// Trust & Security Report
Hangzhou DeepSeek Artificial Intelligence Co., Ltd.
DeepSeek LLM platform with consumer chat (chat.deepseek.com), open-source models, and API platform. Products include DeepSeek V4, V3.2, V3, Coder V2, R1, Math, and VL variants.
Certifications held
0
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 12 unconfirmed / not-held certifications
source: cdn.deepseek.comNo public evidence. Privacy policy and transparency documentation contain no mention of SOC 2 Type 1 certification.
source: cdn.deepseek.comNo public evidence. Privacy policy and transparency documentation contain no mention of SOC 2 Type 2 certification.
source: cdn.deepseek.comNo public evidence. Privacy policy and model disclosure documentation contain no mention of ISO 27001 certification.
source: cdn.deepseek.comVendor appoints an Article 27 representative: 'We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative.' Policy states data is stored in China ('we directly collect, process and store your Personal Data in People's Republic of China') and offers only a generic transfer safeguard ('Where required, we will use appropriate safeguards for transferring Personal Data outside of certain countries'); no Standard Contractual Clauses or specific adequacy mechanism is named. Held=false: appointing an EU representative does not by itself establish GDPR compliance, and no compliance claim is made.
source: cdn.deepseek.comNo public evidence. No Business Associate Agreement (BAA) offered. Company privacy policy makes no mention of HIPAA compliance.
source: fedramp.govNo public evidence. DeepSeek does not hold FedRAMP certification. (AWS Bedrock may be FedRAMP authorized separately, but this is not a DeepSeek certification.)
source: deepseek.comNo public evidence. Transparency documentation and model cards do not reference ISO 42001 certification.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
China
User input may be used during optimization training phase. Users can opt out of data usage for model training. When user data is incorporated, DeepSeek applies 'secure encryption, strict de-identification, and anonymization' to make it unlinked to specific individuals. Company states it does not use data for user profiling or personalized recommendations.
// Security controls
Data Protection Standards
Commercially reasonable technical, administrative, and physical security measures claimed. No specific standards or audit certifications documented.
cdn.deepseek.comEncryption
When user input is used for training, 'secure encryption' is applied along with de-identification and anonymization. Company acknowledges 'no Internet or email transmission is ever fully secure or error free.'
cdn.deepseek.comAPI Cache Isolation
Each user's cache is isolated and logically invisible to others. Unused cache entries automatically cleared after period.
api-docs.deepseek.comContent Moderation
Technical filters automatically remove hate speech, pornography, violence, spam, or potential infringement. Combined algorithmic and manual review to identify and reduce statistical biases.
cdn.deepseek.com// Products & data scope
data: Processes user prompts and chat history. Personal data collected: username, email, phone, date of birth, device/network info, keystroke patterns.
Web and mobile versions. Data stored in China. User has right to opt-out of training data usage.
data: Processes API requests and payloads. Same data residency and training policies as consumer product.
Context caching available. Each user's cache isolated. Designed for enterprise integration but no formal compliance certifications.
data: Model weights only; no data collection in self-hosted deployment. Users responsible for their own deployment security.
Available via HuggingFace and GitHub. Self-hosting eliminates data residency concerns but compliance responsibility falls on deploying organization.
// What to watch
- CRITICAL: GDPR non-compliance risk. Data stored in China, subject to China's National Intelligence Law (compels government data access without user consent or transparency). No Standard Contractual Clauses or explicit adequacy safeguards mentioned in privacy policy.
- Not suitable for regulated industries (healthcare/HIPAA, government/FedRAMP, financial/PCI DSS) due to lack of certifications and data residency in China.
- Zero formal security certifications (no SOC 2, ISO 27001, ISO 42001, or CSA STAR). Relies on unaudited 'commercially reasonable measures' claim.
- U.S. government restrictions: DeepSeek banned from some state networks and federal agencies due to geopolitical and security concerns.
- Training data practices: Users can opt-out but opt-out mechanism and implementation details not explicitly documented. Company states it can use user input for optimization training with anonymization.
- Transparency gaps: No published security audit reports, no third-party compliance verification, no trust center with detailed controls documentation.
// At a glance
Pricing model
Freemium (consumer) + pay-per-token API pricing. Significantly cheaper than OpenAI/Anthropic.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hangzhou DeepSeek Artificial Intelligence Co., Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
cdn.deepseek.com