// Trust & Security Report
xAI Corp
Grok (Chat, Build, Imagine, Voice, Grokipedia), xAI API, Grok for Business/Enterprise, Grok for Government
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.x.ai“Not asserted on xAI's public security FAQ or marketing pages reviewed. xAI directs GDPR/certification detail to its gated Trust Center (trust.x.ai), accessible only after a signed NDA, so additional certs cannot be confirmed from public sources.”
Verify on docs.x.ai“xAI offers a Business Associate Agreement Questionnaire at x.ai/legal/baa and reviews responses for HIPAA eligibility; a BAA path exists but HIPAA is not a certification and eligibility is gated/case-by-case.”
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Data residency options offered to enterprise customers (per xAI marketing); specific regions not publicly enumerated.
Training behavior differs sharply by product. API: 'xAI never trains on your API inputs or outputs without your explicit permission' and enterprise accounts can enable Zero Data Retention (ZDR) so prompts/completions are never persisted. Enterprise terms: xAI 'shall not use any User Content to train any foundation models, large language models, or other artificial intelligence systems.' Consumer grok.com: defaults to NOT using conversations for training (opt-in via Settings > Data > 'Improve the Model'); Private Chat mode is excluded from training and deleted within 30 days. Grok on X (X/Twitter integration): training is opt-IN by default, i.e. user content is used for model training automatically unless the user disables it in settings. Net: the consumer Grok-on-X surface trains on user data by default, while API/enterprise do not.
// Security controls
Bug bounty program
Yes, via HackerOne (hackerone.com/x); also accepts reports at vulnerabilities@x.ai. Scope covers Grok models, Grok integrations on X (web/mobile), and the xAI API (prompt injection, unauthorized data access, authN/authZ flaws). Payout tiers not publicly documented.
hackerone.comZero Data Retention (ZDR)
Enterprise feature that prevents xAI from storing any API request or response data; prompts, completions and metadata processed in real time but never persisted.
docs.x.aiSOC 2 Type 2
Self-asserted as SOC 2 Type 2 compliant; report available via gated Trust Center under NDA.
docs.x.aiEnterprise controls
Single sign-on (SSO), audit logging, data residency options, and billing via monthly invoices offered to enterprise/team customers.
x.aiPenetration testing
Not publicly confirmed; not stated on the public security FAQ. Likely covered under SOC 2 controls and the gated Trust Center but not independently verifiable from public sources.
docs.x.aiEncryption
Not explicitly quoted on public pages reviewed (encryption at rest/in transit not stated in the public security FAQ); detail is held in the gated Trust Center.
docs.x.ai// Products & data scope
data: Conversations stored; default does NOT use chats for training (opt-in). Private Chat excluded from training and deleted within ~30 days. Deleted data purged within ~30 days.
Lowest-trust-burden surface but consumer-grade terms.
data: User content and posts used for model training by DEFAULT (opt-out in settings).
Most aggressive default data use; relevant privacy flag for individuals.
data: Never trains on API inputs/outputs without explicit permission. By default API requests and responses are retained ~30 days for audit purposes then automatically deleted; Zero Data Retention (ZDR) available to enterprise accounts removes all storage (responses carry an x-zero-data-retention header).
Appropriate for business integration; ZDR is enterprise-gated.
data: Enterprise terms bar use of User Content for model training; SSO, audit logging, data residency options, DPA and BAA paths available.
Strongest contractual data protections.
data: Dedicated government offering; specific compliance scope not public.
Listed as a distinct solution on x.ai.
// What to watch
- Default data-training behavior conflicts across products: Grok-on-X trains by default (opt-out), while grok.com and the API do not (opt-in / explicit-permission). Directory should not show a single training answer for 'Grok'.
- Trust Center (trust.x.ai) is gated behind an access request / NDA, so ISO 27001, ISO 42001, encryption specifics, and pen-test cadence cannot be independently verified from public sources.
- SOC 2 Type 2 is self-asserted on the public security FAQ; the report itself is only available under NDA.
- HIPAA/BAA available but case-by-case via questionnaire; not a blanket certification.
// At a glance
Pricing model
Free tier plus usage-based API pricing; enterprise/custom contracts with custom rate limits and invoicing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on xAI Corp's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.x.ai