What Actually Happens to Your Data When You Use a Hosted AI Service
Your request leaves your network, is processed on infrastructure you do not control, and falls under a jurisdiction reachable by extraterritorial law.
When you send a prompt to a hosted AI service, your request leaves your network and travels to infrastructure you do not control, where it can be decrypted, logged, retained and processed under that provider's jurisdiction. It may be read by provider staff, by subprocessors, and, under laws such as the US CLOUD Act, by a foreign government acting on a lawful order. The reason is architectural: once data crosses your perimeter, the only thing between your information and a third party is a contract, and a contract is a promise, not a technical control.
This matters more in 2026 than two years ago, as regulatory expectations around data location, auditability and resilience have hardened. Legal teams, regulators and insurers now ask not what a provider promises but what its architecture makes possible, and for most hosted services confidentiality rests on policy rather than on physics.
How does the processor chain actually work?
A hosted request passes through more hands than the interface suggests:
- Your client encrypts the request in transit and sends it to the provider's public endpoint.
- The endpoint terminates that encryption, so the request becomes readable in plaintext inside the provider's environment.
- The request is routed to inference infrastructure, often across several regions and availability zones.
- Load balancers, gateways and observability systems may record metadata, and sometimes content, along the way.
- Subprocessors, cloud hosts, safety filters and analytics services may touch the request.
- A response returns by the same route, and logs may persist after you close the session.
Every hop is a place where data can be observed, copied or retained. Encryption in transit protects the wire, not the data once the provider decrypts it to process it.
What gets logged, and how long is it kept?
Providers log for legitimate reasons: abuse prevention, debugging, safety and billing. The question is what is captured and for how long:
- Prompt and response content, sometimes retained for a fixed window even when training is disabled.
- Metadata such as timestamps, account identifiers, IP addresses, token counts and model versions.
- Trust and safety flags that route certain content to human review.
Retention windows vary and can change. Enterprise tiers often reduce or disable content retention, but the control is administrative: you are trusting that the setting is honoured, binds every subprocessor, and survives an internal incident or a lawful demand, none of which you can inspect from outside.
Whose law reaches your data once it leaves?
Data sits under the jurisdiction where it is processed and where the processing company is incorporated. Under the US CLOUD Act, a US-based provider can be compelled to produce data it controls even when that data is stored on servers outside the US, and comparable reach exists elsewhere. That is real exposure for UK and European organisations: a lawful order in one country can reach information generated in another, often without notice to the affected party. This is not an accusation against any provider; it describes how extraterritorial law and centralised hosting interact.
Why is a contractual promise not a technical guarantee?
A data processing agreement is enforceable, and reputable providers honour theirs. But a contract operates after the fact: it gives you a claim if something goes wrong, not a mechanism that prevents it. A no-retention clause does not stop a misconfigured log from capturing a prompt, and a confidentiality term does not override a valid legal order. The distinction that matters to an auditor is between a control you can verify and a promise you have to trust.
“Once your data leaves your perimeter, confidentiality becomes a matter of someone else's policy, and a policy is not a proof.”
Which rules make this a board-level question in 2026?
Several regimes now treat data location and auditability as operational obligations, not preferences.
- GDPR governs where personal data goes, requiring transfers outside the UK and EU to carry adequate protection.
- DORA, in force since January 2025, holds financial entities accountable for the resilience and oversight of their critical ICT third parties, including cloud and AI suppliers.
- NIS2 extends security and incident duties to a wider set of essential and important entities.
- ISO/IEC 42001 sets an auditable management standard for AI systems, pushing organisations towards evidence rather than assurances.
- The EU AI Act high-risk obligations under Annex III, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moved to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve.
None of these rules ban hosted AI. They raise the bar on what you must be able to show, which a design where sensitive data never leaves your control makes easier to evidence.
What does an architecture without the exposure look like?
The exposure above comes from one decision: sending data to a runtime you do not own. Remove it and the chain collapses. Mickai is a Sovereign Intelligence Operating System, a SIOS, that runs offline on operator-owned hardware, and its design addresses the same failure points directly:
- A zero-egress inbound perimeter, so requests and model outputs do not leave the operator's environment: no processor chain to audit and no foreign endpoint to reach.
- Hardware-attested identity bound to the audit chain, so every action is tied to a verified device and operator rather than a portable account credential.
- A post-quantum signed audit ledger, where every action is sealed with ML-DSA signatures under FIPS 204, so the record can be verified offline and cannot be altered afterwards.
- Cross-model consensus, where sovereign models check each other rather than a single opaque endpoint.
Confidentiality becomes a property of the architecture an auditor can test, rather than a clause they have to trust. This approach is the subject of 104 filed UK patent applications and approximately 2,340 claims, owned by Mickai LTD. These applications remain pending, not granted or patented. We describe how the design supports data-protection and resilience duties. We do not claim it certifies compliance, which remains a matter for each operator and its assessors.
Frequently asked questions
Does enterprise or zero-retention mode mean your data is safe?
It reduces exposure but does not remove it. Zero-retention is an administrative setting, so your data is still decrypted and processed on infrastructure you do not control. It is a promise you cannot inspect from outside, and may not bind every subprocessor.
Can a hosted AI provider be forced to hand over your data?
Yes, under the right legal order. Laws such as the US CLOUD Act can compel a provider to produce data it controls, even when stored abroad, and the affected organisation is often not notified. A confidentiality clause does not override a valid legal demand.
Is your prompt used to train the model?
It depends on the tier and settings, and it can change. Many enterprise tiers disable training on your content, but that is a policy control, not a technical barrier, and it does not stop content being logged for safety or debugging while you trust the setting to hold.
Does running AI on our own hardware remove these risks?
Running inference on operator-owned hardware with a zero-egress perimeter removes the processor chain that creates most of the exposure, because the data never leaves your control. It does not remove your duty to secure that environment, but confidentiality becomes something you verify locally rather than trust a third party to uphold.
Is using a hosted AI service against GDPR or DORA?
Not automatically. These regimes do not ban hosted AI, but they require you to demonstrate control over where data goes, who can reach it, and how the system is governed. A hosted service raises the evidence burden that an architecture keeping data in your control makes easier to meet.




