Is a zero-data-retention promise from an AI vendor enough for regulated data?
No: a zero data retention promise is a contract, not a technical guarantee, and only an architecture that blocks egress satisfies a regulator.
No. A zero-data-retention promise is a contractual assurance, not a technical guarantee, and regulated data needs a guarantee. The promise says a vendor will delete your data after processing. It does not stop that data crossing the vendor boundary, being copied in transit or logs, or being compelled from the vendor by a foreign court. Only an architecture where regulated data never leaves the operator boundary, and where every action is cryptographically provable, satisfies a regulator.
This matters because procurement in 2026 increasingly treats a data-processing agreement and a zero-retention clause as sufficient diligence for regulated records. They are not. A clause is enforced after a breach, by litigation; an architecture prevents the breach before it can happen. As DORA, NIS2 and the EU AI Act push the burden of proof onto the buyer, the gap between what a vendor promises and what a buyer can prove becomes the whole of the risk.
What is the difference between a contractual promise and an architectural guarantee?
A contractual promise is a commitment about behaviour. The vendor agrees to delete your data, not to train on it, and to notify you of a breach. It depends on the vendor keeping its word, on its subprocessors keeping theirs, and on its jurisdiction not compelling otherwise.
An architectural guarantee is a property of the system. If regulated data physically cannot leave the operator boundary, retention is not a policy the vendor chooses to honour; it is a state the design makes impossible to violate. The test is simple: what happens if the vendor breaks the promise? With a clause, the data has already gone and you are left to sue. With a zero-egress architecture, there is nothing to send.
“A promise is a statement about future behaviour, whereas a guarantee is a property of the system that holds even when the promise is broken.”
Why is zero data retention not a technical guarantee?
Retention is only one moment in the data lifecycle, and a zero-retention clause governs only what happens after processing. It says nothing verifiable about what happened while your data sat in the vendor's memory, was written to a debug log, was replicated across regions, or was cached by an intermediary.
It also cannot bind a third party. Under the US CLOUD Act, a US-based provider can be compelled to produce data it holds, wherever that data physically sits, and regardless of a European contract. A deletion promise does not survive a lawful production order. This is the structural reason regulated buyers cannot route privileged or personal data through a public, hosted AI service, however strong the paper terms. The data has already crossed a boundary the buyer does not control.
What can an auditor actually check?
An auditor cannot inspect a promise. They can only inspect evidence. The questions that decide an audit are mechanical:
- Where did the data physically go, and can you prove it never left the boundary?
- Who or what invoked each action, and is that identity bound to hardware you control?
- Is the record tamper-evident, or could it have been edited after the fact?
- Can the whole chain be replayed offline, with no dependency on the vendor?
A zero-retention clause answers none of these. An architecture with an offline-verifiable, post-quantum signed audit ledger answers all of them. An auditor cares not about what you were told, but what you can show.
Which rules make architecture, not promises, necessary?
Several 2026 regimes move the burden of proof onto the operator. DORA, in force across EU financial entities since January 2025, requires firms to evidence operational resilience and to manage third-party ICT risk directly, not outsource it behind a supplier promise. NIS2 extends security and accountability duties across critical sectors. GDPR already makes the controller liable for transfers and for demonstrating a lawful basis, which a deletion clause does not establish.
The EU AI Act adds provable governance. Its high-risk Annex III obligations, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk systems moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that not as a reprieve but as a build window: the obligation to log, trace and prove is coming, and it rewards architectures that can already produce the evidence. ISO/IEC 42001, the AI management-system standard, points the same way.
How does an architecture make egress impossible rather than merely forbidden?
Mickai is a Sovereign Intelligence Operating System, a SIOS, and it treats this as a design problem rather than a contractual one. It runs offline on operator-owned hardware, and sovereign models execute inside the boundary, so regulated data is never transmitted to an external service for inference. Four properties turn a promise into a guarantee:
- A zero-egress inbound perimeter: the system is built to receive and process, not to phone home, so there is no outbound path for regulated data to take.
- Hardware-attested identity bound to the audit chain: every action is tied to a specific, attested device, so the actor cannot be forged.
- A post-quantum signed audit ledger: each entry is sealed with FIPS 204 (ML-DSA) signatures, so the record is tamper-evident today and resistant to a future quantum adversary.
- Cross-model consensus: high-stakes outputs are checked by more than one sovereign model, so a single model cannot silently determine an answer of record.
This architecture is the subject of 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD. These are filed applications, never granted or patented.
What should a regulated buyer ask an AI vendor?
Replace the clause questions with architecture questions:
- Does regulated data leave our boundary at any point? If yes, no retention promise closes the gap.
- Can you produce a tamper-evident, offline-verifiable record of every action, without your servers being involved?
- Is the identity behind each action bound to hardware we control?
- Under which jurisdiction could you be compelled to disclose our data, and what prevents it?
If the honest answer to the first question is that data does leave, the buyer is trusting a promise. For regulated data, a promise is the wrong thing to trust.
Frequently asked questions
Is a data-processing agreement enough to use a public AI service with regulated data?
No. A data-processing agreement sets out obligations and liability, but it does not stop your data crossing into the vendor's infrastructure and jurisdiction. For regulated data, the deciding question is not what the contract says, but whether the data ever leaves your boundary. If it does, the agreement is a remedy after the fact, not a safeguard.
Does zero data retention stop the CLOUD Act?
No. The US CLOUD Act lets authorities compel a US-based provider to produce data it holds, wherever that data sits and whatever the contract says. A retention promise governs deletion, not disclosure under lawful order. The only reliable defence is that the provider never holds the data, which is an architectural property, not a clause.
Is the EU AI Act high-risk deadline still 2 August 2026?
No. The high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk systems moving to 2 August 2028. The Article 50 transparency duties are largely unchanged. We treat the delay as a build window, not a reason to defer the audit-ready architecture.
What is the difference between zero data retention and zero egress?
Zero data retention is a promise to delete data after the vendor has processed it. Zero egress is a design in which regulated data never leaves the operator boundary in the first place. Retention is about deletion; egress is about whether the data was ever exposed at all. Only zero egress removes the vendor from the trust equation.




