// Trust & Security Report

    Mistral AI logo

    Mistral AI

    Frontier LLMs and AI platform: Le Chat (consumer + Enterprise), Studio / La Plateforme (API), Forge (custom model training), Vibe and Vibe for Code (agents), Compute (infrastructure), Mistral OCR, Voxtral

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Compliance: ISO 27001 ... Compliance Reports: Mistral AI - ISO/IEC 27001:2022 Official Certificate

    Verify on trust.mistral.ai
    ISO/IEC 27701:2019
    HELD

    Compliance: ISO 27701 ... Compliance Reports: Mistral AI - ISO/IEC 27701:2019 Official Certificate

    Verify on trust.mistral.ai
    SOC 2 Type II
    HELD

    Compliance: SOC 2 Type II ... Compliance Reports: Mistral AI - Letter of Attestation SOC 2 Type II. Mistral Help Center: "Mistral complies with both SOC 2 Type II and ISO 27001/27701 frameworks."

    Verify on trust.mistral.ai
    SOC 2 Type I
    HELD

    Compliance Reports: Mistral AI - Letter of Attestation SOC 2 Type I

    Verify on trust.mistral.ai
    GDPR
    HELD

    Compliance: GDPR. Mistral AI is a French company incorporated in Paris ... We prioritize selecting providers within the European Union that strictly adhere to the GDPR ... we attach the most recent version of the European Commission's Standard Contractual Clauses to all such contracts.

    Verify on trust.mistral.ai
    HIPAA
    HELD

    No HIPAA certification or BAA offering found on the Trust Center or legal pages; not listed among compliance frameworks.

    Verify on trust.mistral.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    EU by default ("Our servers are hosted in the EU"). Self-hosted/on-prem and VPC options keep data in the customer environment. A US API region is available (subprocessor Google LLC, Netherlands/United States). International transfers covered by EU Standard Contractual Clauses under Article 46 GDPR.

    Product-dependent. For consumer products (free Le Chat), Input and Output ARE used to train models by default, subject to an in-account opt-out: "Your Input and Output, subject to your opt-out." For business and enterprise tiers, training is OFF: "we do not use your Input and Output to train our artificial intelligence models when you use Le Chat Enterprise or the paid version of our APIs." In-app 'thumbs up/down' Feedback (plus associated Input/Output) is used for training as Controller regardless of tier. When Mistral acts as data processor for business customers, the Privacy Policy does not apply and the DPA governs.

    // Security controls

    Penetration testing

    Performed (listed as a Product security control: "Penetration testing performed")

    trust.mistral.ai

    Encryption

    Data encryption utilized; encryption key access restricted; portable media encrypted (Trust Center controls)

    trust.mistral.ai

    Access control

    Unique account authentication enforced; access control procedures established

    trust.mistral.ai

    Business continuity / DR

    Continuity and Disaster Recovery plans established and tested; cybersecurity insurance maintained

    trust.mistral.ai

    Bug bounty / responsible disclosure

    No public bug bounty (HackerOne/Bugcrowd) program found. Security contact trust@mistral.ai; security advisories published at docs.mistral.ai/resources/security-advisories.

    docs.mistral.ai

    Subprocessor transparency

    Public subprocessor list with email notifications (Microsoft/Azure EU, Google LLC, Stripe, GetLago, Merge); customers may object to new subprocessors within 10 days

    legal.mistral.ai

    Incident disclosure (2026)

    Mini Shai-Hulud third-party supply-chain attack (May 2026) compromised non-core code repos and poisoned npm/PyPI SDK packages (mistralai 2.4.6). Mistral states hosted services, managed user data, and research/testing environments were NOT compromised. Disclosed transparently with public incident report MAI-2026-002.

    trust.mistral.ai

    Zero data retention (ZDR)

    Available on APIs; otherwise paid API Input/Output retained 30 rolling days for abuse monitoring unless ZDR activated

    legal.mistral.ai

    // Products & data scope

    Le Chat (consumer / free + Pro)Consumer AI assistant

    data: Mistral is data controller. Input/Output used to train models BY DEFAULT, opt-out available in account. Memory feature may store sensitive Input (with explicit consent). Conversations kept until deleted or account deletion.

    Personal-use tier under the Privacy Policy; not for processing data in a business context.

    Le Chat EnterpriseEnterprise AI assistant

    data: No model training on Input/Output. Mistral acts as processor under the DPA; customer is controller.

    Suitable for business data; covered by DPA + SCCs.

    Studio / La Plateforme (API)Developer API platform

    data: Paid API: no model training. Input/Output retained 30 rolling days for abuse monitoring unless zero data retention enabled. Agents API retains until account termination; Fine-Tuning API retains tuning data until deleted.

    EU-hosted by default; US API region available via Google subprocessor.

    ForgeCustom model training / alignment

    data: Train, align, evaluate custom models on proprietary data; customer-controlled.

    Enterprise domain adaptation, RL/distillation, synthetic data.

    Vibe / Vibe for CodeAutonomous AI agents

    data: Long-horizon agent with persistent memory and tool/connector access; connected third-party services are not used for model training.

    Separate Vibe Terms of Service apply at chat.mistral.ai.

    Compute / Self-hosted StudioInfrastructure / on-prem deployment

    data: Self-hosted on VPC, edge, or on-premises: "Your data stays within your walls." No data leaves customer environment.

    Highest control tier; also available via cloud partners (AWS, Azure, GCP, IBM, SAP, Snowflake, NVIDIA, Outscale).

    // What to watch

    • Consumer/free Le Chat trains on user Input/Output BY DEFAULT (opt-out exists); business, enterprise, and paid API tiers do NOT train. Directory should not present a single training answer for the whole vendor.
    • In-app thumbs-up/down Feedback (plus associated Input/Output) is used for model training as Controller across tiers per the DPA.
    • May 2026 third-party supply-chain incident (Mini Shai-Hulud) poisoned published npm/PyPI SDK packages (mistralai 2.4.6); Mistral states hosted services and user data were unaffected and disclosed it transparently.
    • No public bug bounty (HackerOne/Bugcrowd) program identified; disclosure is via trust@mistral.ai and published advisories.
    • No HIPAA / BAA offering found.

    // At a glance

    Pricing model

    Freemium consumer (Le Chat free/Pro) + usage-based API pricing + enterprise/commercial contracts + self-managed compute

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mistral AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.mistral.ai

    > Browse all vendor trust reports