OpenRouter
GDPR Compliance
Data Handling
EU in-region routing (eu.openrouter.ai) is enterprise-only and not enabled by default. Standard accounts route globally through US infrastructure with no data-residency guarantee. Even with EU routing enabled, every request passes through OpenRouter's US gateway infrastructure, creating a mandatory cross-border transfer.
OpenRouter layer: prompts are not logged by default (ZDR mode); opt-in prompt logging is available. Upstream providers each have their own retention policies, which vary widely. The ZDR flag restricts routing to zero-retention endpoints only.
Each of the 60+ upstream providers is effectively a sub-processor with its own data handling policy. OpenRouter's own DPA covers only OpenRouter's layer, not upstream providers.
Certifications & EU AI Act
Verification
Gateway routing to 300+ upstream models (GPT-4o, Claude, Gemini, Llama, DeepSeek, Mistral, etc.). Most complex GDPR posture in this directory: the gateway architecture makes every upstream provider a de facto sub-processor, none of which is formally listed. EU routing requires an enterprise agreement. Illustrates the compliance gap created by gateway/aggregator services.