L LLM Cloud Hub
Compliance category

SOC 2 Type II LLM APIs

LLM providers with a current SOC 2 Type II report available under NDA.

Why this matters

The de-facto baseline for B2B procurement — a SOC 2 Type II report covers security, availability, and confidentiality controls audited over a 6–12 month observation window.

Badge legend EU EU-hosted: inference and logs run inside EU data centers. Glossary → US US-hosted: data residency in US data centers (often configurable per region). Glossary → HIPAA Provider signs a Business Associate Agreement enabling PHI traffic under HIPAA. Glossary → SOC 2 SOC 2 Type II report — controls audited as effective over a 6–12 month observation window. Glossary → ISO 27001 ISO/IEC 27001 — international information-security management standard. Often required by enterprise procurement. Glossary →

Matching providers

11 total
Amazon
/amazon
AWS Bedrock: not used for training, no retention beyond request
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Anthropic
/anthropic
Zero retention by default for API traffic
US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Cohere
/cohere
US SOC 2
Last reviewed 2026-05-09 · source on file
Google
/google
Configurable; zero retention available on Vertex AI
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Microsoft
/microsoft
Azure OpenAI: prompts not used for training
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Mistral
/mistralai
EU-only data residency on La Plateforme
EU SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
NVIDIA
/nvidia
EU US SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
OpenAI
/openai
Zero retention available via API; 30 days otherwise
US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Perplexity
/perplexity
US SOC 2
Last reviewed 2026-05-09 · source on file
Qwen
/qwen
Alibaba Cloud International default policy
SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
xAI
/x-ai
US SOC 2
Last reviewed 2026-05-09 · source on file

Compliance posture changes over time. The "last reviewed" date on each card is when a human last verified the corresponding flag against the provider's published security material. For a regulated workload, always confirm directly with the provider before sending production data.

Frequently asked questions

Which LLM providers offer soc 2 type ii llm apis?

11 providers in our catalog are flagged for SOC 2 Type II LLM APIs, including Amazon, Anthropic, Cohere, Google and Microsoft, and 6 more. The flags are based on the providers' own published documentation; verify with their legal/sales team before signing.

Why does SOC 2 Type II LLM APIs matter for LLM workloads?

The de-facto baseline for B2B procurement — a SOC 2 Type II report covers security, availability, and confidentiality controls audited over a 6–12 month observation window.

How do I verify a provider really has SOC 2 Type II LLM APIs?

Compliance flags on LLM Cloud Hub track whether providers publicly document the relevant attestation, BAA, or DPA — not whether *your* contract will include it. Always request a copy of the actual document from the provider before sending any regulated traffic. Pricing and compliance flags are refreshed nightly; the date of last review is shown on each provider page.

Keyboard shortcuts

?
Show this overlay
/
Focus the first form field
g h
Go to / (home)
g b
Go to /best-llm-for
g c
Go to /cost
g s
Go to /self-hosted
g x
Go to /compliance
Esc
Close any overlay

Inspired by Linear and GitHub conventions. The two-key sequences (g then h) work within ~1 second.