// Trust & Security Report
Mistral AI
Frontier LLMs and AI platform: Le Chat (consumer + Enterprise), Studio / La Plateforme (API), Forge (custom model training), Vibe and Vibe for Code (agents), Compute (infrastructure), Mistral OCR, Voxtral
Certifications held
6
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.mistral.ai“Compliance: ISO 27001 ... Compliance Reports: Mistral AI - ISO/IEC 27001:2022 Official Certificate”
Verify on trust.mistral.ai“Compliance: ISO 27701 ... Compliance Reports: Mistral AI - ISO/IEC 27701:2019 Official Certificate”
Verify on trust.mistral.ai“Compliance: SOC 2 Type II ... Compliance Reports: Mistral AI - Letter of Attestation SOC 2 Type II. Mistral Help Center: "Mistral complies with both SOC 2 Type II and ISO 27001/27701 frameworks."”
Verify on trust.mistral.ai“Compliance Reports: Mistral AI - Letter of Attestation SOC 2 Type I”
Verify on trust.mistral.ai“Compliance: GDPR. Mistral AI is a French company incorporated in Paris ... We prioritize selecting providers within the European Union that strictly adhere to the GDPR ... we attach the most recent version of the European Commission's Standard Contractual Clauses to all such contracts.”
Verify on trust.mistral.ai“No HIPAA certification or BAA offering found on the Trust Center or legal pages; not listed among compliance frameworks.”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
EU by default ("Our servers are hosted in the EU"). Self-hosted/on-prem and VPC options keep data in the customer environment. A US API region is available (subprocessor Google LLC, Netherlands/United States). International transfers covered by EU Standard Contractual Clauses under Article 46 GDPR.
Product-dependent. For consumer products (free Le Chat), Input and Output ARE used to train models by default, subject to an in-account opt-out: "Your Input and Output, subject to your opt-out." For business and enterprise tiers, training is OFF: "we do not use your Input and Output to train our artificial intelligence models when you use Le Chat Enterprise or the paid version of our APIs." In-app 'thumbs up/down' Feedback (plus associated Input/Output) is used for training as Controller regardless of tier. When Mistral acts as data processor for business customers, the Privacy Policy does not apply and the DPA governs.
// Security controls
Penetration testing
Performed (listed as a Product security control: "Penetration testing performed")
trust.mistral.aiEncryption
Data encryption utilized; encryption key access restricted; portable media encrypted (Trust Center controls)
trust.mistral.aiAccess control
Unique account authentication enforced; access control procedures established
trust.mistral.aiBusiness continuity / DR
Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained
trust.mistral.aiBug bounty / responsible disclosure
No public bug bounty (HackerOne/Bugcrowd) program found. Security contact trust@mistral.ai; security advisories published at docs.mistral.ai/resources/security-advisories.
docs.mistral.aiSubprocessor transparency
Public subprocessor list with email notifications (Microsoft/Azure EU, Google LLC, Stripe, GetLago, Merge); customers may object to new subprocessors within 10 days
legal.mistral.aiIncident disclosure (2026)
Mini Shai-Hulud third-party supply-chain attack (May 2026) compromised non-core code repos and poisoned npm/PyPI SDK packages (mistralai 2.4.6). Mistral states hosted services, managed user data, and research/testing environments were NOT compromised. Disclosed transparently with public incident report MAI-2026-002.
trust.mistral.aiZero data retention (ZDR)
Available on APIs; otherwise paid API Input/Output retained 30 rolling days for abuse monitoring unless ZDR activated
legal.mistral.ai// Products & data scope
data: Mistral is data controller. Input/Output used to train models BY DEFAULT, opt-out available in account. Memory feature may store sensitive Input (with explicit consent). Conversations kept until deleted or account deletion.
Personal-use tier under the Privacy Policy; not for processing data in a business context.
data: No model training on Input/Output. Mistral acts as processor under the DPA; customer is controller.
Suitable for business data; covered by DPA + SCCs.
data: Paid API: no model training. Input/Output retained 30 rolling days for abuse monitoring unless zero data retention enabled. Agents API retains until account termination; Fine-Tuning API retains tuning data until deleted.
EU-hosted by default; US API region available via Google subprocessor.
data: Train, align, evaluate custom models on proprietary data; customer-controlled.
Enterprise domain adaptation, RL/distillation, synthetic data.
data: Long-horizon agent with persistent memory and tool/connector access; connected third-party services are not used for model training.
Separate Vibe Terms of Service apply at chat.mistral.ai.
data: Self-hosted on VPC, edge, or on-premises: "Your data stays within your walls." No data leaves customer environment.
Highest control tier; also available via cloud partners (AWS, Azure, GCP, IBM, SAP, Snowflake, NVIDIA, Outscale).
// What to watch
- Consumer/free Le Chat trains on user Input/Output BY DEFAULT (opt-out exists); business, enterprise, and paid API tiers do NOT train. Directory should not present a single training answer for the whole vendor.
- In-app thumbs-up/down Feedback (plus associated Input/Output) is used for model training as Controller across tiers per the DPA.
- May 2026 third-party supply-chain incident (Mini Shai-Hulud) poisoned published npm/PyPI SDK packages (mistralai 2.4.6); Mistral states hosted services and user data were unaffected and disclosed it transparently.
- No public bug bounty (HackerOne/Bugcrowd) program identified; disclosure is via trust@mistral.ai and published advisories.
- No HIPAA / BAA offering found.
// At a glance
Pricing model
Freemium consumer (Le Chat free/Pro) + usage-based API pricing + enterprise/commercial contracts + self-managed compute
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mistral AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.mistral.ai