Gusto
· Gusto Terms of Service
This license covers highly sensitive data including employee Social Security numbers, bank account details, compensation, and personal information, and the scope of permitted use for service improvement warrants careful review.
The clause establishes the operational license necessary for Atlassian to process and maintain customer data within its infrastructure. This authorization is foundational to service delivery, as it permits the technical operations required to host and transmit data across Atlassian's systems.
This clause restricts a wide range of common developer and researcher activities, including automated content retrieval and IP masking, and could expose users who rely on such tools to claims of breach of contract.
The DPA governs how personal data submitted through the API is processed; because it is incorporated by reference rather than reproduced in the main terms, customers must review it separately to understand their data processing rights and obligations.
Steam
· Steam Privacy Policy
This provision establishes Valve's regulatory certification status for transatlantic data transfers and creates a hierarchical governance structure where DPF Principles take precedence over the privacy policy in the event of inconsistency. This affects the legal framework applicable to personal data processing from EU, UK, and Swiss users.
Notion
· Notion Terms of Service
The provision operationalizes Notion's role as a data processor under GDPR, establishing the infrastructure by which personal data is handled and transmitted across the service infrastructure. This framework determines how data flows through the service and which third-party entities are authorized to process data on Notion's behalf.
Miro
· Miro Terms of Service
For business customers under GDPR or other data protection laws, the DPA is the operative legal instrument defining Miro's obligations as a data processor, and the subprocessors list determines which third parties may access the personal data you upload to Miro.
The DPA is the operative document for GDPR and CCPA compliance purposes, and its terms govern data controller and processor obligations, sub-processor authorization, and cross-border transfer mechanisms for personal data processed through Atlassian products.
The specific obligations, data subject rights, sub-processor disclosures, and security measures that protect your personal data under GDPR are governed by the DPA, which is not reproduced in the main terms and requires separate review.
Auth0
· Auth0 Terms of Service
The incorporation by reference mechanism establishes the DPA as the operative framework governing Auth0's data processing obligations and practices, rather than relying solely on data handling terms within the primary Terms of Service document.
The terms explicitly state that customer prompts and content submitted through Bedrock inference are not used to train Amazon foundation models by default, which is a material data handling commitment relevant to customers submitting proprietary or sensitive data.
AWS
· AWS Customer Agreement
This provision establishes both the data ownership framework (customer retains content ownership) and the permitted scope of AWS's access to customer content (limited to service provision and maintenance). For customers processing personal data on AWS, this provision works in conjunction with the separately available Data Processing Addendum, which governs GDPR and equivalent regulatory obligations.
Developers and businesses using LangSmith's tracing and evaluation features may transmit sensitive data, personal information, or proprietary business logic to LangChain's infrastructure, and the terms governing how that data is processed are material to compliance with GDPR, CCPA, and industry-specific regulations.
Vercel
· Vercel Terms of Service
For businesses and developers who deploy applications handling personal data, the quality and scope of these data protection commitments directly affects GDPR and CCPA compliance obligations and the adequacy of Vercel as a data processor.
The incorporation of the DPA establishes the contractual framework governing how Shopify handles personal data subject to GDPR regulations. This creates binding obligations regarding data processing activities, including roles, responsibilities, and compliance standards that apply to merchants processing EU personal data through Shopify's platform.
Merchants who do not have adequate privacy notices or data processing agreements in place with Adyen may face GDPR compliance exposure if their customers' payment data is processed without proper legal basis.
Incorporating data protection obligations by reference to a separate DPA means customers must actively identify and review an additional document to understand how their users' authentication data is processed, stored, and protected, which is critical for GDPR and CCPA compliance.
Incorporating the privacy policy by reference means changes to that document affect your rights under this agreement, and the acknowledgment that transmissions are never fully secure may affect any expectation of confidentiality for data transmitted through Cloudflare's network.
The clause establishes the operational framework for data flows required under the payment processing model. Card scheme participation requires data sharing with multiple entities in the payment network, which is a foundational requirement for transaction processing and network-level regulatory compliance.
The breadth and scale of D&B's data processing means that a significant proportion of business professionals worldwide may have data held about them in the D&B Data Cloud, often without having a direct relationship with or awareness of D&B.
Data processor designation establishes the legal framework for how Mixpanel handles personal data, clarifying liability allocation and compliance obligations under data protection regulations. This designation typically triggers specific contractual requirements regarding data security, sub-processor management, and data subject rights.
This clause establishes the foundational processor-controller relationship required by GDPR Article 28, and its scope directly determines whether Perplexity's AI processing activities remain within the customer's instructed purposes or constitute independent controller activity.
This clause delineates the scope of Anthropic's Privacy Policy by carving out a category of service relationships where Anthropic's obligations are defined by separate data processing agreements with the commercial customer rather than by this public policy. This operational distinction affects which privacy framework applies depending on the service relationship structure.
This provision establishes the operational framework governing data lifecycle management, linking retention duration to business necessity and regulatory mandate rather than indefinite storage. The multi-factor assessment approach (amount, nature, sensitivity, risk, legal requirements) creates a structured basis for retention decisions.
This provision operationalizes Apple's retention obligations by establishing criteria for determining storage duration rather than specifying fixed retention periods. The framework ties retention duration to purpose fulfillment and risk assessment, creating a variable retention standard based on data classification and processing necessity.
BeReal
· BeReal Privacy Policy
The absence of specific retention timelines for categories of data such as dual-camera imagery and location data makes it difficult for users to know exactly how long their most sensitive information is held.
ADP
· ADP Privacy Statement
Without specific retention timelines for each data category, it is difficult for individuals or employers to predict when their data will be deleted, which affects the practical ability to enforce deletion rights.
The retention standard is tied to broadly stated purposes rather than specific time periods, which means the duration of data retention may vary and is not fixed to a defined schedule visible to users.
Neon
· Neon Privacy Policy
This provision establishes the operational framework governing how long Neon maintains personal data in its systems. The retention standard ties duration to purpose fulfillment and legal obligation rather than specifying fixed retention periods, requiring contextual assessment of each data category.
Lyft
· Lyft Privacy Policy
This provision establishes the data retention framework by defining multiple legitimate bases for retaining personal information beyond the active service period, including compliance obligations and operational security functions that extend retention timelines.