Do I need a DPA to use an AI API under GDPR?

Yes, if you are sending any data about EU residents (names, emails, IP addresses, user prompts that identify people) to an AI API provider, you need a Data Processing Agreement (DPA). All major providers offer one: Anthropic, OpenAI, Azure, Google, Mistral. Without a signed DPA, you are in breach of GDPR Article 28 regardless of whether the provider trains on your data.

Does OpenAI API train on my data?

By default since March 2023, OpenAI does not train foundation models on API data. You still need a DPA for GDPR compliance. The opt-out from training applies automatically to API usage, but not to ChatGPT consumer products. Confirm via your API settings dashboard that training opt-out is active, and sign the DPA at platform.openai.com/privacy.

What data should never be sent to any AI API?

Special-category data under GDPR Article 9: health records, biometric identifiers, political opinions, racial or ethnic origin, religious beliefs, sexual orientation. This data requires explicit consent and has heightened obligations that most AI API DPAs do not cover. Also avoid: social security numbers, payment card data (PCI scope), and data about children under 13/16 depending on jurisdiction.

Is CCPA compliance different from GDPR for AI APIs?

CCPA focuses on sale and sharing of personal information. Sending data to an AI API is typically a 'service provider' relationship, not a sale, if you have a service provider agreement in place. Under CCPA, you need a written service provider contract that prohibits the provider from using the data for their own business purposes. Most enterprise AI API agreements include this. Key difference from GDPR: CCPA does not require a DPA by that name, but requires a service provider addendum with equivalent restrictions.

Privacy-First AI APIs: 5 That Won't Train o…

Q: Which AI APIs do not train on your data?

Anthropic Claude API does not train on prompts or outputs by default, confirmed in their usage policy. Azure OpenAI Service does not use customer data to train foundation models. Google Vertex AI (Gemini API via Vertex) does not train on customer data. OpenAI API does not train on API data by default since March 2023, but you must sign a DPA if you are processing EU personal data. Mistral AI's API (EU-hosted in France) does not train on customer data. Consumer-facing products (ChatGPT free, Claude.ai free) have different policies.

Server rack and data storage infrastructure, AI API data handling policies determine whether your prompts are used to train future models and how long your data is retained

Five AI APIs do not train on your data by default and provide GDPR-compliant Data Processing Agreements in 2026: Claude API (Anthropic), Azure OpenAI Service (Microsoft), Vertex AI (Google Cloud), OpenAI API (direct, since March 2023), and Mistral AI. All five offer self-serve DPA downloads, no sales contact required. For EU data residency with no Standard Contractual Clauses required, use Azure OpenAI or Mistral; data stays inside the EU.

Updated May 2026: Expanded DPA comparison table to include zero-retention options and SCCs status. Added CCPA service provider agreement section. Verified Anthropic 30-day retention policy and Mistral EU-native hosting status.

In short: A privacy-first AI API does not train on your prompts or outputs by default, provides a GDPR-compliant Data Processing Agreement, and gives you contractual control over data retention. In 2026, five providers meet all three criteria: Claude API, Azure OpenAI Service, Vertex AI (Google Cloud), OpenAI API, and Mistral AI.

Compare all 15 vendors interactively. This page covers the top five. The AI Vendor Scorecard lets you filter every major AI API by no-training default, EU data residency, retention window, and DPA availability, then build a shortlist for your own DPA requests. It is the fastest way to find the provider that fits your exact compliance constraints.

Five AI APIs that do not train on your data and meet GDPR requirements:

Provider	No training?	GDPR-safe by default?	EU hosting?	Self-serve DPA
Claude API (Anthropic)	✅ Yes	✅ Yes	❌ US + SCCs	privacy.anthropic.com/dpa
Azure OpenAI Service	✅ Yes	✅ Yes	✅ EU regions	Microsoft DPA
Vertex AI (Google Cloud)	✅ Yes	✅ Yes	✅ EU regions	Google Cloud DPA
OpenAI API (direct)	✅ Yes (since Mar 2023)	✅ Yes (sign DPA first)	❌ US + SCCs	platform.openai.com/privacy
Mistral AI API	✅ Yes	✅ Yes, EU-native, no SCCs needed	✅ France/EU	mistral.ai/terms/dpa

Avoid for any business data: ChatGPT (consumer), Claude.ai (free/Pro), and Google AI Studio train on data by default and offer no DPA.

When your team sends prompts to an AI API, you are a data controller. The provider is a data processor. GDPR and CCPA apply the moment any prompt contains information about an identifiable person. The question is not whether your API provider trains on your data, it is whether you have the right contracts, the right settings, and the right data hygiene in place.

This guide covers: Which AI APIs do not train on your data (with full comparison table) • Claude API, Azure OpenAI, OpenAI API, Mistral, Google Vertex AI, data handling details • The 3 contract clauses that determine GDPR compliance • CCPA service provider agreement requirements • Copy-paste DPA request email template • DPA checklist (10 items) • What data should never go into any AI API prompt • Quick decision guide for choosing your API

This guide maps the major AI APIs by default data-training behavior, lists the three contract clauses that matter, and gives you a DPA checklist you can use today.

Which AI APIs Do Not Train on Your Data by Default

The table below covers the major AI APIs in 2026. Save or bookmark it, this is the reference your team will check before signing up for a new provider.

Provider	Trains on API data?	GDPR DPA available?	EU hosting option	Zero-retention	Self-serve DPA
Anthropic Claude API	No	✅ Yes + SCCs	No (US + SCCs)	Yes (enterprise)	privacy.anthropic.com/dpa
Azure OpenAI Service	No	✅ Yes (MSDPA + SCCs)	✅ EU regions	0-day default	microsoft.com/licensing
Google Vertex AI (Gemini)	No	✅ Yes + SCCs	✅ EU regions	Yes	cloud.google.com/terms/dpa
OpenAI API (direct)	No (since Mar 2023)	✅ Yes + SCCs	No (US + SCCs)	0-day available	platform.openai.com/privacy
Mistral AI API	No	✅ Yes, no SCCs needed	✅ France/EU only	Yes	mistral.ai/terms/dpa
Amazon Bedrock	No	✅ Yes (AWS DPA)	✅ EU regions (eu-west-1, eu-central-1)	Configurable	aws.amazon.com/compliance/gdpr-center
Cohere API	No (enterprise tier)	⚠️ Enterprise only	✅ EU available	On request	Contact sales
AI21 Labs API	No	⚠️ Enterprise only	No (US only)	Not confirmed	Contact sales
Perplexity API	No	⚠️ Weak DPA	No (US only)	Not confirmed	Basic terms; review before use
Groq API	No	⚠️ Minimal, no SCCs	No (US only)	Not confirmed	Basic ToS only
Together AI API	No	⚠️ Enterprise only	No (US only)	Not confirmed	Enterprise DPA available
Replicate API	Unclear	⚠️ No enterprise DPA	No (US only)	Not confirmed	No DPA, avoid for personal data
Hugging Face Inference API	Unclear	⚠️ Enterprise only	✅ EU available	Enterprise only	huggingface.co/privacy
xAI / Grok API	Unclear	❌ No enterprise DPA	No (US only)	Not confirmed	No DPA, avoid for personal data
ChatGPT (consumer)	Yes (by default)	❌ No	N/A	N/A	Not available
Claude.ai (free/Pro)	May be used for safety	❌ No	N/A	N/A	Not available
Google AI Studio	Yes (by default)	❌ No	N/A	N/A	Not available
Perplexity.ai (consumer)	Yes (by default)	❌ No	N/A	N/A	Not available

Critical distinction: API and consumer products have completely different policies. A developer using the Claude API is in a different compliance position than an employee using Claude.ai in a browser tab. The API is the safe path for business data.

For EU teams with strict data residency needs: Azure OpenAI (EU regions) or Mistral AI are the strongest options, data never leaves the EU, no SCC transfer mechanism required.

Anthropic Claude API

Claude API does not use prompts or completions to train models. This is stated in Anthropic's API usage policy and backed by the DPA Anthropic provides for enterprise customers. Retention: Anthropic stores API inputs and outputs for up to 30 days for abuse detection, then deletes them. Zero-retention is available on request for enterprise agreements.

GDPR gap: Anthropic processes data in the US. If you send EU personal data, you need standard contractual clauses (SCCs) in addition to the DPA. The Anthropic DPA includes SCCs.

Azure OpenAI Service

Microsoft does not train OpenAI models or its own models on customer data submitted to Azure OpenAI. Data is processed within the Azure region you select. EU customers can choose EU-based regions (West Europe, North Europe, Sweden Central) for data residency.

GDPR advantage: As part of the Microsoft cloud, Azure OpenAI is covered by the Microsoft Products and Services DPA (MSDPA), which is GDPR Article 28 compliant and includes EU SCCs and UK IDTA. This is the most mature DPA structure of the major providers.

OpenAI API (direct)

Since March 2023, OpenAI does not train on API data by default. You do not need to opt out. However, OpenAI processes data in the US, and you must sign a DPA at platform.openai.com/privacy to be GDPR compliant. The DPA includes SCCs.

Practical step: Log into your OpenAI account, go to Settings > Privacy, confirm "Improve model for everyone" is disabled. This setting should be off for API users by default, but verify it.

Mistral AI API

Mistral is headquartered in Paris and operates infrastructure in the EU. API data is not used for training. For EU-based small teams, Mistral is often the cleanest option from a data residency standpoint since no SCC transfer mechanism is needed for EU-to-EU data flows.

Amazon Bedrock

Amazon Bedrock does not use customer data to train or improve the foundation models available in the service. This is stated in the AWS Customer Agreement and Bedrock service terms. Bedrock is available in EU regions (eu-west-1 Ireland, eu-central-1 Frankfurt), making it viable for teams with EU data residency requirements.

AWS GDPR DPA: Available at aws.amazon.com/compliance/gdpr-center. Covers all AWS services including Bedrock. If your organization already has an AWS account with the DPA in place, Bedrock is automatically covered.

Practical note: Bedrock hosts third-party foundation models (Anthropic Claude, Meta Llama, Mistral, Cohere) as well as Amazon's own models (Titan, Nova). The no-training policy applies to Bedrock's processing, the models themselves have their own training histories, but your API calls do not contribute to future training.

Google Vertex AI

Vertex AI (the enterprise route to Gemini models) does not train on customer data. This is separate from Google AI Studio, which has different terms. If your team is using the Gemini API, confirm they are going through Vertex AI under your Google Cloud account, not Google AI Studio with a personal Google account.

Data Retention Periods by Provider

The comparison table covers training policy. This one covers how long your data actually sits on each provider's servers before deletion.

Provider	Default retention	Zero-retention option	How to verify
Anthropic Claude API	30 days (inputs/outputs stored for trust & safety review)	Yes, available in enterprise DPA addendum	console.anthropic.com → Settings → Privacy
OpenAI API (direct)	0 days, API data is not retained after the response by default	N/A (already zero)	platform.openai.com → Settings → Data Controls
Azure OpenAI Service	0 days by default, prompts/completions not stored unless content logging enabled	N/A (already zero; logging opt-in only)	Azure Portal → Azure OpenAI → Deployments → Content Logging
Google Vertex AI	0 days for prompts, not stored after response	Configurable via Cloud Logging	Cloud Console → Vertex AI → Data Governance
Mistral AI API	Up to 30 days maximum (stated in DPA)	On request for enterprise contracts	mistral.ai account settings
Amazon Bedrock	0 days for model inference by default	Configurable per model invocation	AWS Bedrock console → Model Settings

The critical distinction on OpenAI: 0-day API retention applies only to the API product. The ChatGPT.com consumer product retains conversations by default. If your team uses both, the policies are different. Verify which product each team member is accessing.

Sub-Processor Disclosure: Who Your Data Actually Reaches

Under GDPR Article 28(2), you must know and approve every sub-processor your data processor uses. AI providers are required to disclose sub-processors and give advance notice of changes. Not all do this well.

Provider	Primary sub-processors	Sub-processor list	Change notice
Anthropic	Amazon Web Services (US hosting), Google Cloud (infrastructure)	anthropic.com/legal/privacy	10 days (DPA)
OpenAI API	Microsoft Azure (compute and storage), Oracle Cloud Infrastructure	openai.com/policies/subprocessors	30 days
Azure OpenAI	Microsoft affiliates only, no third-party AI infrastructure sub-processors	microsoft.com/licensing → DPA Appendix	6 months
Google Vertex AI	Google LLC, Google Ireland Ltd., Google Singapore Pte. Ltd.	cloud.google.com/terms/subprocessors	30 days
Mistral AI	OVHcloud (EU hosting), Scaleway (EU compute)	mistral.ai/terms	14 days
Amazon Bedrock	Amazon Web Services affiliates (entity varies by region)	aws.amazon.com/compliance/subprocessors	90 days

What to do: Subscribe to each provider's sub-processor change notification. Most offer an email list or RSS feed. When a new sub-processor is added, especially in a new jurisdiction, you have a defined window to review and object. If the new sub-processor is in a country without an EU adequacy decision and no alternative transfer mechanism is offered, that is a material change to your compliance posture.

Lock icon over a network diagram, sub-processor disclosure determines which third parties receive your data when you call an AI API

How to Verify Your Settings Are Correct

The table above tells you what the policy is. These steps verify your account settings are actually configured to match.

Anthropic Claude API

Log into console.anthropic.com
Go to Settings → Privacy & Data
Confirm usage feedback is disabled for your organization
Enterprise customers: verify the zero-retention addendum is part of your signed DPA (contact support if you are unsure)

OpenAI API

Log into platform.openai.com
Go to Settings → Organization → Data Controls
Confirm "Improve model for everyone" is OFF, this should be automatic for API users, but verify it
Optional: confirm conversation history is disabled under your organization's API settings

Azure OpenAI Service

Log into portal.azure.com → Azure OpenAI
Confirm your resource is deployed in an EU region if EU data residency is required (West Europe, North Europe, Sweden Central)
Open Azure OpenAI Studio → Deployments and confirm content logging is not enabled (it is off by default)
No training opt-out needed, Azure OpenAI does not retain inference data by default

Google Vertex AI

Log into console.cloud.google.com → Vertex AI
Confirm your project is in an EU region (europe-west1 Belgium, europe-west4 Netherlands)
Check Cloud Logging settings, Vertex AI logs prompt metadata for debugging by default; disable if your policy requires no log storage
Verify your project is billed under a Google Cloud account with a signed DPA (not Google AI Studio with a personal account)

Mistral AI API

Log into console.mistral.ai
Review account settings for any data retention toggles
Confirm no EU-to-non-EU data transfers in your API call routing (all Mistral infrastructure is EU-based)
DPA: confirm acceptance in account settings; the DPA auto-applies to commercial accounts

The Three Contract Clauses That Matter

When reviewing any AI API agreement for GDPR or CCPA compliance, look for these three clauses.

1. No secondary use for training

The agreement must state that the provider will not use your data to train, improve, or develop AI models. "Train" should be defined broadly to include fine-tuning, RLHF, and evaluation datasets. Generic phrases like "we may use data to improve services" are not sufficient.

Look for: "Provider will not use Customer Data to train, retrain, fine-tune, or improve foundation models."

2. Sub-processor list and notification obligation

GDPR requires you to know who your processor shares data with. The agreement must include a sub-processor list (or a link to a maintained list) and a notification period (typically 30 days) before new sub-processors are added.

Look for: "Provider will notify Customer at least 30 days before adding new sub-processors."

3. Deletion on request and at termination

You must be able to delete your data. The agreement must commit to deleting data within a reasonable period on request, and at contract termination.

Look for: "Provider will delete or return all Customer Data within 30 days of termination."

CCPA: Service Provider Agreement Requirement

Under CCPA, sending personal information to an AI API is typically classified as a disclosure to a service provider, not a sale. This avoids the "Do Not Sell" obligations. But you must have a written service provider agreement that prohibits the provider from:

Retaining, using, or disclosing the personal information for any purpose other than performing the service
Retaining, using, or disclosing the information for commercial purposes outside of providing the service
Selling the personal information

Most major AI API enterprise agreements include these prohibitions. Check that your agreement is for the API product, not the consumer product.

California residents test: If any of your prompts could contain information about California residents (including your own employees or customers in California), CCPA service provider requirements apply.

DPA Request Email Template (Copy-Paste Ready)

Compliance checklist on paper, use the DPA email template below before sending personal data to any AI API provider

Send this to your AI API vendor's sales or legal contact before you commit to any plan involving personal data. Replace the bracketed fields and send.

Subject: Data Processing Agreement Request, [Your Company Name]

Hello,

We are evaluating [Provider Name] API for use in our [describe use case: e.g., customer support automation / internal document processing / HR workflow].

Before we proceed, we need to confirm our data processing arrangements under GDPR and [CCPA / applicable state privacy law].

Please provide the following:

1. Data Processing Agreement (DPA) including:
   - Confirmation that you will not use our data to train, fine-tune, or improve AI models
   - Sub-processor list with names and locations
   - Data retention period and deletion timeline on request and at termination
   - EU Standard Contractual Clauses (if you process outside the EU) or equivalent transfer mechanism

2. Confirmation that our plan tier includes the DPA (some providers only offer DPAs on enterprise plans)

3. Your data residency options, specifically whether we can restrict processing to EU-based infrastructure

4. Zero-retention or short-retention options, whether we can reduce the standard retention window

We process data about [EU residents / California residents / employees / customers, describe your situation]. Our planned go-live is [date].

Please send the DPA and any related documentation to [your email], or direct us to your self-serve DPA process if available.

Thank you,
[Your name]
[Title]
[Company]

Where to find self-serve DPAs (no email needed):

Anthropic: privacy.anthropic.com/dpa
OpenAI: platform.openai.com → Settings → Privacy → Data Processing Agreement
Microsoft Azure: Microsoft Products and Services DPA at microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Google Cloud: admin.google.com → Account → Legal (for Workspace) or cloud.google.com/terms/data-processing-addendum

DPA Checklist for AI APIs

Before sending personal data to any AI API:

What Data Should Never Go into Any AI API Prompt

Regardless of which provider you use or how good their DPA is, avoid sending:

Always exclude:

Social Security Numbers or national ID numbers
Payment card numbers (PCI scope, separate obligation)
Health information covered by HIPAA or EU health data rules
Biometric data (voiceprints, facial recognition data)
Data about children under 13 (COPPA) or 16 (GDPR)

Handle with caution:

Full names combined with email addresses or job titles (identifiable)
IP addresses in system prompts (personal data under GDPR)
Employee performance data
Legal advice or attorney-client privileged material

The safest prompt engineering practice: replace personal identifiers with tokens before sending to the API, and map them back to real data after receiving the response.

Quick Decision Guide

If your team is EU-based and data residency is a hard requirement: Use Azure OpenAI (EU regions) or Mistral AI. Both process in the EU and have mature GDPR DPAs.

If your team is US-based and you want the simplest compliance path: Anthropic Claude API or OpenAI API with a signed DPA. Both have clean no-training policies and provide SCCs for EU data flows.

If you are processing health data or other special-category data: None of the standard AI API DPAs are designed for this. You need legal advice and likely a Business Associate Agreement (BAA) in the US, which only a handful of providers offer.

If you are using consumer products (ChatGPT, Claude.ai, Gemini): These are not compliant paths for processing personal data in a business context. Switch to the API or enterprise product.

Check your provider's DPA directly, terms change. Links: Anthropic DPA, OpenAI DPA, Azure DPA, Mistral DPA, Google Cloud DPA.