Contracts
Terms of Service (AIP Self-Service)
Effective May 6th 2024
DownloadTable of Contents
Effective May 2nd 2024 to May 6th 2024
DownloadTable of Contents
Effective April 9th 2024 to May 2nd 2024
DownloadTable of Contents
Effective April 8th 2024 to April 9th 2024
DownloadTable of Contents
Data Protection Addendum (AIP Now)
Effective May 23rd 2024
DownloadTable of Contents
- “Adequate Country” means a country that may import Personal Data and is deemed by the governing authority of the exporting country to provide an adequate level of data protection under the applicable Data Protection Laws;
- “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of more than fifty percent of the voting equity securities or other equivalent voting interests of an entity. In respect of Palantir, Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II and any other Palantir affiliates from time to time;
- “Completions” has the meaning given to it in Exhibit D of this DPA;
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and includes, as applicable, the term “controller” “business” and any other similar or equivalent terms under applicable Data Protection Laws;
- “Customer Personal Data” means any Personal Data contained within Customer Data that is subject to Data Protection Laws;
- “Data Incident” means any breach, as defined by applicable Data Protection Laws, of Palantir’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Palantir;
- “Data Protection Authority” means a competent authority responsible for enforcing the application of the relevant Data Protection Laws, and includes, as applicable, any data protection authority, privacy regulator, supervisory authority, Attorney General, state privacy agency or any governmental body or agency enforcing Data Protection Laws;
- “Data Protection Laws” means all applicable laws and regulations as amended from time to time regarding data protection, consumer privacy, electronic communications and marketing laws to the extent applicable to the Processing of Customer Personal Data by Palantir under the Agreement, such as:
- California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- California Privacy Rights Act of 2020 (“CPRA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
- The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
- The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
- “Data Protection Officer” means the natural person or company appointed where necessary under applicable Data Protection Laws to ensure an organization's compliance with Data Protection Laws and cooperate with the Data Protection Authorities;
- “Data Subject” means the identified or identifiable person to whom Personal Data relates, and includes, as applicable, the term “consumer” and any other similar or equivalent terms under Applicable Data Protection Laws;
- “DPA Effective Date” means the Effective Date of the Agreement;
- “EEA” means the European Economic Area;
- “EU SCCs” means the standard contractual clauses for use in relation to exports of Personal Data from the EEA approved by the European Commission under Commission Implementing Decision 2021/914, or such other clauses as replace them from time to time;
- “Personal Data” means: (a) any information relating to (i) an identified or identifiable natural person and/or (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws), and (b) any information treated or receiving similar treatment as “personal data”, “personal information”, “personally identifiable information or any similar, or equivalent terms under applicable Data Protection Laws;
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “process”, “processes” and “processed” will be interpreted accordingly;
- “Processor” means the entity which Processes Personal Data on behalf of a Controller, including as applicable the terms “processor”, “service provider” “contractor” and any equivalent or similar terms that address the same, or similar, responsibilities under applicable Data Protection Laws as applicable;
- “Request” means a request from a Data Subject or anyone acting on their behalf to exercise their rights under Data Protection Laws;
- “Restricted Transfer” means a transfer, or onward transfer, of Personal Data from a country where such transfer would be restricted or prohibited by applicable Data Protection Laws (or by the terms of a data transfer agreement put in place to address the data transfer restrictions of Data Protection Laws) without implementing safeguards such as the Standard Contractual Clauses to be established under clause 14 below;
- “Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Palantir from time to time;
- “Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for valuable consideration.
- “Service” shall have the meaning as set out in the Agreement and this DPA.
- “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions in which no money is exchanged;
- “Subprocessor” means any processor or service provider who processes personal data on behalf of Palantir for the purpose of providing the Service as set out in the Agreement, Exhibit A and any other relevant applicable exhibits of this DPA.
- “Standard Contractual Clauses” or “SCCs” means either (a) the standard data protection clauses approved pursuant to the Data Protection Laws of the applicable exporting country from time to time to legitimise exports of Personal Data from that country, or (b) where the applicable exporting country has Data Protection Laws that regulate the export of personal data but no approved standard data protection clauses, the EU SCCs shall apply- in each case incorporating the appropriate Completions, and where more than one form of such approved clauses exists in respect of a particular country, the clauses that shall apply shall be: (i) in respect of any situation where Customer acts as a Controller of Customer Personal Data, that form of clauses applying to Controller to Processor transfers; and (ii) in respect of any situation where Customer acts as a Processor of Customer Personal Data, that form of clauses applying to Processor to Processor transfers; and
- “Technical and Organisational Measures” means the technical and organisational measures agreed by the Parties in the Agreement and any additional technical and organisational measures implemented by Palantir pursuant to its obligations under applicable Data Protection Laws.
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services and AI services. | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | Cloud hosting and infrastructure, and AI services (Microsoft Azure) | One Microsoft Way Redmond, WA 98052, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services is East US, South Central US, West Europe and other Azure regions as they become available. | Standard Contractual Clauses |
Google LLC | Cloud hosting and infrastructure (Google Cloud Platform) and AI services. | 1600 Amphitheatre Parkway Mountain View, 94043 CA, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services are all regions available for features of Generative AI on Google Vertex AI and other regions as they become available. | Standard Contractual Clauses |
Proofpoint, Inc. | Alerting and encrypted notification service. | 892 Ross Drive, Sunnyvale, CA 94089, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
OpenAI LLC | AI services | 3180 18th Street, San Francisco, CA 94110, USA | The location for the purpose of providing the AI service can be the United States and other regions as they become available. | Standard Contractual Clauses |
Oracle America, Inc. | Cloud hosting and infrastructure. | 500 Oracle Parkway, Redwood Shores, CA 94065 | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement | Standard Contractual Clauses |
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
Effective May 3rd 2024 to May 23rd 2024
DownloadTable of Contents
- “Adequate Country” means a country that may import Personal Data and is deemed by the governing authority of the exporting country to provide an adequate level of data protection under the applicable Data Protection Laws;
- “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of more than fifty percent of the voting equity securities or other equivalent voting interests of an entity. In respect of Palantir, Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II and any other Palantir affiliates from time to time;
- “Completions” has the meaning given to it in Exhibit D of this DPA;
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and includes, as applicable, the term “controller” “business” and any other similar or equivalent terms under applicable Data Protection Laws;
- “Customer Personal Data” means any Personal Data contained within Customer Data that is subject to Data Protection Laws;
- “Data Incident” means any breach, as defined by applicable Data Protection Laws, of Palantir’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Palantir;
- “Data Protection Authority” means a competent authority responsible for enforcing the application of the relevant Data Protection Laws, and includes, as applicable, any data protection authority, privacy regulator, supervisory authority, Attorney General, state privacy agency or any governmental body or agency enforcing Data Protection Laws;
- “Data Protection Laws” means all applicable laws and regulations as amended from time to time regarding data protection, consumer privacy, electronic communications and marketing laws to the extent applicable to the Processing of Customer Personal Data by Palantir under the Agreement, such as:
- California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- California Privacy Rights Act of 2020 (“CPRA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
- The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
- The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
- “Data Protection Officer” means the natural person or company appointed where necessary under applicable Data Protection Laws to ensure an organization's compliance with Data Protection Laws and cooperate with the Data Protection Authorities;
- “Data Subject” means the identified or identifiable person to whom Personal Data relates, and includes, as applicable, the term “consumer” and any other similar or equivalent terms under Applicable Data Protection Laws;
- “DPA Effective Date” means the Effective Date of the Agreement;
- “EEA” means the European Economic Area;
- “EU SCCs” means the standard contractual clauses for use in relation to exports of Personal Data from the EEA approved by the European Commission under Commission Implementing Decision 2021/914, or such other clauses as replace them from time to time;
- “Personal Data” means: (a) any information relating to (i) an identified or identifiable natural person and/or (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws), and (b) any information treated or receiving similar treatment as “personal data”, “personal information”, “personally identifiable information or any similar, or equivalent terms under applicable Data Protection Laws;
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “process”, “processes” and “processed” will be interpreted accordingly;
- “Processor” means the entity which Processes Personal Data on behalf of a Controller, including as applicable the terms “processor”, “service provider” “contractor” and any equivalent or similar terms that address the same, or similar, responsibilities under applicable Data Protection Laws as applicable;
- “Request” means a request from a Data Subject or anyone acting on their behalf to exercise their rights under Data Protection Laws;
- “Restricted Transfer” means a transfer, or onward transfer, of Personal Data from a country where such transfer would be restricted or prohibited by applicable Data Protection Laws (or by the terms of a data transfer agreement put in place to address the data transfer restrictions of Data Protection Laws) without implementing safeguards such as the Standard Contractual Clauses to be established under clause 14 below;
- “Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Palantir from time to time;
- “Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for valuable consideration.
- “Service” shall have the meaning as set out in the Agreement and this DPA.
- “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions in which no money is exchanged;
- “Subprocessor” means any processor or service provider who processes personal data on behalf of Palantir for the purpose of providing the Service as set out in the Agreement, Exhibit A and any other relevant applicable exhibits of this DPA.
- “Standard Contractual Clauses” or “SCCs” means either (a) the standard data protection clauses approved pursuant to the Data Protection Laws of the applicable exporting country from time to time to legitimise exports of Personal Data from that country, or (b) where the applicable exporting country has Data Protection Laws that regulate the export of personal data but no approved standard data protection clauses, the EU SCCs shall apply- in each case incorporating the appropriate Completions, and where more than one form of such approved clauses exists in respect of a particular country, the clauses that shall apply shall be: (i) in respect of any situation where Customer acts as a Controller of Customer Personal Data, that form of clauses applying to Controller to Processor transfers; and (ii) in respect of any situation where Customer acts as a Processor of Customer Personal Data, that form of clauses applying to Processor to Processor transfers; and
- “Technical and Organisational Measures” means the technical and organisational measures agreed by the Parties in the Agreement and any additional technical and organisational measures implemented by Palantir pursuant to its obligations under applicable Data Protection Laws.
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services and AI services. | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | Cloud hosting and infrastructure, and AI services (Microsoft Azure) | One Microsoft Way Redmond, WA 98052, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services is East US, South Central US, West Europe and other Azure regions as they become available. | Standard Contractual Clauses |
Google LLC | Cloud hosting and infrastructure (Google Cloud Platform) and AI services. | 1600 Amphitheatre Parkway Mountain View, 94043 CA, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services are all regions available for features of Generative AI on Google Vertex AI and other regions as they become available. | Standard Contractual Clauses |
Proofpoint, Inc. | Alerting and encrypted notification service. | 892 Ross Drive, Sunnyvale, CA 94089, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
OpenAI LLC | AI services | 3180 18th Street, San Francisco, CA 94110, USA | The location for the purpose of providing the AI service can be the United States and other regions as they become available. | Standard Contractual Clauses |
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
Effective May 1st 2024 to May 3rd 2024
DownloadTable of Contents
- “Adequate Country” means a country that may import Personal Data and is deemed by the governing authority of the exporting country to provide an adequate level of data protection under the applicable Data Protection Laws;
- “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of more than fifty percent of the voting equity securities or other equivalent voting interests of an entity. In respect of Palantir, Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II and any other Palantir affiliates from time to time;
- “Completions” has the meaning given to it in Exhibit D of this DPA;
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and includes, as applicable, the term “controller” “business” and any other similar or equivalent terms under applicable Data Protection Laws;
- “Customer Personal Data” means any Personal Data contained within Customer Data that is subject to Data Protection Laws;
- “Data Incident” means any breach, as defined by applicable Data Protection Laws, of Palantir’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Palantir;
- “Data Protection Authority” means a competent authority responsible for enforcing the application of the relevant Data Protection Laws, and includes, as applicable, any data protection authority, privacy regulator, supervisory authority, Attorney General, state privacy agency or any governmental body or agency enforcing Data Protection Laws;
- “Data Protection Laws” means all applicable laws and regulations as amended from time to time regarding data protection, consumer privacy, electronic communications and marketing laws to the extent applicable to the Processing of Customer Personal Data by Palantir under the Agreement, such as:
- California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- California Privacy Rights Act of 2020 (“CPRA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
- The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
- The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
- “Data Protection Officer” means the natural person or company appointed where necessary under applicable Data Protection Laws to ensure an organization's compliance with Data Protection Laws and cooperate with the Data Protection Authorities;
- “Data Subject” means the identified or identifiable person to whom Personal Data relates, and includes, as applicable, the term “consumer” and any other similar or equivalent terms under Applicable Data Protection Laws;
- “DPA Effective Date” means the Effective Date of the Agreement;
- “EEA” means the European Economic Area;
- “EU SCCs” means the standard contractual clauses for use in relation to exports of Personal Data from the EEA approved by the European Commission under Commission Implementing Decision 2021/914, or such other clauses as replace them from time to time;
- “Personal Data” means: (a) any information relating to (i) an identified or identifiable natural person and/or (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws), and (b) any information treated or receiving similar treatment as “personal data”, “personal information”, “personally identifiable information or any similar, or equivalent terms under applicable Data Protection Laws;
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “process”, “processes” and “processed” will be interpreted accordingly;
- “Processor” means the entity which Processes Personal Data on behalf of a Controller, including as applicable the terms “processor”, “service provider” “contractor” and any equivalent or similar terms that address the same, or similar, responsibilities under applicable Data Protection Laws as applicable;
- “Request” means a request from a Data Subject or anyone acting on their behalf to exercise their rights under Data Protection Laws;
- “Restricted Transfer” means a transfer, or onward transfer, of Personal Data from a country where such transfer would be restricted or prohibited by applicable Data Protection Laws (or by the terms of a data transfer agreement put in place to address the data transfer restrictions of Data Protection Laws) without implementing safeguards such as the Standard Contractual Clauses to be established under clause 14 below;
- “Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Palantir from time to time;
- “Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for valuable consideration.
- “Service” shall have the meaning as set out in the Agreement and this DPA.
- “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions in which no money is exchanged;
- “Subprocessor” means any processor or service provider who processes personal data on behalf of Palantir for the purpose of providing the Service as set out in the Agreement, Exhibit A and any other relevant applicable exhibits of this DPA.
- “Standard Contractual Clauses” or “SCCs” means either (a) the standard data protection clauses approved pursuant to the Data Protection Laws of the applicable exporting country from time to time to legitimise exports of Personal Data from that country, or (b) where the applicable exporting country has Data Protection Laws that regulate the export of personal data but no approved standard data protection clauses, the EU SCCs shall apply- in each case incorporating the appropriate Completions, and where more than one form of such approved clauses exists in respect of a particular country, the clauses that shall apply shall be: (i) in respect of any situation where Customer acts as a Controller of Customer Personal Data, that form of clauses applying to Controller to Processor transfers; and (ii) in respect of any situation where Customer acts as a Processor of Customer Personal Data, that form of clauses applying to Processor to Processor transfers; and
- “Technical and Organisational Measures” means the technical and organisational measures agreed by the Parties in the Agreement and any additional technical and organisational measures implemented by Palantir pursuant to its obligations under applicable Data Protection Laws.
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services and AI services. | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | Cloud hosting and infrastructure, and AI services (Microsoft Azure) | One Microsoft Way Redmond, WA 98052, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services is East US, South Central US, West Europe and other Azure regions as they become available. | Standard Contractual Clauses |
Google LLC | Cloud hosting and infrastructure (Google Cloud Platform) and AI services. | 1600 Amphitheatre Parkway Mountain View, 94043 CA, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services are all regions available for features of Generative AI on Google Vertex AI and other regions as they become available. | Standard Contractual Clauses |
Proofpoint, Inc. | Alerting and encrypted notification service. | 892 Ross Drive, Sunnyvale, CA 94089, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
OpenAI LLC | AI services | 3180 18th Street, San Francisco, CA 94110, USA | The location for the purpose of providing the AI service can be the United States and other regions as they become available. | Standard Contractual Clauses |
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
Effective May 1st 2024 to May 1st 2024
DownloadTable of Contents
- “Adequate Country” means a country that may import Personal Data and is deemed by the governing authority of the exporting country to provide an adequate level of data protection under the applicable Data Protection Laws;
- “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of more than fifty percent of the voting equity securities or other equivalent voting interests of an entity. In respect of Palantir, Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II and any other Palantir affiliates from time to time;
- “Completions” has the meaning given to it in Exhibit D of this DPA;
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and includes, as applicable, the term “controller” “business” and any other similar or equivalent terms under applicable Data Protection Laws;
- “Customer Personal Data” means any Personal Data contained within Customer Data that is subject to Data Protection Laws;
- “Data Incident” means any breach, as defined by applicable Data Protection Laws, of Palantir’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Palantir;
- “Data Protection Authority” means a competent authority responsible for enforcing the application of the relevant Data Protection Laws, and includes, as applicable, any data protection authority, privacy regulator, supervisory authority, Attorney General, state privacy agency or any governmental body or agency enforcing Data Protection Laws;
- “Data Protection Laws” means all applicable laws and regulations as amended from time to time regarding data protection, consumer privacy, electronic communications and marketing laws to the extent applicable to the Processing of Customer Personal Data by Palantir under the Agreement, such as:
- California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- California Privacy Rights Act of 2020 (“CPRA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
- The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
- The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
- “Data Protection Officer” means the natural person or company appointed where necessary under applicable Data Protection Laws to ensure an organization's compliance with Data Protection Laws and cooperate with the Data Protection Authorities;
- “Data Subject” means the identified or identifiable person to whom Personal Data relates, and includes, as applicable, the term “consumer” and any other similar or equivalent terms under Applicable Data Protection Laws;
- “DPA Effective Date” means the Effective Date of the Agreement;
- “EEA” means the European Economic Area;
- “EU SCCs” means the standard contractual clauses for use in relation to exports of Personal Data from the EEA approved by the European Commission under Commission Implementing Decision 2021/914, or such other clauses as replace them from time to time;
- “Personal Data” means: (a) any information relating to (i) an identified or identifiable natural person and/or (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws), and (b) any information treated or receiving similar treatment as “personal data”, “personal information”, “personally identifiable information or any similar, or equivalent terms under applicable Data Protection Laws;
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “process”, “processes” and “processed” will be interpreted accordingly;
- “Processor” means the entity which Processes Personal Data on behalf of a Controller, including as applicable the terms “processor”, “service provider” “contractor” and any equivalent or similar terms that address the same, or similar, responsibilities under applicable Data Protection Laws as applicable;
- “Request” means a request from a Data Subject or anyone acting on their behalf to exercise their rights under Data Protection Laws;
- “Restricted Transfer” means a transfer, or onward transfer, of Personal Data from a country where such transfer would be restricted or prohibited by applicable Data Protection Laws (or by the terms of a data transfer agreement put in place to address the data transfer restrictions of Data Protection Laws) without implementing safeguards such as the Standard Contractual Clauses to be established under clause 14 below;
- “Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Palantir from time to time;
- “Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for valuable consideration.
- “Service” shall have the meaning as set out in the Agreement and this DPA.
- “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions in which no money is exchanged;
- “Subprocessor” means any processor or service provider who processes personal data on behalf of Palantir for the purpose of providing the Service as set out in the Agreement, Exhibit A and any other relevant applicable exhibits of this DPA.
- “Standard Contractual Clauses” or “SCCs” means either (a) the standard data protection clauses approved pursuant to the Data Protection Laws of the applicable exporting country from time to time to legitimise exports of Personal Data from that country, or (b) where the applicable exporting country has Data Protection Laws that regulate the export of personal data but no approved standard data protection clauses, the EU SCCs shall apply- in each case incorporating the appropriate Completions, and where more than one form of such approved clauses exists in respect of a particular country, the clauses that shall apply shall be: (i) in respect of any situation where Customer acts as a Controller of Customer Personal Data, that form of clauses applying to Controller to Processor transfers; and (ii) in respect of any situation where Customer acts as a Processor of Customer Personal Data, that form of clauses applying to Processor to Processor transfers; and
- “Technical and Organisational Measures” means the technical and organisational measures agreed by the Parties in the Agreement and any additional technical and organisational measures implemented by Palantir pursuant to its obligations under applicable Data Protection Laws.
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services and AI services. | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | Cloud hosting and infrastructure, and AI services (Microsoft Azure) | One Microsoft Way Redmond, WA 98052, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services is East US, South Central US, West Europe and other Azure regions as they become available. | Standard Contractual Clauses |
Google LLC | Cloud hosting and infrastructure (Google Cloud Platform) and AI services. | 1600 Amphitheatre Parkway Mountain View, 94043 CA, USA | The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services are all regions available for features of Generative AI on Google Vertex AI and other regions as they become available. | Standard Contractual Clauses |
Proofpoint, Inc. | Alerting and encrypted notification service. | 892 Ross Drive, Sunnyvale, CA 94089, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement. | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
OpenAI LLC | AI services | 3180 18th Street, San Francisco, CA 94110, USA | The location for the purpose of providing the AI service can be the United States and other regions as they become available. | Standard Contractual Clauses |
Authorized Third-Party Subprocessors | ||||
Subprocessor | Purpose | Registered Address | Location | Transfer Mechanism |
Amazon Web Services, Inc. | Cloud hosting and infrastructure, alerting and encrypted notification services | 410 Terry Avenue North, Seattle, WA 98109, USA | As selected by Customer in the Order Form or, as applicable, other parts of the Agreement | Standard Contractual Clauses |
Microsoft Corporation | User authentication as an identity provider (where selected as chosen identity provider by Customer). | One Microsoft Way Redmond, WA 98052, USA | United States | Standard Contractual Clauses |
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
- Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
- The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
- This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
- As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
Use Case Restrictions
Effective April 25th 2024
DownloadTable of Contents
PALANTIR USE CASE RESTRICTIONS
By using the Palantir Foundry Platform or Palantir’s AI Platform (“AIP”) (including any other technology made available by Palantir to Customer “Palantir Technology”, which term if otherwise defined in the Agreement shall for purposes of these Palantir Use Case Restrictions have the definition provided in the Agreement), Customer agrees to abide by the following use case restrictions. Any capitalized terms not defined in these Use Case Restrictions will have the meaning provided to them in the Palantir Terms of Service, or any applicable agreement governing Customer’s use of the Palantir Technology (the “Agreement”).
In accordance with the Agreement, you and the Customer you represent (including such Customer’s users) will not use the Palantir Technology for any Prohibited Use Case. Customer must obtain Palantir’s prior written approval to use or permit any of Customer’s users to use the Palantir Technology for any Use Cases Requiring Pre-Approval.
Prohibited Use Cases:
- Political parties, committees, campaigns, or organizations workflows
- Offensive cyber workflows
- Predictive policing efforts
- Influencing union organizing efforts
- Facial recognition for surveillance workflows
- Predatory targeting workflows
- Clinical judgment or decision making, medical advice, diagnostic or therapeutic purposes, and/or as a medical device or accessory (as defined by the applicable law).
Use Cases Requiring Pre-Approval:
- Any use of government data
- Law enforcement workflows (including, but not limited to, investigative watchlists)
- Immigration enforcement, monitoring, or surveillance workflows
- Mobility collecting, monitoring, or tracking workflows
- Video analysis workflows (e.g., CCTV)
- Tobacco, controlled substances, or illicit drugs related workflows
- Gambling related workflows.
- Employee monitoring workflows
- Biometric identity verification workflows
- Social media data use
Effective February 1st 2024 to April 25th 2024
DownloadTable of Contents
PALANTIR USE CASE RESTRICTIONS
By using the Palantir Foundry Platform or Palantir’s AI Platform (“AIP”) (including any other technology made available by Palantir to Customer “Palantir Technology”, which term if otherwise defined in the Agreement shall for purposes of these Palantir Use Case Restrictions have the definition provided in the Agreement), Customer agrees to abide by the following use case restrictions. Any capitalized terms not defined in these Use Case Restrictions will have the meaning provided to them in the Palantir Terms of Service, or any applicable agreement governing Customer’s use of the Palantir Technology (the “Agreement”).
In accordance with the Agreement, you and the Customer you represent (including such Customer’s users) will not use the Palantir Technology for any Prohibited Use Case. Customer must obtain Palantir’s prior written approval to use or permit any of Customer’s users to use the Palantir Technology for any Use Cases Requiring Pre-Approval.
Prohibited Use Cases:
- Political parties, committees, campaigns, or organizations workflows
- Offensive cyber workflows
- Predictive policing efforts
- Influencing union organizing efforts
- Facial recognition for surveillance workflows
- Predatory targeting workflows
- Clinical judgment or decision making, medical advice, diagnostic or therapeutic purposes, and/or as a medical device or accessory (as defined by the applicable law).
Use Cases Requiring Pre-Approval:
- Law enforcement workflows (including, but not limited to, investigative watchlists)
- Immigration enforcement, monitoring, or surveillance workflows
- Mobility collecting, monitoring, or tracking workflows
- Video analysis workflows (e.g., CCTV)
- Tobacco, controlled substances, or illicit drugs related workflows
- Gambling related workflows.
- Employee monitoring workflows
- Biometric identity verification workflows
- Social media data use