Loading the catalogue…
Loading the catalogue…
Tencent is a China-headquartered internet and technology group that publishes AI models under the Hunyuan brand, with a mixed open/closed weights posture and a rapidly growing open-source release cadence. It is not CLOUD Act exposed (no US incorporation or US parent), but is subject to China's 2017 National Intelligence Law, which compels Chinese companies to cooperate with state intelligence agencies — a structurally analogous and, for EU regulated sectors, equally serious sovereignty risk. In January 2025 the US Department of Defense added Tencent to its Section 1260H list of Chinese Military Companies; Tencent disputes this designation and has initiated a formal reconsideration process, but the listing remains in force and signals elevated geopolitical scrutiny.
Tencent is a PRC-domiciled entity subject to China's 2017 National Intelligence Law, which legally obliges Chinese companies to cooperate with state intelligence agencies on request — with no independent judicial oversight mechanism. Personal data processed by Tencent servers in the PRC (as stated in their corporate privacy policy) may be subject to government access without notice.
In January 2025, the US Department of Defense designated Tencent as a 'Chinese Military Company' under Section 1260H of the NDAA. Tencent disputes the designation and has initiated reconsideration proceedings. The listing, while not a sanctions instrument, triggers enhanced due diligence obligations and signals elevated geopolitical exposure for enterprise customers in regulated sectors.
No EU AI Act compliance statement, GPAI Code of Practice participation, or EU-format training data summary has been identified for any Hunyuan model. As GPAI obligations became applicable in August 2025, Tencent's open-weight models distributed to EU deployers may face compliance gaps under Articles 53 and 55 of the AI Act.
Tencent's corporate privacy policy explicitly states that personal data is processed on servers located in the People's Republic of China. Even with EU SCCs in place, data transferred to Tencent's PRC-based infrastructure is potentially accessible by Chinese authorities under the National Intelligence Law, undermining the practical effectiveness of SCCs.
Hunyuan models are distributed under custom Tencent community licences rather than standard open-source licences (Apache 2.0, MIT). Licence conditions — including attribution requirements and redistribution terms — vary by model and require individual legal review before enterprise deployment.
A 2020 Foreign Policy report citing former CIA intelligence claimed Tencent received seed funding from China's Ministry of State Security. While unverified and disputed by Tencent, this allegation — alongside the DoD CMC listing — contributes to an overall elevated intelligence-access risk profile.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
Tencent Cloud holds an extensive portfolio of international security certifications including SOC 1/2/3, ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, ISO 22301, CSA STAR Gold, and NIST CSF. Tencent was the first cloud provider globally to obtain ISO 27701 certification.
Tencent Cloud publishes a GDPR-compliant Data Processing and Security Agreement (DPSA) that incorporates EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2) for transfers of personal data to third countries.
Tencent has appointed a designated Data Protection Officer (DPO) reachable at dataprotection@tencent.com and conducts regular Privacy Impact Assessments across its products.
Tencent operates a public bug bounty programme through its Security Response Centre, offering monetary rewards of $1,000–$10,000, and maintains a 24/7 emergency incident response mechanism.
The Hunyuan model series is actively open-sourced on HuggingFace, with accompanying arXiv technical reports, LoRA training code, and integration guides (Diffusers, ComfyUI). Tencent's open-source release cadence increased 8-9x between 2024 and early 2026.
Tencent maintains active community engagement through GitHub (Tencent-Hunyuan org), HuggingFace model repos, and responsive model update changelogs — including open-sourcing training code and publishing benchmark results.
Tencent is operating normally and actively investing in AI research. The Hunyuan model family spans text, video, image, 3D, and reasoning modalities, with sustained release cadence through 2025 and into 2026.
Published safeguards & certifications
Privacy policy review
Creator profile
Stav compliance has not yet scored Tencent. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“In September 2023, the model completed the filing process under the Interim Measures for the Management of Generative Artificial Intelligence Services...”
“The National Defense Authorization Act of 2024 bans the Defense Department from dealing with the designated companies beginning in June 2026. ”
In 2017, under Xi’s intensifying authoritarianism, Beijing promulgated a new national intelligence law that compels Chinese businesses to work with Ch...
Regulators, judicial authorities and law enforcement agencies, and other third parties for safety, security, or compliance with the law. There are cir...
On 7 January 2025, Tencent was added to a watchlist of companies allegedly working with China's military, along with CATL.
While this designation marked a significant escalation in U.S.-China tech tensions that could reshape the global gaming ecosystem, the company remains...
The National Defense Authorization Act of 2024 bans the Defense Department from dealing with the designated companies beginning in June 2026.
In September 2023, the model completed the filing process under the Interim Measures for the Management of Generative Artificial Intelligence Services...
2 August 2025 -- Obligations for providers of general-purpose AI (GPAI) models became applicable.
In 2017, under Xi’s intensifying authoritarianism, Beijing promulgated a new national intelligence law that compels Chinese businesses to work with Ch...
Regulators, judicial authorities and law enforcement agencies, and other third parties for safety, security, or compliance with the law. There are cir...
On 7 January 2025, Tencent was added to a watchlist of companies allegedly working with China's military, along with CATL.
While this designation marked a significant escalation in U.S.-China tech tensions that could reshape the global gaming ecosystem, the company remains...
The National Defense Authorization Act of 2024 bans the Defense Department from dealing with the designated companies beginning in June 2026.
In September 2023, the model completed the filing process under the Interim Measures for the Management of Generative Artificial Intelligence Services...
2 August 2025 -- Obligations for providers of general-purpose AI (GPAI) models became applicable.
“On 7 January 2025, Tencent was added to a watchlist of companies allegedly working with China's military, along with CATL. ”
“While this designation marked a significant escalation in U.S.-China tech tensions that could reshape the global gaming ecosystem, the company remains...”
“In 2017, under Xi’s intensifying authoritarianism, Beijing promulgated a new national intelligence law that compels Chinese businesses to work with Ch...”
“ByteDance and Tencent each increased releases by eight to nine times. ”
“2 August 2025 -- Obligations for providers of general-purpose AI (GPAI) models became applicable. ”
“Regulators, judicial authorities and law enforcement agencies, and other third parties for safety, security, or compliance with the law. There are cir...”
“b. in the case of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to data processor...”
“IM has passed SOC 1, SOC 2, and SOC 3 audits, meets the requirements of China's Cybersecurity Classified Protection 2.0 (Level 3), and is certified to...”
IM has passed SOC 1, SOC 2, and SOC 3 audits, meets the requirements of China's Cybersecurity Classified Protection 2.0 (Level 3), and is certified to...
b. in the case of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to data processor...
ByteDance and Tencent each increased releases by eight to nine times.
IM has passed SOC 1, SOC 2, and SOC 3 audits, meets the requirements of China's Cybersecurity Classified Protection 2.0 (Level 3), and is certified to...
b. in the case of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to data processor...
ByteDance and Tencent each increased releases by eight to nine times.