AI Vendor Security & Compliance Brief

DeepSeek logo DeepSeek

Independent due-diligence summary · every fact links to the vendor's official source
4 source-cited facts
0 independently verified certs
3 legal documents tracked
Generated 2026-07-03
35/100
AI Governance Readiness

High-Risk

This vendor is rated High-Risk with a score of 35 out of 100. Verified strengths include no known breaches in Have I Been Pwned and enforced DMARC for email spoofing protection. A material security finding is CVE-2025-63872 (MEDIUM) with no fix listed, which was recently disclosed. The buyer should ask for the remediation timeline for CVE-2025-63872 and confirm their exposure, and request a Data Processing Agreement during procurement.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification No third-party audit report on file — only vendor-stated claims.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), HIPAA.
  • Customer-Data Training Vendor states it trains on customer data — review opt-out / enterprise terms.
  • Data Processing Agreement No public DPA located — request one during procurement.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure 1 known CVE(s); none currently in CISA KEV.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 3 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 4 open items

  • Independent CertificationRequest the current third-party audit report (SOC 2 Type II / ISO 27001 certificate).
  • Customer-Data TrainingConfirm in writing whether customer data is used for model training, and the opt-out path.
  • Data Processing AgreementRequest the Data Processing Agreement (DPA) and current sub-processor list.
  • Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.

Compliance Posture vendor-stated · cited

FrameworkStatusSource
HIPAA Not publicly verified
BAA Available (HIPAA) Not publicly verified
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Data Residency People's Republic of China https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html
Trains on Customer Data key clause True https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Found 1
Vulnerabilities are usually disclosed after the vendor ships a fix, so most carry a patch. What matters for your risk is whether any are actively exploited (CISA KEV) and whether you run a patched version — patched entries below are a normal sign of an active security-response process, not an open exposure.
Vulnerability Disclosure Policy (security.txt) None found
Queried the authoritative source; no records.
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) Not applicable
Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.

Security & Compliance Timeline authoritative · dated

Dated, source-cited history from authoritative records (NVD, SEC, CISA KEV). Subscribe to get alerted the moment a new event lands.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

DocumentURL
Pricing https://api-docs.deepseek.com/quick_start/pricing
Privacy https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html
Tos https://cdn.deepseek.com/policies/en-US/deepseek-terms-of-use.html?locale=en_US

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Data Processing Addendum (DPA) On request / trust portal No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>).
Sub-processor List Trust portal / on request A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team.
Business Associate Agreement (BAA) On request (HIPAA only) A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA.
Master Services Agreement (MSA) Negotiated per contract The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement.
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments.

Continuous Monitoring change-tracking active

2 legal & policy documents under change-monitoring since 2026-06-12. 3 tracked changes detected since baseline.

PrivacyTos
DetectedChangeDetail
2026-06-15 ToS Clause Change The Privacy Policy was substantially rewritten — 16 removed, 31 added. Review the current version.
What this means: This change to the Privacy Policy touches how your data is used or used for AI training and your privacy, data sharing or retention. Read 31 added and 16 removed passages in the current Privacy Policy to see whether it affects your obligations or risk.
Show exact changed text
@@ -1,192 +1,542 @@ DeepSeek Privacy Policy
-日本語 (ja-JP)
-DeepSeek Privacy Policy
-Last Update: February 14, 2025
+Last Update: Feb 10, 2026
 Welcome to DeepSeek!
 Introduction
-This privacy policy (“Privacy Policy”) applies to the personal information that DeepSeek processes in connection with DeepSeek apps, websites, software, and related services (the “Services”), that link to or reference this Privacy Policy. The Services enable you to create and interact with chatbots.
+This privacy policy (“Privacy Policy”) applies to the Personal Data (or
+other similar terms as defined by applicable data protection law)
+relating to you (“Personal Data”) that DeepSeek processes in connection
+with DeepSeek apps, websites, software, and related services (the
+“Services”), that link to or reference this Privacy Policy. The Services
+enable you to create and interact with chatbots.
 Data Controller: The Services are provided and controlled by
-Hangzhou DeepSeek Artificial Intelligence Co., Ltd.
-, with its registered address in China (“we” or “us”). If you have any questions about how we use your personal data, please contact
+Hangzhou DeepSeek Artificial Intelligence Co., Ltd.,
+with its registered address in China (“we” or “us”). If you have any
+questions about how we use your Personal Data, please contact
 privacy@deepseek.com
 or click the “Contact us” column on the website.
-Please be informed that the processing rules for personal information collected from end users when accessing downstream systems or applications developed by developers using our open platform services are not covered by this privacy policy. The developer operating the application, as the controller of the personal information processing activity, should disclose the relevant personal information protection policies to the end users.
-What Information We Collect
-We collect your information in three ways: Information You Provide, Automatically Collected Information, and Information From Other Sources. More detail is provided below.
-Information You Provide
-When you create an account, input content, contact us directly, or otherwise use the Services, you may provide some or all of the following information:
-Account information.
-We collect information that you provide when you set up an account, such as your date of birth (where applicable), username (where applicable), email address and/or telephone number, and password.
+Please be informed that the processing rules for Personal Data collected
+from end users when accessing downstream systems or applications
+developed by developers using our open platform services are not covered
+by this privacy policy. The developer operating the application, as the
+controller of the Personal Data processing activity, should disclose the
+relevant Personal Data protection policies to the end users. If you
+would like to learn more about our model mechanism or training methods,
+please refer to the
+Model Mechanism and Training Methods of DeepSeek
+.
+What Personal Data We Collect
+We collect your Personal Data in three ways: Personal Data You Provide,
+Automatically Collected Personal Data, and Personal Data From Other
+Sources. More detail is provided below.
+Personal Data You Provide
+When you create an account, input content, contact us directly, or
+otherwise use the Services, you may provide some or all of the following
+Personal Data:
+Account Personal Data.
+We collect Personal Data that you provide when you set up an account,
+such as your date of birth (where applicable), username (where
+applicable), email address and/or telephone number, and password.
 User Input.
-When you use our Services, we may collect your text input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services (“Prompts” or "Inputs"). We generate responses (“Outputs”) based on your Inputs.
-Information When You Contact Us.
-When you contact
2026-06-15 ToS Clause Change The Terms of Service was re-published with only formatting changes — no clause change.
What this means: The Terms of Service text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Terms of Service to confirm.
Show exact changed text
@@ -1,3 +1,2 @@-DeepSeek Terms of Use
 DeepSeek Terms of Use
 Last Update: March 27, 2026
2026-06-08 CVE / Security Incident 1 new CVE: CVE-2025-63872.
What this means: A newly disclosed vulnerability affects this vendor — ask for the remediation timeline and confirm your exposure.

View full DeepSeek change history →

Search the Legal Documents verbatim · cited

Search DeepSeek's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor DeepSeek — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment DeepSeek changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.