Does OpenAI store my data?

OpenAI's data retention depends on which product you use. The API (without zero data retention) retains inputs and outputs for 30 days. ChatGPT stores conversations by default. Enterprise plans offer zero data retention options. Check your account settings and review the Data Processing Agreement before processing sensitive data.

Which AI vendors are HIPAA compliant?

As of 2026, vendors offering HIPAA Business Associate Agreements (BAAs) include Microsoft Azure OpenAI, AWS Bedrock, and Google (Vertex AI / Workspace). OpenAI and Anthropic offer BAAs on Enterprise plans. Standard ChatGPT, Claude.ai, and consumer tiers do not cover HIPAA. Always sign a BAA before processing protected health information.

What is a Data Processing Agreement (DPA) and do I need one?

A Data Processing Agreement (DPA) is a contract between you and an AI vendor that governs how they handle personal data you submit. Under GDPR and UK GDPR, a DPA is legally required before you process personal data through a third-party AI tool. Most major vendors offer a standard DPA — check the vendor's legal or privacy portal.

Can I use AI tools if my team is subject to the EU AI Act?

Yes, but your obligations depend on how you use the AI. If you deploy a vendor's AI in a high-risk context (hiring, credit, healthcare, education) you take on compliance obligations under the EU AI Act. Using AI for internal drafting or summarisation is generally low-risk. Review each vendor's EU AI Act / GPAI compliance status before deploying in high-risk scenarios.

What does 'training opt-out' mean for AI vendors?

Training opt-out means the vendor will not use your inputs and outputs to train or improve their models. This is important for confidentiality — without opt-out, content you submit could theoretically surface in another user's output. API usage typically defaults to opt-out. Consumer products (ChatGPT free, Claude.ai free) may default to training-on unless you disable it in settings.

Tools · Vendor Scorecard

AI Vendor Governance Scorecard

Compare 15 AI vendors across 11 governance dimensions — data retention, SOC 2, HIPAA BAA, ISO 27001, EU residency, and more. Filter by vendor type, use case, and compliance requirements.

Filters

Vendor type

Use case

Minimum green checks

15 vendors

✓ = confirmed · ✗ = not available · ? = unknown

OpenAI (API)

Foundation Model

GPT-4o, o1, and DALL·E via API. The most widely deployed foundation model provider.

8/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Zero data retention available via API with opt-in header. HIPAA BAA available for eligible API customers.

Verified Apr 2026

Anthropic (Claude API)

Foundation Model

Claude 3.5 and Claude 4 via API. Strong safety focus, used widely for enterprise reasoning tasks.

5/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA✗

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

API prompts and outputs are not used for training by default. No HIPAA BAA currently offered.

Verified Apr 2026

Google (Gemini API)

Foundation Model

Gemini 1.5 and 2.0 via Vertex AI or AI Studio. Deep integration with Google Cloud.

9/10

Data retentionNone

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

EU data residency and HIPAA BAA available via Vertex AI with region selection.

Verified Apr 2026

Mistral AI (API)

Foundation Model

European-built foundation models via API. Strong EU data residency story as a French company.

5/10

Data retention30d

Training opt-out✓

EU data residency✓

SOC 2✗

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA?

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

Headquartered in Paris — EU data residency by default. SOC 2 and ISO 27001 status not publicly confirmed.

Verified Apr 2026

Cohere

Foundation Model

Enterprise-focused embeddings and generation models. Strong on retrieval and RAG use cases.

7/10

Data retention30d

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✓

ISO 27001✓

On-prem / self-host?

Data deletion on request✓

Specialises in enterprise search and RAG pipelines. HIPAA BAA available for enterprise customers.

Verified Apr 2026

Microsoft Azure OpenAI

API Platform

OpenAI models hosted on Microsoft Azure with enterprise data controls. Best for orgs already in Azure.

9/10

Data retentionNone

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Your data is not used to train OpenAI or Microsoft models by default.

Verified Apr 2026

AWS Bedrock

API Platform

Access to multiple foundation models (Claude, Titan, Mistral, Llama) via AWS with enterprise security controls.

8/10

Data retentionNone

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Model provider data policies vary — check per-model docs. HIPAA BAA available under AWS BAA.

Verified Apr 2026

ChatGPT (Consumer)

App

OpenAI's consumer chat product. Widely used by individuals and small teams for everyday AI tasks.

7/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Disable chat history in Settings to stop conversation storage. Not HIPAA-eligible — use API or Enterprise instead.

Verified Apr 2026

Claude.ai (Consumer)

App

Anthropic's consumer chat interface. Distinct governance terms from the Anthropic API.

5/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA✗

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

Consumer plan conversations may be used to improve models unless opted out. No HIPAA BAA for consumer tier.

Verified Apr 2026

Microsoft 365 Copilot

App

AI assistant integrated into Word, Excel, Teams, and Outlook. Enterprise-grade data controls.

8/10

Data retention?

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

EU Data Boundary available. Data is not used to train foundation models. Requires Microsoft 365 E3/E5 licence.

Verified Apr 2026

Cursor

App

AI-native code editor built on VS Code. Privacy Mode prevents code from being stored or used for training.

5/10

Data retention?

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✓

HIPAA BAA✗

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

Enable Privacy Mode in Settings → General to prevent code from leaving your machine for storage.

Verified Apr 2026

Notion AI

App

AI writing and Q&A features built into Notion workspaces. Add-on to existing Notion plans.

6/10

Data retention?

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

EU data hosting available. AI content is not used to train third-party foundation models. No HIPAA BAA.

Verified Apr 2026

Grammarly

App

AI writing assistant for grammar, style, and tone. Widely used across browser, desktop, and Office integrations.

5/10

Data retention?

Training opt-out✗

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Text you write may be used to improve Grammarly's models. EU data processing available via DPA. No HIPAA.

Verified Apr 2026

GitHub Copilot

App

AI code completion and chat in your IDE. Built on OpenAI models, integrated into GitHub.

5/10

Data retention?

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Org admins can disable telemetry and code snippet sharing. No HIPAA BAA.

Verified Apr 2026

Perplexity

App

AI-powered search and research assistant. Answers questions with cited web sources in real time.

1/10

Data retention90d

Training opt-out✗

EU data residency✗

SOC 2?

DPA available?

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✗

On-prem / self-host✗

Data deletion on request✓

Queries may be used to improve models. No SOC 2, DPA, or HIPAA BAA currently available.

Verified Apr 2026

Data reflects publicly available vendor documentation as of the verified date shown on each card. Verify directly with vendors before procurement decisions. See vendor analysis posts →

Tools · Vendor Scorecard

AI Vendor Governance Scorecard

Compare 15 AI vendors across 11 governance dimensions — data retention, SOC 2, HIPAA BAA, ISO 27001, EU residency, and more. Filter by vendor type, use case, and compliance requirements.

Filters

Vendor type

Use case

Minimum green checks

15 vendors

✓ = confirmed · ✗ = not available · ? = unknown

OpenAI (API)

Foundation Model

GPT-4o, o1, and DALL·E via API. The most widely deployed foundation model provider.

8/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Zero data retention available via API with opt-in header. HIPAA BAA available for eligible API customers.

Verified Apr 2026

Anthropic (Claude API)

Foundation Model

Claude 3.5 and Claude 4 via API. Strong safety focus, used widely for enterprise reasoning tasks.

5/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA✗

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

API prompts and outputs are not used for training by default. No HIPAA BAA currently offered.

Verified Apr 2026

Google (Gemini API)

Foundation Model

Gemini 1.5 and 2.0 via Vertex AI or AI Studio. Deep integration with Google Cloud.

9/10

Data retentionNone

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

EU data residency and HIPAA BAA available via Vertex AI with region selection.

Verified Apr 2026

Mistral AI (API)

Foundation Model

European-built foundation models via API. Strong EU data residency story as a French company.

5/10

Data retention30d

Training opt-out✓

EU data residency✓

SOC 2✗

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA?

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

Headquartered in Paris — EU data residency by default. SOC 2 and ISO 27001 status not publicly confirmed.

Verified Apr 2026

Cohere

Foundation Model

Enterprise-focused embeddings and generation models. Strong on retrieval and RAG use cases.

7/10

Data retention30d

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✓

ISO 27001✓

On-prem / self-host?

Data deletion on request✓

Specialises in enterprise search and RAG pipelines. HIPAA BAA available for enterprise customers.

Verified Apr 2026

Microsoft Azure OpenAI

API Platform

OpenAI models hosted on Microsoft Azure with enterprise data controls. Best for orgs already in Azure.

9/10

Data retentionNone

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Your data is not used to train OpenAI or Microsoft models by default.

Verified Apr 2026

AWS Bedrock

API Platform

Access to multiple foundation models (Claude, Titan, Mistral, Llama) via AWS with enterprise security controls.

8/10

Data retentionNone

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✓

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Model provider data policies vary — check per-model docs. HIPAA BAA available under AWS BAA.

Verified Apr 2026

ChatGPT (Consumer)

App

OpenAI's consumer chat product. Widely used by individuals and small teams for everyday AI tasks.

7/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✓

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Disable chat history in Settings to stop conversation storage. Not HIPAA-eligible — use API or Enterprise instead.

Verified Apr 2026

Claude.ai (Consumer)

App

Anthropic's consumer chat interface. Distinct governance terms from the Anthropic API.

5/10

Data retention30d

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA✗

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

Consumer plan conversations may be used to improve models unless opted out. No HIPAA BAA for consumer tier.

Verified Apr 2026

Microsoft 365 Copilot

App

AI assistant integrated into Word, Excel, Teams, and Outlook. Enterprise-grade data controls.

8/10

Data retention?

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant✓

Zero retention option✗

HIPAA BAA✓

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

EU Data Boundary available. Data is not used to train foundation models. Requires Microsoft 365 E3/E5 licence.

Verified Apr 2026

Cursor

App

AI-native code editor built on VS Code. Privacy Mode prevents code from being stored or used for training.

5/10

Data retention?

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✓

HIPAA BAA✗

ISO 27001?

On-prem / self-host✗

Data deletion on request✓

Enable Privacy Mode in Settings → General to prevent code from leaving your machine for storage.

Verified Apr 2026

Notion AI

App

AI writing and Q&A features built into Notion workspaces. Add-on to existing Notion plans.

6/10

Data retention?

Training opt-out✓

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

EU data hosting available. AI content is not used to train third-party foundation models. No HIPAA BAA.

Verified Apr 2026

Grammarly

App

AI writing assistant for grammar, style, and tone. Widely used across browser, desktop, and Office integrations.

5/10

Data retention?

Training opt-out✗

EU data residency✓

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Text you write may be used to improve Grammarly's models. EU data processing available via DPA. No HIPAA.

Verified Apr 2026

GitHub Copilot

App

AI code completion and chat in your IDE. Built on OpenAI models, integrated into GitHub.

5/10

Data retention?

Training opt-out✓

EU data residency✗

SOC 2✓

DPA available✓

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✓

On-prem / self-host✗

Data deletion on request✓

Org admins can disable telemetry and code snippet sharing. No HIPAA BAA.

Verified Apr 2026

Perplexity

App

AI-powered search and research assistant. Answers questions with cited web sources in real time.

1/10

Data retention90d

Training opt-out✗

EU data residency✗

SOC 2?

DPA available?

GPAI compliant?

Zero retention option✗

HIPAA BAA✗

ISO 27001✗

On-prem / self-host✗

Data deletion on request✓

Queries may be used to improve models. No SOC 2, DPA, or HIPAA BAA currently available.

Verified Apr 2026

Data reflects publicly available vendor documentation as of the verified date shown on each card. Verify directly with vendors before procurement decisions. See vendor analysis posts →