Mistral La Plateforme
Mistral AI's first-party API platform (La Plateforme / AI Studio) for serving and fine-tuning Mistral models. French provider with EU hosting by default, a public DPA with SCCs and subprocessor list, SOC 2 Type II / ISO 27001 attestations gated behind its trust center, and full GPAI Code of Practice signatory status.
Watch-outs 7
The cells where this offering is not a clean public yes. This is what to check before you sign.
- SOC 2 Type II: Yes, sales-gated. Report requires sales engagement; audit scope/period not public.
- ISO 27001: Yes, sales-gated. ISO 27001 scope & certificate require Trust Center access.
- ISO 42001: No public evidence. No ISO/IEC 42001 certification evidence found.
- HIPAA BAA: No public evidence. No public evidence they sign HIPAA BAA for shared API.
- No-training default: Partial. Free-tier API usage is opted in for training by default.
- Retention / ZDR: Yes, sales-gated. ZDR requires Scale plan, support request, and Mistral approval for stateless endpoints only.
- Art. 53 summary: Unclear. Art. 53 summary not publicly verifiable; IP protection limits disclosure.
Help center states Mistral "complies with SOC 2 Type II and ISO 27001/27701 frameworks"; the report itself is not public and must be requested via the Trust Center (trust.mistral.ai/resources). Exact audit scope/period not publicly stated.
tier: self_serve · route: trust_center_nda
Same help-center source claims ISO 27001/27701 compliance; certificate and scope statement gated behind Trust Center document request. Certificate body and scope not publicly visible.
tier: self_serve · route: trust_center_nda ·
also_claimed: ISO 27701
No ISO/IEC 42001 claim found on help.mistral.ai, trust.mistral.ai, or mistral.ai as of verification date. Only SOC 2 Type II and ISO 27001/27701 are claimed.
no public source
Maintained trust center exists (SafeBase-style portal, JS-rendered). Portal is public; compliance documents (SOC 2 report etc.) require an access request. Referenced from the DPA and help center as the canonical source for security posture and subprocessors.
tier: self_serve · route: public ·
resources: https://trust.mistral.ai/resources · subprocessor_list: https://trust.mistral.ai/subprocessors
No public statement that Mistral will sign a HIPAA BAA covering La Plateforme, and no HIPAA article in the help-center compliance collection. Marketing (mistral.ai/solutions) mentions "HIPAA-compliant solutions" for healthcare without specifying deployment mode; this most plausibly refers to on-premise/private-cloud deployments, not the shared API.
no public source
Public DPA covering all "Mistral AI Products" (includes La Plateforme API), incorporating EU SCCs and linking a published subprocessor list with email change notifications. French entity, natively subject to GDPR.
tier: self_serve · route: public · default: enabled ·
sccs: incorporated (DPA sect. 8.2 references SCC Module 4 for customers in restricted countries) · subprocessor_list: https://trust.mistral.ai/subprocessors · subprocessor_change_notice: 10-day objection window via subscription · post_termination_deletion_days: 30
Not a blanket no-training commitment for the whole platform: paid (Scale) API customers are opted out of training by default, but free-tier API usage is opted IN by default and requires a manual console toggle to opt out. DPA confirms Mistral acts as controller for training unless the customer opted out or uses a product opted out by default.
tier: self_serve · route: public · default: requires_config ·
free_api_tier: data used to improve services by default; opt-out toggle in Admin Console (Privacy > Anonymous improvement data) · paid_scale_plan: opted out of training by default
Retention is publicly documented (30 rolling days for stateless API abuse monitoring). ZDR exists but is gated: Scale plan only, request via support with justification, approved at Mistral's discretion, and covers only stateless endpoints; stateful features remain out of ZDR scope even after approval. Approved status is visible in Admin Console Privacy settings.
tier: enterprise_only · route: sales_contract · default: requires_approval ·
zdr_plan: Scale plan only · zdr_scope: stateless endpoints only (chat/fim completions, embeddings, moderations, classifications, OCR, audio) · zdr_excluded: stateful products (agents, conversations, libraries, batch, Files API, Le Chat) · retention_basis: rolling abuse-monitoring window for inputs/outputs (help article 347628) · agents_api_retention: inputs/outputs kept until account termination · fine_tuning_retention: kept until customer deletes or terminates account · default_retention_days: 30
EU hosting is the default (no configuration needed), a genuine differentiator for a first-party API. Caveats: specific EU country/cloud provider not named, and data may be temporarily transferred to non-EU subprocessors (listed in Trust Center) under SCCs; enterprise customers can disable certain features involving non-EU transfers.
tier: self_serve · route: public · default: enabled · geography: EU default, optional US endpoint
us_option: explicit US API endpoint hosts data in the United States · default_region: European Union
Mistral AI appears on the European Commission's GPAI Code of Practice signatory list with no chapter limitation. Mistral was among the first signatories (July 2025). Developer-level obligation; applies to Mistral as GPAI model provider.
route: public · geography: EU
chapters: all (no qualifying notation, unlike xAI's Safety-and-Security-only entry)
Mistral runs an AI Governance hub with per-model documentation (downloadable zip per model, e.g. Mistral Large 3.0), positioned as its AI Act compliance hub. However, no public web page matching the EC Art 53(1)(d) training-content summary template was directly verifiable, and a help-center article (347390) states Mistral does not disclose its training datasets to protect IP. The template summary may be inside the downloadable model documentation, but this could not be confirmed from page content. Needs human verification of the zip contents.
route: public · geography: EU
governance_hub: https://legal.mistral.ai/ai-governance/models