cross-border data transfers to W&B (a US company) may be non-compliant. UK customers face equivalent requirements under UK GDPR. California customers should confirm the DPA qualifies W&B as a 'service provider' under CCPA to avoid restrictions on sharing personal information. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should (a) obtain the current version of the W&B DPA at contract execution and maintain a signed copy; (b) confirm the DPA version is referenced by date or version number in the executed agreement to avoid ambiguity about which DPA applies; (c) assess whether the DPA includes Standard Contractual Clauses for EU data transfers and whether a Transfer Impact Assessment is required; and (d) establish an internal process to monitor DPA updates. COMPLIANCE CONSIDERATIONS: Compliance teams should (a) complete a vendor data processing assessment for W&B covering categories of personal data processed, transfer mechanisms, subprocessor list, and data retention policies; (b) confirm the DPA includes required GDPR Article 28 provisions including audit rights, subprocessor notification obligations, and data breach notification timelines; (c) update internal Records of Processing Activities (RoPA) to reflect W&B as a processor; and (d) assess whether a Data Protection Impact Assessment (DPIA) is required for the specific processing activities performed on the W&B platform.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations must actively obtain and review the DPA to understand their full data protection obligations.
Subscribing organizations cannot assess their data protection compliance posture from this MSA alone; the DPA is a critical companion document that governs what W&B can do with personal data uploaded to the platform and what protections apply.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Weights & Biases.