xAI API
xAI's first-party API for the Grok model family. Publicly claims SOC 2 Type 2 compliance and a no-training-by-default policy for API data, with a 30-day default retention window and enterprise-only zero-data-retention; formal reports sit behind an NDA-gated trust center, and EU AI Act engagement is limited to the Safety and Security chapter of the GPAI Code of Practice.
Watch-outs (8)
These are the cells where this offering is not a clean public yes; check them before you sign.
- SOC 2 Type II: Yes, sales-gated. Report access requires a signed NDA.
- ISO 27001: No public evidence. No public ISO/IEC 27001 certification evidence.
- ISO 42001: No public evidence. No ISO/IEC 42001 certification found in public materials.
- HIPAA BAA: Unclear. BAA signing is not guaranteed; an inquiry path exists.
- Retention / ZDR: Yes, sales-gated. ZDR requires an enterprise account.
- Residency: Partial. Data is processed in-region; at-rest residency is not guaranteed.
- GPAI Code: Partial. xAI's signatory status is limited to the Safety and Security chapter.
- Art. 53 summary: No public evidence. Art. 53(1)(d) summary not published for Grok models.
xAI's API security FAQ states "We are SOC 2 Type 2 compliant." The report itself is not public: the FAQ directs customers with a signed NDA to the trust center (trust.x.ai) for certification details. The compliance claim is public; the Type II report is NDA-gated.
tier: self_serve · route: trust_center_nda
No ISO/IEC 27001 claim found on x.ai/security, in the API security FAQ, or in web searches as of 2026-07-05. The FAQ lists SOC 2 Type 2, GDPR and CCPA but no ISO certifications. A certification could exist behind the NDA-gated trust center, but there is no public evidence.
no public source
No ISO/IEC 42001 (AI management system) claim found anywhere in xAI public materials as of 2026-07-05.
no public source
"xAI Trust Center" exists at trust.x.ai and is linked from the API security FAQ. The portal exists publicly, but per the FAQ, certification and governance documents require a signed NDA ("Customers with a signed NDA can refer to our Trust Center").
tier: self_serve · route: trust_center_nda
The API security FAQ tells customers to "complete our BAA Questionnaire" to inquire about HIPAA compliance and a Business Associate Agreement. A BAA intake process publicly exists, but there is no public commitment that xAI will sign a BAA, no list of HIPAA-eligible services, and no HIPAA configuration documentation. Graded unclear rather than yes: an inquiry path is not evidence of willingness to sign.
tier: enterprise_only · route: sales_contract · default: requires_approval
Public DPA covering Personal Data submitted via the API. Incorporates EU SCCs (Module 2 controller-to-processor / Module 3 processor-to-processor, governed by Irish law) with the UK Addendum and Swiss FADP modifications. A public subprocessor list is maintained at x.ai/legal/subprocessor-list with 15 days' advance notice of changes. Note: x.ai serves HTTP 403 to automated fetchers; the content was verified via search-indexed page text, and a Wayback snapshot exists.
tier: self_serve · route: public
subprocessor_list: https://x.ai/legal/subprocessor-list · subprocessor_change_notice_days: 15
API security FAQ: "xAI never trains on your API inputs or outputs without your explicit permission." No-training is the default for API traffic; opt-in is required for training use. (Consumer Grok products have different defaults; this cell covers the API offering only.)
tier: self_serve · route: public · default: enabled
Default retention is publicly documented: "API requests and responses are temporarily stored on our servers for 30 days" before automatic deletion. "Zero Data Retention (ZDR) is an enterprise feature that prevents xAI from storing any API request or response data" and is "exclusively available to enterprise accounts", hence yes_sales_gated: retention is documented publicly, but ZDR requires an enterprise relationship and is not on by default.
tier: enterprise_only · route: sales_contract · default: requires_approval
zdr_tier: enterprise_only · default_retention_days: 30
Regional endpoints are publicly documented: the default api.x.ai routes to the lowest-latency region, and requests can be pinned to a region via https://<region-name>.api.x.ai (e.g. eu-west-1 for Europe). This is in-region request processing, not a full at-rest residency guarantee: for stricter requirements (data at rest in a specific region) the docs direct customers to [email protected], with possible additional cost. Direct fetch of the docs page was blocked (verified via search-indexed text and a Wayback snapshot), hence medium confidence. [source updated 2026-07-05] The dedicated regions doc page (docs.x.ai/developers/regions) now returns 404 after a docs restructure; the eu-west-1.api.x.ai endpoint remains live (confirmed), and the evidence is retained in the archived snapshot. The live source has been repointed to the docs root pending the relocated page URL.
tier: self_serve · route: public · default: requires_config · geography: EU endpoint available (eu-west-1)
eu_endpoint: https://eu-west-1.api.x.ai
xAI appears on the European Commission's GPAI Code of Practice signatory list, but only for the Safety and Security chapter. Per the EC page: "xAI signed up to the Safety and Security Chapter; this means that it will have to demonstrate compliance with the AI Act's obligations concerning transparency and copyright via alternative adequate means." Applies to xAI as model developer (provider obligation).
route: public · geography: EU
chapters_signed: ['safety_and_security'] · chapters_not_signed: ['transparency', 'copyright']
No public training-data summary using the EC's Article 53(1)(d) template (published July 2025) was found for Grok models as of 2026-07-05. xAI did not sign the Transparency chapter of the GPAI Code of Practice, and in December 2025 sued to invalidate California's Training Data Transparency Act, arguing training-data disclosure reveals trade secrets, consistent with no EU summary being published. Grok model cards (e.g. data.x.ai Grok 4 model card) describe training data only at a high level and do not follow the EU template.
geography: EU
no public source
Spotted an error? Submit a correction with evidence; corrections with a primary source are folded in and credited in the changelog.