JUNE 2, 2026
3 MIN READ

Quick Recap of Our Annual Updated Customer Terms

We’ve updated our terms and policies. If you’re a Drata customer, below is a summary of key changes to our most recent updates.

We update our customer terms and policies on an annual basis, driven by customer feedback, evolving legal standards, and product updates. A summary of the most recent and key updates is below. If you would like more information about our legal terms, please visit our website here. If you would like more information about our privacy and security practices, please visit our Trust Center.

Terms of Service - Subscription Agreement

In addition to making many of our terms clearer, we made the following key updates:

1. AI Data Retention Clarification (FAQ Section)

The document now explicitly states that AI-processed customer data is treated as transient and not stored by the inference provider, though Drata logs AI inputs/outputs internally for up to ninety (90) days for quality monitoring. Customer admins can toggle off all AI features at the account level.

2. Extension of Rights to Affiliates (Section 1.6)

A new provision explicitly allows Customers to extend rights, benefits, and protections to their Affiliates and to contractors acting on their behalf, provided the Customer remains responsible for compliance. Affiliates may also directly purchase services via their own Order Forms.

3. New AI Features Section (Section 2.4)

A dedicated section on Artificial Intelligence Features was added. It covers opt-in availability, transient data processing (data not retained after generating a response), a firm prohibition on using Customer Data to train AI/ML models, and a disclaimer that AI outputs don't constitute legal or compliance advice.

4. Prepaid Limits and Overage Policy (Section 4.5)

New language was added establishing Prepaid Limits, defining Overages (consumption beyond those limits), and specifying that Overages trigger a Supplemental Order Form to replenish the prepaid balance at the rates set in the initial Order Form.

5. Tax Withholding Provisions (Sections 4.6.1 & 4.6.2)

Two new sub-sections were added addressing situations where Customers are legally required to withhold taxes. They detail the process for providing tax remittance receipts (within 90 days) and Drata's reimbursement obligations for incorrectly withheld taxes within the first year following payment.

6. Payment Portal Fees (Section 4.7)

A new clause states that if a Customer mandates Drata to use a vendor or compliance portal that charges fees (subscriptions or invoice percentages), Drata will invoice the Customer for those costs.

7. Security Incident Notification Timing (Section 6.3)

The agreement now specifies a concrete 48-hour notification window (or shorter if required by law) for security incident reporting, and requires both parties to notify each other before publishing any public notices or press releases that identify the other party by name.

Data Processing Addendum

The only change to our Data Processing Addendum (DPA) was in Annex 4, “Security Measures”, where paragraph 6 was changed to reflect a fourteen (14) character password policy.

If you would like to review and execute our DPA, please see here.

Privacy Notice

The following are the key changes to our Privacy Notice effective June 2, 2026:

1. Privacy Center launches: Privacy requests and marketing opt-outs now go through preferences.drata.com instead of email.

2. CCPA opt-out timing: Changed from fifteen (15) business days to thirty (30) calendar days.

3. Streamlined sources of personal data: Removed "employer/coworkers/friends" and "public sources" as listed data sources.

4. Scope clarification: Explicitly states that our Privacy Notice does not apply to customer data stored in Drata's products.

Jason Robman
SVP, Legal

Jason Robman is SVP Legal at Drata, with a broad legal background spanning technology, financial services, and compliance-driven organizations. Prior to Drata, he held legal leadership roles at Front, Zendesk, and Recommind, where he led commercial transactions, data privacy, information security, compliance, and governance matters. Jason brings deep expertise in inbound and outbound licensing agreements, intellectual property, regulatory and corporate investigations, securities compliance, and legal and compliance technology.
