Registry / DeepSeek API (first-party)
DeepSeek API (first-party)
First-party API access to DeepSeek models via the DeepSeek Open Platform, operated by Hangzhou DeepSeek Artificial Intelligence Co., Ltd. Its privacy policy states personal data is collected, processed and stored in the People's Republic of China, and no public security certifications, trust center, DPA, or EU AI Act Code of Practice signature were found as of 2026-07-05.
Watch-outs 11
The cells where this offering is not a clean public yes. This is what to check before you sign.
- SOC 2 Type II: No public evidence No SOC 2 Type II report available for this first-party offering.
- ISO 27001: No public evidence No ISO/IEC 27001 certification found.
- ISO 42001: No public evidence No ISO/IEC 42001 certification found in public materials.
- Trust center: No public evidence No public trust center or compliance documentation available.
- HIPAA BAA: No public evidence No BAA offered; governed by PRC law, not US HIPAA.
- GDPR DPA: No public evidence No public DPA, SCCs, or subprocessor list; Italian DPA limited processing for Italian users.
- No-training default: No public evidence API data may be used for model training unless opted out.
- Retention / ZDR: Partial ZDR not publicly documented; retention periods vague.
- Residency: No public evidence Data processed and stored in People's Republic of China.
- GPAI Code: No public evidence Developer not on EC GPAI Code of Practice signatory list.
- Art. 53 summary: No public evidence Art. 53 training-data summary not published per EU AI Office template.
No SOC 2 Type II report, attestation announcement, or audit-report request channel was found on deepseek.com, in the DeepSeek Open Platform Terms of Service, or in the privacy policy. Web searches for "DeepSeek SOC 2" surface only third-party resellers of DeepSeek models that hold their own SOC 2 reports, which do not cover this first-party offering.
no public source
No ISO/IEC 27001 certificate, certificate number, or certification claim was found on deepseek.com or in DeepSeek's published policies. No accredited-registrar listing for Hangzhou DeepSeek Artificial Intelligence Co., Ltd. was located.
no public source
No ISO/IEC 42001 (AI management system) certification claim was found in any DeepSeek public material.
no public source
No trust center, security portal, or compliance-documentation page was found on deepseek.com or platform.deepseek.com. Public documentation is limited to legal policies hosted at cdn.deepseek.com/policies/ and API docs at api-docs.deepseek.com.
no public source
Neither the DeepSeek Open Platform Terms of Service nor the privacy policy mentions HIPAA, PHI, or a Business Associate Agreement, and no BAA request channel was found. The Open Platform ToS is governed by the laws of the People's Republic of China (mainland), with disputes heard by courts at the registered office of Hangzhou DeepSeek Artificial Intelligence Co., Ltd.
no public source
No public Data Processing Agreement, Standard Contractual Clauses, or subprocessor list was found; the Open Platform Terms of Service (release date April 22, 2026) contain no GDPR/DPA/SCC provisions. The privacy policy (last update Feb 10, 2026) does include an EEA/UK/ Switzerland section with a legal-bases table and names Prighter Group as EU/UK representative. Separately, on 30 January 2025 the Italian DPA (Garante) imposed a limitation on processing of Italian users' data by Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence (Garante press release, docweb 10097450, https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10097450).
sccs_referenced: False · eu_representative: Prighter Group ([email protected]) · public_dpa_published: False · subprocessor_list_published: False
No public commitment NOT to train on customer data by default was found; the privacy policy states the opposite. It lists Prompts/Inputs ("text input, voice input, prompt, uploaded files, photos, feedback, chat history, or other content that you provide to our model and Services") as collected data and states they are used "to improve and develop the Services and to train and improve our technology, such as our machine learning models and algorithms." The policy's rights section lists "the right to opt-out of using your Personal Data for training our models or optimizing our technologies" for all users (not only the European Region). The Open Platform Terms of Service address customers' use of Inputs/Outputs (including distillation) but do not state whether DeepSeek trains on API data. The privacy policy states it applies to DeepSeek "apps, websites, software, and related services" that link to it, excluding downstream applications built by platform developers.
tier: self_serve · route: public · default: requires_config ·
opt_out_documented: True · policy_last_update: 2026-02-10 · trains_on_inputs_by_default: True
Retention is addressed only in general terms: "We retain Personal Data for as long as necessary to provide our Services and for the other purposes set out in this Privacy Policy." No numeric retention periods are published, and no zero-data-retention option, retention configuration, or enterprise ZDR channel was found in the Open Platform Terms of Service or API documentation. Graded partial because retention is documented (vaguely) but ZDR has no public evidence.
tier: self_serve · route: public ·
zdr_available: False · retention_period_specified: False
No region-pinning or EU-residency option exists. The privacy policy (last update Feb 10, 2026) states: "To provide you with our services, we directly collect, process and store your Personal Data in People's Republic of China." It also notes: "The Personal Data we collect from you may be stored on a server located outside of the country where you live." The Italian Garante's 30 January 2025 press release (docweb 10097450) records that DeepSeek's privacy policy showed personal data stored in China.
geography: stored in People's Republic of China per policy
storage_location: People's Republic of China · policy_last_update: 2026-02-10 · region_pinning_available: False
DeepSeek (Hangzhou DeepSeek Artificial Intelligence) does not appear on the European Commission's GPAI Code of Practice signatory list, in full or for any individual chapter, as of 2026-07-05. The EC page notes the list is continuously updated as signatures are confirmed. This is a model-developer obligation; developer and platform are the same entity for this first-party offering.
geography: EU
on_signatory_list: False
No Article 53(1)(d) public training-content summary using the EU AI Office template was found on deepseek.com, api-docs.deepseek.com, or in DeepSeek model release materials. Per the EC, models placed on the market before 2 August 2025 must publish the summary by 2 August 2027; technical reports DeepSeek has published for its models are not summaries in the EU template format.
geography: EU
ec_template_reference: https://digital-strategy.ec.europa.eu/en/news/commission-presents-template-general-purpose-ai-model-providers-summarise-data-used-train-their · ec_template_reference_archived: http://web.archive.org/web/20260626080157/https://digital-strategy.ec.europa.eu/en/news/commission-presents-template-general-purpose-ai-model-providers-summarise-data-used-train-their
no public source
Spotted an error? Submit a correction with evidence, corrections with a primary source are folded in and credited in the changelog.