Perplexity GDPR Compliance for German Businesses: DPA and AVV

Perplexity AI offers a Data Processing Agreement (DPA) for Enterprise customers, but not for free or standard Pro accounts. German businesses using Perplexity to process personal data must be on the Enterprise plan and have a signed DPA in place — this functions as the Auftragsverarbeitungsvertrag (AVV) required under Article 28 DSGVO. Without an Enterprise agreement, Perplexity may use query data to improve its models, which is incompatible with GDPR obligations if those queries contain personal data. Search queries submitted to Perplexity can constitute personal data — particularly queries about identified or identifiable individuals, HR matters, client information, or legal cases. German companies deploying Perplexity as a business research tool must assess whether their use involves personal data and upgrade to an enterprise plan accordingly.

Does Perplexity Have a Data Processing Agreement (DPA)?

Perplexity AI provides a Data Processing Agreement for Enterprise customers. The DPA governs Perplexity’s processing of personal data on your behalf and designates Perplexity as a data processor under Article 28 GDPR.

Key terms of the Perplexity Enterprise DPA:

  • Processor designation: Perplexity acts as your data processor for queries and outputs generated under the Enterprise plan. Your organization remains the data controller.
  • No training on Enterprise data: Under the Enterprise plan, query data and outputs are not used to train or improve Perplexity’s AI models. This is a fundamental difference from the free and Pro consumer plans.
  • Data transfer mechanism: The DPA includes provisions for international data transfers, including Standard Contractual Clauses (SCCs) for EU-US transfers.
  • Data retention limits: Enterprise agreements specify data retention periods and deletion procedures.
  • Sub-processor disclosure: Perplexity discloses its infrastructure and processing sub-processors.

Critical point for free and Pro users: If you are using Perplexity’s free tier or standard Pro subscription for business purposes, there is no DPA. Perplexity’s standard terms allow use of data to improve services. If any personal data passes through Perplexity queries — even incidentally — you are processing personal data without an Article 28 DSGVO-compliant agreement. This is a GDPR violation that creates risk for German businesses.

Does Perplexity Process Personal Data in Search Queries?

This is the central GDPR risk question for Perplexity: do your search queries constitute personal data? Under GDPR Article 4(1), personal data means any information relating to an identified or identifiable natural person.

Perplexity queries can contain personal data in many common business scenarios:

  • HR research: Queries like “what are [employee name]’s performance indicators for…” or background research on job candidates contain personal data.
  • Client research: Queries mentioning client names, company contacts, or matters contain personal data of third parties.
  • Competitive intelligence: Queries about named individuals at competitor companies constitute personal data.
  • Legal research: Queries mentioning parties in legal matters, case names with identifiable individuals, or named counterparties contain personal data.
  • General productivity: Many everyday business queries are anonymized and do not involve personal data — market research, technical questions, generic legal or regulatory questions.

The critical test: if the query can identify or relates to a specific natural person, it is personal data under GDPR. If your teams use Perplexity for general information research without including names or identifying details of individuals, the personal data risk is lower. If queries regularly include personal information, an Enterprise DPA is required.

Perplexity AVV for Germany

If you determine that your Perplexity use involves personal data, you must have an Enterprise plan and a signed AVV. Steps to establish a compliant data processing relationship:

  1. Upgrade to Perplexity Enterprise: Contact Perplexity’s sales team for an enterprise agreement. The free and Pro plans do not include a DPA.
  2. Sign the Data Processing Agreement: Execute the Perplexity DPA as the Auftragsverarbeitungsvertrag required under Article 28 DSGVO.
  3. Confirm SCCs for EU-US transfers: Verify that the DPA includes Standard Contractual Clauses (Controller-to-Processor, Module 2) for the transfer of EU personal data to Perplexity’s US infrastructure.
  4. Update your processing register: Add Perplexity to your Verzeichnis von Verarbeitungstätigkeiten (Article 30 DSGVO) for each relevant processing activity.
  5. Update privacy notices: Where Perplexity is used to process data about employees or customers, your privacy notices must disclose this processing and the international transfer.
  6. Implement usage guidelines: Train employees on what types of queries are permissible — specifically, whether they should include personal data in Perplexity searches.

Is Perplexity GDPR Compliant? Data Storage and Subprocessors

Perplexity is a US company headquartered in San Francisco. Like most US-based AI services, its standard infrastructure processes data in the United States. The GDPR compliance question for German businesses is whether adequate safeguards — primarily SCCs — are in place for EU-US data transfers.

What Perplexity publishes:

  • Privacy Policy: Describes data collected from users, including queries, usage patterns, device data, and account information.
  • Sub-processor list: Available for enterprise customers, listing infrastructure providers (primarily major cloud platforms).
  • Data retention: Standard accounts have shorter retention settings; enterprise agreements specify deletion timelines.

What requires independent assessment:

  • Transfer Impact Assessment (TIA): For formal GDPR compliance, you should assess whether US national security laws present risks to the data transferred, and whether SCCs provide sufficient protection — this is the Schrems II analysis.
  • Subprocessor risk: Review Perplexity’s sub-processor list to ensure no sub-processor introduces additional transfer or compliance concerns.
  • Data minimization: Consider whether your employees need to include personal data in Perplexity queries at all — in many cases, queries can be anonymized without affecting usefulness.

Perplexity Enterprise vs. Free Plan — GDPR Compliance Difference

| Feature | Free / Pro Plan | Enterprise Plan |
|---|---|---|
| DPA / AVV available | No | Yes |
| Data used for training | Potentially | No |
| EU-US SCC transfer mechanism | Not provided | Yes |
| Data retention control | Limited | Contractual |
| Sub-processor disclosure | Limited | Full |
| GDPR-compliant for personal data | No | Yes (with proper setup) |
| SSO / Access management | No | Yes |

Bottom line: Using Perplexity free or Pro for business queries that include personal data is not GDPR-compliant. For German businesses, the only path to GDPR-compliant Perplexity deployment is the Enterprise plan with a signed DPA.

Use Cases and Risk Assessment Under the EU AI Act

Perplexity is an AI-powered search and research tool. Under the EU AI Act (Regulation (EU) 2024/1689), it is primarily a limited-risk AI system for general research and productivity use cases.

However, deployer risk assessment is required when:

  • Perplexity outputs influence significant decisions: If outputs of Perplexity searches directly feed into decisions affecting individuals — hiring, credit, access to services — the deployer’s risk level increases.
  • Real-time information retrieval on individuals: Using Perplexity to research specific people and then making decisions based on that research is a higher-risk use case.
  • Customer-facing AI interactions: If Perplexity capabilities are integrated into customer-facing products, Article 52 EU AI Act disclosure requirements apply.

For internal research, competitive intelligence, legal research, and general productivity uses — where Perplexity provides information but humans make decisions — the AI Act compliance burden is low. Document your use cases and confirm no use falls into Annex III high-risk categories.

Compliance Checklist for German Businesses Using Perplexity

  • Use case assessment done: Confirmed whether business queries involve personal data (individuals’ names, client data, HR data)
  • Enterprise plan in place: Upgraded to Perplexity Enterprise if personal data is processed
  • DPA / AVV signed: Perplexity Data Processing Agreement executed before processing personal data
  • SCCs confirmed: Standard Contractual Clauses for EU-US data transfers included in DPA
  • Processing register updated: Perplexity added to Art. 30 DSGVO register for relevant processing activities
  • Legal basis documented: Art. 6(1) lawful basis identified for each Perplexity use case (typically Art. 6(1)(f), legitimate interest, for business research)
  • Privacy notices updated: Employee-facing privacy notices disclose Perplexity use and US data transfer where applicable
  • Sub-processor list reviewed: Perplexity sub-processors reviewed; privacy notices updated accordingly
  • Employee usage guidelines issued: Staff trained on which query types may and may not include personal data
  • Data minimization applied: Queries anonymized wherever possible; personal data included only when necessary
  • Transfer Impact Assessment: Schrems II analysis conducted for EU-US transfers to Perplexity if processing sensitive data
  • AI Act classification: Perplexity use cases assessed; confirm no use falls under Annex III high-risk categories
  • Works council consulted: Betriebsrat notified if Perplexity is deployed as a standard employee research tool under §87 BetrVG

Compound Law advises German businesses on AI tool compliance: DPA review, GDPR risk assessments, and employee data governance. See our compliance services for details.


Frequently Asked Questions

Is Perplexity GDPR compliant?

Perplexity can be used in a GDPR-compliant manner, but only through the Enterprise plan with a signed Data Processing Agreement. The free and standard Pro plans do not include a DPA, meaning personal data processed through those plans lacks the Article 28 DSGVO-required contractual framework. German businesses must also confirm that Standard Contractual Clauses are in place for the EU-US data transfer and update their Article 30 DSGVO processing register and privacy notices. Compliance depends on your implementation, not Perplexity’s product alone.

Does Perplexity have a DPA (Data Processing Agreement)?

Yes — but only for Enterprise customers. Perplexity provides a Data Processing Agreement for businesses on its Enterprise plan, which functions as the Auftragsverarbeitungsvertrag (AVV) required under Article 28 DSGVO. The DPA includes provisions that prevent Enterprise query data from being used for model training. Free and standard Pro accounts do not come with a DPA, and Perplexity’s standard terms permit data use for service improvements.

Can I use Perplexity for business research under GDPR without an Enterprise plan?

If your business research queries do not include personal data — they are purely about topics, regulations, markets, or technical questions without naming individuals — the GDPR personal data threshold may not be triggered, and the absence of a DPA may be acceptable. However, most realistic business research scenarios carry some risk of personal data inclusion. The safest approach for any systematic business use of Perplexity is to use the Enterprise plan and execute a DPA. Using the free tier for business queries that include client names, employee details, or other personal data is not GDPR-compliant.

Where does Perplexity process data?

Perplexity is a US company and its infrastructure is primarily US-based. Search queries submitted to Perplexity are transferred to and processed on US servers. The Enterprise DPA includes Standard Contractual Clauses to cover this EU-US data transfer. There is currently no EU data center option for Perplexity. German businesses must factor this international transfer into their GDPR risk assessment and ensure SCCs are in place before processing personal data.

Do employees need to be informed that Perplexity is used in the workplace?

Yes. If Perplexity is deployed as a standard business tool for employees, your employee privacy notice (Datenschutzhinweise für Beschäftigte) must disclose its use and the associated data processing, including any transfer of query data to Perplexity’s US servers. Additionally, if Perplexity significantly affects employee work processes or could be used to monitor employee activities, the Betriebsrat has co-determination rights under §87(1) No. 6 BetrVG. Works council involvement should be sought before company-wide rollout.
