API Evaluation — Regulated & Financial Data Contexts
Both Anthropic and OpenAI have opted commercial API customers out of model training by default. The meaningful differences are in retention windows, how policy-violation flags override those defaults, and how much contractual protection you get before you start building.
"By default, we will not use your inputs or outputs from our commercial products to train our models."
— Anthropic Privacy Center, "Is my data used for model training?""Retained data is never used for model training without your express permission. Only what is technically necessary for the API and feature to work is retained. Conversation content (your prompts and Claude's outputs) is not retained by default."
— platform.claude.com/docs/en/manage-claude/api-and-data-retention"Even with ZDR or HIPAA arrangements in place, Anthropic may retain data where required by law or to combat Usage Policy violations and malicious uses of Anthropic's platform. As a result, if a chat or session is flagged for such a violation, Anthropic may retain inputs and outputs for up to 2 years."
— Claude API Data Retention docs (ZDR Limitations)"For Anthropic API users, we automatically delete inputs and outputs on our backend within 30 days of receipt or generation."
— Anthropic Privacy Center, "How long do you store my organization's data?" (pre-Sept 2025 language, now superseded by 7-day standard)The 7-day default applies to the standard Claude Messages API. Several features carry their own longer retention: Batch API (29 days), Code Execution containers (30 days), Files API (until you delete them), and MCP Connector. If your integration touches any of these, the 7-day figure does not apply to those data paths. Audit each feature you use against the feature eligibility table.
store parameter is always treated as false. Requires prior OpenAI approval — not self-serve.ENTERPRISE
"data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in)"
— developers.openai.com/api/docs/guides/your-data"Abuse monitoring logs are generated by default for all API feature usage and retained for up to 30 days, unless longer retention is required by law, or is reasonably necessary to protect our services or any third party from harm. Abuse monitoring logs may contain certain customer content, such as prompts and responses, as well as metadata derived from that customer content, such as classifier outputs."
— OpenAI Platform, Data Controls documentation"Eligible customers may have their customer content excluded from these abuse monitoring logs, subject to the limitations below, by getting approved for the Zero Data Retention or Modified Abuse Monitoring controls. Currently, these controls are subject to prior approval by OpenAI and acceptance of additional requirements."
— OpenAI Platform, Data Controls documentationThe key distinction for OpenAI: opting out of training and opting out of logging are separate controls. A standard API key with no special arrangement means your prompts sit in abuse monitoring logs for up to 30 days regardless of training opt-out status. If 30-day log retention is unacceptable for your use case, you need explicit ZDR approval — which is not available to all customers or on all endpoints.
| Provision | Anthropic | OpenAI |
|---|---|---|
| Cardholder / PCI DSS data | No explicit prohibition in standard API terms. DPA and retention controls recommended for cardholder data workloads. | Explicitly prohibited in ChatGPT consumer inputs. App Developer Terms bar apps from processing "payment card data or other information regulated under the PCI DSS." |
| Protected Health Information (PHI) | HIPAA-ready API access available with signed BAA. PHI must not appear in JSON schema definitions, enum values, or regex patterns. | HIPAA BAAs available for eligible enterprise customers on supported endpoints. |
| GDPR / EU personal data | DPA with SCCs automatically incorporated into Commercial ToS. Module Two (Controller-to-Processor). Accepted on execution of commercial terms. | DPA available; SCCs incorporated. OpenAI acts as Data Processor under DPA. Sub-processors bound by comparable obligations. |
| Sector-specific financial clauses | Not available. Standard DPA only — no sector-specific provisions for financial services, banking, or regulated professional services. | Not available in standard terms. Enterprise contracts may negotiate additional terms; consult OpenAI account team. |
| Sensitive personal data categories | Privacy Policy covers payment info collected for billing. API customer data governed by commercial agreement, not consumer Privacy Policy. | App Developer Terms require express opt-in consent for "sensitive personal data as defined by applicable laws, including CCPA." |
| Sub-processor liability | DPA specifies equivalent data protection obligations passed to sub-processors. Notice-based mechanism for changes. | DPA: OpenAI enters contractual arrangements with sub-processors that impose "comparable data protection obligations." |
| Data residency | Data residency controls available via inference_geo parameter on Messages API. ZDR-eligible. Regions outside US require ZDR amendment. |
Data residency available. Non-US regions require approved abuse monitoring controls plus ZDR amendment execution. |
Neither provider offers a sector-specific financial services DPA or SOC 2 supplement covering banking regulatory requirements (e.g., GLBA, FFIEC, OCC guidance on third-party risk) in their standard commercial terms. If your application handles regulated financial data, you will need to negotiate bespoke data processing terms with both providers — and factor in that their default DPAs are general-purpose GDPR instruments, not compliance frameworks for financial institutions.
If you are building on the standard API with no special agreement: Anthropic's 7-day default retention is meaningfully shorter than OpenAI's 30-day abuse-monitoring window. For applications that touch PII, financial records, or customer-identifiable data, shorter default retention reduces exposure if you cannot get ZDR approved. Anthropic API data also never enters training pipelines by default — confirmed independently.
If you are pursuing Zero Data Retention: Both providers require enterprise approval. Neither is self-serve. Anthropic's ZDR scope is documented in detail (feature-by-feature eligibility table); OpenAI's ZDR eligibility list for supported endpoints is less granularly published. Either way, assume negotiation time and confirm per-feature coverage in the contract before building a compliance case on ZDR claims.
If you handle regulated financial data (GLBA, FFIEC, banking regulators): Neither provider's standard DPA addresses financial-sector regulatory requirements. Both DPAs are GDPR instruments. You will need to negotiate custom data processing terms. Budget for legal review of both DPAs against your specific regulatory obligations before proceeding.
If you handle PCI DSS cardholder data: OpenAI explicitly prohibits this in consumer-tier and App Developer terms. The prohibition is less explicit in Anthropic's standard commercial terms, but PCI DSS compliance is your obligation as the processor — neither provider is PCI-scoped for customer workloads by default. Do not send PAN, CVV, or track data to either API without a specific PCI-scoped arrangement, which does not currently exist in standard offerings.
The policy-violation override applies equally to both: If content in a prompt triggers either provider's trust and safety classifiers, it can be retained for up to 2 years regardless of your ZDR arrangement. This is a non-negotiable carve-out in both contracts. In a financial context, consider whether the nature of the data you send could be misidentified as policy-violating content (e.g., discussion of fraud patterns for detection purposes), and test that edge case before production deployment.
Primary Sources