Blog

Careers

Help Center

Try Perplexity

Perplexity Legal Hub

Perplexity Legal Hub

Perplexity Legal Hub

Information related to our terms of service, policies, intellectual property, and compliance.

Information related to our terms of service, policies, intellectual property, and compliance.

Legal overview

Legal overview

Legal overview

Platform User Terms

Platform User Terms

Platform User Terms

Enterprise & Developer Terms

Enterprise & Developer Terms

Enterprise & Developer Terms

Policies & Guidelines

Policies & Guidelines

Policies & Guidelines

Privacy & Data Protection

Privacy & Data Protection

Privacy & Data Protection

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the API Terms and Conditions and any Order entered into between Customer and Perplexity governing Customer’s use of the API Platform (the “Agreement”). To the extent that Perplexity processes any Personal Data in connection Customer’s use of the API Platform, this DPA sets forth Customer’s instructions for the processing of such Personal Data and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the API Terms and Conditions and Order shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the API Terms and Conditions or an Order, this DPA will govern to the extent of the conflict.

  1. DEFINITIONS.

    For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the API Terms and Conditions. All other capitalized terms in this DPA not otherwise defined in the API Terms and Conditions shall have the corresponding meanings given to them in Privacy Laws. 

    1. “Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.

    2. “EU/UK Privacy Laws” means, as applicable: (i) the General Data Protection Regulation 2016/679 (the “GDPR”); (ii) the Privacy and Electronic Communications Directive 2002/58/EC; (iii) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time. 

    3. “Personal Data” means any information that Perplexity processes on behalf of Customer to provide the API Platform that is defined as “personal data,” “personal information” or “personally identifiable information” under any Privacy Law.

    4. “Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data and requires Controllers and Processors to agree to specific contractual commitments regarding the processing of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

    5. “Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.

    6. “Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time. 

    7. “US Privacy Laws” means, as applicable, the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, and any similar law of any other state related to the processing of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.

    8. The terms “Business,” “Controller,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the meaning given to them under applicable Privacy Laws.  

  2. AMENDMENTS.

    Customer agrees that Perplexity may make modifications to this DPA if changes are required for Perplexity to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with Privacy Laws, or to address the legal interpretation of the Privacy Laws.

  3. ROLES OF THE PARTIES.

    The Parties acknowledge that in relation to any Personal Data received from Customer in providing the API Platform, for purposes of Privacy Laws, Customer is the Controller or Business and Perplexity is the Service Provider or Processor. 

  4. CUSTOMER OBLIGATIONS:

    Customer shall comply with all Privacy Laws in providing Personal Data to Perplexity in connection with its use of the API Platform, including any integration between the Customer Application and the API Platform. Customer represents and warrants that (a) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals and (b) Customer has complied with Privacy Laws in, including having a lawful basis for, disclosing the Personal Data to Perplexity and enabling Perplexity to process the Personal Data as set out in the Agreement and this DPA. Customer shall notify Perplexity without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Perplexity shall not be required to continue processing such Personal Data.

  5. PROCESSING OF PERSONAL DATA.

    The Parties agree that the details of processing are as described in Annex 1. In processing Personal Data under the Agreement, Perplexity shall:

    1. only process Personal Data on documented instructions from Customer, for the limited and specific purpose described in Annex 1, unless otherwise permitted to process such Personal Data by applicable Privacy Laws, and at all times in compliance with Privacy Laws and the terms of this DPA, providing the same level of privacy protection as is required by Privacy Laws; 

    2. notify Customer promptly if it makes a determination that (i) it can no longer comply with Customer’s instructions for the processing of Personal Data, its obligations under Privacy Laws or the terms of this DPA or (ii) if it believes that the instruction of Customer infringes applicable Privacy Laws;

    3. to the extent required by Privacy Laws, grant Customer the right to take reasonable and appropriate steps to help ensure that Perplexity uses the Personal Data in a manner consistent with Customer’s obligations under this DPA and Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; 

    4. require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data.

  6. PROHIBITIONS.

    To the extent required by Privacy Laws, Perplexity shall not (a) Sell or Share Personal Data, (b) retain, use, or disclose the Personal Data outside of the direct business relationship between Perplexity and Customer and for any purpose other than for the specific purpose of providing the API Platform to Customer  or (c) combine the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from Perplexity’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources.
     

  7. USE OF SUBCONTRACTORS. 

    1. Customer hereby grants Perplexity general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 7. 

    2. If Perplexity appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall provide Customer with seven business days’ prior written notice, during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy Laws (and if Customer does not so object, Perplexity may proceed with the appointment or replacement).

    3. Perplexity shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on Perplexity under this DPA.

    4. In the event Perplexity engages a subcontractor to carry out specific processing activities on behalf of Customer pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, Perplexity shall remain fully liable under applicable EU/UK Privacy Laws to Customer for the performance of that subcontractor’s obligations.

  8. ASSISTANCE.

    Perplexity shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide assistance to Customer, through appropriate technical and organizational measures, in entering into this DPA and: 

    1. notifying Customer of, and (if authorized by Customer) responding to, requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;

    2. implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure; 

    3. to the extent required by Privacy Laws, conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and

    4. notifying relevant competent authorities and/or affected individuals of Personal Data breaches. 

  9. SECURITY MEASURES.

    Perplexity shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement appropriate technical, physical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and Perplexity from time to time, and shall continue to comply with them during the term of the Agreement. Perplexity shall provide data protection and security training to those employees and other persons authorized to access Personal Data. 

  10. ACCESS AND AUDITS.

    Upon reasonable written request of Customer, Perplexity shall allow for and contribute to inspections and audits regarding Perplexity’s compliance with its obligations under this DPA and Privacy Laws by, on Customer’s request, providing to Customer such information in Perplexity’s possession as is reasonably necessary to demonstrate such compliance and/or arranging for a qualified and independent auditor to conduct an assessment of Perplexity’s policies and technical and organizational measures for such compliance, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Perplexity will provide a report of such assessment to Customer upon reasonable request. Customer shall be permitted to request such information and/or audit no more than once every 12 months, upon 30 days’ advance written notice to Perplexity, and only after the Parties come to agreement on the scope of the audit and provided the auditor is bound by a duty of confidentiality. Notwithstanding the foregoing, in no event shall Vendor be required to give Customer access to information, facilities or systems to the extent doing so would cause Vendor to be in violation of confidentiality obligations owed to other customers or its legal obligations.

  11. DELETION OF PERSONAL DATA. 

    At Customer’s choice and direction, Perplexity shall delete or return all Personal Data to Customer as requested at the end of the provision of the API Platform to Customer, unless retention of the Personal Data is required by law, in which case, Perplexity shall notify Customer without undue delay of such legal requirement and shall upon the expiration of such retention obligation immediately delete or return the Personal Data, at Customer’s choice and direction. 

  12. DATA TRANSFERS.

    To the extent Perplexity processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as data importer, Perplexity shall comply with the data importer’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and: 

    1. for the purposes of Annex I or Part 1 (as relevant), Customer is a controller and Perplexity is a processor, and the parties, contact person’s details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of the Agreement;

    2. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 12;

    3. for the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by Perplexity to assist Customer, as each are set out in Annex 3, shall apply; 

    4. if applicable, for the purposes of Annex III or Part 1 (as relevant), the list of authorized sub-contractors set out in Annex 2 shall apply; and 

    5. if applicable, for the purposes of: (i) Clause 9, Option 1 (“Specific prior authorization”) is deemed to be selected and a notice period of 30 days shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be included; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the Irish regulator; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be Irish law and Irish courts, respectively; (vi) Part 1, Customer as exporter may terminate the UK Addendum pursuant to Section 19 of such UK Addendum. 

To the extent Perplexity appoints an affiliate or third-party subcontractor to process the Personal Data in a Third Country, Perplexity shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer. At Customer’s request, Perplexity shall enter separately into the Controller to Processor Clauses with Customer and shall take any other alternative or additional steps reasonably requested by Customer in order to ensure that Perplexity’s processing of Personal Data takes place in accordance with the requirements of Privacy Laws. 


ANNEX 1

Details of Processing 

Nature of the processing

The provision of the API Platform to Customer as set out in the Agreement.

Purpose(s) of the processing

The provision of the API Platform to Customer as set out in the Agreement.

Categories of individuals whose Personal Data is processed

Users of API Platform.

Categories of Personal Data processed

Email address for users of the API Platform and information provided by users in unstructured data

Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws

None.

Frequency (e.g. one-off or continuous) and duration of the processing

On a continuous basis, for the duration of the term of the Agreement and any post-termination retention period as set out in the Agreement.

The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 7 is as set out in this Annex 1 and in Annex 2.

ANNEX 2

Authorized Subcontractors 

Subcontractor Name: Amazon Web Services

Type of Service: Cloud infrastructure

Location: Worldwide

ANNEX 3 

Security Measures 

Perplexity maintains reasonable Security Measures in proportionate measure to the risk presented by the processing of Personal Data and otherwise relies on security measures implemented and maintained by subcontractors set out in Annex 2, including Amazon Web Services.