FAQ

Security

Does xAI train on customers' API requests?

xAI never trains on your API inputs or outputs without your explicit permission.

API requests and responses are temporarily stored on our servers for 30 days in case they need to be audited for potential abuse or misuse. This data is automatically deleted after 30 days.

For teams that require stricter data handling, see Zero Data Retention (ZDR) below.


What is Zero Data Retention (ZDR)?

Zero Data Retention (ZDR) is an enterprise feature that prevents xAI from storing any API request or response data. ZDR is exclusively available to enterprise accounts. When ZDR is enabled for your team, your prompts, completions, and associated metadata are processed in real time but never persisted to our servers; once a response is delivered, no record of the exchange remains.

For more information about ZDR and enterprise plans, please contact sales@x.ai.

How it works

  • No logging: API inputs and outputs are not written to any datastore. The 30-day audit retention described above does not apply to ZDR-enabled teams.
  • Moderation still runs: Safety and content moderation checks are performed in real time, but moderation results are not stored.
  • Response header: Every API response includes an x-zero-data-retention header set to "true" or "false", so your application can programmatically confirm that ZDR is active.
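
An added example (not xAI's own code) of a fail-closed check on this header, for applications that must not proceed unless ZDR is confirmed. The function names and sample headers are constructed for illustration. Treating a missing, duplicated, or unexpected value as "not confirmed" is an assumption of the example.

```python
from typing import Mapping, Optional

ZDR_HEADER = "x-zero-data-retention"  # header name as given in this FAQ


class ZDRNotConfirmed(RuntimeError):
    """Raised when a response does not positively confirm ZDR."""


def zdr_status(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True/False for a well-formed header, None if missing or malformed."""
    # HTTP header names are case-insensitive, so match on the lowercased name.
    values = [v.strip() for k, v in headers.items() if k.lower() == ZDR_HEADER]
    if len(values) != 1:
        return None  # absent, or ambiguous (same header under two casings)
    # Only the two documented values are accepted; anything else is malformed.
    return {"true": True, "false": False}.get(values[0])


def require_zdr(headers: Mapping[str, str]) -> None:
    """Fail closed: anything other than an explicit "true" raises."""
    status = zdr_status(headers)
    if status is not True:
        reason = "header missing or malformed" if status is None else 'header is "false"'
        raise ZDRNotConfirmed(f"ZDR not confirmed: {reason}")


def audit(responses):
    """Return the ids of responses that did not confirm ZDR, for alerting."""
    flagged = []
    for resp_id, headers in responses:
        try:
            require_zdr(headers)
        except ZDRNotConfirmed:
            flagged.append(resp_id)
    return flagged


# Constructed sample response headers (not captured from a real API call).
SAMPLE = [
    ("r1", {"Content-Type": "application/json", "x-zero-data-retention": "true"}),
    ("r2", {"X-Zero-Data-Retention": "true"}),   # different casing of the name
    ("r3", {"x-zero-data-retention": "false"}),  # ZDR not active
    ("r4", {"Content-Type": "application/json"}),  # header absent
    ("r5", {"x-zero-data-retention": "yes"}),    # undocumented value
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```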

How to enable ZDR

ZDR is only available to enterprise accounts. To learn more or enable ZDR for your organization, please reach out to sales@x.ai. Once enabled, ZDR applies automatically to all API requests made with that team's API keys—no code changes are required.

You can verify ZDR is active for your team in the xAI Console team picker, which displays a "Zero Data Retention" label beneath your team name.

Considerations

  • No server-side conversation history: Because requests are not stored, features that rely on server-side state—such as the Responses API's automatic conversation threading via previous_response_id—are unavailable. You must manage conversation context client-side, e.g., by using use_encrypted_content for agentic tool-calling state.
  • No audit log entries for request content: Audit logs will still record administrative events (key creation, team changes, etc.), but the content of API requests and responses will not appear.

Is the xAI API HIPAA compliant?

To inquire about a Business Associate Agreement (BAA), please complete our BAA Questionnaire. A member of our team will review your responses and reach out with next steps.


Is xAI GDPR and SOC 2 compliant?

We are SOC 2 Type 2 compliant. Customers with a signed NDA can refer to our Trust Center for up-to-date information on our certifications and data governance.


Do you have Audit Logs?

Team admins can view an audit log that lists all user interactions with our API server. You can view it at xAI Console -> Audit Log.