Not all AI APIs are equal under GDPR. Here's the compliance posture of each major provider.
The comparison
| Provider | EU data residency | DPA available | No training on data | GDPR verdict |
|---|---|---|---|---|
| Mistral | ✅ Native (France) | ✅ | ✅ | ✅ Best for EU |
| Google Vertex AI | ✅ EU region option | ✅ | ✅ | ✅ Good |
| Azure OpenAI | ✅ EU region option | ✅ | ✅ | ✅ Good |
| Anthropic API | ❌ US only | ✅ (Business) | ✅ | ⚠️ Needs SCCs |
| OpenAI API | ⚠️ EU option available | ✅ (Business) | ✅ | ⚠️ Check config |
| DeepSeek | ❌ China | ❌ Unknown | ❌ Unknown | ❌ Avoid for PII |
| OpenRouter | ❌ US | ⚠️ Limited | Varies by model | ⚠️ Check per model |
What "GDPR compliant" actually means
For an AI API to be GDPR compliant, you need:
- Legal basis for processing (contract, legitimate interest or consent); this is your obligation as controller, not something the provider supplies
- Data Processing Agreement (DPA) with the provider
- Transfer mechanism if data leaves the EU (SCCs, or an adequacy decision such as the EU-US Data Privacy Framework for certified US providers)
- No training on your data (or explicit consent for it)
- Data retention limits that match your privacy policy, including any abuse-monitoring retention window the provider keeps
The safest path for EU companies
Tier 1: Zero transfer risk
- Self-hosted models via Ollama
- No third-party processing and no processor DPA needed; GDPR still governs your own processing (legal basis, retention, security), but every provider question above disappears
Tier 2: Low risk
- Mistral API: EU-native, DPA included
- Google Vertex AI with EU region: established GDPR framework
Tier 3: Medium risk (needs paperwork)
- Anthropic API with Business DPA + SCCs
- Azure OpenAI with EU region + DPA
Tier 4: High risk (avoid for sensitive data)
- Consumer subscriptions (ChatGPT Plus, Claude Pro): consumer terms, no DPA
- Chinese providers without clear data policies
- Free tiers without business terms
For AI coding tools specifically
| Tool | Safest configuration |
|---|---|
| Aider | + Ollama (local) or + Mistral API |
| Continue.dev | + Ollama (local) |
| Claude Code | Enterprise plan with DPA |
| Cursor | Business plan with DPA |
| GitHub Copilot | Business plan (no code retention) |
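Whether a tool actually stays in the "local" or "EU-native" configuration depends on the endpoint its config points at, and that drifts as developers add models and keys. The script below is an added example (not code from the original page or from any of the tools listed): it scans config and env files for API base URLs and flags any that is neither a loopback/private address (self-hosted) nor on an allowlist you maintain. The allowlist entries, the Vertex AI regional hostname pattern, the EU-region prefix and the sample config snippets are assumptions constructed for illustration; verify them against your own DPA review and each tool's current documentation.

```python
"""Audit AI coding-tool settings for endpoints that would send code outside an approved boundary."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts that your own DPA / residency review has approved. Adjust to your findings.
APPROVED_HOSTS = {
    "api.mistral.ai": "Mistral (EU-native provider)",
    "eu.api.openai.com": "OpenAI EU residency endpoint (still verify the project is EU-configured)",
}
# Vertex AI regional endpoints look like <region>-aiplatform.googleapis.com (assumed pattern).
VERTEX_RE = re.compile(r"^(?P<region>[a-z0-9-]+)-aiplatform\.googleapis\.com$")
# Crude URL extractor: good enough for .env, YAML and JSON config files.
URL_RE = re.compile(r"https?://[^\s\"'<>,;]+")


def _is_local(host):
    """True for loopback / private addresses and local names, i.e. a self-hosted model."""
    if host in ("localhost", "localhost.localdomain") or host.endswith(".local"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_loopback or ip.is_private


def classify_endpoint(url):
    """Return (status, reason) where status is 'local', 'approved' or 'flag'."""
    host = (urlparse(url).hostname or "").lower()  # hostname drops the port and [] around IPv6
    if not host:
        return "flag", f"unparseable URL {url!r}"
    if _is_local(host):
        return "local", "loopback/private address: code never leaves your network"
    if host in APPROVED_HOSTS:
        return "approved", APPROVED_HOSTS[host]
    m = VERTEX_RE.match(host)
    if m:
        region = m.group("region")
        if region.startswith("europe-"):  # assumed EU-region naming convention
            return "approved", f"Vertex AI EU region {region}"
        return "flag", f"Vertex AI non-EU region {region}"
    return "flag", f"{host} is not on the approved list; check DPA, transfer mechanism and training policy"


def audit(configs):
    """configs: mapping of file name -> file contents. Returns a list of (file, url, status, reason)."""
    findings = []
    for name, text in configs.items():
        for url in URL_RE.findall(text):
            status, reason = classify_endpoint(url.rstrip(".)"))
            findings.append((name, url, status, reason))
    return findings


# Constructed sample configs for illustration; not real files from any project or tool.
SAMPLE_CONFIGS = {
    ".env": "OLLAMA_API_BASE=http://127.0.0.1:11434\nOPENAI_API_BASE=https://api.openai.com/v1\n",
    ".continue/config.json": '{"models": [{"title": "mistral", "provider": "mistral", '
                             '"apiBase": "https://api.mistral.ai/v1"}]}',
    "vertex.env": "VERTEX_ENDPOINT=https://us-central1-aiplatform.googleapis.com/v1\n",
}

if __name__ == "__main__":
    for f, url, status, reason in audit(SAMPLE_CONFIGS):
        print(f"[{status:8}] {f}: {url} -> {reason}")
```

Run it in CI against the dotfiles and tool configs checked into a repo (or against a developer workstation image) and fail the job on any `flag` result; a tool that is "safe with Ollama" stops being safe the moment someone points it at a consumer or US-only endpoint.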
Related: AI and GDPR for Developers · Where Does Your Code Go? · Self-Hosted AI for GDPR · What is Mistral AI?