Gusto
· Gusto Terms of Service
This license covers highly sensitive data including employee Social Security numbers, bank account details, compensation, and personal information, and the scope of permitted use for service improvement warrants careful review.
The clause establishes the operational license necessary for Atlassian to process and maintain customer data within its infrastructure. This authorization is foundational to service delivery, as it permits the technical operations required to host and transmit data across Atlassian's systems.
This clause restricts a wide range of common developer and researcher activities, including automated content retrieval and IP masking, and could expose users who rely on such tools to claims of breach of contract.
The DPA governs how personal data submitted through the API is processed; because it is incorporated by reference rather than reproduced in the main terms, customers must review it separately to understand their data processing rights and obligations.
Steam
· Steam Privacy Policy
This provision establishes Valve's regulatory certification status for transatlantic data transfers and creates a hierarchical governance structure where DPF Principles take precedence over the privacy policy in the event of inconsistency. This affects the legal framework applicable to personal data processing from EU, UK, and Swiss users.
Notion
· Notion Terms of Service
The provision operationalizes Notion's role as a data processor under GDPR, establishing the infrastructure by which personal data is handled and transmitted across the service infrastructure. This framework determines how data flows through the service and which third-party entities are authorized to process data on Notion's behalf.
Miro
· Miro Terms of Service
For business customers under GDPR or other data protection laws, the DPA is the operative legal instrument defining Miro's obligations as a data processor, and the subprocessors list determines which third parties may access the personal data you upload to Miro.
The DPA is the operative document for GDPR and CCPA compliance purposes, and its terms govern data controller and processor obligations, sub-processor authorization, and cross-border transfer mechanisms for personal data processed through Atlassian products.
The specific obligations, data subject rights, sub-processor disclosures, and security measures that protect your personal data under GDPR are governed by the DPA, which is not reproduced in the main terms and requires separate review.
Auth0
· Auth0 Terms of Service
The incorporation by reference mechanism establishes the DPA as the operative framework governing Auth0's data processing obligations and practices, rather than relying solely on data handling terms within the primary Terms of Service document.
The terms explicitly state that customer prompts and content submitted through Bedrock inference are not used to train Amazon foundation models by default, which is a material data handling commitment relevant to customers submitting proprietary or sensitive data.
AWS
· AWS Customer Agreement
This provision establishes both the data ownership framework (customer retains content ownership) and the permitted scope of AWS's access to customer content (limited to service provision and maintenance). For customers processing personal data on AWS, this provision works in conjunction with the separately available Data Processing Addendum, which governs GDPR and equivalent regulatory obligations.
Developers and businesses using LangSmith's tracing and evaluation features may transmit sensitive data, personal information, or proprietary business logic to LangChain's infrastructure, and the terms governing how that data is processed are material to compliance with GDPR, CCPA, and industry-specific regulations.
Vercel
· Vercel Terms of Service
For businesses and developers who deploy applications handling personal data, the quality and scope of these data protection commitments directly affects GDPR and CCPA compliance obligations and the adequacy of Vercel as a data processor.
Merchants who do not have adequate privacy notices or data processing agreements in place with Adyen may face GDPR compliance exposure if their customers' payment data is processed without proper legal basis.
Incorporating data protection obligations by reference to a separate DPA means customers must actively identify and review an additional document to understand how their users' authentication data is processed, stored, and protected, which is critical for GDPR and CCPA compliance.
The incorporation of the DPA establishes the contractual framework governing how Shopify handles personal data subject to GDPR regulations. This creates binding obligations regarding data processing activities, including roles, responsibilities, and compliance standards that apply to merchants processing EU personal data through Shopify's platform.
Incorporating the privacy policy by reference means changes to that document affect your rights under this agreement, and the acknowledgment that transmissions are never fully secure may affect any expectation of confidentiality for data transmitted through Cloudflare's network.
The clause establishes the operational framework for data flows required under the payment processing model. Card scheme participation requires data sharing with multiple entities in the payment network, which is a foundational requirement for transaction processing and network-level regulatory compliance.
The breadth and scale of D&B's data processing means that a significant proportion of business professionals worldwide may have data held about them in the D&B Data Cloud, often without having a direct relationship with or awareness of D&B.
Data processor designation establishes the legal framework for how Mixpanel handles personal data, clarifying liability allocation and compliance obligations under data protection regulations. This designation typically triggers specific contractual requirements regarding data security, sub-processor management, and data subject rights.
This clause establishes the foundational processor-controller relationship required by GDPR Article 28, and its scope directly determines whether Perplexity's AI processing activities remain within the customer's instructed purposes or constitute independent controller activity.
This clause delineates the scope of Anthropic's Privacy Policy by carving out a category of service relationships where Anthropic's obligations are defined by separate data processing agreements with the commercial customer rather than by this public policy. This operational distinction affects which privacy framework applies depending on the service relationship structure.
This provision operationalizes Apple's retention obligations by establishing criteria for determining storage duration rather than specifying fixed retention periods. The framework ties retention duration to purpose fulfillment and risk assessment, creating a variable retention standard based on data classification and processing necessity.
Fly.io
· Fly.io Privacy Policy
Open-ended retention language means your personal data may be held indefinitely unless you actively request deletion, and the criteria for determining retention length are not defined with precision.
DeepL
· DeepL Privacy Policy
This provision establishes the operational framework for data lifecycle management, defining retention periods tied to purpose necessity and legal requirements rather than indefinite storage. It creates a procedural obligation for deletion or anonymization upon account termination.
Fastly
· Fastly Privacy Policy
The clause defines the operational framework for data lifecycle management, establishing both retention triggers (fulfillment of stated purposes and legal obligations) and termination conditions (deletion or anonymization upon loss of necessity). This structure addresses regulatory compliance requirements and establishes predictable data handling procedures.
Ford
· Ford Privacy Policy
This provision establishes Ford's data retention framework by defining retention duration as purpose-dependent rather than indefinite, while specifying the institutional factors that govern retention decisions. The clause creates a structured approach to data lifecycle management tied to legal necessity and risk assessment.
Visa
· Visa Privacy Notice
The clause defines the operational scope and duration of data retention practices, establishing that retention periods are determined by functional necessity rather than fixed time limits, and explicitly authorizing retention to support regulatory compliance and dispute resolution activities.
This provision establishes X's data retention framework and specifies exceptions to deletion requests. The operational significance is that account deletion does not automatically result in complete data removal across all categories, as certain data classes are subject to extended retention under defined circumstances.