DeepSeek releases its flagship models (R1, V3-series, V4-Pro, V4-Flash) as MIT-licensed open weights, enabling self-hosted EEA deployment that entirely severs the Chinese-server data path — the only operationally viable route for EU regulated enterprises. Any use of DeepSeek's own API or consumer service routes all data to servers in the People's Republic of China, where Chinese national security, cybersecurity, and data-security laws can compel disclosure to authorities without judicial review; Italy's Garante issued a definitive ban in January 2025, Berlin DPA escalated to Apple and Google app stores under DSA Article 16 in June 2025 characterising the app as 'illegal content', and formal GDPR investigations span at least seven EU member states as of mid-2026. DeepSeek has published no EU AI Act compliance statement, participates in no GPAI Code of Practice, and has no named DPO — direct API or consumer-service use must be treated as high-risk without additional mitigations.
All user data processed via DeepSeek's infrastructure is stored in the People's Republic of China. Chinese National Security Law (2017), Cybersecurity Law, and Data Security Law can compel DeepSeek to disclose data to Chinese authorities without judicial review, user notification, or EU-equivalent legal safeguards. The Berlin Commissioner confirmed in June 2025 that 'Chinese authorities have extensive access rights to personal data within the sphere of influence of Chinese companies' and that 'DeepSeek users in China do not have enforceable rights and effective legal remedies as guaranteed in the European Union'. This is the functional analogue of CLOUD Act exposure but under Chinese law, with substantially less legal recourse for EU enterprises.
Italy's Garante issued an immediate definitive ban on processing Italian users' data (January 30, 2025) after DeepSeek initially claimed GDPR does not apply and provided a response deemed 'totally insufficient'. Berlin DPA escalated to Apple/Google under DSA Article 16 in June 2025, characterising DeepSeek as 'illegal content', coordinated with four German DPAs. Active formal GDPR investigations span at least seven EU member states. No SCCs, adequacy decision, GDPR Art. 27 EU representative, or DPA template for enterprise API customers have been put in place.
January 2025: Wiz Research found a publicly accessible, unauthenticated ClickHouse database exposing 1M+ log entries with plaintext chat history, API secrets, and backend infrastructure data. Full database control and privilege escalation were possible. The iOS app was separately found to use deprecated 3DES encryption with hardcoded keys and to have App Transport Security globally disabled. DeepSeek-R1 showed a 91% jailbreak failure rate and an 86% prompt injection failure rate in independent security tests. No SOC 2, ISO 27001, or bug bounty programme has been identified.
Dozens of DeepSeek researchers have or have had affiliations with PLA laboratories and the Seven Sons of National Defence, per NYT reporting. Hardcoded connections to China Mobile (a US DoD-designated Chinese military company) were found in consumer app code by Feroot Security. Parent company High-Flyer is a designated member of China's national AI strategy. The CEO was personally engaged by Premier Li Qiang and met President Xi Jinping at a February 2025 symposium. At least 20 Chinese state-owned enterprises integrated DeepSeek models under a government 'AI+' programme.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
Flagship models (R1, V3, V3.2, V4-Pro, V4-Flash) released under MIT licence with full model weights on HuggingFace. MIT licence permits commercial use, derivative works, and distillation without restriction — explicitly confirmed in Terms of Use Section 4.2. Enables self-hosted EEA deployment that entirely eliminates the Chinese-server data path.
Detailed technical reports and arXiv preprints published for all major model releases; DeepSeek-R1 paper subsequently published in Nature (September 2025); V4 technical report released April 2026. Academic-quality disclosure of model architecture, training methodology, and benchmark results is a genuine strength.
Privacy policy updated February 10, 2026 to include an EEA/Switzerland/UK supplemental clause mapping processing purposes to GDPR legal bases and listing EU data subject rights. Terms of Use updated March 27, 2026 with an improved in-app opt-out toggle for model training ('Improve the model for everyone') — an improvement from prior email-only opt-out, though it has not resolved enforcement actions.
Responded promptly to Wiz Research's responsible disclosure of the ClickHouse database exposure, securing the unauthenticated database within approximately one hour of notification — demonstrating incident-response capability even in the absence of a formal CVD programme.
Active open-source community with 34+ GitHub repositories and a prolific HuggingFace presence. V4-Pro accumulated 174K+ downloads in its first week post-release; NVIDIA released an NVFP4 quantized variant in May 2026, signalling broad institutional adoption. Open-weights approach enables independent security research, red-teaming, and academic study.
Operationally active and releasing new models as of April–May 2026, with V4-Pro (the largest open-weights model at the time of release) and V4-Flash launched April 24, 2026 under MIT licence. High-Flyer's financial backing from quantitative trading provides an unusual degree of independence from external commercial pressure.
Privacy policy review
Creator profile
DeepSeek is a privately held Chinese AI research organisation, founded in 2023 and headquartered in Hangzhou, whose models (R1, V3-series, V4) are released under the MIT licence as open weights. While not CLOUD Act exposed, all user data is processed and stored in China, making it subject to Chinese national security and cybersecurity laws that can compel government access — a critical concern for EU regulated enterprises. The organisation has faced a formal Italian DPA ban, active GDPR investigations across multiple EU member states, a major unauthenticated database exposure, documented links between its researchers and PLA-affiliated institutions, and hardcoded connections to China Mobile in its consumer app code; EU enterprises should evaluate these risks carefully before deploying any DeepSeek API or consumer-facing service, though local self-hosted deployment of the open weights may substantially mitigate the data-sovereignty risk.
Stav editorial summary
Stav compliance has not yet scored DeepSeek. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“Based in Hangzhou, Zhejiang, DeepSeek is owned and funded by High-Flyer, a Chinese hedge fund.”
“On 30 January 2025, the Italian Data Protection Authority (Garante or Authority) imposed, as a matter of urgency and with immediate effect, a definiti...”
The company launched an eponymous chatbot alongside its DeepSeek-R1 ... Hangzhou DeepSeek Artificial Intelligence Basic Technology Research Co., Ltd....
“Chinese authorities have extensive access rights to personal data within the sphere of influence of Chinese companies. DeepSeek users in China do not...
The AI Act entered into force on 1 August 2024, and will be fully applicable 2 years later on 2 August 2026, with some exceptions: prohibited AI pract...
Italy’s Garante ordered DeepSeek’s app removed from Italian app stores. It took this step after receiving what it termed a “totally insufficient” resp...
After concluding that DeepSeek’s service processes extensive user data (prompts/chat histories, uploads, device/network and location data) and stores/...
Cloud security firm Wiz uncovered an unprotected DeepSeek database, giving full control over database operations and access to internal data, includin...
Perhaps most concerning, the DeepSeek-R1 model showed alarming failure rates in security tests: 91% for jailbreaking and 86% for prompt injection atta...
Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, inclu...
No EU AI Act compliance statement published. No GPAI Code of Practice signature or AI Office engagement. No training data summary meeting EU Commission template standards. No named DPO. GPAI obligations under EU AI Act Article 53 became applicable August 2, 2025; chatbot transparency rules take effect August 2026. Non-compliance risks fines up to €35M or 7% of global turnover for the most serious AI Act violations.
User chat inputs are used to train models with a settings opt-out (improved from prior email-only opt-out in Terms of Use updated March 27, 2026). GDPR requires a clear legal basis and meaningful consent architecture. No Data Processing Agreement template is available for EU enterprise API users. The EEA supplemental clause added in February 2025 has not resolved EU DPA enforcement actions.
The Czech Republic banned DeepSeek from public administration devices (July 2025), citing NÚKIB warnings that data handling practices 'may allow unauthorised access by Chinese state authorities'. Czech, Italian, and German enforcement actions signal a growing EU public-sector consensus on the risk. EU enterprises in regulated sectors — especially public sector, healthcare, and defence-adjacent — face specific procurement restrictions and reputational risk.
Published safeguards & certifications
“Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, inclu...”
On April 24, 2026, DeepSeek shipped two production-ready models — DeepSeek V4-Pro and DeepSeek V4-Flash — both available immediately via the DeepSeek ...
You can self-host commercially without contacting DeepSeek.