Cohere
· Cohere SaaS Agreement
The agreement authorizes use of customer-submitted inputs and model outputs for model training by default; enterprise customers transmitting confidential, regulated, or sensitive data should confirm their opt-out status before using the API in production.
For business users, this distinction determines who controls your data and what rights apply: workspace content is governed by your agreement with ClickUp as a processor, while separately collected behavioral data is governed by ClickUp's own controller decisions.
Pinecone
· Pinecone Data Processing Addendum
This clause places the entire legal burden of ensuring lawful processing, including obtaining data subject consent where required, on the Customer rather than Pinecone. Submitting special category data in violation of this clause may constitute a breach of both the DPA and applicable Data Protection Laws.
This provision allocates the legal and compliance burden for contact list legality, consent documentation, and anti-spam law adherence entirely to the customer, creating direct regulatory exposure for customers whose contact acquisition or consent management practices are not compliant with GDPR, CAN-SPAM, CASL, or other applicable frameworks.
This provision places the legal compliance burden for Contact Data on the Customer as data controller, creating direct exposure under GDPR, CCPA, and other applicable privacy laws if data is transferred to HubSpot without adequate lawful basis, consent, or required disclosures to data subjects.
Twilio
· Twilio Terms of Service
This allocation of responsibility establishes that Twilio operates as a messaging infrastructure provider without monitoring obligations for customer-side regulatory compliance. The provision defines the operational boundary between Twilio's platform obligations and the customer's independent compliance obligations under messaging and telemarketing law.
This program uses network-level behavioral data, including browsing history and app activity, for commercial advertising purposes without requiring you to affirmatively consent before enrollment.
This provision authorizes Verizon to use network-level behavioral data, including browsing and app usage activity, as a telecommunications carrier to deliver targeted advertising. As a common carrier, Verizon's use of CPNI-adjacent network data for advertising purposes engages FCC regulatory authority in addition to general consumer privacy frameworks.
This provision establishes a default opt-in enrollment for a program that uses network-level data, including URLs visited and app usage, for advertising profiling. Under FCC CPNI rules, telecommunications carriers have historically been subject to restrictions on using certain network usage data for marketing without affirmative customer consent, and this default enrollment structure may require evaluation against those requirements.
This program uses sensitive browsing and app activity data for advertising without requiring you to affirmatively opt in, meaning your data is being used for ad personalization unless you take action to stop it.
The policy states that profiles maintained about Cash App users may be enriched with externally sourced inferred characteristics and advertising segments from data brokers, which goes beyond transactional data collection and engages CCPA/CPRA rights to know about third-party data sources and opt out of their use.
BeReal
· BeReal Terms of Service
BeReal's core product involves capturing dual-camera photos at random moments, which means the app regularly collects images of your face and surroundings, and the terms govern how that sensitive data is used and shared.
The collection of precise location data and trip details, combined with use for purposes described in a separate Privacy Notice incorporated by reference, means the full scope of data use is not entirely contained within these terms and requires review of an additional document.
Viewing history and location data are considered sensitive personal information under several state privacy laws, and the sharing of this data with third-party partners for advertising purposes may constitute a data sale under CCPA, giving California residents opt-out rights.
Meta
· Llama API Terms of Service
This provision creates a time-sensitive operational obligation that applies upon platform access termination or user request, requiring developers to have implemented data mapping and deletion workflows capable of identifying and purging all Meta platform-sourced data across their systems and sub-processors.
Meta
· Meta Platform Policy
This clause creates an operational obligation for Meta to process data deletion requests within defined parameters, establishing the conditions under which user data must be removed from Meta's systems and the exceptions to that obligation.
Box
· Box Terms of Service
Organizations subject to GDPR, CCPA, or other data protection laws need to ensure they have executed a Data Processing Agreement with Box, as the standard terms alone may not satisfy regulatory requirements for data processor relationships.
Cohere
· Cohere SaaS Agreement
The DPA structure is the primary mechanism through which GDPR, CCPA, and other data protection obligations are operationalized in the agreement; enterprise customers processing personal data through the API must ensure the DPA is executed and that its terms are consistent with their privacy compliance obligations.
OpenAI
· OpenAI API Data Usage Policies
A signed DPA is the primary contractual instrument establishing GDPR Article 28 compliance and CCPA service provider status; without it, enterprise customers may lack documented legal basis for processing personal data through OpenAI services.
Slack
· Slack Terms of Service
The incorporation of a DPA addresses regulatory requirements under data protection regimes such as GDPR and similar frameworks that require explicit contractual terms governing the processing of personal data. This establishes the legal framework for how customer data and end-user data are handled throughout the service relationship.
The privacy and data protection obligations that matter most for GDPR and CCPA compliance are in a separate document that is incorporated by reference but not reproduced here, meaning organizations must actively obtain and review the DPA to understand their full data protection obligations.
The DPA is a critical companion document for GDPR and CCPA compliance, but it is incorporated by reference rather than appended to the main agreement. Enterprise customers must review the DPA separately to understand their data protection obligations and Perplexity's commitments as a data processor.
Asana
· Asana Privacy Statement
The DPA is the primary contractual document establishing Asana's data protection obligations to enterprise customers. Without a signed DPA, an organization may lack the contractual protections required by GDPR and similar regulations.
The DPA governs GDPR and CCPA compliance for personal data processed through HubSpot, and its terms and obligations are legally binding even though they are in a separate document that many customers may not have read.
This provision establishes that EU and UK data protection obligations are addressed in a separate contractual instrument rather than within the ToS itself, creating a multi-document compliance framework that requires users to locate, review, and execute the DPA separately.
As a payment processor handling card data, Checkout.com's data practices directly affect how sensitive financial information belonging to end customers is stored, processed, and protected.
For any organization processing personal data of EU residents or other protected individuals on GCP, the DPA establishes the legal framework for that processing and determines whether Google acts as a processor under your instruction or in another capacity.
The terms establish that personal data processing is governed by a separately incorporated DPA, which is the operative compliance instrument for GDPR and CCPA obligations; customers must review and understand the DPA to meet their legal data processing obligations.
Fastly
· Fastly Terms of Service
Customers handling personal data subject to GDPR, UK GDPR, or CCPA need a Data Processing Addendum to meet their legal obligations, but this document indicates it is not automatically part of the agreement and must be separately requested.
Auth0
· Auth0 Terms of Service
Auth0 handles login credentials, authentication tokens, and user identity information for the end users of its customers' applications, making the data processing terms central to GDPR, CCPA, and other privacy law compliance for those businesses.