// Trust & Security Report

    Hangzhou DeepSeek Artificial Intelligence Co., Ltd. logo

    Hangzhou DeepSeek Artificial Intelligence Co., Ltd.

    DeepSeek LLM platform with consumer chat (chat.deepseek.com), open-source models, and API platform. Products include DeepSeek V4, V3.2, V3, Coder V2, R1, Math, and VL variants.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 12 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence. Privacy policy and transparency documentation contain no mention of SOC 2 Type 1 certification.

    source: cdn.deepseek.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence. Privacy policy and transparency documentation contain no mention of SOC 2 Type 2 certification.

    source: cdn.deepseek.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Privacy policy and model disclosure documentation contain no mention of ISO 27001 certification.

    source: cdn.deepseek.com
    ISO 27017
    NOT CONFIRMED

    No public evidence.

    source: cdn.deepseek.com
    ISO 27018
    NOT CONFIRMED

    No public evidence.

    source: cdn.deepseek.com
    ISO 27701
    NOT CONFIRMED

    No public evidence.

    source: cdn.deepseek.com
    GDPR Compliance
    NOT CONFIRMED

    Vendor appoints an Article 27 representative: 'We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative.' Policy states data is stored in China ('we directly collect, process and store your Personal Data in People's Republic of China') and offers only a generic transfer safeguard ('Where required, we will use appropriate safeguards for transferring Personal Data outside of certain countries'); no Standard Contractual Clauses or specific adequacy mechanism is named. Held=false: appointing an EU representative does not by itself establish GDPR compliance, and no compliance claim is made.

    source: cdn.deepseek.com
    HIPAA
    NOT CONFIRMED

    No public evidence. No Business Associate Agreement (BAA) offered. Company privacy policy makes no mention of HIPAA compliance.

    source: cdn.deepseek.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. DeepSeek does not hold FedRAMP certification. (AWS Bedrock may be FedRAMP authorized separately, but this is not a DeepSeek certification.)

    source: fedramp.gov
    PCI DSS
    NOT CONFIRMED

    No public evidence.

    source: cdn.deepseek.com
    ISO 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence. Transparency documentation and model cards do not reference ISO 42001 certification.

    source: deepseek.com
    CSA STAR for AI
    NOT CONFIRMED

    No public evidence.

    source: cloudsecurityalliance.org

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    China

    User input may be used during optimization training phase. Users can opt out of data usage for model training. When user data is incorporated, DeepSeek applies 'secure encryption, strict de-identification, and anonymization' to make it unlinked to specific individuals. Company states it does not use data for user profiling or personalized recommendations.

    // Security controls

    Data Protection Standards

    Commercially reasonable technical, administrative, and physical security measures claimed. No specific standards or audit certifications documented.

    cdn.deepseek.com

    Encryption

    When user input is used for training, 'secure encryption' is applied along with de-identification and anonymization. Company acknowledges 'no Internet or email transmission is ever fully secure or error free.'

    cdn.deepseek.com

    API Cache Isolation

    Each user's cache is isolated and logically invisible to others. Unused cache entries automatically cleared after period.

    api-docs.deepseek.com

    Content Moderation

    Technical filters automatically remove hate speech, pornography, violence, spam, or potential infringement. Combined algorithmic and manual review to identify and reduce statistical biases.

    cdn.deepseek.com

    Security Vulnerability Reporting

    Security contact available at security@deepseek.com

    deepseek.com

    // Products & data scope

    DeepSeek Chat (Consumer)Conversational AI / LLM

    data: Processes user prompts and chat history. Personal data collected: username, email, phone, date of birth, device/network info, keystroke patterns.

    Web and mobile versions. Data stored in China. User has right to opt-out of training data usage.

    DeepSeek API PlatformLLM API

    data: Processes API requests and payloads. Same data residency and training policies as consumer product.

    Context caching available. Each user's cache isolated. Designed for enterprise integration but no formal compliance certifications.

    Open-Source Models (V4, V3, Coder, R1, Math, VL)AI Models (Self-hosted)

    data: Model weights only; no data collection in self-hosted deployment. Users responsible for their own deployment security.

    Available via HuggingFace and GitHub. Self-hosting eliminates data residency concerns but compliance responsibility falls on deploying organization.

    // What to watch

    • CRITICAL: GDPR non-compliance risk. Data stored in China, subject to China's National Intelligence Law (compels government data access without user consent or transparency). No Standard Contractual Clauses or explicit adequacy safeguards mentioned in privacy policy.
    • Not suitable for regulated industries (healthcare/HIPAA, government/FedRAMP, financial/PCI DSS) due to lack of certifications and data residency in China.
    • Zero formal security certifications (no SOC 2, ISO 27001, ISO 42001, or CSA STAR). Relies on unaudited 'commercially reasonable measures' claim.
    • U.S. government restrictions: DeepSeek banned from some state networks and federal agencies due to geopolitical and security concerns.
    • Training data practices: Users can opt-out but opt-out mechanism and implementation details not explicitly documented. Company states it can use user input for optimization training with anonymization.
    • Transparency gaps: No published security audit reports, no third-party compliance verification, no trust center with detailed controls documentation.

    // At a glance

    Pricing model

    Freemium (consumer) + pay-per-token API pricing. Significantly cheaper than OpenAI/Anthropic.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Hangzhou DeepSeek Artificial Intelligence Co., Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cdn.deepseek.com

    > Browse all vendor trust reports