Compliance Guide

TOS vs. Privacy Policy vs. DPA: Which One Actually Matters for AI?

ClausePatrol Team
Legal & Compliance Experts

The Confusion

You open a SaaS vendor's website. There are three legal documents: Terms of Service (TOS), Privacy Policy, and Data Processing Agreement (DPA). Which one tells you if they're training AI on your data?

The answer: All of them—and sometimes none of them.

Why This Matters for Agencies

When you sign up for a SaaS tool, you're agreeing to a stack of legal documents. Most agencies skim the TOS, ignore the Privacy Policy, and never even look at the DPA.

But here's the trap: AI training clauses can hide in any of these documents—and vendors know you're not reading them all.

The 3 Documents, Explained

1. Terms of Service (TOS)

What it is: The "contract" between you and the vendor. It defines what you can and can't do with the service.

What it covers:

  • User conduct rules
  • License grants (what rights you give the vendor)
  • Liability limitations
  • Dispute resolution

⚠️ AI Training Risk:

High. TOS often include broad "license to use your content" clauses that may cover AI training. Look for phrases like:

  • "You grant us a license to use, modify, and create derivatives"
  • "We may use your content to improve our services"
  • "License to operate and develop the platform"

2. Privacy Policy

What it is: A disclosure of how the vendor collects, uses, and shares your personal information (names, emails, IP addresses).

What it covers:

  • Data collection practices
  • Third-party sharing
  • Cookie usage
  • User rights (GDPR, CCPA)

📘 AI Training Risk:

Medium. Privacy Policies focus on personal data, not content (your files, code, designs). But some vendors sneak in clauses about "service improvements" that include AI training. Look for:

  • "We use data to improve our products and features"
  • "Aggregate and anonymize data for analytics"
  • "Machine learning and AI development"

3. Data Processing Agreement (DPA)

What it is: A legally binding document required by GDPR/CCPA that defines how the vendor processes your customer data (not just personal info, but all data you upload).

What it covers:

  • Data processing scope and purpose
  • Sub-processor disclosures
  • Data retention and deletion
  • Security measures

✅ AI Training Risk:

This is the most important document. A well-written DPA will explicitly state whether the vendor can use your data for AI training. Look for:

  • "Data is processed only for the purposes you specify"
  • "We do not use customer data to train AI models"
  • "Purposes: [list that excludes 'product improvement']"

Pro tip: If a vendor doesn't offer a DPA, that's a red flag. GDPR requires it for any B2B service processing EU data.

The Trap: Contradictions Between Documents

Here's where it gets messy: these documents can contradict each other. A vendor might say in their DPA:

"We process data only for the purposes of providing the Service."

But then in their TOS, they add:

"You grant us a license to use your content to improve and develop our AI features."

Which one wins? Usually the DPA, since it is the GDPR-mandated instrument, but the wording is often ambiguous enough that a vendor could argue the TOS license covers AI training anyway.

How to Read These Documents (5-Minute Method)

Step 1: Start with the DPA

Search for these phrases (Ctrl+F):

  • "train" or "machine learning"
  • "improve" or "develop"
  • "purpose of processing" (see if it includes "product development")

Good sign: "We do not use customer data for AI training."

Bad sign: No mention of AI, or vague wording like "operational purposes."

Step 2: Check the TOS for License Clauses

Search for:

  • "license to use" or "license your content"
  • "improve our services"
  • "analyze" or "derive insights"

Good sign: "License limited to operating the service."

Bad sign: "Perpetual, worldwide license to modify and create derivatives."

Step 3: Skim the Privacy Policy (Last)

The Privacy Policy is the least likely to contain AI clauses, but check the "How We Use Your Data" section for:

  • "product development"
  • "research and analytics"
  • "aggregate data"
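The three-step search above, together with the DPA-versus-TOS contradiction check from "The Trap", can be automated. The script below is an added example, not ClausePatrol's code; the phrase lists are the ones this guide names, the sentence splitting is naive, and the sample documents are constructed, not real vendor text.

```python
import re

# Phrase lists from the guide's 5-minute method, as case-insensitive regexes.
# A sentence that matches a GOOD pattern is counted as good and never as bad, so
# "we do not use customer data to train AI" does not trip the "train" bad sign.
GOOD_SIGNS = {
    "dpa": [r"do not use [\w\s]*data[\w\s]* to train",
            r"only for the purposes? (you specify|of providing)"],
    "tos": [r"license (is )?limited to operating"],
    "privacy": [],
}
BAD_SIGNS = {
    "dpa": [r"\btrain", r"machine learning", r"\bimprove", r"\bdevelop",
            r"operational purposes"],
    "tos": [r"license to use", r"license your content", r"improve our services",
            r"\banalyz", r"derive insights", r"derivative works", r"\bperpetual\b"],
    "privacy": [r"product development", r"research and analytics",
                r"aggregate data", r"machine learning"],
}

def scan_document(text, doc_type):
    """Return the good-sign and bad-sign sentences found in one document."""
    hits = {"good": [], "bad": []}
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        if any(re.search(p, sentence, re.I) for p in GOOD_SIGNS[doc_type]):
            hits["good"].append(sentence)
        elif any(re.search(p, sentence, re.I) for p in BAD_SIGNS[doc_type]):
            hits["bad"].append(sentence)
    return hits

def assess(docs):
    """docs maps 'dpa'/'tos'/'privacy' to text; applies the guide's DPA-first rule."""
    if "dpa" not in docs:
        return "red flag: no DPA offered"
    results = {name: scan_document(text, name) for name, text in docs.items()}
    dpa_clean = bool(results["dpa"]["good"]) and not results["dpa"]["bad"]
    tos_broad = bool(results.get("tos", {"bad": []})["bad"])
    if dpa_clean and tos_broad:
        return "conflict: DPA excludes AI training but TOS grants a broad license"
    if dpa_clean:
        return "likely safe"
    if results["dpa"]["bad"]:
        return "high risk: DPA contains training, improvement or vague-purpose wording"
    return "vague: DPA does not mention AI, assume the worst"

# Constructed sample documents (hypothetical, not real vendor text).
SAMPLE = {
    "dpa": "We do not use customer data to train AI models. Data is retained for 30 days.",
    "tos": "You grant us a perpetual, worldwide license to modify and create derivative works.",
    "privacy": "We use cookies. We may share data with sub-processors.",
}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The constructed sample reproduces the contradiction the guide warns about: a clean DPA paired with a broad TOS license, which the script reports as a conflict rather than as "safe".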

Real Examples: What It Looks Like

❌ Bad Example: Adobe (2024)

From TOS:

"You grant Adobe a non-exclusive, worldwide, royalty-free license to use, reproduce, publicly display, distribute, modify, create derivative works based on, and translate your content."

Why it's bad: "Create derivative works" is broad enough to include AI training. No explicit exclusion.

✅ Good Example: Microsoft 365 (Commercial)

From DPA:

"Microsoft does not use customer data from Microsoft 365 commercial subscriptions to train AI models that are made available to other customers."

Why it's good: Explicit exclusion. No ambiguity.

⚠️ Ambiguous Example: Slack

From TOS:

"Customer authorizes Slack to use Customer Data to provide and improve the Services."

Why it's ambiguous: "Improve" could mean AI training, or it could mean bug fixes. Not clear.

The Priority List: Which Document to Trust

If you find conflicting statements, here's the legal hierarchy (generally):

  1. DPA (strongest protections, GDPR-enforced)
  2. TOS (binding contract)
  3. Privacy Policy (weakest, often just a "notice")

But: If the TOS gives the vendor broad license rights, the DPA might not override it. When in doubt, ask a lawyer—or switch vendors.

The Bottom Line

Here's what to do:

  • Always read the DPA first. If it's clean, you're probably safe.
  • Check the TOS for license clauses. Look for "improve," "develop," or "derivative works."
  • Skim the Privacy Policy for "research" or "analytics."
  • If any document is vague, assume the worst and ask the vendor for clarification in writing.
  • Monitor for changes. These documents update frequently—sometimes without notice.
Written by ClausePatrol Team

Our legal and compliance experts monitor 1000+ SaaS vendors daily to help companies stay compliant with CCPA, GDPR, and state privacy laws.

Track vendor policy changes automatically

ClausePatrol monitors 1000+ SaaS vendors and alerts you when they update their ToS, Privacy Policy, or DPA—especially when they add AI training clauses that could put you out of compliance.
