NVIDIA is a publicly-listed US technology company headquartered in Santa Clara, California, that designs AI chips and publishes AI models — including the open-weights Nemotron family — distributed under a mix of custom NVIDIA licences and proprietary terms. As a US-incorporated entity, it is fully exposed to CLOUD Act and FISA Section 702 compelled-disclosure obligations, which EU regulated-sector deployers must assess against their own data-sovereignty requirements. NVIDIA operates a dedicated AI Trust Center and holds ISO 27001, ISO 27017, ISO 27018, SOC, and TISAX certifications for its cloud services; however, an active US DOJ antitrust investigation and Chinese regulatory scrutiny represent ongoing governance risks that customers in regulated sectors should monitor.
NVIDIA is US-incorporated and US-headquartered, making it fully subject to CLOUD Act compelled-disclosure obligations and FISA Section 702. Any data processed through NVIDIA-hosted AI services (DGX Cloud, hosted NIM APIs at build.nvidia.com) is potentially accessible to US government agencies without EU customer notification.
NVIDIA's GPAI Code of Practice signatory status is unconfirmed. If NVIDIA has not signed the Code, it must demonstrate EU AI Act GPAI compliance via alternative means, which may involve greater regulatory scrutiny from the AI Office, particularly once full enforcement begins August 2026.
Active US DOJ antitrust investigation: the DOJ issued subpoenas to NVIDIA in September 2024 over allegations that NVIDIA penalises customers who do not exclusively use its AI chips and makes it harder to switch to competitors. No formal complaint has yet been filed.
China SAMR antitrust inquiry: China's antitrust regulators published a preliminary finding (September 2025) that NVIDIA's compliance with commitments made at the close of the Mellanox acquisition may be deficient, per NVIDIA's own 10-Q SEC filing. This represents concurrent multi-jurisdictional regulatory scrutiny.
2022 LAPSUS$ ransomware breach: approximately 1 TB of internal NVIDIA data was exfiltrated, including employee credentials and proprietary source code. NVIDIA has since substantially strengthened its security posture, but the incident demonstrated significant prior exposure.
No public DPA template for NVIDIA AI cloud inference services was found. EU enterprises in regulated sectors processing personal data through NVIDIA-hosted APIs need to request and execute a DPA with NVIDIA before using those services.
NVIDIA uses custom, non-standard licences (NVIDIA Open Model License) for most open-weights models; production deployment of NIM microservices requires a commercial NVIDIA AI Enterprise licence. This creates licence compliance obligations and commercial dependencies for EU regulated-sector deployers.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
NVIDIA's AI Trust Center confirms ISO 27001, ISO 27017, ISO 27018, ISO 50001, SOC (SSAE 18), SIG Lite, and TISAX certifications — a comprehensive and current set of third-party validated security controls, updated as recently as June 2026.
NVIDIA publishes open model weights, training data information, and model cards for the Nemotron family and other models on HuggingFace (huggingface.co/nvidia), providing meaningful transparency for open-weights models.
NVIDIA publishes a comprehensive, actively maintained privacy policy with EU-localised variants (en-eu) and a dedicated terms-of-service page, both hosted on its own canonical domain.
NVIDIA was the first company accredited by ANAB to establish the Halos AI Systems Inspection Lab, creating a certified framework for functional safety, cybersecurity, and AI compliance for physical AI deployments.
NVIDIA is a well-established, publicly listed US corporation with CEO Jensen Huang holding the role continuously since co-founding the company in 1993 — an exceptional leadership continuity record for a major technology organisation.
NVIDIA NIM microservices are deeply integrated with HuggingFace Inference Endpoints and support over 100,000 HuggingFace LLMs for rapid enterprise deployment, demonstrating broad community and ecosystem engagement.
NVIDIA's AI Trust Center (nvidia.com/en-us/ai-trust-center/) is a dedicated, publicly accessible compliance and trust resource that covers security certifications, responsible AI, and physical AI safety — updated as recently as June 2026.
Published safeguards & certifications
Privacy policy review
Creator profile
NVIDIA is a US-incorporated, publicly listed technology company headquartered in Santa Clara, California, making it fully subject to CLOUD Act and FISA Section 702 compelled-access obligations — a material consideration for EU regulated-sector deployments. Its AI model portfolio (the Nemotron family) spans genuinely open-weights releases under a permissive NVIDIA Open Model License with published training data and recipes, alongside proprietary NIM microservices requiring an enterprise licence. The 2022 Lapsus$ breach — which exposed over 70,000 employee credentials and proprietary source code — is the most significant security incident on record; NVIDIA has since invested in an AI Trust Center, SOC-audited controls, and a published product-security programme, but no ISO 27001 certification has been publicly confirmed for its AI services stack.
Stav editorial summary
NVIDIA is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
Exposed on training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored NVIDIA. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“NVIDIA Nemotron models aren't just open, but truly open source. NVIDIA publishes the training datasets, techniques, and model weights so the open...”
“SOC reports & certification are the output of an annual 3rd party external audit of security controls. The audits, reports and certification follo...”
Nvidia Corporation (/ɛnˈvɪdiə/ en-VID-ee-ə) is an American technology company headquartered in Santa Clara, California.
year): $4.9 · Sector: Information Technology · Industry: Semiconductors & Semiconductor Equipment · CEO: Mr. Jen-Hsun Huang · Headquarters: Santa Clar...
The release of Nemotron 3 Super under the Nvidia Open Model License Agreement (updated October 2025) provides a permissive framework for enterprise ad...
NVIDIA Nemotron is a family of open-source models with open weights, training data, and recipes, delivering leading efficiency and accuracy for buildi...
Beyond Nemotron, NVIDIA's broader open data catalog spans 200+ releases across Physical AI and robotics, autonomous vehicles, biology and drug di...
The Act entered into force on August 1, 2024, with enforceable GPAI obligations starting August 2, 2025.
“Any model trained using ≥10²⁵ FLOPs is presumed to have high-impact capabilities and may be classified as systemic-risk GPAI. ”
“After halting AI chip exports to China in April 2025, the Trump administration quietly reversed its policy just three months later in July 2025, assur...”
“The smuggling ring, they said, attempted to export at least $160 million worth of Nvidia H100 and H200 GPUs to China between October 2024 and May 2025...”
“NVIDIA Corporation’s ISS Governance QualityScore as of May 1, 2026 is 8. The pillar scores are Audit: 5; Board: 10; Shareholder Rights: 8; Compensatio...”
“Application Security , Data Breach Notification , Incident & Breach Response · Thousands of Employee Email IDs, NTLM Password Hashes Leaked Prajeet Na...”
“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further ...”