Zero data retention
Zero data retention is a contractual commitment that an AI vendor will not persist inputs or outputs beyond what is required to return the response.
What zero data retention means
"Zero data retention" (ZDR) is a contract term, not a technical guarantee. It typically means: inputs (prompts) and outputs (completions) are processed in memory to return the response, then discarded; no copy is written to persistent storage; no copy is used for evaluation, training, or product improvement; security logs may retain truncated metadata for abuse prevention but not the content itself. Major AI labs (OpenAI, Anthropic, Google) offer ZDR as a contract option for enterprise customers, often as part of a HIPAA or zero-trust deployment configuration.
What to verify
ZDR claims are common; ZDR enforcement is variable. Ask: What specifically is retained for security or abuse purposes, and for how long? Does the no-training clause flow down to sub-processors (the frontier model API providers, when the vendor is an integrator)? What auditable evidence exists that ZDR is enforced (architectural diagrams, third-party audit observations, contractual remedies for breach)? What happens if law enforcement subpoenas the data the vendor claims not to retain?
ZDR for healthcare and finance
Healthcare and financial-services buyers commonly require ZDR as a contractual addendum. For HIPAA, ZDR is often the simplest way to make a vendor's service eligible for PHI processing — if nothing is retained, the surface area for breach is much smaller. For financial services, ZDR limits the scope of material non-public information that could be exposed in a sub-processor breach. Expect ZDR negotiations to add 2-6 weeks to procurement timelines for enterprise vendors who do not offer it as standard.