AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

Alibaba Cloud

Qwen3

v3 · open-weights · Released April 28, 2025

Use with Caution

Updated June 27, 2026

Chinese-developed model. Open weights available globally. API service subject to Chinese data law jurisdiction. Open-weights self-hosting is the recommended path for regulated enterprise use.

Enterprise guidance

Qwen3 open weights are widely available and perform well for their size, making them viable for enterprise use when self-hosted. For any regulated workload, download the open weights and run inference in your own cloud infrastructure to eliminate the Alibaba Cloud vendor jurisdiction risk. If using third-party hosted Qwen3 inference, verify that data does not pass through Alibaba Cloud's China-based infrastructure.

Active Compliance Flags1

vendor_jurisdictionMediumJanuary 1, 2026

Developed by Alibaba Cloud, subject to Chinese data laws. API-based use routes data through Alibaba Cloud infrastructure. Open-weights deployment eliminates this risk.

Data handling

Default data retention

Alibaba Cloud API: varies by region; China-based infrastructure is possible depending on routing

Zero-retention available

No

Not reliably available via Alibaba Cloud API. Self-host open weights for full control.

API data used for training

Yes

Alibaba Cloud API terms vary by product and region. API-based processing may be subject to Chinese data laws depending on routing.

GDPR Data Processing Agreement

Available

HIPAA Business Associate Agreement

Not available

Not offered for Qwen3 specifically. Self-host and arrange a BAA with your cloud provider.

Data residency options

Alibaba Cloud API: depends on region selection; international regions available but verify routing. Self-hosted: your own infrastructure.

Vendor compliance certifications

Alibaba Cloud platform: ISO 27001, SOC 2, ISO 27017, CSA STAR (platform-level, not Qwen3-specific)

Key use restrictions

  • Alibaba Cloud API: subject to Chinese content regulations; outputs may be filtered per Chinese law
  • Self-hosted open weights: subject to Qwen License terms (permissive for most commercial uses)
  • Alibaba AUP prohibits: harmful content, illegal content, content violating applicable laws
  • Verify specific version license terms before commercial deployment of self-hosted weights

Safety documentation

Model card published
System card not published
Red-team report not published

Qwen3 technical report published May 2025. Safety benchmarks published alongside model release. Limited independent third-party red-team evaluation available.

Safety documentation →

Related governance resources

Governance controls

Cross-Border Data Transfer Controls for AI

Govern the international transfer of personal data through AI systems, including data sent to AI API providers, training pipelines, and cloud infrastructure in other jurisdictions.

AI Vendor Due Diligence

Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.

Self-Hosted Open-Weight AI Model Governance

Establish an intake policy and governance controls for AI model weights downloaded from public repositories and deployed in the organization's own infrastructure, addressing integrity verification, license compliance, safety evaluation before deployment, and ongoing update management distinct from vendor-hosted AI procurement.

National Security and Dual-Use AI Risk Assessment

Establish a risk assessment process for AI systems and AI research activities that could constitute dual-use technology — with applications in both commercial and national security or weapons contexts — addressing BIS export control obligations, ITAR compliance for defense applications, dual-use research of concern protocols, and foreign adversarial misuse monitoring.

AI Procurement Risk Assessment

Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.

Playbook guides

How do we ensure third-party AI vendors meet our standards?

Extending vendor due diligence to cover model transparency, data handling, bias testing, and contractual liability for AI outputs.

How do we maintain data privacy compliance when using AI?

Addressing training data sourcing, data minimization, cross-border transfers, and the right to explanation under GDPR and CCPA.

How are we managing third-party AI risks?

Governing the use of external AI APIs and vendor-embedded models, including data handling, documentation requirements, and ongoing monitoring.

← All tracked models