// Trust & Security Report

    xAI Corp logo

    xAI Corp

    Grok (Chat, Build, Imagine, Voice, Grokipedia), xAI API, Grok for Business/Enterprise, Grok for Government

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    We are SOC 2 Type 2 compliant.

    Verify on docs.x.ai
    ISO 27001
    HELD

    Not asserted on xAI's public security FAQ or marketing pages reviewed. xAI directs GDPR/certification detail to its gated Trust Center (trust.x.ai), accessible only after a signed NDA, so additional certs cannot be confirmed from public sources.

    Verify on docs.x.ai
    ISO 42001
    HELD

    Not mentioned in any public xAI page reviewed.

    Verify on docs.x.ai
    HIPAA (via BAA)
    HELD

    xAI offers a Business Associate Agreement Questionnaire at x.ai/legal/baa and reviews responses for HIPAA eligibility; a BAA path exists but HIPAA is not a certification and eligibility is gated/case-by-case.

    Verify on docs.x.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Data residency options offered to enterprise customers (per xAI marketing); specific regions not publicly enumerated.

    Training behavior differs sharply by product. API: 'xAI never trains on your API inputs or outputs without your explicit permission' and enterprise accounts can enable Zero Data Retention (ZDR) so prompts/completions are never persisted. Enterprise terms: xAI 'shall not use any User Content to train any foundation models, large language models, or other artificial intelligence systems.' Consumer grok.com: defaults to NOT using conversations for training (opt-in via Settings > Data > 'Improve the Model'); Private Chat mode is excluded from training and deleted within 30 days. Grok on X (X/Twitter integration): training is opt-IN by default, i.e. user content is used for model training automatically unless the user disables it in settings. Net: the consumer Grok-on-X surface trains on user data by default, while API/enterprise do not.

    // Security controls

    Bug bounty program

    Yes, via HackerOne (hackerone.com/x); also accepts reports at vulnerabilities@x.ai. Scope covers Grok models, Grok integrations on X (web/mobile), and the xAI API (prompt injection, unauthorized data access, authN/authZ flaws). Payout tiers not publicly documented.

    hackerone.com

    Zero Data Retention (ZDR)

    Enterprise feature that prevents xAI from storing any API request or response data; prompts, completions and metadata processed in real time but never persisted.

    docs.x.ai

    SOC 2 Type 2

    Self-asserted as SOC 2 Type 2 compliant; report available via gated Trust Center under NDA.

    docs.x.ai

    Enterprise controls

    Single sign-on (SSO), audit logging, data residency options, and billing via monthly invoices offered to enterprise/team customers.

    x.ai

    Penetration testing

    Not publicly confirmed; not stated on the public security FAQ. Likely covered under SOC 2 controls and the gated Trust Center but not independently verifiable from public sources.

    docs.x.ai

    Encryption

    Not explicitly quoted on public pages reviewed (encryption at rest/in transit not stated in the public security FAQ); detail is held in the gated Trust Center.

    docs.x.ai

    // Products & data scope

    Grok consumer (grok.com / iOS / Android)Consumer AI assistant

    data: Conversations stored; default does NOT use chats for training (opt-in). Private Chat excluded from training and deleted within ~30 days. Deleted data purged within ~30 days.

    Lowest-trust-burden surface but consumer-grade terms.

    Grok on X (X/Twitter integration)Social-platform AI assistant

    data: User content and posts used for model training by DEFAULT (opt-out in settings).

    Most aggressive default data use; relevant privacy flag for individuals.

    xAI API (developer platform)LLM API

    data: Never trains on API inputs/outputs without explicit permission. By default API requests and responses are retained ~30 days for audit purposes then automatically deleted; Zero Data Retention (ZDR) available to enterprise accounts removes all storage (responses carry an x-zero-data-retention header).

    Appropriate for business integration; ZDR is enterprise-gated.

    Grok for Business / EnterpriseEnterprise AI

    data: Enterprise terms bar use of User Content for model training; SSO, audit logging, data residency options, DPA and BAA paths available.

    Strongest contractual data protections.

    Grok for GovernmentPublic-sector AI

    data: Dedicated government offering; specific compliance scope not public.

    Listed as a distinct solution on x.ai.

    // What to watch

    • Default data-training behavior conflicts across products: Grok-on-X trains by default (opt-out), while grok.com and the API do not (opt-in / explicit-permission). Directory should not show a single training answer for 'Grok'.
    • Trust Center (trust.x.ai) is gated behind an access request / NDA, so ISO 27001, ISO 42001, encryption specifics, and pen-test cadence cannot be independently verified from public sources.
    • SOC 2 Type 2 is self-asserted on the public security FAQ; the report itself is only available under NDA.
    • HIPAA/BAA available but case-by-case via questionnaire; not a blanket certification.

    // At a glance

    Pricing model

    Free tier plus usage-based API pricing; enterprise/custom contracts with custom rate limits and invoicing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on xAI Corp's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.x.ai

    > Browse all vendor trust reports