
Zero Data Retention (ZDR)

Zero Data Retention (ZDR) refers to a bundle of technical controls and contract terms that ensure customer content (prompts, outputs, files) is not stored at rest by a vendor. ZDR is the cornerstone requirement for enterprise adoption of LLMs in regulated sectors (healthcare, finance, government).

Without ZDR, providers may retain data for model training or abuse monitoring (often for up to 30 days).

ZDR Postures by Provider

Providers take fundamentally different approaches to data retention.

| Provider | Default Retention | ZDR Mechanism | How to Enable | Compliance |
|---|---|---|---|---|
| AWS Bedrock | None (ZDR default) | Default | No action needed | SOC 2, HIPAA, FedRAMP |
| Fireworks AI | None (ZDR default) | Default | No action needed | SOC 2, HIPAA |
| OpenAI | 30 days (abuse) | ZDR / MAM | Sales approval → Dashboard | SOC 2 |
| Anthropic | 7 days | ZDR Arrangement | Enterprise contract | SOC 2, HIPAA (BAA) |
| Google Vertex AI | 24h cache | Abuse monitoring exception | Support request / invoiced billing | SOC 2, HIPAA, ISO 27001 |
| Azure OpenAI | 30 days (abuse) | Abuse monitoring opt-out | Support ticket (EA/MCA required) | SOC 2, HIPAA, FedRAMP |
| Groq | 30 days | ZDR toggle | Dashboard Data Controls | SOC 2 |

Evaluation and Impact

ZDR eliminates provider-side risks, ensuring no training data leakage or third-party employee access. However, ZDR alone is not enough; it must be paired with proxy-based PII redaction and secure self-hosted environments for maximum security. For organizations with extreme privacy needs, self-hosting open-weight models (e.g., Llama, DeepSeek) remains the only fully trusted path.
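
The pairing of ZDR with proxy-based PII redaction, sketched as an added example that is not part of the original page: an egress gate that refuses providers whose ZDR is not in effect (postures taken from the table above) and swaps PII for placeholders before the prompt leaves the proxy. The regex patterns, function names and the `zdr_confirmed` set are assumptions for illustration, and the patterns are far from complete PII coverage.

```python
import re

# From the provider table: True = ZDR is the default, False = must be arranged first.
ZDR_BY_DEFAULT = {
    "AWS Bedrock": True, "Fireworks AI": True, "OpenAI": False, "Anthropic": False,
    "Google Vertex AI": False, "Azure OpenAI": False, "Groq": False,
}

# Illustrative patterns only (assumption); order matters: SSN is tried before PHONE.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}

class EgressDenied(Exception):
    """Raised when a request must not leave the proxy."""

def check_provider(provider, zdr_confirmed):
    # Fail closed: unknown providers and providers without ZDR in effect are refused.
    if provider not in ZDR_BY_DEFAULT:
        raise EgressDenied(f"unknown provider: {provider}")
    if not (ZDR_BY_DEFAULT[provider] or provider in zdr_confirmed):
        raise EgressDenied(f"ZDR not in effect for {provider}")

def redact(text):
    """Replace PII with stable placeholders; the mapping never leaves the proxy."""
    mapping = {}
    for label, pattern in PII_PATTERNS.items():
        def repl(match, label=label):
            value = match.group(0)
            for token, seen in mapping.items():
                if seen == value:          # same value -> same placeholder
                    return token
            n = sum(t.startswith(f"<{label}_") for t in mapping) + 1
            mapping[f"<{label}_{n}>"] = value
            return f"<{label}_{n}>"
        text = pattern.sub(repl, text)
    return text, mapping

def restore(text, mapping):
    """Re-insert original values into the provider's response, inside the trust boundary."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def prepare_request(provider, prompt, zdr_confirmed=frozenset()):
    """Gate on retention posture first, then redact what is about to be sent."""
    check_provider(provider, zdr_confirmed)
    return redact(prompt)
```

`zdr_confirmed` stands for whatever record the organization keeps once a contract, support ticket or dashboard toggle has actually put ZDR in effect for a provider.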

Sources

Questions

  • TBD — How do emerging open-weight reasoning models (like DeepSeek-R1) change the break-even math for self-hosting versus relying on ZDR cloud APIs?
  • TBD — What are the performance impacts of strict proxy-based PII redaction on RAG latency?