Comparing LLM API privacy
Which LLM API actually keeps your prompts private? It’s easy to pick a model on cost and quality, then discover too late that the prompts you send for inference can be read by human reviewers, kept indefinitely, used to train the next model, and turned over to governments on request. This article compares the data-handling policies of every major LLM inference provider under a single Privacy Impact score. Every claim is sourced from the provider’s own legal terms with a verbatim quote, so you can verify it yourself — and a reusable prompt lets you score any provider not listed here.
Acronym glossary
- ZDR — Zero Data Retention. Provider stores no inputs or outputs at all; typically approval-gated.
- DPA — Data Processing Addendum. Contract addendum that names the provider as a GDPR “processor” acting on the customer’s instructions.
- SCCs — Standard Contractual Clauses. EU Commission-approved contract template for transferring personal data out of the EU/EEA.
- BAA — Business Associate Agreement. US HIPAA contract required before a provider may process protected health information.
- SOC 2 (Type II). Third-party audit attesting that a provider’s security/availability/confidentiality controls operated effectively over a period.
- ISO 27001 / 27701 / 42001. Certifications for information security management (27001), privacy information management (27701), and AI management systems (42001).
- CMEK / EKM — Customer-Managed Encryption Keys / Enterprise Key Management. Customer holds the encryption key; provider cannot decrypt at rest without it.
- GDPR. EU General Data Protection Regulation — defines the controller/processor model and cross-border transfer rules.
- PIPL. PRC Personal Information Protection Law (China’s GDPR equivalent).
- FISA (Section 702) / CLOUD Act. US statutes that compel US-incorporated providers to produce non-US persons’ data (FISA 702) and data stored anywhere globally (CLOUD Act).
- DSA. EU Digital Services Act — transparency-reporting obligations for online platforms operating in the EU.
Ranking
See the detailed comparison for per-attribute breakdown, or the scoring framework at the end of the article.
| Provider | Privacy Impact |
|---|---|
| DeepSeek API | AVOID24 |
| Gemini API (free tier) | AVOID22 |
| MiniMax Open Platform | RISKY14 |
| Cohere API | RISKY10 |
| Alibaba Cloud Model Studio | CAUTION6 |
| Z.ai Open Platform | CAUTION6 |
| xAI Grok API | CAUTION5 |
| Gemini API (paid tier) | CAUTION5 |
| Anthropic API | CAUTION5 |
| OpenAI API | CAUTION5 |
| Azure Direct Models | SAFE3 |
| Google Vertex AI | SAFE2 |
| Mistral AI Studio | SAFE2 |
| Amazon Bedrock | SAFE1 |
Comparison
Lower score = less the provider’s policy authorizes them to do with your prompts. The full scoring rubric is at the end of the article. Click any column header to re-sort.
| Provider | Data residency | Retention | Model retrain | Privacy Impact |
|---|---|---|---|---|
| DeepSeek API | China | Account lifetime | Yes (no opt-out) | AVOID24 |
| Gemini API (free tier) | Any Google region | Unspecified; used for training | Yes (no opt-out) | AVOID22 |
| MiniMax Open Platform | China / Singapore / EU endpoint optional | Account lifetime by default | Yes (opt-out) | RISKY14 |
| Cohere API | USA (GCP US-Central; no EU region) | 30 days; ZDR approval-gated | Yes (opt-out) | RISKY10 |
| Alibaba Cloud Model Studio | Selectable across 5 regions incl. Frankfurt | Not published | No (Model Studio); opt-out (Qwen Code OAuth) | CAUTION6 |
| Z.ai Open Platform | Singapore (parent in China) | Not stored | No | CAUTION6 |
| xAI Grok API | USA | ~30 days | No | CAUTION5 |
| Gemini API (paid tier) | Any Google region | Limited (abuse-prevention) | No | CAUTION5 |
| Anthropic API | USA | 30 days | No (API); opt-out (Claude Code) | CAUTION5 |
| OpenAI API | USA by default; 10 regions selectable for eligible Projects | 30 days (abuse logs) | No (API); opt-out (Codex, ChatGPT) | CAUTION5 |
| Azure Direct Models | Selectable per Azure region | 30 days (abuse logs); ZDR available | No | SAFE3 |
| Google Vertex AI | Selectable across 10 regions | 24h in-memory cache; ZDR available | No (Vertex); opt-out (Gemini CLI(Code Assist) free) | SAFE2 |
| Mistral AI Studio | EU primarily (SCCs for non-EU) | 30 days; ZDR available | No | SAFE2 |
| Amazon Bedrock | Selectable per AWS region | Not stored by default | No | SAFE1 |
Amazon Bedrock leads the comparison with the lowest privacy impact. Cloud providers post the strongest policy posture overall — the same model routed via a cloud provider consistently has a lower privacy impact than its direct API ( Anthropic API → Amazon Bedrock; Gemini API (paid) → Google Vertex AI; OpenAI API → Azure Direct Models). Mistral AI Studio is the notable direct-API exception, matching Vertex AI on score thanks to EU-primary hosting and no training on paid API data.
DeepSeek Developer API
Privacy Impact: AVOID24 — Do not use.
- Name: DeepSeek API — operated by Hangzhou DeepSeek Artificial Intelligence Co., Ltd. (深度求索); developer access via the DeepSeek Open Platform at
platform.deepseek.com - URL:
api.deepseek.com - Data residency: China OK+2
- Retention: Account lifetime; no specific period BAD+3
- Model retrain: Yes BAD+10
- Human content review: Routine; ToU §3.3 permits review of inputs and outputs BAD+3
- Government access: Broad, no user notification, no transparency report BAD+3
- Enterprise controls: None published (no DPA, no BAA, no SOC 2, no ZDR) BAD+3
Sources (Legal Framework)
DeepSeek operates a single legal framework covering both chat.deepseek.com and api.deepseek.com: the Privacy Policy [archive], the umbrella Terms of Use [archive], and the Open Platform Terms of Service [archive]. Open Platform ToS §5.3 incorporates the Privacy Policy by reference, and §2.1 confirms the web and API services share the same account. There is no separate API privacy regime.
Training on API data is the default. ToU §4.3 grants DeepSeek the right to use Inputs and Outputs to “provide, maintain, operate, develop or improve the Services or the underlying technologies.” The Privacy Policy additionally discloses internal corporate-group sharing for “foundation model training and optimization.” The opt-out toggle exists only in the consumer chat UI; for API-only developers, the documents are silent beyond a general right to opt out by emailing privacy@deepseek.com.
Data is stored in mainland China. Privacy Policy: “we directly collect, process and store your Personal Data in People’s Republic of China.” Controller: Hangzhou DeepSeek Artificial Intelligence Co., Ltd. Governing law is PRC mainland; jurisdiction is Hangzhou courts.
No enterprise tier. No published DPA, no BAA, no SOC 2 / ISO 27001 attestation, no SCCs for EU transfers beyond a generic “appropriate safeguards” clause, and no ZDR option. Liability is capped at the last twelve months of fees paid.
Content review is permitted. ToU §3.3 grants DeepSeek “the right to use technical means to review the behavior and information of users … including … reviewing inputs and outputs.” Open Platform ToS §7.1 requires DeepSeek to retain records and cooperate with PRC authorities for suspected violations.
Broad government access. Per the Privacy Policy, DeepSeek “may access, preserve, and share” personal data with “law enforcement agencies, public authorities, copyright holders, or other third parties” on a “good faith belief” standard. No transparency report, no commitment to notify users of government demands, no mechanism to challenge requests.
Gemini API (free tier)
Privacy Impact: AVOID22 — Do not use for sensitive data.
- Name: Gemini API (free / AI Studio) — direct path via Google AI Studio ; distinct from the paid tier and from Vertex AI
- URL:
generativelanguage.googleapis.com(via aistudio.google.com ) - Data residency: Any country where Google maintains facilities OK+2
- Retention: Used to develop Google products and ML; no documented deletion window BAD+3
- Model retrain: Yes, including human review BAD+10
- Human content review: Routine — human reviewers may read, annotate, and process input/output BAD+3
- Government access: US standard rule-of-law process GOOD+1
- Enterprise controls: None on free tier BAD+3
Warning — scope: This score covers the unpaid / free Gemini API at
generativelanguage.googleapis.comvia Google AI Studio — accounts without an active Cloud Billing project. If billing is attached, requests fall under the paid tier instead; for the enterprise data-governance regime on Google Cloud (regional pinning, ZDR, CMEK), see Google Vertex AI.
Sources (Legal Framework)
The Gemini API direct path is governed by the Gemini API Additional Terms of Service [archive], which split the world into “Paid Services” and “Unpaid Services” — this section covers the Unpaid path. Both are subject to the underlying Google Privacy Policy [archive] and Google APIs Terms of Service [archive]. Vertex AI on Google Cloud is governed separately by the Google Cloud Privacy Notice [archive] and is out of scope here.
The unpaid tier trains on your data and exposes it to human review. Under “How Google uses Your Data” for Unpaid Services: “Google uses the content you submit to the Services and any generated responses to provide, improve, and develop Google products and services and machine learning technologies.” And: “human reviewers may read, annotate, and process your API input and output.” The terms explicitly warn: “do not submit sensitive, confidential, or personal information to the Unpaid Services.”
“Paid” is account-state, not request-state. Google AI Studio counts as a Paid Service “as long as the account accessing it has a Cloud Project with an associated and active Cloud Billing account.” A default Google account using AI Studio is on the Unpaid tier — training applies. If you intend to be on the paid tier, verify the Cloud Billing setup before treating traffic as paid.
EEA / Switzerland / UK cannot use the free tier. Apps directed at EEA/Swiss/UK users may use only Paid Services — the free tier is contractually prohibited for that audience. See the paid tier for the terms that apply.
Gemini API (paid tier)
Privacy Impact: CAUTION5.
- Name: Gemini API (paid) — direct path via Google AI Studio once the account has a Cloud Project with active billing; distinct from the free tier and from Vertex AI
- URL:
generativelanguage.googleapis.com(via aistudio.google.com ) - Data residency: Any country where Google maintains facilities OK+2
- Retention: Limited, abuse-prevention only OK+1
- Model retrain: No GOOD0
- Human content review: None routine GOOD0
- Government access: US standard rule-of-law process GOOD+1
- Enterprise controls: Partial — Google publishes a DPA and SOC 2/ISO 27001, but no documented ZDR for the AI Studio direct path (ZDR is a Vertex AI feature) OK+1
Warning — scope: This score covers the paid Gemini API at
generativelanguage.googleapis.comvia Google AI Studio , once the account has a Cloud Project with active billing. Without active billing, requests fall under the free tier instead and train on your prompts; for regional pinning, ZDR, and CMEK on Google Cloud, see Google Vertex AI.
Sources (Legal Framework)
The Gemini API direct path is governed by the Gemini API Additional Terms of Service [archive], which split the world into “Paid Services” and “Unpaid Services” — this section covers the Paid path. Both are subject to the underlying Google Privacy Policy [archive] and Google APIs Terms of Service [archive]. Vertex AI on Google Cloud is governed separately by the Google Cloud Privacy Notice [archive] and is out of scope here — see the Vertex AI section for that regime.
No training, limited logging. Under “How Google uses Your Data” for Paid Services: “Google doesn’t use your prompts (including associated system instructions, cached content, and files such as images, videos, or documents) or responses to improve our products.” Logging is restricted: “Google logs prompts and responses for a limited period of time, solely for detecting and preventing violations of the Prohibited Use Policy.”
“Paid” is account-state, not request-state. Google AI Studio counts as a Paid Service “as long as the account accessing it has a Cloud Project with an associated and active Cloud Billing account.” If billing is not active, requests fall back to the unpaid terms and training applies. Verify the billing state on every project before treating traffic as paid.
Data residency is global. Even on the Paid path, the Additional ToS state: “This data may be stored transiently or cached in any country in which Google or its agents maintain facilities.” There is no region-pinning equivalent to OpenAI’s regional processing — for regional residency on Google Cloud, use Vertex AI.
EEA / Switzerland / UK are forced onto paid terms. From the Additional ToS: “the terms under ‘How Google uses Your Data’ in ‘Paid Services’ apply to all Services, including Google AI Studio and unpaid quota in the Gemini API” — but apps directed at EEA/Swiss/UK users may use only Paid Services; the free tier is contractually prohibited for that audience.
MiniMax Open Platform
Privacy Impact: RISKY14 — Avoid for sensitive data unless the EU endpoint + privacy settings + ZDR are explicitly enabled.
- Name: MiniMax Open Platform — international entity Nanonoble Pte. Ltd. (Singapore), R&D parent MiniMax / 稀宇科技 (Shanghai); consumer brand Hailuo AI (海螺) is the same company’s chat/video product
- URL:
platform.minimax.io(global) /api-eu.minimaxi.com(EU endpoint) - Data residency: Primary datacenters in mainland China, with optional EU endpoint for GDPR-bound apps OK+2
- Retention: Tied to account; ZDR (“zero-retention”) available as an opt-in OK+2
- Model retrain: Yes by default; “privacy settings” must be enabled to disable training use BAD+5
- Human content review: Not documented; conservative default OK+1
- Government access: PRC jurisdiction BAD+3
- Enterprise controls: Partial — EU endpoint, opt-in ZDR, AES-256/TLS 1.3, but no published SOC 2 / ISO 27001 attestation OK+1
Sources (Legal Framework)
The MiniMax API is governed by the MiniMax API Privacy Policy [archive], the MiniMax AI App and Web Privacy Policy [archive], and (for the audio product) the Minimax.io Audio Privacy Policy [archive]. The corporate entity behind the international platform is Nanonoble Pte. Ltd. (Singapore); the underlying R&D entity is Shanghai-based MiniMax.
Training is the default on the consumer-style flow, opt-out via “privacy settings.” Third-party security reviews of the M-series models report that “By default, MiniMax does not use customer data to train its models when privacy settings are enabled” — i.e. explicit configuration is required for the no-training state. Independent testing confirms: “with retention disabled, input data was not stored or used for training” — meaning the opt-out works, but the default state is permissive.
Data residency is China by default; EU endpoint exists for GDPR-bound deployments. “MiniMax is a Chinese company, and its primary data centers are likely located in China. This means data transmitted to MiniMax’s API may be processed and stored on servers in mainland China, subjecting the data to Chinese data protection laws and regulations.” The dedicated api-eu.minimaxi.com endpoint “ensures all data processing occurs within EU borders and provides legally compliant audit logging and data retention policies.”
Zero-retention is configurable. MiniMax “supports ‘zero-retention’ modes and opt-outs for data usage, meaning companies can choose not to have their prompts or content retained on MiniMax’s servers.” Extended retention is billed: “API call logging and extended data retention cost $0.50 per GB monthly as a supplementary charge.” Customers can also deploy in a private cloud / VPC.
Encryption. “TLS 1.3 encryption for data in transit and AES-256 encryption for data at rest.”
Government access. PRC-domiciled processing exposes data to the same regulatory regime as DeepSeek (Cybersecurity Law, Data Security Law, PIPL, Generative AI Provisions). MiniMax has no transparency report and no public commitment to notify users of state demands.
Cohere API
Privacy Impact: RISKY10 — Cohere is also available via Amazon Bedrock, where Cohere doesn’t see customer inputs or outputs and the Bedrock-level posture applies instead.
- Name: Cohere Platform (a.k.a. Cohere API) — direct REST API at
api.cohere.com; Cohere also distributes its models via Amazon Bedrock and Azure AI Foundry under separate “Channel Partner” terms where Cohere has no access to inputs or outputs - URL:
api.cohere.com - Data residency: USA only — GCP US-Central, no EU region selection on the SaaS Platform OK+1
- Retention: 30 days for logged prompts/generations; ZDR available but approval-gated OK+1
- Model retrain: Yes by default; dashboard toggle to opt out — the SaaS Agreement contractually licenses Cohere to use Customer Data to “improve and enhance the Services” BAD+5
- Human content review: Safety team may review flagged prompts/generations to enforce the Usage Policy OK+1
- Government access: Canadian entity, US data hosting; commitment to notify customers absent legal prohibition; no public transparency report OK+1
- Enterprise controls: SOC 2 Type II, ISO 27001, ISO 42001, UK Cyber Essentials; DPA available only under NDA; BAA limited to custom-model development (does not cover the SaaS Platform) OK+1
Sources (Legal Framework)
The Cohere API is governed by the Terms of Use [archive], the Software-as-a-Service Agreement [archive], the Privacy Policy [archive], the Enterprise Data Commitments [archive], and the Trust Center [archive]. The contracting entity is Cohere Inc., a Canadian corporation: “with its principal place of business located at 171 John Street, Suite 200, Toronto, Ontario M5T 1X3.” This regime applies only to the direct SaaS API — Cohere models routed via Amazon Bedrock or Azure AI Foundry are governed by separate Channel Partner agreements.
Training defaults to ON; opt-out is a dashboard toggle. From the Enterprise Data Commitments: “You can opt out from your prompts and generations being used to train Cohere models in your dashboard settings at any time.” The instruction continues: “Adjust the toggle to ‘Off’ to opt out” — i.e. the default state is opt-in. The underlying SaaS Agreement §3 grants Cohere a broad contractual licence to use Customer Data “to … (III) IMPROVE AND ENHANCE THE SERVICES AND COHERE’S OTHER OFFERINGS AND BENCHMARK THE FOREGOING, INCLUDING BY SHARING API DATA AND FINETUNING DATA WITH THIRD PARTIES.” The dashboard control is layered on top of that licence. This regime is scoped to the SaaS Platform only: “In third-party cloud AI/ML platforms and private deployment solutions, Cohere does not receive any customer inputs (prompts) or outputs (generations).”
30-day retention with approval-gated Zero Data Retention. From the Enterprise Data Commitments: “We automatically delete logged prompts and generations after 30 days, unless we need it to comply with a legal requirement or customer contract, or unless your usage is flagged as potentially violating our terms (e.g. abuse or misuse of our services).” And: “If you have been approved for zero data retention, Cohere does not log any customer prompts or generations.” ZDR is therefore not a self-service control — it must be requested and approved. Flagged content may be retained and reviewed beyond the 30-day window.
Data residency is US-only on the SaaS Platform. From the Trust Center FAQ: “Our hosting centers are on Google Cloud Platform servers located in US-Central. We do not use servers outside of the US.” No EU-region equivalent exists for direct API customers. EU customers transferring personal data rely on the Standard Contractual Clauses incorporated in the DPA.
Human review is flagged-abuse only. From the Enterprise Data Commitments: “If we detect possible misuse of our SaaS Platform, our safety and security teams may review user prompts, generations, and logs to enforce our customer agreements, including our Usage Policy, and secure our services from misuse.” Routine browsing of API traffic is not described.
Government access — customer-notify commitment, no transparency report. From the Trust Center FAQ: “Unless legally prohibited, Cohere commits to promptly notify customers of any communications received from a governmental agency requesting or purporting to compel the production of customer data that contains personal information so that the customer can work with the governmental agency directly to respond.” Cohere is incorporated in Canada but hosts data on US infrastructure, exposing it to US national-security process; no transparency report is published as of writing.
Enterprise compliance — strong attestations, weaker enterprise contracting. Per the Trust Center, Cohere holds SOC 2 Type II, ISO 27001, ISO 42001 (the AI Management System standard — few peers in this comparison are certified), and UK Cyber Essentials. The DPA is not freely published: “Yes, Cohere has a DPA. If you would like to receive a copy, we will need a signed NDA.” HIPAA coverage is narrowly scoped: “Cohere may execute a Business Associate Agreement (BAA) for custom model development engagements. Cohere’s BAA only covers engagements where Cohere develops a custom model on behalf of a customer. It does not cover Cohere hosted products and applications such as Cohere’s SaaS services. Enterprise customers should not submit Personal Health Information through the Cohere SaaS services.” No customer-managed encryption keys (CMEK/EKM) are documented for the SaaS API.
Alibaba Cloud Model Studio
Privacy Impact: CAUTION6 — Frankfurt EU deployment scope is available with GDPR-ready posture and C5 attestation; Chinese-parent corporate structure is the residual jurisdictional risk.
- Name: Alibaba Cloud Model Studio (formerly Bailian); hosts Qwen and third-party models via the DashScope API
- URL:
dashscope.aliyuncs.com/dashscope-intl.aliyuncs.com - Data residency: Selectable across 5 regions: Singapore, US (Virginia), Germany (Frankfurt / EU), China (Beijing), China (Hong Kong) GOOD0
- Retention: Inputs/outputs stored in the selected region; transient at cross-region compute nodes per Model Studio regions docs OK+2
- Model retrain: “Will never use your data for model training” per Model Studio docs GOOD0
- Human content review: Not stated OK+1
- Government access: Frankfurt EU deployment + GDPR-ready posture mitigate default exposure; Chinese-parent corporate structure remains the residual jurisdictional risk OK+2
- Enterprise controls: Partial — GDPR-ready, C5 / SOC / ISO certs, account deletion documented; no published BAA or Model Studio-specific ZDR addendum OK+1
Warning — scope: This score covers Alibaba Cloud Model Studio (DashScope) accessed with an Alibaba Cloud account. Qwen Code (the CLI) supports three authentication methods with different data regimes: (1) Alibaba Cloud Coding Plan — inherits this section’s no-training regime; (2) Qwen OAuth (
qwen.aiaccount) — falls under the Qwen Privacy Policy instead: de-identified user content is processed “to improve the accuracy and quality of our services (including our AI models)” under GDPR “legitimate interests” basis, with data stored in Singapore and Mainland China; (3) Bring your own API key — depends on the chosen provider.
Sources (Legal Framework)
Alibaba Cloud Model Studio (formerly Bailian / DashScope) hosts Qwen and third-party models. Governance: Model Studio overview [archive], DashScope API reference [archive], the Model Studio regions and deployment scope docs [archive], the Alibaba Cloud GDPR Trust Center [archive], and the Qwen Code Terms of Service & Privacy Notice [archive]. All inherit from the underlying Alibaba Cloud International Privacy Policy.
Explicit no-training claim. Model Studio documentation states: “Alibaba Cloud protects data privacy and will never use your data for model training. All data you transmit when building applications or training models is encrypted.” The Qwen Code documentation echoes this: “Qwen Code itself does not use your prompts, code, or responses for model training. Any data usage for training purposes would be governed by the policies of the AI service provider you authenticate with.”
Authentication path determines applicable terms. Per the Qwen Code docs: “When you authenticate using an API key from Alibaba Cloud, the applicable Terms of Service and Privacy Notice from Alibaba Cloud apply.” International users on the Singapore tenant fall under Alibaba Cloud International; mainland users fall under Alibaba Cloud (China).
Qwen OAuth authentication uses a separate privacy regime. The Qwen Code docs route Qwen OAuth users (logging in with a qwen.ai account) to the Qwen Privacy Policy [archive], operated by Alibaba Cloud (Singapore) Private Limited. Unlike the Model Studio commitment above, the Qwen Privacy Policy lists “to improve the accuracy and quality of our services (including our AI models)” among its processing purposes — relying on de-identified User Content + Feedback under the GDPR “legitimate interests” basis (not explicit opt-in). Data is stored in Singapore and Mainland China; users have GDPR-style rights to access, delete, and withdraw consent, but training is the default state for active accounts.
Telemetry is opt-out, not opt-in. Per the Qwen Code docs: “Qwen Code may collect anonymous usage statistics and telemetry data to improve the user experience and product quality. This data collection is optional and can be controlled through configuration settings.”
Data storage follows the selected region. The Model Studio regions docs document five supported regions — Singapore, US (Virginia), China (Beijing), China (Hong Kong), and Germany (Frankfurt) — and state: “Regardless of the service deployment scope you choose, your static data, including inputs and outputs, is always stored in the selected region.” For cross-region inference under the Global or International deployment scopes, the docs add: “Data generated during model invocation, such as prompt inputs and model outputs, is processed only transiently during inference and is not persistently stored in the region where the compute node resides. This data is encrypted throughout transmission.” No public retention window is published for stored data; specific retention defers to the Alibaba Cloud Privacy Policy.
Government access depends on the chosen region. PRC jurisdiction (Cybersecurity Law, Data Security Law, PIPL) applies to traffic that lands in the Beijing region. The Frankfurt deployment scope keeps data inside the EU, and Alibaba Cloud’s GDPR Trust Center declares the platform “GDPR-ready” effective May 25, 2018, with C5 attestation in Germany. The residual concern is corporate: Alibaba Cloud’s ultimate parent is in China, and PRC extraterritorial production demands under the Data Security Law remain a documented concern even where contractual safeguards exist for EU-region data.
Z.ai Open Platform
Privacy Impact: CAUTION6 — Singapore-fronted with a contractual DPA and ZDR for API content; the residual risk is the Chinese parent’s jurisdictional exposure.
- Name: Z.ai — international product of Zhipu AI / BigModel (智谱AI), serving the GLM model family; mainland endpoint operates as
open.bigmodel.cn - URL:
api.z.ai(international) /open.bigmodel.cn(mainland China endpoint, GLM via Zhipu) - Data residency: “Processed in Singapore” per DPA §3(a); mainland endpoint hosts data in China OK+2
- Retention: “do not store any of the content the Customer or its End Users provide or generate while using our Services” — DPA §4(b), contractual GOOD0
- Model retrain: No — Additional Terms §3.b: “We will not use End User Content to develop or improve Services, unless you explicitly agree” GOOD0
- Human content review: Not stated OK+1
- Government access: DPA §1(e) requires user notification of legal demands; PRC-parent jurisdictional exposure remains OK+2
- Enterprise controls: Partial — DPA + Additional Terms for API Services published; no SOC 2 / ISO 27001 / BAA OK+1
Sources (Legal Framework)
Z.ai is the international product of Zhipu AI / BigModel (智谱AI). Governance: the Z.ai Terms of Use [archive] (which contains the Additional Terms for API Services), the Z.ai Privacy Policy [archive] (which embeds the Data Processing Addendum for API Services), and the Z.ai Model API documentation [archive]. The mainland open.bigmodel.cn endpoint is governed by separate Zhipu / BigModel policies in Mandarin and is not interchangeable with the Z.ai international terms.
API content is excluded from the consumer Privacy Policy. “This Privacy Policy only applies to individual users and does not apply to content that we process on behalf of customers of our business offerings. If you are enterprises or developers using the API Services … please refer to the Data Processing Addendum for API Services.” The DPA — embedded in the Privacy Policy page — governs everything sent through the API.
No training on API content by default. Additional Terms for API Services §3.b: “We will not use End User Content to develop or improve Services, unless you explicitly agree to such use.” Training requires affirmative opt-in, matching the processor model used by xAI and Anthropic.
API content is contractually not stored. DPA §4(b): “The Company do not store any of the content the Customer or its End Users provide or generate while using our Services. This includes any texts, or other data you input. This information is processed in real-time to provide the Customer and End Users with the API Service and is not saved on our servers.” DPA §4(c) extends only to non-content “Customer Data” (e.g. account metadata), which is “temporarily” stored and deleted at termination.
Account-level personal data follows the Privacy Policy. Privacy Policy §7: “we retain it as long as you have an account.” This covers account info and login data, not API inputs.
Data residency is Singapore for the international tenant. Privacy Policy §8: “your personal data is generally processed in Singapore” and “Company generally provide the Services from Singapore.” DPA §3(a) restates this for API content. The mainland open.bigmodel.cn endpoint processes data in China under PRC law.
Government access includes a notification commitment. DPA §1(e): “Inform Customer if Company receives any legally binding request to disclose Customer Data to a law enforcement authority unless otherwise prohibited by laws.” This is a contractual notification clause — stronger than the Privacy Policy’s general disclosure language. The residual risk is jurisdictional: the parent (Zhipu AI) is incorporated in mainland China and is subject to PRC extraterritorial production demands under the Data Security Law, which the Singapore-side DPA cannot override.
Enterprise framework is partial. A published DPA and Additional Terms for API Services define the processor relationship and the no-storage commitment. No SOC 2 / ISO 27001 attestation, no BAA, and no third-party audit of the no-storage claim are published.
xAI Grok API
Privacy Impact: CAUTION5.
- Name: xAI API — official name on
docs.x.ai; Grok is the model family (Grok 4, etc.), not the brand of the API itself - URL:
api.x.ai - Data residency: USA GOOD+1
- Retention: Deletion within 30 days of request; consumer Private Chat is not retained beyond 30 days OK+1
- Model retrain: No on the API path — xAI acts as processor under the DPA GOOD0
- Human content review: “A limited number of authorized xAI personnel may review user conversations … for specific purposes” — flagged-content only GOOD+1
- Government access: US standard rule-of-law process; no public transparency report yet GOOD+1
- Enterprise controls: DPA published, GDPR/UK GDPR/Swiss FADP referenced, but SOC 2 / ISO 27001 not yet publicly attested for
api.x.aiOK+1
Sources (Legal Framework)
The xAI API is governed by the xAI Enterprise Terms [archive] and the xAI Data Processing Addendum [archive]. The consumer Grok product (grok.com, X app integration) is governed by the separate xAI Privacy Policy [archive] and Consumer Terms of Service — those terms do not apply to API traffic. Deletion requests can be filed via the xAI Privacy Portal [archive].
API data is not covered by the consumer Privacy Policy. Per the consumer Privacy Policy: “The xAI Privacy Policy does not apply to data that xAI processes on behalf of customers of its business offerings, such as the xAI API.” Instead the DPA governs: “This DPA sets out the terms that apply when xAI processes Personal Data on your behalf in connection with the Service, including any Personal Data that you provide to xAI through our API or other business services.”
xAI is the processor; the customer is the controller. Per the DPA: “xAI is a processor and the customer is a controller or processor of Personal Data, as applicable, under Applicable Data Protection Laws.” The DPA references “the General Data Protection Regulation 2016/679 (‘GDPR’), the UK GDPR, and the Swiss Federal Act on Data Protection Act of 2020 and its Ordinance (‘Swiss FADP’).”
Consumer-side training is opt-in (post-update); API typically excluded. Per the consumer Privacy Policy: “When logged into the Service, you can select whether or not you want xAI to use your Content to train its models and improve its services.” The DPA structure means API/enterprise customer content is not used for model training by default. xAI’s broader data-purposes paragraph still asserts a wide license: “to develop new product features, to train models, to identify usage trends, to operate and expand business activities.”
Deletion window is 30 days. Per the consumer Privacy Policy: “data is queued for deletion and generally removed from xAI systems within 30 days, unless necessary to retain for legal, compliance, or safety purposes.” Private Chat: “conversations do not appear in history, are not used for model training, and are deleted from systems within 30 days.”
Human review is limited, not routine. Per the consumer Privacy Policy: “A limited number of authorized xAI personnel may review user conversations (User Content, including prompts and outputs) for specific purposes, including improving model performance and product features, investigating security incidents, detecting potential misuse of the service, and complying with legal obligations. This review is not routine or comprehensive.”
De-identified retention may persist. Per the consumer Privacy Policy: “where permissible by law, xAI may collect and retain user content (prompts and outputs) on an anonymous basis. This de-identified data can be used for purposes such as model training, fine-tuning, service improvement, research.” Worth knowing if your threat model includes re-identification risk.
Anthropic API
Privacy Impact: CAUTION5.
- Name: Claude API (a.k.a. Anthropic API) — REST API at
api.anthropic.com, docs atdocs.anthropic.com/platform.claude.com, developer dashboard at the Anthropic Console (console.anthropic.com);claude.aiis the separate consumer product - URL:
api.anthropic.com - Data residency: USA GOOD+1
- Retention: 30 days (some sources say 7) OK+1
- Model retrain: No on the API; Claude Code via Pro / Max consumer plans defaults to training-on (opt-out toggle) OK+1
- Human content review: Flagged-content classifier only GOOD+1
- Government access: US standard rule-of-law process; transparency report published GOOD+1
- Enterprise controls: DPA/SCCs, SOC 2 Type II, BAA, ZDR (approval-gated) GOOD0
Warning — scope: This score covers
api.anthropic.comaccessed with a Commercial-Terms API key (Workbench, Console, Claude Code launched via API key). Claude Code on a Claude.ai consumer plan (Free / Pro / Max) falls under the Consumer Terms instead: training defaults to ON unless you disable Help Improve Claude in Privacy Settings, and opt-in retention extends to 5 years.
Sources (Legal Framework)
The Anthropic API is governed by the Commercial Terms of Service [archive], the Privacy Policy [archive], the Usage Policy [archive], and the privacy-center articles on API retention [archive] and Zero Data Retention [archive]. The Commercial Terms are distinct from the Consumer Terms covering Claude Free / Pro / Max — recent five-year consumer retention changes do not apply to the API.
30-day default retention on the API backend. From the commercial retention article: “we automatically delete inputs and outputs on our backend within 30 days of receipt or generation.” Exceptions: longer-retention services under user control (Files API), zero-data-retention agreements, Usage Policy enforcement, and legal compliance.
No training on API inputs/outputs by default. Anthropic’s Commercial Terms and Privacy Policy commit that prompts and completions submitted via the API are not used to train models absent explicit opt-in (e.g. flagged feedback). Trust & safety classifier scores are retained separately: “We retain inputs and outputs for up to 2 years and trust and safety classification scores for up to 7 years if your chat is flagged.”
Zero Data Retention is available for approved enterprise customers. From the ZDR article: “Anthropic does not store their inputs or outputs except where needed to comply with law or combat misuse,” and “The only products to which zero data retention applies are eligible Anthropic APIs, and Anthropic products that use your Commercial organization API key (including Claude Code).” Note: “Anthropic still retains User Safety classifier results in order to enforce our Usage Policy” even under ZDR.
Data residency is USA. Anthropic processes API traffic in the United States; there is no region-selection feature equivalent to OpenAI’s. EU-located customers rely on SCCs in the DPA addendum. Anthropic publishes SOC 2 Type II and offers a BAA for HIPAA-eligible deployments.
Claude Code spans two regimes. The Claude Code data-usage page [archive] confirms commercial users (Team, Enterprise, API, third-party platforms, Claude Gov) inherit the API regime — “Anthropic does not train generative models using code or prompts sent to Claude Code under commercial terms, unless the customer has chosen to provide their data.” Consumer-plan users (Free / Pro / Max) fall under the consumer training rules [archive] (training is enabled when Help Improve Claude is on, controlled per the privacy settings article [archive]) with 5-year retention for opted-in users versus 30 days otherwise. By contrast, the commercial training article [archive] confirms: “By default, we will not use your inputs or outputs from our commercial products … to train our models.”
OpenAI API
Privacy Impact: CAUTION5.
- Name: OpenAI Platform (also “OpenAI API Platform”) — developer surface at
platform.openai.comwith API atapi.openai.com; distinct from the ChatGPT consumer product - URL:
api.openai.com - Data residency: USA by default; eligible API customers can opt into 10 regions (US, EU, UK, JP, KR, SG, AU, IN, UAE, CA) by creating a new region-pinned Project — existing Projects cannot be migrated OK+1
- Retention: 30 days (abuse logs) OK+1
- Model retrain: No on the API; Codex / ChatGPT on Free / Plus / Pro consumer plans defaults to training-on (opt-out toggle) OK+1
- Human content review: Abuse-flagged only GOOD+1
- Government access: US standard rule-of-law process; transparency report published GOOD+1
- Enterprise controls: DPA, SOC 2, HIPAA/BAA, ZDR (approval-gated), EKM GOOD0
Warning — scope: This score covers
api.openai.comaccessed with an API key under the Services Agreement. Codex and ChatGPT on Free / Plus / Pro consumer plans fall under the consumer data rules: training defaults to ON unless you disable Improve the model for everyone in Data Controls (Codex has additional environment-level controls). ChatGPT Business / Enterprise / Edu and Codex routed through the API platform remain default-off.
Sources (Legal Framework)
The OpenAI API is governed by the Services Agreement [archive], the Enterprise Privacy commitments [archive], the Data controls guide [archive], and the data-usage policy [archive]. API and ChatGPT consumer products are under different legal regimes; this section covers the API only.
No training on API data by default. From OpenAI’s data-usage policy: “By default, we do not train on any inputs or outputs from our products for business users, including ChatGPT Team, ChatGPT Enterprise, and the API. We offer API customers a way to opt-in to share data with us, such as by providing feedback in the Playground.” The Data Controls guide reinforces this: “data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us).”
Abuse logs are kept for 30 days. From OpenAI’s Data Controls guide: “abuse monitoring logs are generated for all API feature usage and retained for up to 30 days, unless longer retention is required by law.”
Regional processing is gated to eligible Projects. The default for any new API account is processing in the United States. Region selection is described in OpenAI’s data-residency announcement [archive] and help center article [archive]: “Eligible API customers and new ChatGPT Enterprise/Edu customers can choose to have customer content stored at rest in supported countries.” And: “Eligible customers can enable European data residency by creating a new Project in the API Platform dashboard and selecting Europe as the region. API requests initiated through these Projects will be handled in-region by OpenAI with zero data retention … European residency can only be configured for new Projects—existing Projects cannot be updated to have European data residency after creation.” The same model now applies to ten regions: US, EU, UK, JP, KR, SG, AU, IN, UAE, and CA. Eligibility is determined by OpenAI Sales; pay-as-you-go API users without an eligible account remain in US-default processing.
Zero Data Retention exists for approved customers. From OpenAI’s Data Controls guide: “Zero Data Retention excludes customer content from abuse monitoring logs.” When ZDR is enabled, “the store parameter … will always be treated as false, even if the request attempts to set the value to true,” meaning stateful APIs (Responses, Assistants) effectively run stateless.
Enterprise compliance is documented. OpenAI is HIPAA-eligible (with BAA) for covered services, SOC 2 audited, and publishes a DPA for GDPR transfers. Enterprise Key Management (EKM) is available for customer-managed encryption keys.
Codex and ChatGPT consumer plans are a separate regime. Per the help-center data-usage article [archive]: “When you use our services for individuals such as ChatGPT and Codex, we may use your content to train our models. … Codex has separate controls for allowing training on full environments, which you can manage in the Codex Settings.” The Data Controls FAQ [archive] and history-without-training article [archive] document the opt-out toggle: “data sharing is enabled for you by default, however, you can opt out … navigate to Your Profile > Settings > Data Controls > Improve the model for everyone > Switch off the toggle.” Default state is training-on with opt-out — distinct from the API default-off regime above; ChatGPT Business / Enterprise / Edu inherit the API regime.
Azure Direct Models
Privacy Impact: SAFE3.
- Name: Azure Direct Models — the “Models sold directly by Azure” category within Microsoft Foundry ; formerly branded Azure OpenAI Service
- URL:
<resource>.openai.azure.com(in Microsoft Foundry) - Data residency: Selectable per Azure geography; DataZone / Global deployment types available for explicit residency control GOOD0
- Retention: 30 days for abuse-monitoring logs; encrypted at rest; auto-purged OK+1
- Model retrain: No — prompts/completions never used to train base models GOOD0
- Human content review: Flagged-content only; Modified Abuse Monitoring can remove human review for approved customers GOOD+1
- Government access: US/regional standard rule-of-law; Microsoft transparency report published GOOD+1
- Enterprise controls: Microsoft DPA, SOC, ISO, HIPAA/BAA, customer-managed keys, Modified Abuse Monitoring / ZDR (approval-gated) GOOD0
Sources (Legal Framework)
Azure OpenAI (now Azure Direct Models in Microsoft Foundry) is governed by the Microsoft Products and Services Data Protection Addendum [archive], the Data, privacy, and security for Azure Direct Models [archive] page, and the Microsoft Trust Center [archive]. The relevant data-flow is operated entirely by Microsoft; data does not transit OpenAI’s infrastructure.
Strict customer-data isolation, no training. Direct quote from the data-privacy page: “Your prompts (inputs) and completions (outputs), your embeddings, and your training data: are NOT available to other customers. are NOT available to OpenAI or other Azure Direct Model providers. are NOT used by Azure Direct Model providers to improve their models or services. are NOT used to train any generative AI foundation models without your permission or instruction. Customer Data, Prompts, and Completions are NOT used to improve Microsoft or third-party products or services without your explicit permission or instruction.”
Models are stateless on the inference path. From the data-privacy page: “The models are stateless: no prompts or completions are stored in the model. Additionally, prompts and completions are not used to train, retrain, or improve the base models.”
Data residency follows Azure geography. From the data-privacy page: “Prompts and responses are processed within the customer-specified geography (unless you are using a Global or DataZone deployment type), but may be processed between regions within the geography for operational purposes.” DataZone deployments restrict processing to a defined zone (e.g. all-EU for an EU-deployed resource).
30-day abuse-monitoring retention with logical isolation. From the data-privacy page: “The abuse monitoring data store where prompts and completions are stored for human review is logically separated by customer resource … A separate data store is located in each geography in which the Azure Direct Model is available, and a customer’s prompts and generated content are stored in the Azure geography where the customer’s Foundry resource is deployed.” For EEA deployments: “the authorized Microsoft employees are located in the European Economic Area.”
Modified Abuse Monitoring removes human review and data storage. From the data-privacy page: “If the customer has been approved for modified abuse monitoring, the data storage and human review process described above is not performed. However, automated review may still be conducted.” Approval is gated to EA / MCA customers (not pay-as-you-go). A ContentLogging=false flag is verifiable via the Azure portal or CLI.
Google Vertex AI
Privacy Impact: SAFE2.
- Name: Google Vertex AI — rebranded Gemini Enterprise Agent Platform at Cloud Next 2026 (April 22, 2026), consolidating Vertex AI and Agentspace; existing endpoints, SDKs, and privacy controls remain unchanged. Distinct from the Gemini API via Google AI Studio (see the free tier and paid tier)
- URL:
<region>-aiplatform.googleapis.com(e.g.us-central1-aiplatform.googleapis.com) - Data residency: Selectable across 10 countries (US, CA, JP, SG, KR, NL, FR, UK, DE, BE) GOOD0
- Retention: 24-hour in-memory cache only; abuse monitoring applies to pay-as-you-go only and can be opted out for invoiced accounts; ZDR available GOOD+1
- Model retrain: No — “won’t use your data to train or fine-tune any AI/ML models without your prior permission or instruction” GOOD0
- Human content review: None on enterprise-billed path GOOD0
- Government access: US/regional standard; Google publishes a transparency report GOOD+1
- Enterprise controls: Cloud DPA, SOC, ISO, HIPAA/BAA, CMEK, VPC Service Controls, Access Context Manager GOOD0
Warning — scope: This score covers Vertex AI accessed via
aiplatform.googleapis.comunder the Google Cloud Terms of Service. Gemini CLI and Gemini Code Assist Standard / Enterprise editions inherit this regime (both products share the Code Assist backend oncloudaicompanion.googleapis.com). Gemini CLI / Code Assist for individuals (free, signed in with a personal Google account) follows a separate privacy notice: training defaults to ON, human reviewers may read/annotate submitted code, and de-identified copies are retained for 18 months — opt-out available. Pro / Ultra subscriptions (via Google AI / Google One) follow consumer Google Terms instead.
Sources (Legal Framework)
Vertex AI is governed by the Google Cloud Platform Terms of Service [archive], the Cloud Data Processing Addendum [archive], the Vertex AI data-residency docs [archive], the Vertex AI Zero Data Retention docs [archive], and the Generative AI, Privacy, and Google Cloud whitepaper [archive]. This is a separate regime from the Gemini API direct path covered above (see the free tier and paid tier).
Training restriction is contractual. From Section 17 “Training Restriction” of the Service Specific Terms: “Google won’t use your data to train or fine-tune any AI/ML models without your prior permission or instruction.” For Vertex AI Search specifically: “customer data used in Vertex AI Search is not used to train foundation models.”
Caching is in-memory only and 24-hour-bounded. Per the Vertex AI ZDR docs: “By default, Google’s published Gemini models cache Customer Data (inputs, outputs, and derived data) in-memory to reduce latency and accelerate responses. This data is stored only in-memory (not at-rest), is isolated at the project level, and has a 24-hour TTL. Cached data … does not violate zero data retention. This feature can be disabled at the project level.”
Abuse monitoring is conditional. Per the Vertex AI ZDR docs: “Only customers whose use of Google Cloud is governed by the Google Cloud Platform Terms of Service and who don’t have an Invoiced Cloud Billing account are subject to prompt logging for abuse monitoring. If you are in scope for prompt logging for abuse monitoring and want zero data retention, you can request an exception for abuse monitoring.” Invoiced (enterprise-billed) accounts therefore avoid prompt logging by default.
Grounding services have specific 30-day retention. Per the Vertex AI ZDR docs: “For Grounding with Google Search, Google stores prompts and contextual information that customers may provide, and generated output for thirty (30) days for the purposes of creating grounded results. There is no way to disable the storage of this information if you use Grounding with Google Search. If you require zero data retention, Google recommends using Web Grounding for Enterprise.”
Data residency. Customer data at-rest can be pinned to “the U.S., Canada, Japan, Singapore, Korea, the Netherlands, France, the U.K., Germany, and Belgium” via regional or multi-regional APIs. The Cloud Data Processing Addendum and contractual data-residency commitments apply.
Fine-tuning isolation. Per the GenAI privacy whitepaper: “Your fine-tuning data is your data. In Google’s GenAI implementation for enterprise customers, the organization’s data remains in their own instance, whereas the LLM is frozen. The learning and fine-tuning of the model with customer’s data is stored separately.” Vertex AI creates a “separate tenant project for each customer project.”
Gemini CLI and Gemini Code Assist span three regimes. Per the Gemini CLI docs [archive], “Each Gemini Code Assist edition provides quotas for using the Gemini CLI” — the CLI is the terminal-facing client for the same Code Assist backend and inherits the same tier-dependent privacy split. The Gemini Code Assist privacy-notices index [archive] routes each edition to its governing terms. Standard and Enterprise editions are governed by the Google Cloud Terms of Service [archive] and the Cloud Code data-governance page [archive] — inheriting Vertex’s no-training contractual protection. Pro / Ultra subscriptions fall under the consumer Google Terms of Service [archive] plus Google One Additional Terms [archive]. Individuals (free) follows its own privacy notice [archive]: “Google collects your prompts, related code, generated output, code edits, related feature usage information, and your feedback to provide, improve, and develop Google products and services and machine learning technologies. … human reviewers may read, annotate, and process the data collected above. … storing those disconnected copies for up to 18 months.” Opt-out is available but training defaults to ON.
Mistral AI Studio
Privacy Impact: SAFE2.
- Name: Mistral AI Studio (formerly La Plateforme) — developer surface at
console.mistral.ai, API atapi.mistral.ai. The consumer chat product Le Chat is governed by separate consumer terms with different retention. Mistral models are also distributed via Amazon Bedrock and Azure AI Foundry - URL:
api.mistral.ai - Data residency: EU by default; non-EU processing only as an exception and covered by Standard Contractual Clauses GOOD0
- Retention: 30 rolling days for abuse monitoring; Zero Data Retention available OK+1
- Model retrain: No on the paid API and Le Chat Enterprise — explicitly carved out in the Privacy Policy GOOD0
- Human content review: Automated moderation only per the DPA; no routine human review described in published terms GOOD0
- Government access: France/EU jurisdiction; DSA transparency report published; DPA commits to notify customer of legal demands absent legal prohibition GOOD0
- Enterprise controls: DPA/SCCs (published, no NDA required), SOC 2 Type II, ISO 27001, ISO 27701; no published HIPAA/BAA or customer-managed keys OK+1
Sources (Legal Framework)
The Mistral AI API is governed by the Commercial Terms of Service [archive], the Privacy Policy [archive], the Data Processing Addendum [archive], and the Usage Policy [archive]. The contracting entity is Mistral AI, a French société par actions simplifiée headquartered in Paris (15 rue des Halles, 75001), registered under number 952 418 325 — placing it outside the FISA / CLOUD Act perimeter that applies to US-incorporated providers. Mistral models routed via Amazon Bedrock or Azure AI Foundry fall under those platforms’ terms instead.
No training on paid API data. From the Privacy Policy: “Please note that we do not use your Input and Output to train our artificial intelligence models when you use Le Chat Enterprise or the paid version of our APIs.” The Commercial Terms §4.2 further scopes training: it applies only to free subscriptions, Le Chat Pro, Le Chat Teams (where opt-out is available), explicit feedback submissions, automated moderation flags, or experimental “Labs Models” (which are opt-in-only and prefixed labs — “If you do not want your data or outputs used for training, do not use Labs Models.”).
30-day retention with Zero Data Retention available. From the Privacy Policy: “we keep your Input and Output for the period necessary to generate the Output and then for thirty (30) rolling days to monitor abuse (unless zero data retention is activated).” Le Chat conversations are retained until the user deletes them or the account — a distinct regime from the API.
EU-first hosting with SCCs for any exceptions. From the Privacy Policy: “We prioritize selecting providers within the European Union that strictly adhere to the GDPR. However, in exceptional cases, we may opt for non-EU providers” — in which case “we attach the most recent version of the European Commission’s Standard Contractual Clauses to all such contracts.” The Help Center adds: “encrypted backups and seamlessly replicated across multiple EU zones.” There is no explicit region-selection feature comparable to Vertex’s 10-region menu, but EU-default is the published practice and any non-EU transfer is contractually wrapped.
Government access — French/EU jurisdiction, customer-notification commitment. From the DPA §3.1: “Mistral AI shall promptly inform Customer of such legal requirement, unless prohibited to do so by applicable law and/or on important grounds of public interest.” Customer is the Data Controller; Mistral is the Processor. A DSA Transparency Report is published annually, and the EU point of contact for authorities is dsa-official@mistral.ai.
Compliance attestations. From Mistral’s Help Center: “Mistral AI complies with both SOC 2 Type II and ISO 27001/27701 frameworks.” The DPA is published (no NDA gate) and the up-to-date subprocessor list is maintained on the Trust Center at trust.mistral.ai. There is no public HIPAA/BAA program, no customer-managed encryption keys (CMEK / EKM), and no ISO 42001 (AI management system) certification as of writing.
Amazon Bedrock
Privacy Impact: SAFE1.
- Name: Amazon Bedrock — AWS’s fully-managed foundation-model service offering a unified API across providers (Anthropic, OpenAI, DeepSeek, Meta, Mistral, Amazon Nova, etc.); models are addressed via provider-prefixed IDs like
anthropic.claude-sonnet-4-... - URL:
bedrock-runtime.<region>.amazonaws.com(e.g.bedrock-runtime.eu-west-1.amazonaws.com) - Data residency: Selectable per AWS region; data stays in the chosen region GOOD0
- Retention: “Doesn’t store customer input data and model output data” by default GOOD0
- Model retrain: No — neither AWS nor third-party model providers receive customer data GOOD0
- Human content review: None — abuse detection is fully automated, no human review GOOD0
- Government access: US standard; AWS publishes an information request report GOOD+1
- Enterprise controls: AWS DPA, SOC, ISO, HIPAA/BAA, GDPR, CSA STAR Level 2, KMS / customer-managed keys, IAM, VPC endpoints GOOD0
Sources (Legal Framework)
Amazon Bedrock is governed by the AWS Service Terms [archive], the AWS Customer Agreement [archive], the AWS GDPR DPA [archive], and the Bedrock-specific Data protection [archive], Security, privacy, and responsible AI [archive], and Amazon model privacy [archive] pages. Notably, third-party models (Anthropic, Meta, Mistral, etc.) hosted on Bedrock are governed by Bedrock terms — not by each provider’s direct-API terms.
No retention, no training, no provider access. From the Bedrock Data protection page: “Amazon Bedrock doesn’t store customer input data and model output data, share the data with third-party model providers, or use the data to train models. As part of data protection, Amazon Bedrock uses a dedicated model deployment account for each model provider and deploys models within AWS. Model invocation communications stay in the AWS network. Model providers can’t access the model deployment accounts.”
Customer guarantees regardless of model. From the Bedrock Security, privacy, and responsible AI page: “No Training — Amazon Bedrock doesn’t use your prompts and completions to train any AWS models; No Distribution — AWS doesn’t distribute them to third parties; Encryption — All data is encrypted in transit using TLS 1.2.” For Amazon’s own foundation models: “prompts that AWS customers enter into Amazon FMs and outputs produced in response to Amazon FM prompts are not used to train the underlying Amazon FMs, unless a customer consents.”
Abuse detection is fully automated, no human in the loop. From the Bedrock Data protection page: “Amazon Bedrock does not store customer input data or model output data as part of its standard operations or abuse detection process … this classification and detection process is fully automated and does not involve human review or storage of user inputs or model outputs.” Exception: in extreme cases involving suspected CSAM, Bedrock may block the request and report to authorities.
Customer-controlled logging. From the Bedrock Data protection page: “You can use AWS CloudTrail to monitor API activity … You can also choose to store the metadata, requests, and responses in your Amazon Simple Storage Service (Amazon S3) bucket, as well as to Amazon CloudWatch Logs.” Logging is opt-in to the customer’s own account; Bedrock itself does not persist content.
Compliance. From the Bedrock Security, privacy, and responsible AI page: “Amazon Bedrock is in scope for common compliance standards such as Service and Organization Control (SOC), International Organization for Standardization (ISO), is HIPAA eligible, and customers can use Amazon Bedrock in compliance with the General Data Protection Regulation (GDPR). Amazon Bedrock is CSA Security Trust Assurance and Risk (STAR) Level 2 certified.”
Encryption. From the Bedrock Data protection page: “Your data in Amazon Bedrock is always encrypted in transit and at rest, and you can optionally encrypt the data using your own keys.”
Privacy Impact Framework
Lower score = less impact on your data. “Impact” rather than “Risk” because the score measures the consequence the provider’s policy authorises, not the probability of any single incident — once you send a prompt, the policy defines what may happen to it.
- Data residency: Selectable / EU (0); USA only or single Western jurisdiction (+1); Global, any country (+2); High-surveillance jurisdiction, e.g. China or Russia (+2)
- Retention of inputs/outputs: ZDR available or ≤7 days (0); ≤30 days (+1); ≤90 days (+2); >90 days, indefinite, or fed into training corpora (+3)
- Model retraining on your data: No (0); Opt-in only (+1); Yes by default with opt-out available (+5); Yes by default with no opt-out (+10)
- Human content review: None / automated abuse detection only (0); Flagged-content review only (+1); Routine review of all traffic permitted (+3)
- Government / legal access: Published transparency report + commitment to notify users (0); Standard rule-of-law process (+1); Broad authority access, no notification, no challenge mechanism (+3)
- Enterprise controls (DPA, SOC 2 / ISO 27001, BAA, ZDR option): All published (0); Partial (+1); None published (+3)
Bands: SAFE0–3 CAUTION4–8 RISKY9–14 AVOID15+
Audit a provider yourself
Paste this prompt into your research AI of choice (Perplexity, ChatGPT with web search, Claude with web search, etc.) to score any provider not listed here against the same rubric. The prompt is self-contained — it inlines the full rubric and the output format, so no additional context is needed.
Prompt
You are auditing the data-handling policies of an LLM API provider against a fixed privacy rubric. Goal: produce a section in the same format as the existing entries in this article.
Target provider: <FILL IN — e.g. "Mistral AI">
API endpoint: <FILL IN — e.g. api.mistral.ai>
For the target provider, find and quote (verbatim, with working URLs) the relevant text from its own published legal documents covering each rubric dimension below. If a document does not address a dimension, write "not addressed in published terms" — do not guess.
# 1. Locate the governing legal documents
List each with its full URL and last-updated date:
- Terms of Service / Customer Agreement / Master Subscription Agreement
- Privacy Policy
- Data Processing Addendum (DPA) — note if published vs. available only on request
- Sub-processors list
- Any AI-specific data-handling / trust / compliance page
- Any tier-dependent regime (free / trial / paid / enterprise / on-prem) — each may differ
# 2. Score each rubric dimension with a verbatim quote
For every dimension below, return: (a) the score per the rubric, (b) a verbatim quote from the provider's docs, (c) the source URL.
- Data residency: Selectable / EU (0); USA-only or single Western jurisdiction (+1); Global, any country (+2); High-surveillance jurisdiction, e.g. China or Russia (+2)
- Retention of inputs/outputs: ZDR available or ≤7 days (0); ≤30 days (+1); ≤90 days (+2); >90 days, indefinite, or fed into training corpora (+3)
- Model retraining on customer data: No (0); Opt-in only (+1); Yes by default with opt-out available (+5); Yes by default with no opt-out (+10)
- Human content review: None / automated abuse detection only (0); Flagged-content review only (+1); Routine review of all traffic permitted (+3)
- Government / legal access: Published transparency report + commitment to notify users (0); Standard rule-of-law process (+1); Broad authority access, no notification, no challenge mechanism (+3)
- Enterprise controls (DPA, SOC 2 / ISO 27001, BAA, ZDR option): All published (0); Partial (+1); None published (+3)
Privacy Impact bands: 0–3 LOW; 4–8 MEDIUM; 9–14 HIGH; 15+ CRITICAL.
# 3. Output format
Return a section in this structure:
## <Provider name>
**Privacy Impact:** <BAND> <total score> — <one-sentence verdict>
- **Name:** <legal entity, brand, country of incorporation>
- **URL:** <api hostname>
- **Data residency:** <one-line summary> [score]
- **Retention:** <one-line summary> [score]
- **Model retrain:** <one-line summary> [score]
- **Human content review:** <one-line summary> [score]
- **Government access:** <one-line summary> [score]
- **Enterprise controls:** <one-line summary> [score]
Followed by a "Legal Framework" subsection: one paragraph naming the governing documents with links, then 4–6 short paragraphs, each led by a bold one-line claim and supported by a verbatim quote with inline source attribution ("From the DPA: ...", "Per the Privacy Policy: ...", etc.).
# 4. Rules
- Only verbatim quotes from the provider's own documents. No paraphrase, no third-party assessments substituted in place of a quote.
- Every quote must include a working URL.
- If a document does not address a dimension, write "not addressed in published terms". Do not guess.
- Note the last-updated date for each document.
- Flag tier-dependent or jurisdiction-dependent differences (free vs paid, EU vs US endpoint, on-prem vs cloud).
- If the provider is an aggregator / meta-API (e.g. OpenRouter, AIHubMix), score the aggregator's own data handling and note that the effective impact = max(aggregator's own posture, chosen downstream provider's posture).