L LLM Cloud Hub
Compliance category

GDPR-compliant LLM APIs (with DPA)

LLM providers offering a Data Processing Addendum that satisfies GDPR Article 28.

Why this matters

Under GDPR, you (the controller) need a contractual DPA with each processor handling personal data. Most major LLM providers offer one; a few do not.

Badge legend EU EU-hosted: inference and logs run inside EU data centers. Glossary → US US-hosted: data residency in US data centers (often configurable per region). Glossary → HIPAA Provider signs a Business Associate Agreement enabling PHI traffic under HIPAA. Glossary → SOC 2 SOC 2 Type II report — controls audited as effective over a 6–12 month observation window. Glossary → ISO 27001 ISO/IEC 27001 — international information-security management standard. Often required by enterprise procurement. Glossary →

Matching providers

11 total
Amazon
/amazon
AWS Bedrock: not used for training, no retention beyond request
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Anthropic
/anthropic
Zero retention by default for API traffic
US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Cohere
/cohere
US SOC 2
Last reviewed 2026-05-09 · source on file
Google
/google
Configurable; zero retention available on Vertex AI
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Meta
/meta-llama
Open weights — self-hosting bypasses provider compliance entirely
US
Last reviewed 2026-05-09 · source on file
Microsoft
/microsoft
Azure OpenAI: prompts not used for training
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Mistral
/mistralai
EU-only data residency on La Plateforme
EU SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
NVIDIA
/nvidia
EU US SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
OpenAI
/openai
Zero retention available via API; 30 days otherwise
US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Perplexity
/perplexity
US SOC 2
Last reviewed 2026-05-09 · source on file
xAI
/x-ai
US SOC 2
Last reviewed 2026-05-09 · source on file

Compliance posture changes over time. The "last reviewed" date on each card is when a human last verified the corresponding flag against the provider's published security material. For a regulated workload, always confirm directly with the provider before sending production data.

Frequently asked questions

Which LLM providers offer gdpr-compliant llm apis (with dpa)?

11 providers in our catalog are flagged for GDPR-compliant LLM APIs (with DPA), including Amazon, Anthropic, Cohere, Google and Meta, and 6 more. The flags are based on the providers' own published documentation; verify with their legal/sales team before signing.

Why does GDPR-compliant LLM APIs (with DPA) matter for LLM workloads?

Under GDPR, you (the controller) need a contractual DPA with each processor handling personal data. Most major LLM providers offer one; a few do not.

How do I verify a provider really has GDPR-compliant LLM APIs (with DPA)?

Compliance flags on LLM Cloud Hub track whether providers publicly document the relevant attestation, BAA, or DPA — not whether *your* contract will include it. Always request a copy of the actual document from the provider before sending any regulated traffic. Pricing and compliance flags are refreshed nightly; the date of last review is shown on each provider page.

Keyboard shortcuts

?
Show this overlay
/
Focus the first form field
g h
Go to / (home)
g b
Go to /best-llm-for
g c
Go to /cost
g s
Go to /self-hosted
g x
Go to /compliance
Esc
Close any overlay

Inspired by Linear and GitHub conventions. The two-key sequences (g then h) work within ~1 second.