Which AI APIs do not train on your data?

Major API providers including OpenAI, Anthropic, Google (Vertex AI), and Azure OpenAI do not train on API inputs by default. The consumer apps (ChatGPT, Gemini, Claude.ai in a browser) have different policies. Use the selector above to filter by no-training plus DPA, zero-retention, and EU residency.

Do I need a DPA to use an AI API under GDPR?

Yes. If you send personal data to an AI API, the provider is your processor and you need a signed Data Processing Agreement under GDPR Article 28. Most major providers offer one. CCPA similarly requires a service-provider contract to keep the provider out of sale/sharing rules.

What is zero data retention for an AI API?

Zero data retention means the provider does not store your prompts or outputs after processing the request. It is offered by some providers as an opt-in configuration, often for eligible enterprise customers, and is the strongest privacy posture for sensitive data.

Tools · Privacy-First AI API Selector

Which AI APIs don't train on your data?

Filter API providers by the privacy terms that actually matter for GDPR and CCPA — no training, signable DPA, zero retention, EU residency, deletion on request. Verified from provider docs.

Filter by privacy requirement

7 of 7 API providers match

Anthropic (Claude API)

Claude 3.5 and Claude 4 via API. Strong safety focus, used widely for enterprise reasoning tasks.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: No
EU residency: No
Delete on request: Yes
Retention: 30 days

API prompts and outputs are not used for training by default. No HIPAA BAA currently offered.

AWS Bedrock

Access to multiple foundation models (Claude, Titan, Mistral, Llama) via AWS with enterprise security controls.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: Yes
EU residency: Yes
Delete on request: Yes
Retention: None (0 days)

Model provider data policies vary — check per-model docs. HIPAA BAA available under AWS BAA.

Microsoft Azure OpenAI

OpenAI models hosted on Microsoft Azure with enterprise data controls. Best for orgs already in Azure.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: Yes
EU residency: Yes
Delete on request: Yes
Retention: None (0 days)

Your data is not used to train OpenAI or Microsoft models by default.

Cohere

Enterprise-focused embeddings and generation models. Strong on retrieval and RAG use cases.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: No
EU residency: Yes
Delete on request: Yes
Retention: 30 days

Specialises in enterprise search and RAG pipelines. HIPAA BAA available for enterprise customers.

Google (Gemini API)

Gemini 1.5 and 2.0 via Vertex AI or AI Studio. Deep integration with Google Cloud.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: Yes
EU residency: Yes
Delete on request: Yes
Retention: None (0 days)

EU data residency and HIPAA BAA available via Vertex AI with region selection.

Mistral AI (API)

European-built foundation models via API. Strong EU data residency story as a French company.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: No
EU residency: Yes
Delete on request: Yes
Retention: 30 days

Headquartered in Paris — EU data residency by default. SOC 2 and ISO 27001 status not publicly confirmed.

OpenAI (API)

GPT-4o, o1, and DALL·E via API. The most widely deployed foundation model provider.

verified 2026-04-10

No training: Yes
DPA: Yes
Zero retention: Yes
EU residency: No
Delete on request: Yes
Retention: 30 days

Zero data retention available via API with opt-in header. HIPAA BAA available for eligible API customers.

Read the full privacy-first API guide →Full vendor scorecard →

Choosing an AI API that respects data privacy

The single most important distinction is between an API and a consumer app. A developer calling the OpenAI or Anthropic API is in a different privacy position than an employee typing into ChatGPT or Claude.ai in a browser tab. Since March 2023, the major providers do not train on API data by default, but consumer products often do unless you opt out.

For GDPR or CCPA compliance, three terms matter most: whether the provider trains on your data, whether a signable Data Processing Agreement is available, and whether you can configure zero data retention for sensitive inputs. The selector above filters live, verified data on each of these so you can shortlist providers in seconds rather than reading a dozen privacy policies.

For the full explanation of each term, the three contract clauses to insist on, and provider-by-provider detail, read the privacy-first AI API guide.

Choosing an AI API that respects data privacy

For the full explanation of each term, the three contract clauses to insist on, and provider-by-provider detail, read the privacy-first AI API guide.

Which AI APIs don't train on your data?

Filter by privacy requirement

Anthropic (Claude API)

AWS Bedrock

Microsoft Azure OpenAI

Cohere

Google (Gemini API)

Mistral AI (API)

OpenAI (API)

Get notified when a provider changes its data policy

Choosing an AI API that respects data privacy

Which AI APIs don't train on your data?

Filter by privacy requirement

Anthropic (Claude API)

AWS Bedrock

Microsoft Azure OpenAI

Cohere

Google (Gemini API)

Mistral AI (API)

OpenAI (API)

Get notified when a provider changes its data policy

Choosing an AI API that respects data privacy