Perplexity Data Processing Addendum

Last updated: July 8th, 2025

This Data Processing Addendum (“DPA”) forms part of and is incorporated into certain terms of service and other agreements that make express reference to it between Perplexity AI, Inc. (“Perplexity”) and business customers (“Customer”), including without limitation the Perplexity Pro for Enterprise Terms of Service and the Perplexity API Terms of Service, governing Customer’s use of Perplexity’s services (the “Services”, and such relevant terms of service or other agreement, the “Agreement”). To the extent that Perplexity processes any Personal Data in connection with Customer’s use of the Services, this DPA sets forth Customer’s instructions for the processing of such Personal Data and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Agreement, the DPA shall control.

1. Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Perplexity Pro for Enterprise Terms and Conditions. All other capitalized terms in this DPA not otherwise defined in the Agreement shall have the corresponding meanings given to them in Privacy Laws.

   
   

   1. “Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time.
      
      

   2. “EU/UK Privacy Laws” means, as applicable: (i) the General Data Protection Regulation 2016/679 (the “GDPR”); (ii) the Privacy and Electronic Communications Directive 2002/58/EC; (iii) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
      
      

   3. “Personal Data” means any information that Perplexity processes on behalf of Customer to provide the Services that is defined as “personal data,” “personal information” or “personally identifiable information” under any Privacy Law.
      
      

   4. “Privacy Laws” means, as applicable, EU/UK Privacy Laws, US Privacy Laws and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data and requires Controllers and Processors to agree to specific contractual commitments regarding the processing of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
      
      

   5. “Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
      
      

   6. “Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
      
      

   7. “US Privacy Laws” means, as applicable, the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, any similar law of any other state related to the processing of Personal Data, and any regulations promulgated under any of the foregoing, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
      
      

   8. The terms “Business,” “Controller,” “Processor,” “Sell,” “Service Provider,” and “Share” shall have the meaning given to them under applicable Privacy Laws.

2. Roles of the Parties. The Parties acknowledge that in relation to any Personal Data received from Customer in providing the Services, for purposes of Privacy Laws, Customer is the Controller or Processor or Business and Perplexity is the Service Provider or Processor. 
   
   

3. Customer Obligations: Customer shall comply with all Privacy Laws in providing Personal Data to Perplexity in connection with its use of the Services, including the use of any integrations with the Services. Customer represents and warrants that (a) all Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals and (b) Customer has complied with Privacy Laws in (including having a lawful basis for), and otherwise has all necessary rights, permissions, consents and authorizations for, disclosing the Personal Data to Perplexity and enabling Perplexity to process the Personal Data as set out in the Agreement and this DPA. Customer shall not take any action that would render the provision of Personal Data to Perplexity hereunder a Sale or Share under US Privacy Laws or otherwise render Perplexity not a Service Provider or Processor under US Privacy Laws. Customer shall notify Perplexity without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with Privacy Laws, in which case, Perplexity shall not be required to continue processing such Personal Data.
   
   

4. Processing of Personal Data. The Parties agree that the details of processing are as described in Annex 1. In processing Personal Data under the Agreement, Perplexity shall:
   
   

   1. only process Personal Data on documented instructions from Customer, for the limited and specific purpose described in Annex 1, unless otherwise permitted to process such Personal Data by applicable Privacy Laws, and at all times in compliance with Privacy Laws and the terms of this DPA, providing the same level of privacy protection as is required by Privacy Laws; 
      
      

   2. notify Customer promptly if it: (i) makes a determination that it can no longer comply with Customer’s instructions for the processing of Personal Data, its obligations under Privacy Laws or the terms of this DPA or (ii) believes that the instruction of Customer infringes applicable Privacy Laws;
      
      

   3. to the extent required by Privacy Laws, grant Customer the right to take reasonable and appropriate steps to help ensure that Perplexity uses the Personal Data in a manner consistent with Customer’s obligations under this DPA and Privacy Laws, and stop and remediate any unauthorized use of the Personal Data; and
      
      

   4. require that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data.
      
      

5. Prohibitions. To the extent required by Privacy Laws, Perplexity shall not (a) Sell or Share Personal Data, (b) retain, use, or disclose the Personal Data outside of the direct business relationship between Perplexity and Customer and for any purpose other than for the specific purpose of providing the Services to Customer or (c) combine the Personal Data received from, or on behalf of, Customer with any Personal Data that may be collected from Perplexity’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources. For the avoidance of doubt, Personal Data will not be used for training of Perplexity’s large language models. If Perplexity receives (i) any legally binding request for disclosure of Personal Data by a law enforcement authority; or (ii) any notice, inquiry or investigations with respect to the Personal Data from any supervisory authority/regulator (or similar); or (iii) any complaint or request from a data subject, in each case related to Perplexity’s processing of Personal Data for on or behalf of the Customer under this DPA, then (to the extent permitted by law) Perplexity shall notify the Customer.
   
   

6. Use of Subcontractors. 
   
   

   1. Customer hereby grants Perplexity general written authorization to engage the subcontractors set out in Annex 2, subject to the requirements of this Section 6. 
      
      

   2. If Perplexity appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor that is not a Model Provider (as defined below), it shall provide Customer with ten business days’ prior written notice (email sufficient), during which Customer can object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with Privacy Laws (and if Customer does not so object, Perplexity may proceed with the appointment or replacement). If the Customer does object within five days, the Customer and Perplexity shall work together in good faith to agree upon a resolution to the objection (e.g. restricting use of Personal Data or the Customer temporarily or permanently not using a particular aspect or feature of the Services). If despite those good faith discussions, a resolution cannot be found, then Customer (as its sole remedy) may terminate the Agreement, and receive a refund of any unused prepaid Fees (as defined in the Agreement).
      
      

   3. If Perplexity appoints a new subcontractor or intends to make any changes concerning the addition or replacement of any subcontractor that provides large language models or other generative artificial intelligence models (a “Model Provider”), Perplexity will notify Customer (email sufficient) and will update the list of “Third-Party Providers” set forth at www.perplexity.ai/hub/legal/third-party-models (each of which is, for clarity, a Model Provider under this DPA). If Customer objects to the appointment or replacement, Customer’s sole recourse is to (and Customer must) cease all use of the relevant Third-Party Model via the Services (which, for clarity, Customer may do at any time after the appointment or replacement).
      
      

   4. Perplexity shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on Perplexity under this DPA.
      
      

   5. In the event Perplexity engages a subcontractor to carry out specific processing activities on behalf of Customer pursuant to EU/UK Privacy Laws, where that subcontractor fails to fulfil its obligations, Perplexity shall remain fully liable under applicable EU/UK Privacy Laws to Customer for the performance of that subcontractor’s obligations.
      
      

7. Assistance. Perplexity shall, in relation to the processing of Personal Data and to enable Customer to comply with its obligations which arise as a result thereof, provide assistance to Customer by: 
   
   

   1. notifying Customer of requests from individuals pursuant to their rights under Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Customer to do the same, insofar as this is possible;
      

   2. to the extent required by Privacy Laws, conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities; and
      
      

   3. notifying Customer of any unauthorized or illegal access, destruction, use, loss, modification, or disclosure of Personal Data (“Personal Data Breach”) without undue delay after Perplexity becomes aware of such Personal Data Breach. 
      
      

8. Security Measures. Perplexity shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the processing, implement appropriate technical, physical and organizational measures designed to provide a level of security appropriate to the risk, as set out in Annex 3, or otherwise agreed and documented between Customer and Perplexity from time to time, and shall continue to comply with them during the term of the Agreement. Perplexity shall provide data protection and security training to those employees and other persons authorized to access Personal Data. 
   
   

9. Access and Audits. Upon reasonable written request of Customer and to the extent required of Perplexity by Privacy Laws, Perplexity shall allow for and contribute to inspections and audits regarding Perplexity’s compliance with its obligations under this DPA and Privacy Laws by, on Customer’s request, providing to Customer such information in Perplexity’s possession as is reasonably necessary to demonstrate such compliance and/or arranging for a qualified and independent auditor to conduct an assessment of Perplexity’s policies and technical and organizational measures for such compliance, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Perplexity will provide a report of such assessment to Customer upon reasonable request. Customer shall be permitted to request such information and/or audit (to the extent required by Privacy Laws) no more than once every 12 months, upon 30 days’ advance written notice to Perplexity, and only after the Parties come to agreement on the scope of the audit and provided the auditor is bound by a duty of confidentiality. Notwithstanding the foregoing, in no event shall Vendor be required to give Customer access to information, facilities or systems to the extent doing so would cause Vendor to be in violation of confidentiality obligations owed to other customers or its legal obligations.
   
   

10. Deletion of Personal Data.   Perplexity shall delete (or, at Customer’s option, return) all Personal Data within thirty days of the end of the provision of the Services to Customer, unless retention of the Personal Data is required by law, in which case, Perplexity shall notify Customer without undue delay of such legal requirement and shall upon the expiration of such retention obligation delete (or, at Customer’s option, return) the Personal Data. 
    
    

11. Data Transfers. To the extent Perplexity processes Personal Data subject to EU/UK Privacy Laws in a Third Country, and it is acting as a data importer, Perplexity shall comply with the data importer’s obligations set out in the Controller to Processor Clauses or the Processor to Processor Clauses (as applicable), which are hereby incorporated into and form part of this DPA, and: 
    
    

    1. for the purposes of Annex I or Part 1 (as relevant), (i) Customer is a controller or processor (as applicable) and Perplexity is a processor, and (ii) the parties, contact person’s details and processing details set out in the Agreement, this DPA and Annex 1 shall apply and the Start Date is the effective date of the Agreement;
       
       

    2. if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 11;
       
       

    3. for the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by Perplexity to assist Customer, as each are set out in Annex 3, shall apply; 
       
       

    4. if applicable, for the purposes of Annex III or Part 1 (as relevant), the list of authorized sub-contractors set out in Annex 2 shall apply; and 
       
       

    5. if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and reference is made to Section 6.b and 6.c with respect to notice periods; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be included; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the Irish regulator; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be Irish law and Irish courts, respectively; and (v) Part 1, Customer as exporter may terminate the UK Addendum pursuant to Section 19 of such UK Addendum. 

To the extent Perplexity appoints an affiliate or third-party subcontractor to process the Personal Data in a Third Country, Perplexity shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer. At Customer’s request, Perplexity shall enter separately into the Controller to Processor Clauses with Customer and shall take any other alternative or additional steps reasonably requested by Customer in order to ensure that Perplexity’s processing of Personal Data takes place in accordance with the requirements of Privacy Laws.to a party hereunder.

ANNEX 1

Details of Processing: 

Nature of the processing

The provision of the Services to Customer as set out in the Agreement.

Purpose(s) of the processing

The provision of the Services to Customer as set out in the Agreement.

Categories of individuals whose Personal Data is processed

Authorized Users of Services, and otherwise as determined by the Customer.

Categories of Personal Data processed

Authorized Users’ Account information and personal information contained in Input submitted through the Services as determined by the Customer. Any personal information contained within Input will be stored until the later of (a) the date it is deleted by Customer through the Services’ interface and (b) the date that is thirty days after Perplexity is no longer providing the Services to Customer.

Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws

No sensitive data is intended to be processed unless an Authorized User includes it unexpectedly in Input.

Frequency (e.g. one-off or continuous) and duration of the processing

On a continuous basis, for the duration of the term of the Agreement and any post-termination retention period as set out in the Agreement.

The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 6 is as set out in this Annex 1 and in Annex 2.

ANNEX 2

Authorized Subcontractors:

ANNEX 3 

Security Measures: 

Perplexity maintains reasonable Security Measures in proportionate measure to the risk presented by the processing of Personal Data and otherwise relies on security measures implemented and maintained by subcontractors set out in Annex 2, including Amazon and Microsoft. Please refer to the Agreement for more details on Perplexity’s security commitments.