DeepSeek
DeepSeek V3
V3 · open-weights · Released December 26, 2024
Updated June 27, 2026
Chinese-developed model. Open weights available globally. API routes data through Chinese servers, subject to Chinese data laws. Self-hosted deployment recommended for regulated enterprise use.
Enterprise guidance
For any regulated enterprise use, deploy DeepSeek V3 as self-hosted open weights — do not use the DeepSeek API. DeepSeek's API routes data through China-based infrastructure subject to China's National Intelligence Law, which requires organizations to cooperate with state intelligence agencies on request and without notification. Self-hosted deployment via AWS, Azure, or GCP running the open weights eliminates this risk. Confirm that your chosen cloud host does not transmit data back to DeepSeek's own servers.
Active Compliance Flags (2)
Developed by a Chinese company. API service subject to Chinese National Intelligence Law (Art. 7). Self-hosting open weights removes API data residency risk.
DeepSeek API routes data through China-based servers. Financial services, healthcare, and defense organizations should use self-hosted deployment only.
Data handling
Default data retention
API: stored on China-based servers under PRC jurisdiction
Zero-retention available
No. Not available via DeepSeek API. Self-host open weights for full data control.
API data used for training
Yes. DeepSeek's privacy policy indicates data may be used to improve services. No enterprise data processing agreement or opt-out is published for China-based API processing.
GDPR Data Processing Agreement
Not available
HIPAA Business Associate Agreement
Not available. Self-host and arrange a BAA with your cloud infrastructure provider.
Data residency options
API: People's Republic of China. Self-hosted: your own infrastructure.
Vendor compliance certifications
Key use restrictions
- API: data subject to Chinese National Intelligence Law — not suitable for sensitive or regulated data
- Self-hosted open weights: MIT-like license; suitable for most commercial use cases
- DeepSeek AUP prohibits: harmful content, illegal content, content violating Chinese regulations
- API outputs may be filtered to comply with Chinese government content requirements
Safety documentation
DeepSeek-V3 technical report published December 2024. Limited independent safety evaluation available. No published third-party red-team results.
Related governance resources
Governance controls
Cross-Border Data Transfer Controls for AI
Govern the international transfer of personal data through AI systems, including data sent to AI API providers, training pipelines, and cloud infrastructure in other jurisdictions.
AI Vendor Due Diligence
Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.
Self-Hosted Open-Weight AI Model Governance
Establish an intake policy and governance controls for AI model weights downloaded from public repositories and deployed in the organization's own infrastructure, addressing integrity verification, license compliance, safety evaluation before deployment, and ongoing update management distinct from vendor-hosted AI procurement.
National Security and Dual-Use AI Risk Assessment
Establish a risk assessment process for AI systems and AI research activities that could constitute dual-use technology — with applications in both commercial and national security or weapons contexts — addressing BIS export control obligations, ITAR compliance for defense applications, dual-use research of concern protocols, and foreign adversarial misuse monitoring.
AI Procurement Risk Assessment
Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.
Playbook guides
How do we ensure third-party AI vendors meet our standards?
Extending vendor due diligence to cover model transparency, data handling, bias testing, and contractual liability for AI outputs.
How do we maintain data privacy compliance when using AI?
Addressing training data sourcing, data minimization, cross-border transfers, and the right to explanation under GDPR and CCPA.
How are we managing third-party AI risks?
Governing the use of external AI APIs and vendor-embedded models, including data handling, documentation requirements, and ongoing monitoring.
Status history
January 15, 2025 · green to yellow
Elevated regulatory scrutiny of Chinese AI vendor jurisdiction risk following national security reviews in Western jurisdictions.
