DeepSeek
High-Risk
Material governance gaps: Independent Certification, Vendor-Stated Compliance.
Readiness Breakdown deterministic · evidence-only
- Independent Certification: No third-party audit report on file; only vendor-stated claims.
- Vendor-Stated Compliance: Vendor states (cited, not independently audited): BAA Available (HIPAA), HIPAA.
- Customer-Data Training: Vendor states that it trains on customer data; review the opt-out path and enterprise terms.
- Data Processing Agreement: No public DPA located; request one during procurement.
- Breach History: 1 known breach recorded in Have I Been Pwned (HIBP); assess remediation.
- Vulnerability Exposure: 1 known CVE; none currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- Email Spoofing Protection (DMARC): DMARC policy at enforcement (p=quarantine or p=reject); exact-domain spoofing mitigated. Lookalike domains, and subdomains covered by a weaker sp= policy, are outside this check.
- Vulnerability Disclosure Policy: No /.well-known/security.txt (RFC 9116) vulnerability disclosure policy found.
- Web TLS Certificate: Valid TLS certificate in place (certificate validity only; protocol and cipher configuration are not assessed by this check).
- Legal Transparency: 3 legal/policy documents publicly tracked.
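The DMARC, security.txt and KEV items above are deterministic checks on public evidence. The Python script below is an added example, not code from this brief or from DeepSeek, showing how each of those three readings is derived from the raw artefact: a `_dmarc` TXT record counts as enforced only when `p=` is quarantine or reject at `pct=100` (the subdomain policy `sp=` is reported separately, because `p=reject; sp=none` still leaves subdomains spoofable); a `/.well-known/security.txt` body is accepted only if it carries the RFC 9116 `Contact` and `Expires` fields and has not expired; and CVE IDs are looked up in a CISA KEV catalog export. Every DMARC record, the security.txt bodies and the KEV feed excerpt are constructed samples (the one real entry, CVE-2021-44228, is a well-known KEV listing). The script does no network lookups, so the page's CVE shows as not listed simply because the sample feed omits it; the same functions can be pointed at real DNS, HTTP and KEV data.

```python
"""Evidence behind three readiness items: DMARC enforcement, a security.txt
disclosure policy, and CISA KEV membership. Added example with constructed
inputs; nothing here is fetched from DeepSeek."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def dmarc_enforcement(txt_record: str) -> dict:
    """Classify a _dmarc TXT record. 'Enforced' means p=quarantine or p=reject
    applied to 100% of mail; p=reject with pct=25 still lets 75% through."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "enforced": False, "subdomains_enforced": False}
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    strict = ("quarantine", "reject")
    return {
        "present": True,
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        "enforced": policy in strict and pct == 100,
        # p=reject with sp=none leaves subdomain spoofing open
        "subdomains_enforced": sub_policy in strict and pct == 100,
    }


def security_txt_status(body: Optional[str], now: datetime) -> dict:
    """Evaluate a /.well-known/security.txt body against the RFC 9116 basics:
    Contact and Expires are mandatory, and an expired file is not a live channel."""
    if body is None:
        return {"found": False, "valid": False, "reason": "no file"}
    fields: Dict[str, List[str]] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    for required in ("contact", "expires"):
        if required not in fields:
            return {"found": True, "valid": False, "reason": f"missing {required.capitalize()}"}
    expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
    if expires <= now:
        return {"found": True, "valid": False, "reason": "expired"}
    return {"found": True, "valid": True, "contacts": fields["contact"]}


def kev_membership(kev_feed_json: str, cve_ids: List[str]) -> Dict[str, bool]:
    """Map each CVE ID to whether it appears in a CISA KEV catalog export. The live
    feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
    has the same top-level 'vulnerabilities' list of objects carrying 'cveID'."""
    catalog = json.loads(kev_feed_json)
    listed = {entry["cveID"] for entry in catalog.get("vulnerabilities", [])}
    return {cve: cve in listed for cve in cve_ids}


# --- constructed samples (not real DeepSeek records) ---
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_PARTIAL_ROLLOUT = "v=DMARC1; p=quarantine; pct=25"
DMARC_OPEN_SUBDOMAINS = "v=DMARC1; p=reject; sp=none"
SAMPLE_SECURITY_TXT = """# constructed sample
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Policy: https://example.com/vdp
"""
EXPIRED_SECURITY_TXT = "Contact: mailto:security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"},
    ],
})


def run_checks(now: Optional[datetime] = None) -> dict:
    """Run every check over the samples; `now` defaults to the brief's snapshot date."""
    now = now or datetime(2026, 6, 12, tzinfo=timezone.utc)
    return {
        "dmarc_enforced": dmarc_enforcement(DMARC_ENFORCED),
        "dmarc_monitor_only": dmarc_enforcement(DMARC_MONITOR_ONLY),
        "dmarc_partial": dmarc_enforcement(DMARC_PARTIAL_ROLLOUT),
        "dmarc_open_subdomains": dmarc_enforcement(DMARC_OPEN_SUBDOMAINS),
        "security_txt": security_txt_status(SAMPLE_SECURITY_TXT, now),
        "security_txt_expired": security_txt_status(EXPIRED_SECURITY_TXT, now),
        "security_txt_missing": security_txt_status(None, now),
        "kev": kev_membership(SAMPLE_KEV_FEED, ["CVE-2025-63872", "CVE-2021-44228"]),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The `pct` and `sp` handling is the part that a "DMARC enforced" one-liner hides: a record at `p=reject` with `pct=25` or `sp=none` will pass a naive policy check while leaving most mail, or every subdomain, unprotected.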
Ask This in Your Security Review 5 open items
- Independent Certification: Request the current third-party audit report (SOC 2 Type II report or ISO 27001 certificate).
- Customer-Data Training: Confirm in writing whether customer data is used for model training, and the opt-out path.
- Data Processing Agreement: Request the Data Processing Agreement (DPA) and the current sub-processor list.
- Breach History: Ask for breach-notification history and incident-response SLAs.
- Vulnerability Disclosure Policy: Confirm a coordinated vulnerability disclosure process and a security.txt contact.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| HIPAA | Not publicly verified | — |
| BAA Available (HIPAA) | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Data Residency | People's Republic of China | https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html |
| Trains on Customer Data (key clause) | True | https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2025-12-02 CVE: CVE-2025-63872 disclosed (severity MEDIUM)
- 2025-01 Breach: Infrastructure data exposure reported by Wiz Research (source tag: wiz_research); 1,000,000+ records
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | On request / trust portal | No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). |
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring change-tracking active
2 legal & policy documents under change-monitoring since 2026-06-12. 2 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-08 | CVE / Security Incident | 1 new CVE: CVE-2025-63872. |
| 2026-05-25 | Compliance Cert Change | Compliance status updated: GDPR: DPA available, HIPAA: compliant, ISO 27001: certified, SOC 2: certified. This entry records vendor-stated status; it is not reflected in the Readiness Breakdown above, which has no audit report or public DPA on file, so treat it as unverified until the certificate and DPA are produced. |
Ask the Legal Documents grounded · cited
Ask a question about DeepSeek's captured Terms, DPA, Privacy Policy or sub-processor list. Answers are read only from the actual document text and always shown with the exact clause. If the documents don't cover it, we say so — we never guess.
The AI summary only restates the clauses below it and is verified against them — the verbatim clause is always the source of truth.
Monitor DeepSeek — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment DeepSeek changes something that affects your risk. Built for procurement & security teams.