Moonshot AI is a privately held Chinese AI lab headquartered in Beijing, operating under China's Data Security Law, Cybersecurity Law, and national intelligence obligations, meaning data processed via its hosted API is subject to Chinese government access. Its recent Kimi K2 / K2.5 / K2.6 models are released as open weights under a modified MIT licence, making self-hosted EU deployment possible but requiring careful supply-chain due diligence. The lab carries two significant reputational incidents: Anthropic's February 2026 public accusation that Moonshot ran an industrial-scale campaign of over 3.4 million fraudulent API exchanges to distil Claude's capabilities, and an ongoing investor arbitration arising from the co-founders' prior venture.
Moonshot AI is headquartered in Beijing, China, and subject to China's National Intelligence Law, Cybersecurity Law, Data Security Law, and PIPL. Chinese law requires organisations to cooperate with government security requests, including intelligence access. Data processed via the Kimi API is processed in China with no EU data residency option confirmed.
The Kimi API privacy policy lacks key GDPR compliance elements: no DPO contact, no SCC or adequacy-decision references for international transfers, no explicit opt-out from model training, and no DPIA documentation. Multiple European AI security advisories explicitly flag Kimi API usage as GDPR-critical for enterprise customers.
In February 2026, Anthropic publicly accused Moonshot AI of orchestrating 3.4 million fraudulent API interactions against Claude via hundreds of fake accounts to distil capabilities into its own models. Anthropic attributes the campaign to senior Moonshot staff. This represents a serious compliance and ethics signal: willingness to use deceptive data acquisition at industrial scale.
Moonshot AI models likely qualify as GPAI with systemic risk under the EU AI Act (1T parameters, ~15.5T token training corpus). No EU AI Act compliance statement, GPAI registration, Code of Practice participation, or systemic risk self-assessment has been published. EU GPAI obligations have been in force since August 2025.
Alibaba holds a ~36% equity stake in Moonshot AI. Alibaba is itself subject to significant Chinese government influence. This creates a dual-layer government-adjacent ownership structure that may affect decision-making independence and data governance.
An HKIAC arbitration case (filed November 2024, unresolved as of May 2026) brought by five investors from the co-founders' prior venture (Recurrent AI) alleges that Yang Zhilin and Zhang Yutao raised funds and founded Moonshot AI without obtaining required investor waivers. Ongoing legal uncertainty at the founder level is a governance risk.
An independent safety evaluation (arXiv, April 2026) found that Kimi K2.5 matches frontier models on CBRNE dual-use capabilities while refusing harmful requests significantly less often, and that there is no ability to monitor, restrict, or revoke open-weight access. This raises dual-use risk in regulated sectors.
There is no confirmed SOC 2, ISO 27001, or equivalent security certification for the Kimi API platform. The platform mentions 'SLA-backed reliability with data compliance and privacy protections' without verifiable certification evidence. Harmonic Security enterprise monitoring found Kimi has 'minimal data handling transparency'.
The modified MIT licence for Kimi K2 / K2.5 includes a commercial attribution requirement (>100M MAU or >$20M/month revenue). EU enterprises deploying these weights at scale may need to display 'Kimi K2.5' branding, as illustrated by the Cursor enforcement precedent (March 2026).
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
The catalogue lists every family Stav knows about — including families we don’t yet host, so the picture stays authoritative.
Families served on Stav
Kimi K2 and K2.5 are released as open weights with published technical reports, enabling independent inspection, evaluation, and self-hosted deployment — which is the recommended path for EU enterprise customers.
Moonshot AI won the USENIX FAST 2025 Best Paper Award for the Mooncake serving architecture paper, demonstrating credible peer-reviewed research output.
Active GitHub presence with 38 public repositories and an active HuggingFace org (10,217 followers, models with millions of downloads). Community engagement is genuine and technically substantive.
A rapid, consistent model release cadence (K2 to K2.6 in under 12 months) and funding from major investors indicate organisational capacity to maintain and update models in the Stav catalogue.
The Kimi K2.5 modified MIT licence includes an explicit commercial attribution mechanism designed to ensure downstream transparency — a positive step toward licence governance in the open-weight ecosystem.
Published safeguards & certifications
Privacy policy review
Creator profile
Stav compliance has not yet scored Moonshot AI. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“'Dark Side of the Moon') is an artificial intelligence (AI) company based in Beijing, China. It has been dubbed one of China's "AI...”
“... No link to a Data Protection Officer (DPO) under GDPR — only generic email.”
“For DACH enterprises, we recommend exclusively self-hosting in your own EU infrastructure. With API usage, data is processed in China, which is GDPR-c...”
“Our services are provided and controlled by MOONSHOT AI PTE. LTD. (“we” or “Moonshot AI”) in Singapore through web pages.”
“Anthropic dropped a bombshell on the artificial intelligence industry Monday, publicly accusing three prominent Chinese AI laboratories — DeepSeek, Mo...”
As classified under Regulation (EU) 2024/1689.
Provider of GPAI model with systemic risk (>10^25 FLOPs).