Data Processing Addendum

Effective:March 12, 2026

This Data Processing Addendum (the “Data Processing Addendum” or the “DPA”) forms part of and supplements the Agreement entered into by and between Mistral AI and Customer as of the Effective Date. 

1. Definitions

For the purposes of this Data Processing Addendum:

(a) “Agreement” means the service agreement entered into by and between the Parties, governing the provision of the Mistral AI Products by Mistral AI to the Customer. The DPA is hereby incorporated to the Agreement by reference.

(b) “Applicable Data Protection Law” means any applicable privacy, data security, or data protection law or regulation, including, to the extent applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable since 25 May 2018 (the “GDPR”) and the California Consumer Privacy Act of 2018, as amended, and associated regulations promulgated thereunder (“CCPA”).

(c) “Description of Processing” means the Description of Processing attached to the Data Processing Addendum available at https://legal.mistral.ai/terms/data-processing-addendum (as such URL may be updated by Mistral AI from time to time.

(d) “International Data Transfer” means any transfer of Personal Data to a Restricted Country.

(e) “Mistral AI Products” means the products and services provided by Mistral AI to the Customer under the Agreement.

(f) “Personal Data” means any Customer Data that: (a) consists of “personal data” or “personal information” (or analogous variations of such terms) as defined under Applicable Data Protection Law, and (b) which Mistral AI Processes as a Processor, as further described in the Agreement.

(g) “Process” or “Processing” means the processing of Personal Data as described in the Description of Processing.

(h) “Restricted Country” means any country located outside of the European Economic Area (EEA) and that does not benefit from an adequacy decision from the European Commission.

(i) “SCC” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, the text of which is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914.

(j) “Subprocessor” means any Processor appointed by Mistral AI to carry-out all or part of the Processing on behalf of the Customer.

(k) “Trust Center” means the Mistral AI Trust Center available at https://trust.mistral.ai/ (as such URL may be updated by Mistral AI from time to time).

The terms “Controller”, “Processor”, “Data Subjects”, and “Personal Data Breach”, (in each case, or analogous variations thereof as defined in Applicable Data Protection Law) as used in this Agreement will have the meanings in the Applicable Data Protection Law, and if not defined, then as defined under GDPR. The capitalized terms not defined herein shall have the meaning given in the Agreement.

2. Role of the Parties and description of the Processing

2.1 Role of the Parties

Customer is the Controller of the Personal Data. Mistral AI Processes the Personal Data on behalf of Customer as a Processor.

2.2 Description of the Processing

A description of the Processing is available in the Description of Processing. Mistral AI may update the Description of the Processing from time to time to reflect new Mistral AI Products, features, functionalities or Subprocessors.

2.3 Mistral AI as Controller

Mistral AI is authorized to process the Personal Data as Controller for the purposes of:

  • Training its artificial intelligence models in accordance with its Privacy Policy, unless (a) Customer opted-out of training or (b) uses a Mistral AI Product that is opted-out by default and has not opted-in. Customer acknowledges that if Customer provides feedback to Mistral AI by using the in-app "thumbs up" or "thumbs down" features (the "Feedback"), Mistral will use such Feedback as well as the associated Input and Output, as Controller, to train its artificial intelligence models, conduct research or improve the Mistral AI Products.
  • Automated moderation, including abuse monitoring on our APIs (except, in this last case, when zero data retention has been activated), to enforce the Agreement. 
  • Processing usage and operational data (such as product usage events, performance metrics, billing metrics, and Feedback) to produce aggregated or anonymized data or statistics in accordance with the Agreement. Customer Data and Outputs will not be used to generate such data and statistics. Such data or statistics will be used for Mistral AI’s business purposes, including conducting research, developing or improving Mistral AI Products, performance, functionality, and/or user experience, provided that such use shall not include the training of Mistral AI's models.

3. General obligations of the Parties

3.1 Obligations of Mistral AI

Mistral AI shall:

  • Process the Personal Data only in accordance with the documented lawful instructions of Customer, including as set forth in this DPA or the Agreement, , unless required to do so by applicable laws. In such a case, Mistral AI shall promptly inform Customer of such legal requirement, unless prohibited to do so by applicable law and/or on important grounds of public interest,

  • Promptly inform Customer if, in its opinion, Customer’s instructions regarding the Processing infringe the Applicable Data Protection Law. In such an event, Mistral AI is entitled to refuse to perform the Processing that it believes to be in violation of the Applicable Data Protection Law,

  • Ensure that any person Mistral AI authorizes to Process Personal Data (including Mistral AI team members and the Subprocessors), is subject to a duty of confidentiality, 

  • Comply with all obligations applicable to it in its role as a Processor under Applicable Data Protection Law and provide the same level of privacy protection as is required by Applicable Data Protection Law,

  • Promptly notify Customer if Mistral AI determines it can no longer meet its obligations under this DPA, and allow Customer, upon notice to Mistral AI, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, and

  • Taking into account the nature of the Processing and the information available to Mistral AI, upon Customer’s written request and to the extent that is (a) commercially reasonable and (b) required by the Applicable Data Protection Law, provide Customer with reasonable and timely assistance (i) in the event of an investigation from a supervisory authority related to the Processing, (ii) to conduct a data protection impact assessment, (iii) in case of a prior consultation with a supervisory authority, (iv) to allow Customer to comply with its obligations under Article 32 of the GDPR, always subject to confidentiality and trade secrets, and (v) to contribute to the audits performed by Customer under Section 9 of this DPA.

3.2 Obligations of Customer

Customer shall:

  • Comply with its obligations under the Applicable Data Protection Law regarding the Processing and any instruction provided to Mistral AI,

  • Provide notice and obtain all consents and rights required by the Applicable Data Protection Law for Mistral AI to Process Personal Data as part of the Processing, under this DPA.

4. Data Subjects

4.1 Customer responsibility

Customer shall (a) provide Data Subjects with the information required by the Applicable Data Protection Law and (b) respond to all Data Subjects requests to exercise their rights regarding the Processing.

4.2 Assistance

Taking into account the nature of the Processing and upon Customer’s request, Mistral AI shall provide Customer with commercially reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise rights afforded to them under Applicable Data Protection Law (“Rights Request”).

4.3 Requests sent to Mistral AI

In the event that any Rights Request is made directly to Mistral AI, Mistral AI will not respond to such request directly without the Customer’s prior consent, unless required to do so by applicable law. Instead, Mistral AI will transfer that request to Customer who will then be solely responsible to respond to such request. If Mistral AI is legally required to respond to the Rights Request, Mistral AI will promptly notify the Customer of such legal requirement and provide it with a copy of the request unless prohibited to do so by applicable law.

5. Security

5.1 Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Mistral AI shall implement and maintain technical and organizational measures designed to protect Personal Data from any Personal Data Breach that meet or exceed requirements under Applicable Data Protection Law. The security measures implemented by Mistral AI under this DPA are listed in Exhibit 2 of this DPA. Customer acknowledges that such security measures are subject to technical progress and development and that Mistral AI may update them from time to time, provided that such updates do not materially decrease the overall security of the Processing.

6. Personal Data Breach

6.1 Notification

Taking into account the nature of the Processing and the information available to Mistral AI, Mistral AI shall notify Customer of any Personal Data Breach without undue delay after becoming aware of such Personal Data Breach. Mistral AI’s notification of or response to a Personal Data Breach in accordance with this Section 6 (Personal Data Breach) shall not be construed as an acknowledgment by Mistral AI of any fault or liability with respect to the Personal Data Breach.

6.2 Notification content

This notification shall include:

  • The name and contact details of Mistral AI’s point of contact point where more information can be obtained,

  • The nature of the Personal Data Breach, including but not limited to the categories and number of Data Subjects and Personal Data concerned by the Personal Data Breach,

  • A description of the measures Customer could take to mitigate the possible adverse effects of the Personal Data Breach and to prevent from another potential Personal Data Breach,

  • The likely consequences of the Personal Data Breach, and

  • The measures proposed or taken by Mistral AI following the Personal Data Breach, including to prevent from any new occurrence.

All of the information above may not be available at the time of initial notice and so may be provided by Mistral in phases as it becomes available.

6.3 Assistance

Upon Customer’s written request, taking into account the nature of the Processing and the information available to Mistral AI, Mistral AI shall provide the Customer with commercially reasonable assistance with respect to Customer’s compliance with its obligation to communicate the Personal Data Breach to Data Subjects, when required by the Applicable Data Protection Laws. If necessary, Mistral AI shall provide Customer with commercially reasonable and timely assistance to mitigate or remediate the Personal Data Breach.

7. Subprocessing

7.1 General authorization

Customer provides a prior and general authorization allowing Mistral AI to appoint any Subprocessors to assist Mistral AI in the provision of the Mistral AI Products and in the Processing, in accordance with the terms of this DPA. This authorisation is subject to the following:

  • Mistral AI will maintain an up-to-date list of its Subprocessors on Mistral AI’s website, including in the Trust Center,

  • If Customer subscribes to receive updates available on Mistral AI’s Subprocessor page on the Trust Center, Customer will be automatically notified by email of  any addition or replacement of a Subprocessor to this list,

  • Mistral AI will enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Personal Data to the same standards provided by this DPA, and

  • Mistral AI will remain liable to Customer if such Subprocessor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the DPA.

7.2 Notification

Mistral AI will provide reasonable notice to the Customer of any changes to the list of Subprocessors prior to engaging such Subprocessor. The Customer may only object in writing to Mistral AI’s appointment of a new Subprocessor within ten (10) days of such notice by providing a written objection to privacy@mistral.ai, provided that such objection is based on reasonable grounds relating to the Applicable Data Protection Law, otherwise such new Subprocessor will be deemed approved. If Customer provides an objection during this ten (10) days period, the Parties will consult and negotiate in good faith to find a mutually acceptable resolution to address any objections raised by Customer, and if none are agreed to, then Mistral AI reserves the right to terminate the Agreement or just the affected Mistral AI Products undergoing the Subprocessor change.

8. Transfers of Personal Data to a Restricted Country

8.1 General authorization

Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable Data Protection Laws, or (b) pursuant to the SCCs.

8.2 Customer located in a Restricted Country

This Section only applies if Customer is located in a Restricted Country. By accepting this DPA, Mistral AI and Customer conclude Module 4 (Processor-to-Controller) of the SCCs which applies to any International Data Transfer conducted by Mistral AI acting as a Data Processor and is hereby incorporated and completed as follows:

  • The “data exporter” is Mistral AI and the “data importer” is the Customer;

  • The optional docking clause in Clause 7 is implemented; the optional redress clause in Clause 11(a) is struck;

  • The governing law in Clause 17 is the law of France;

  • The courts in Clause 18(b) are the Courts of France; and

  • Annex I and II to the Module 4 of the SCCs are the Description of Processing and the Trust Center, respectively.

9. Audit

9.1 Document audit

Upon Customer’s written request, Mistral AI will make available all documents and information reasonably necessary to demonstrate that the Processing carried-out by Mistral AI complies with this DPA in a timely manner, to the extent that is commercially reasonable and required by the Applicable Data Protection Laws, subject to confidentiality and trade secrets.

9.2 Onsite audit

Only to the extent Customer cannot reasonably be satisfied with Mistral AI’s compliance with this DPA through the exercise of the audit set out in Section 9.1 (Document Audit) of this DPA, Customer may conduct up to one (1) on-site audit per year to verify Mistral AI’s compliance with this DPA, under the conditions defined below:

  • This audit must be conducted with reasonable advance written notice of at least ninety (90) calendar days,

  • This audit shall be carried out by an independent auditor selected jointly by the Parties for its expertise, independence and impartiality and which is, in any event, not a direct or indirect competitor of the Mistral AI,

  • The selected auditor shall be bound by a confidentiality agreement,

  • This audit shall be conducted during Mistral AI’s regular business hours,

  • This audit shall restrict its findings to only information and/or Personal Data relevant to Customer,

  • The audit shall not unreasonably impair or slow down the Mistral AI Products offered by Mistral AI or affect the organizational management of the Mistral AI,

  • Mistral AI will contribute to the audit upon Customer’s request and to the extent that is commercially reasonable,

  • An identical copy of the audit report shall be given to both Parties following the completion of the audit. Each Party may make observations regarding the audit report but the findings will be deemed the confidential information of Mistral AI,

  • The costs of this audit shall be borne exclusively by Customer.

10. Return or destruction of Personal Data

10.1 Return or destruction

After the end of the provision of the Mistral AI Products, Mistral AI will delete or return to Customer all Personal Data Processed on Customer’s behalf, in accordance with Mistral AI’s deletion policies and procedures. Customer acknowledges that the Personal Data will no longer be accessible upon the expiry of a thirty (30) days period following the termination of the Customer’s access to and use of the Mistral AI Products.

11. General

11.1 Term

This DPA shall commence on the earlier of (a) the effective date of the Agreement and (b) the date Mistral AI first Processes Personal Data on behalf of Customer, and will continue for the duration of the Agreement.

11.2 Incorporation and conflict

The Data Processing Addendum is incorporated in the Agreement by reference and forms an integral part of the Agreement. In the event of any conflict between the terms of the DPA and the remainder of the Agreement, the terms of the DPA shall prevail to the extent of such conflict.

11.3 Liability

The liability of each Party and each Party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

12. Specific Privacy Laws

12.1 Applicability

The terms in each subsection of this Section 12 (Specific Privacy Laws) apply only where the corresponding law applies to the Processing of Personal Data.

12.2 CCPA

Mistral AI shall not: (i) Process the Personal Data for a commercial purpose other than as necessary to provide the Mistral AI Products to Customer; (ii) “sell” or “share” (each as defined by the CCPA) any Personal Data; (iii) Process the Personal Data outside of the direct business relationship between Processor and Customer; or (iv) combine Personal Data with any other personal data or information it collects (directly or via any third party) other than as expressly permitted under Applicable Data Protection Law for Processors.

EXHIBIT 1 - Description of the Processing

Mistral AI may update the description of the Processing from time to time to reflect new Mistral AI Products, features, functionalities or Subprocessors.

1. List of Parties

  • Controller: Customer.

  • Processor: Mistral AI, a French limited joint-stock corporation, incorporated in Paris, under number 952 418 325, having its registered offices at 15 rue des Halles, 75001 Paris, France. Contact details: privacy@mistral.ai. 

With respect to any International Data Transfer, the data exporter and the data importer are set out in Section 8.2 of the DPA. 

2. Description of Processing

  • Categories of data subjects: Customer’s authorized users, and any other natural person whose personal data is processed by Customer when using the Mistral AI Products in accordance with the Agreement.  

  • Categories of personal data: Customer’s authorized users account data and any personal data processed by Customer when using the Mistral AI Products in accordance with the Agreement. 

  • Special categories of personal data (if applicable): None. 

  • Duration and frequency of the Processing: On a continuous basis, for the duration of the Agreement. 

  • Nature of the Processing: Providing the Mistral AI Product and performing its obligations in accordance with the Agreement which involves processing (including collection, organization, storage and structuring) of personal data; Debugging; Assessing, testing and verifying the performance of the Mistral AI Products provided to Customer pursuant to Mistral AI’s obligations under the Agreement. When Customer is using the Mistral AI Products under the Partner-Served Deployment Terms, Mistral AI only processes the Personal Data for the purpose of providing support services in accordance with those terms. 

  • Purpose(s) of the data transfer and further Processing: Providing the Mistral AI Product and performing its obligations in accordance with the Agreement; Debugging; Assessing, testing and verifying the performance of the Mistral AI Products provided to Customer pursuant to Mistral AI’s obligations under the Agreement. When Customer is using the Mistral AI Products under the Partner-Served Deployment Terms, Mistral AI only processes the Personal Data for the purpose of providing support services in accordance with those terms. 

  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration of the Agreement.

  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The list of subprocessors is available here.

EXHIBIT 2 - Technical and organizational measures

The technical and organizational measures implemented by Mistral AI are listed in Mistral AI’s trust center available at https://trust.mistral.ai/.

Mistral AI may update these measures at any time, subject to Section 5 (Security) of the DPA.