Apple is a publicly traded, US-incorporated technology company headquartered in Cupertino, California, making it unambiguously subject to CLOUD Act and FISA Section 702 jurisdiction — a material, unresolvable data-sovereignty risk for EU regulated deployments. Its AI portfolio is split between proprietary Apple Intelligence foundation models (served exclusively through its own Private Cloud Compute infrastructure, with no third-party-accessible API or EEA-sovereign hosting path) and selectively open-weight research artefacts (OpenELM, DCLM-7B) published via HuggingFace. Apple holds strong security credentials — ISO/IEC 27001, ISO/IEC 27018, FIPS 140-2/-3, and an industry-leading bug bounty programme — but faces compounding EU regulatory exposure: a €500M DMA fine under active appeal, no verified participation in the EU AI Act GPAI Code of Practice (Commission enforcement powers activated 2 August 2026), a CEO succession effective 1 September 2026, and a documented feature-parity gap for EU users of Apple Intelligence.
Apple is incorporated and headquartered in the United States and is unambiguously subject to the CLOUD Act and FISA Section 702. US authorities can compel Apple to produce data — including EU user data processed via iCloud, Private Cloud Compute, or any Apple service — regardless of physical storage location. There is no EEA-sovereign inference path available for Apple Intelligence. EU regulated customers cannot avoid this exposure when using Apple AI services.
EU AI Act GPAI obligations have been in force since August 2, 2025, and Commission enforcement powers activated August 2, 2026. No verified evidence of Apple signing the GPAI Code of Practice or publishing a formal Article 53 training data summary in EU AI Office template format has been found. Non-signatories face heightened scrutiny and fines up to €15M or 3% of global annual turnover — at Apple's scale, the 3% cap is the binding constraint.
Apple was fined €500M by the European Commission in April 2025 for breaching DMA anti-steering obligations (App Store). Apple is contesting the decision. Additional active DMA investigations cover interoperability, app distribution, and browser engine restrictions. This pattern of regulatory friction — the largest single enforcement action against Apple by EU authorities — signals an adversarial rather than cooperative EU compliance posture.
Apple agreed a $95M US class-action settlement in December 2024 over Siri inadvertently recording private conversations without user knowledge between 2014 and 2024. The settlement requires deletion of pre-October 2019 audio recordings. The case demonstrates a decade-long privacy incident affecting tens of millions of users, including potentially EU data subjects.
The iOS 18.1 'Enhanced Visual Search' feature (October 2024) was enabled by default, sending anonymised photo data to Apple servers for landmark matching without explicit user opt-in. This auto-enrolment approach raises GDPR consent compliance concerns under Articles 6 and 7 and was not reversed proactively by Apple.
Apple is undergoing simultaneous senior leadership transitions: CEO succession (Cook to Ternus, effective September 1, 2026) and AI leadership restructuring (December 2025, prior AI head replaced by a Google veteran). While the CEO transition is board-approved and planned, concurrent changes at both CEO and AI-head levels during a critical period of EU regulatory engagement and GPAI compliance enforcement activation introduce governance continuity risk for EU enterprise customers.
Apple Intelligence features have been delayed or made unavailable in the EU market due to DMA regulatory uncertainty. EU enterprise customers cannot rely on parity of AI feature availability between Apple's EU and non-EU deployments, creating a reliability and vendor-lock-in risk for regulated-sector use cases.
Apple does not publicly advertise a named Data Protection Officer (DPO) or provide a direct DPO contact address on its website, as required by GDPR Article 37(7). Data subject enquiries are routed through a generic portal, creating a minor but verifiable compliance transparency gap.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
Apple holds ISO/IEC 27001 and ISO/IEC 27018 certifications with annual independent attestation by Coalfire, plus FIPS 140-2/-3 and Common Criteria certifications — one of the strongest public security certification portfolios among AI model creators.
Apple operates one of the most mature bug bounty programmes in the technology industry, with rewards up to $2M per exploit chain and a $5M+ maximum with bonuses (confirmed live on security.apple.com/bounty/ as of 2026). The programme is open to all researchers with a 90-day resolution target and CVE crediting.
Apple announced Memory Integrity Enforcement (MIE) in November 2025, a hardware-software architectural security upgrade combining Apple Silicon with OS security for always-on memory safety protection — demonstrating proactive, infrastructure-level security investment relevant to AI model integrity.
Apple publishes detailed foundation model technical reports via its Machine Learning Research portal (machinelearning.apple.com), including the 2024 and 2025 Apple Intelligence Foundation Language Models papers, providing architecture, training process, and benchmark data to the public.
Apple's Private Cloud Compute architecture is designed so that user inference data is not retained server-side after processing, with cryptographic attestation used to enforce this guarantee — a stronger privacy-by-design commitment than most cloud AI providers, and relevant for minimising data retention exposure.
Apple maintains an active HuggingFace presence (huggingface.co/apple), publishing research models including OpenELM (efficient LLM family, April 2024), DCLM-7B, FLAIR (federated learning dataset), DataCompDR, and 20+ CoreML models — demonstrating meaningful open-source research contribution since 2024.
Privacy policy review
Creator profile
Apple is a US-incorporated public technology company headquartered in Cupertino, California, making it fully subject to CLOUD Act and FISA Section 702 jurisdiction — a material data-sovereignty risk for EU regulated deployments. Its AI portfolio spans proprietary on-device and server foundation models (Apple Intelligence) and selectively open-weight research artefacts released via HuggingFace, with model cards published for some but not all releases; no explicit EU AI Act GPAI compliance statement has been verified. Apple carries strong privacy and security brand equity supported by ISO/IEC 27001, ISO/IEC 27018, and FIPS 140-2/-3 certifications and an industry-leading bug bounty programme, but faces active EU regulatory exposure via a 2025 DMA fine and a US Siri privacy class-action settlement, and is navigating a significant CEO succession effective September 2026.
Stav editorial summary
Apple is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
Exposed on training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored Apple. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“CUPERTINO, CALIFORNIA Apple announced that Tim Cook will become executive chairman of Apple’s board of directors and John Ternus, senior vice presiden...”
“For Ternus, perhaps the most critical aspect of his new job will be pushing the company deeper into artificial intelligence, where it's lagged many of...”
CUPERTINO, CALIFORNIA Apple announced ... of Hardware Engineering, will become Apple’s next chief executive officer effective on September 1, 2026.......
Mr. Ternus, 50, joined Apple in 2001 and assumed his current position in 2021.
From 2 August 2026, the Commission’s enforcement powers enter into application. The Commission will enforce compliance with the obligations for provid...
In particular, the AI Office will be able to impose fines of up to 3% global annual turnover or €15 million (whichever is higher), under Art. 101 EU A...
For signatories, the Commission will focus their enforcement activities on monitoring adherence to the Code, show these increased trust, and may take ...
In April 2024, Apple publicly shared a series of four Open Source Efficient LLMs (OpenELMs), and did so via the collaborative platform, Hugging Face.
Apple Computer, Inc. was incorporated in Cupertino, California, on January 3, 1977, without Wayne, who had left and sold his share of the company back...
On 22 April 2025, the European Commission (EC) finalised its non-compliance procedures against gatekeepers Meta and Apple for DMA infringements. The e...
Apple has publicly stated that it intends to appear against the decision. The Commission has conducted and continues to pursue other investigations of...
Apple’s $95 million settlement addresses privacy claims involving Siri’s inadvertent recordings of private conversations.
July 29, 2024 · research area Speech and Natural Language Processing · We present foundation language models developed to power Apple Intelligence featur...
Apple maintains a comprehensive, multi-language privacy policy (available for EU/EEA jurisdictions at apple.com/legal/privacy/en-ww/) and has Apple Distribution International (Cork, Ireland) as the designated EU data controller, establishing a clear GDPR accountability chain for European data subjects.
Apple reported strong quarterly financial performance in Q2 2026, and the CEO transition to John Ternus is unanimously board-approved following a long-term succession planning process — indicating financial stability and orderly governance continuity despite leadership change.
Published safeguards & certifications
“Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards — up to $2 million for sophisticated...”
“Apple maintains certifications in compliance with the ISO/IEC 27001 and ISO/IEC 27018 standards to enable Apple customers to address their regulatory ...”
I am really excited to introduce DataComp for Language Models (DCLM), our new testbed for controlled dataset experiments aimed at improving language m...
The release of OpenELM models aims to empower and enrich the open research community by providing access to state-of-the-art language models. Trained ...
As executive chairman, Cook will assist with certain aspects of the company, including engaging with policymakers around the world.