AI Provider Trust Registry evidence verified as of 2026-07-05

Registry / DeepSeek API (first-party)

DeepSeek API (first-party)

developer: DeepSeek platform: DeepSeek category: first party

First-party API access to DeepSeek models via the DeepSeek Open Platform, operated by Hangzhou DeepSeek Artificial Intelligence Co., Ltd. Its privacy policy states personal data is collected, processed and stored in the People's Republic of China, and no public security certifications, trust center, DPA, or EU AI Act Code of Practice signature were found as of 2026-07-05.

Watch-outs 11

The cells where this offering is not a clean public yes. This is what to check before you sign.

Vendor trust
SOC 2 Type II Is a SOC 2 Type II report available for this offering?
No public evidence confidence: high · verified 2026-07-05

No SOC 2 Type II report, attestation announcement, or audit-report request channel was found on deepseek.com, in the DeepSeek Open Platform Terms of Service, or in the privacy policy. Web searches for "DeepSeek SOC 2" surface only third-party resellers of DeepSeek models that hold their own SOC 2 reports, which do not cover this first-party offering.

no public source

ISO 27001 Is there an ISO/IEC 27001 certification covering this offering?
No public evidence confidence: high · verified 2026-07-05

No ISO/IEC 27001 certificate, certificate number, or certification claim was found on deepseek.com or in DeepSeek's published policies. No accredited-registrar listing for Hangzhou DeepSeek Artificial Intelligence Co., Ltd. was located.

no public source

ISO 42001 Is there an ISO/IEC 42001 (AI management system) certification?
No public evidence confidence: high · verified 2026-07-05

No ISO/IEC 42001 (AI management system) certification claim was found in any DeepSeek public material.

no public source

Trust center Is there a maintained trust center / compliance portal?
No public evidence confidence: high · verified 2026-07-05

No trust center, security portal, or compliance-documentation page was found on deepseek.com or platform.deepseek.com. Public documentation is limited to legal policies hosted at cdn.deepseek.com/policies/ and API docs at api-docs.deepseek.com.

no public source

Data handling
HIPAA BAA Will they sign a HIPAA Business Associate Agreement covering this offering?
No public evidence confidence: high · verified 2026-07-05

Neither the DeepSeek Open Platform Terms of Service nor the privacy policy mentions HIPAA, PHI, or a Business Associate Agreement, and no BAA request channel was found. The Open Platform ToS is governed by the laws of the People's Republic of China (mainland), with disputes heard by courts at the registered office of Hangzhou DeepSeek Artificial Intelligence Co., Ltd.

no public source

GDPR DPA Is there a public DPA with SCCs and a published subprocessor list?
No public evidence confidence: high · verified 2026-07-05

No public Data Processing Agreement, Standard Contractual Clauses, or subprocessor list was found; the Open Platform Terms of Service (release date April 22, 2026) contain no GDPR/DPA/SCC provisions. The privacy policy (last update Feb 10, 2026) does include an EEA/UK/ Switzerland section with a legal-bases table and names Prighter Group as EU/UK representative. Separately, on 30 January 2025 the Italian DPA (Garante) imposed a limitation on processing of Italian users' data by Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence (Garante press release, docweb 10097450, https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10097450).

sccs_referenced: False · eu_representative: Prighter Group ([email protected]) · public_dpa_published: False · subprocessor_list_published: False

source · archived copy

No-training default Is there a public commitment not to train on customer API data by default?
No public evidence confidence: high · verified 2026-07-05

No public commitment NOT to train on customer data by default was found; the privacy policy states the opposite. It lists Prompts/Inputs ("text input, voice input, prompt, uploaded files, photos, feedback, chat history, or other content that you provide to our model and Services") as collected data and states they are used "to improve and develop the Services and to train and improve our technology, such as our machine learning models and algorithms." The policy's rights section lists "the right to opt-out of using your Personal Data for training our models or optimizing our technologies" for all users (not only the European Region). The Open Platform Terms of Service address customers' use of Inputs/Outputs (including distillation) but do not state whether DeepSeek trains on API data. The privacy policy states it applies to DeepSeek "apps, websites, software, and related services" that link to it, excluding downstream applications built by platform developers.

tier: self_serve · route: public · default: requires_config ·

opt_out_documented: True · policy_last_update: 2026-02-10 · trains_on_inputs_by_default: True

source · archived copy

Retention / ZDR Is retention documented, and is zero-data-retention available?
Partial confidence: medium · verified 2026-07-05

Retention is addressed only in general terms: "We retain Personal Data for as long as necessary to provide our Services and for the other purposes set out in this Privacy Policy." No numeric retention periods are published, and no zero-data-retention option, retention configuration, or enterprise ZDR channel was found in the Open Platform Terms of Service or API documentation. Graded partial because retention is documented (vaguely) but ZDR has no public evidence.

tier: self_serve · route: public ·

zdr_available: False · retention_period_specified: False

source · archived copy

Residency Can data be pinned to a region (especially the EU)?
No public evidence confidence: high · verified 2026-07-05

No region-pinning or EU-residency option exists. The privacy policy (last update Feb 10, 2026) states: "To provide you with our services, we directly collect, process and store your Personal Data in People's Republic of China." It also notes: "The Personal Data we collect from you may be stored on a server located outside of the country where you live." The Italian Garante's 30 January 2025 press release (docweb 10097450) records that DeepSeek's privacy policy showed personal data stored in China.

geography: stored in People's Republic of China per policy

storage_location: People's Republic of China · policy_last_update: 2026-02-10 · region_pinning_available: False

source · archived copy

EU AI Act
GPAI Code Is the model developer on the EC's GPAI Code of Practice signatory list?
No public evidence confidence: high · verified 2026-07-05

DeepSeek (Hangzhou DeepSeek Artificial Intelligence) does not appear on the European Commission's GPAI Code of Practice signatory list, in full or for any individual chapter, as of 2026-07-05. The EC page notes the list is continuously updated as signatures are confirmed. This is a model-developer obligation; developer and platform are the same entity for this first-party offering.

geography: EU

on_signatory_list: False

source · archived copy

Art. 53 summary Has the model developer published the Art. 53 training-data summary?
No public evidence confidence: medium · verified 2026-07-05

No Article 53(1)(d) public training-content summary using the EU AI Office template was found on deepseek.com, api-docs.deepseek.com, or in DeepSeek model release materials. Per the EC, models placed on the market before 2 August 2025 must publish the summary by 2 August 2027; technical reports DeepSeek has published for its models are not summaries in the EU template format.

geography: EU

ec_template_reference: https://digital-strategy.ec.europa.eu/en/news/commission-presents-template-general-purpose-ai-model-providers-summarise-data-used-train-their · ec_template_reference_archived: http://web.archive.org/web/20260626080157/https://digital-strategy.ec.europa.eu/en/news/commission-presents-template-general-purpose-ai-model-providers-summarise-data-used-train-their

no public source

Spotted an error? Submit a correction with evidence, corrections with a primary source are folded in and credited in the changelog.