Grok (xAI / X): Privacy, Training & Output Ownership
Tier-by-tier analysis of Grok (xAI / X)'s data handling, training policies, and commercial output rights. Updated 2026-02-12.
Quick Answer
Grok is an artificial intelligence assistant developed by xAI, integrated into the X (formerly Twitter) platform and available via professional API and the new Grok Business/Enterprise tiers launched in January 2026. Its privacy protections vary dramatically from a data-harvesting consumer tier to enterprise-grade Vault deployments with customer-managed encryption keys. The xAI API provides developer access to Grok models with SOC 2 Type 2 compliance, zero data retention, and BAA availability. SpaceX acquired xAI in 2026.
Professional users and legal counsel should strictly avoid sharing confidential data or PII with Grok via X (Free/Premium) and should instead use the Enterprise Vault or the API with ZDR, where training is disabled, ZDR is available, and BAAs can be obtained. The xAI API offers a strong privacy posture comparable to Anthropic's and OpenAI's API offerings, with competitive pricing and OpenAI/Anthropic SDK compatibility.
Tier-by-Tier Analysis
Consumer (Free, Premium, Premium+, SuperGrok)
Sensitive Data: No
Used for Training: Yes
Output Ownership: Conditional
Sensitive Data
Inputs are tied to your public social identity and platform usage data.
Training
Inputs and conversation history are used by default to train future xAI models.
In consumer tiers, X defaults to using user interactions, including queries and results, for the fine-tuning of Grok models. While an opt-out toggle exists in the 'Privacy and Safety' settings on the web version of X, the default posture remains extractive for the global user base.
Output Ownership
Users own outputs but grant X a broad, perpetual license to use the content.
The X Terms of Service state that users retain ownership of the content they create, but the platform is granted a worldwide, non-exclusive, royalty-free license to use, copy, and modify that content, including training AI models on the generated output. xAI's Enterprise Terms note that users should attribute generated work to Grok per xAI's Brand Guidelines.
Data Retention
Conversations are stored to provide history and context. Even if a conversation is deleted from the UI, metadata and anonymized versions of the text may remain in X's systems for model improvement or legal compliance purposes.
Security Measures
Security is based on standard social media platform protocols (2FA, encryption in transit), but lacks the SOC 2 or HIPAA-level guarantees required for professional confidential environments.
Your Rights & Control
Users in the EU and UK benefit from 'Grok-EU' variants which have stricter data processing rules due to GDPR, while US users have limited recourse beyond the manual opt-out toggle in account settings.
Special Considerations
The integration with X means that Grok may analyze your public posts and profile to personalize responses. In January 2026, xAI faced significant controversy over Grok-generated deepfake images, including CSAM concerns, which may affect enterprise adoption optics despite technical isolation of business tiers.
Grok Business ($30/seat/mo)
Sensitive Data: Limited
Used for Training: No
Output Ownership: User
Sensitive Data
Designed for team use with SOC 2 compliance, no training on data, and administrative controls, but no BAA or customer-managed encryption.
Training
Customer data is explicitly excluded from model training under xAI's Enterprise Terms.
Under xAI's Enterprise Terms, data submitted through Grok Business is not used to train the base Grok models. xAI may offer free credits in exchange for opt-in training consent, but this is never the default.
Output Ownership
Business customers maintain proprietary rights over inputs and outputs.
xAI makes no claim to the intellectual property generated by business customers. The user retains copyright and proprietary interests in both the prompts and the resulting completions, though attribution to Grok is requested per Brand Guidelines.
Data Retention
Workspace data is stored to provide history and collaboration features. Admins have access to 90-day audit logs for administrative changes, API keys, and membership updates with on-demand export.
Security Measures
SOC 2 Type 2 compliance, GDPR and CCPA compliance, data encryption at rest (AES-256) and in transit (TLS 1.3), DPA auto-incorporated into Enterprise Terms when personal data is submitted. One-click connectors to Google Drive, SharePoint, GitHub, and Dropbox.
Your Rights & Control
Administrators can manage team settings, user access, and usage monitoring through the xAI console. Self-serve portal for onboarding.
Special Considerations
Suitable for small-to-medium teams needing non-training guarantees and SOC 2 compliance. However, it lacks BAA support, customer-managed encryption keys, and the isolated Vault architecture available in the Enterprise tier.
Enterprise / Enterprise Vault
Sensitive Data: Yes
Used for Training: No
Output Ownership: User
Sensitive Data
Full enterprise-grade security with SOC 2 Type 2, DPA, BAA availability, ZDR, and optional Vault with customer-managed encryption keys and isolated data plane.
Training
Customer data sent via the API or Enterprise Vault is explicitly excluded from model training.
Under xAI's Enterprise Terms and API documentation, data submitted through the API or Enterprise tier is not used to train the base Grok models. The Vault deployment provides an isolated data plane completely separate from the shared consumer stack.
Output Ownership
Enterprise customers maintain full proprietary rights over all inputs and outputs.
xAI makes no claim to the intellectual property generated by enterprise customers. The user retains all copyright and proprietary interests in both the prompts and the resulting completions.
Data Retention
The API supports configurable retention settings, including zero data retention (ZDR) where data is processed in-memory and discarded immediately after the response is generated. Enterprise Vault data is encrypted with customer-managed keys and isolated from all other customers.
Security Measures
SOC 2 Type 2 certification, GDPR and CCPA compliance, data encryption at rest and in transit with customer-managed encryption keys (Vault tier), DPA auto-incorporated, and BAA available via xAI's BAA Questionnaire for HIPAA use cases. Data residency options available depending on SLA.
Your Rights & Control
Business users have the right to request data deletion at the organizational level and can enforce strict data residency requirements depending on the service level agreement (SLA).
Special Considerations
Enterprise Vault provides the highest security tier with an isolated data plane, customer-managed encryption, and complete separation from the shared consumer infrastructure. xAI has secured a Department of Defense GenAI.mil contract with IL5 security clearance. The xAI API is compatible with OpenAI and Anthropic SDKs, simplifying migration.
Standard API
Sensitive Data: Limited
Used for Training: No
Output Ownership: User
Sensitive Data
No training on API data by default. DPA auto-incorporated when personal data is submitted. Standard retention applies for abuse monitoring.
Training
xAI does not use API data to train Grok models by default. xAI may offer optional free credits in exchange for training consent, but this is never automatic.
Under xAI's Enterprise Terms (which govern API access), data submitted through the API is not used to train the base Grok models. xAI's FAQ explicitly states: 'We do not use your business data, including inputs (prompts) or outputs (answers), for training our models.' The company may offer free credits in exchange for opt-in training consent, but this is never the default.
Output Ownership
Developers retain full ownership of inputs and outputs under xAI's Enterprise Terms.
Developers retain full ownership of outputs. xAI requests attribution to Grok per Brand Guidelines but does not claim IP rights over generated content.
Data Retention
Standard abuse monitoring retention applies. Specific retention windows are governed by the Enterprise Terms and may vary by configuration.
Security Measures
SOC 2 Type 2 certified. GDPR and CCPA compliant. Data encrypted in transit (TLS 1.3) and at rest (AES-256). DPA auto-incorporated into Enterprise Terms when personal data is submitted. API compatible with OpenAI and Anthropic SDKs.
Your Rights & Control
Developers can manage data through the xAI developer portal. Standard GDPR/CCPA rights apply.
Special Considerations
Grok models offer the industry's largest context window (2 million tokens on Grok 4.1 Fast) at highly competitive pricing ($0.20/M input tokens). The API endpoints are US-based, so data crosses international borders unless regional instances are configured. Real-time X (Twitter) data access is a unique capability not available from other providers.
API with Zero Data Retention (ZDR)
Sensitive Data: Yes
Used for Training: No
Output Ownership: User
Sensitive Data
ZDR eliminates persistent storage. BAA available for HIPAA use cases via xAI's BAA Questionnaire.
Training
No training and no persistent storage of inputs or outputs.
ZDR mode processes data in-memory and discards it immediately after the response is generated. No data is written to persistent storage or used for any purpose beyond fulfilling the immediate request.
Output Ownership
Full developer ownership with no xAI claims.
Identical to standard API — full ownership by the developer.
Data Retention
Zero. Data is processed in-memory and not written to disk. Configurable retention settings available for enterprise customers who want selective logging.
Security Measures
All standard API security plus zero persistent storage. SOC 2 Type 2. BAA available via xAI's BAA Questionnaire (submit through xAI's legal/enterprise portal). DPA auto-incorporated. Data residency options available depending on SLA.
Your Rights & Control
Same as standard API with minimal data footprint.
Special Considerations
xAI's Enterprise FAQ states: 'Under some circumstances, we can support a customer's HIPAA compliance obligations.' BAA requests require completing xAI's BAA Questionnaire. The xAI API is a newer entrant compared to OpenAI and Anthropic APIs — organizations in highly regulated industries may want to verify the maturity of xAI's compliance program through direct engagement with their security team.
FAQ: Grok (xAI / X)
Does Grok (xAI / X) train on my inputs?
Grok (xAI / X) has multiple tiers with different training policies. The Enterprise / Enterprise Vault tier does not train on inputs: Customer data sent via the API or Enterprise Vault is explicitly excluded from model training. Free and consumer tiers often allow training by default. See the full tier breakdown above.
Can I use Grok (xAI / X) with confidential or client data?
Grok (xAI / X) is safe for sensitive or client data at the strongest tier. Enterprise / Enterprise Vault: Full enterprise-grade security with SOC 2 Type 2, DPA, BAA availability, ZDR, and optional Vault with customer-managed encryption keys and isolated data plane. Consumer tiers should generally not be used with confidential material.
Who owns the output I generate with Grok (xAI / X)?
Output ownership for Grok (xAI / X) varies by tier. Enterprise / Enterprise Vault: Enterprise customers maintain full proprietary rights over all inputs and outputs.
What is Grok (xAI / X)'s data retention policy?
Grok (xAI / X) retention policies vary by tier. Enterprise / Enterprise Vault: The API supports configurable retention settings, including zero data retention (ZDR) where data is processed in-memory and discarded immediately after the response is generated. Enterprise Vault data is encrypted with customer-managed keys and isolated from all other customers.
Which Grok (xAI / X) tier is safest for professional or regulated use?
The Enterprise / Enterprise Vault tier of Grok (xAI / X) is the strongest option for professional or confidential use. Enterprise Vault provides the highest security tier with an isolated data plane, customer-managed encryption, and complete separation from the shared consumer infrastructure. xAI has secured a Department of Defense GenAI.mil contract with IL5 security clearance. The xAI API is compatible with OpenAI and Anthropic SDKs, simplifying migration.
Does Grok (xAI / X) meet ABA Model Rule 1.6 confidentiality for lawyers handling client data?
Yes, at the strongest tier. Use the Enterprise / Enterprise Vault tier of Grok (xAI / X). See the AI Privacy Guide at https://hoaglaw.ai/resources/ai-privacy-guide for the full comparison.