Amazon Web Services is a US-headquartered, publicly listed cloud and AI company — a subsidiary of Amazon.com — and is subject to full CLOUD Act and FISA Section 702 jurisdiction. Its first-party foundation models (the Amazon Nova family) are proprietary, closed-weights, and only accessible via Amazon Bedrock; Bedrock explicitly commits not to use customer data for training and encrypts all data in transit and at rest. Amazon signed the EU GPAI Code of Practice in August 2025, holds a published EU AI Act compliance blog post, and maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, HIPAA, and FedRAMP High certifications — making it one of the more robustly credentialled hyperscale AI providers for EU regulated sectors, albeit with irreducible US jurisdiction risk.
Amazon/AWS is a US entity subject to full CLOUD Act and FISA Section 702 jurisdiction. US authorities can compel access to data held by AWS regardless of where it is physically stored or processed. This is the primary residual risk for EU regulated sector customers even when using EU-region Bedrock infrastructure.
Deep US government contracting relationships (CIA, NSA, DoD) create a potential dual-use concern. EU customers in government or defence-adjacent sectors should assess whether their data workloads could conflict with AWS's US government obligations.
Amazon has not publicly disclosed training compute (FLOPs) for Nova models. If any Nova model exceeds the 10^25 FLOPs systemic risk threshold, additional EU AI Act obligations (adversarial testing, incident reporting, cybersecurity measures) apply. This cannot be independently verified.
Third-party vendor-related incidents (MOVEit 2024, Codefinger credential abuse January 2025) demonstrate that the extended AWS supply chain carries credential-theft risk. AWS core systems were not directly compromised, but customer credential management hygiene is critical.
Amazon Nova model weights are fully proprietary and not available for independent inspection, security testing, or deployment outside AWS Bedrock. EU regulated customers cannot perform independent model audits on Nova internals.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
Amazon is a confirmed signatory of the EU GPAI Code of Practice (August 2025), granting a presumption of conformity with EU AI Act GPAI obligations and subjecting Amazon to EU AI Office oversight.
Bedrock holds SOC 1/2/3, ISO 27001/27017/27018/27701, HIPAA eligibility, FedRAMP Moderate and FedRAMP High, and CSA STAR Level 2 certifications — among the broadest certification coverage of any AI foundation model platform.
Amazon explicitly commits that customer data processed via Bedrock is never used to train or improve base models and is not shared with third-party model providers — a strong contractual data protection guarantee.
Bedrock supports EU data residency via In-Region and Geographic (EU) routing options, enabling EU customers to keep inference data within EU boundaries — a meaningful operational control for regulated sector deployments.
Amazon published the Nova Family Technical Report and Model Card via amazon.science and the amazon-agi HuggingFace page, providing benchmark results, model architecture information, and safety testing documentation.
Active product scaling trajectory: Nova 2 (December 2025), Nova Forge (December 2025), Bedrock AgentCore (May 2026), and OpenAI model hosting on Bedrock (2026) all confirm sustained investment in the AI model creator role.
Formal AWS-HuggingFace partnership covering SageMaker deep learning containers, inference toolkit, and joint developer resources — indicating sustained open ecosystem engagement alongside the proprietary Nova product line.
Privacy policy review
Creator profile
Amazon is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
Exposure applies to training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored Amazon. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“Amazon Bedrock is in scope for common compliance standards such as Service and Organization Control (SOC), International Organization for Standardizat...”
“Bedrock never stores or uses your data to train models, ensuring complete security and privacy, with encryption of data in transit and at rest, as wel...”
Current signatories include Amazon, Anthropic, Google, Mistral AI, and OpenAI.
Among U.S.-based technology companies, Amazon, Anthropic, Google, IBM, Microsoft, and OpenAI have signed the GPAI CoP.
AWS does not provide raw model weights, and Forge models are not portable outside Bedrock today.
Amazon and AWS have never experienced a data breach. Still, they have been connected with various third-party data breaches.
Indeed, within weeks of the Code’s publication, dozens of tech firms – including Amazon, Google, Microsoft, OpenAI, Anthropic and others – had volunta...
AWS published a dedicated EU AI Act compliance blog and is actively engaging with customers on their GPAI obligations, including releasing an open-source FLOPs Meter toolkit on SageMaker to help customers determine their own GPAI regulatory status.
Published safeguards & certifications
“Current signatories include Amazon, Anthropic, Google, Mistral AI, and OpenAI. ”
“AWS CLI: Run aws bedrock list-foundation-models to get the model ID, then aws bedrock list-foundation-model-agreement-offers --model-id <model-id> to ...”
“Among U.S.-based technology companies, Amazon, Anthropic, Google, IBM, Microsoft, and OpenAI have signed the GPAI CoP. ”
“Amazon and AWS have never experienced a data breach. Still, they have been connected with various third-party data breaches. ”
“Indeed, within weeks of the Code’s publication, dozens of tech firms – including Amazon, Google, Microsoft, OpenAI, Anthropic and others – had volunta...”
“AWS does not provide raw model weights, and Forge models are not portable outside Bedrock today. ”