
# Data compliance and privacy

> Understand Orq.ai data handling, privacy practices, and compliance measures. GDPR, SOC 2, and enterprise security standards for AI application data.

## User-Controlled Model Integrations

Users integrate their own API keys and select the model providers they want to work with. As a result:

* Orq.ai does not require Data Processing Agreements (DPAs) with model providers, nor is Orq.ai a subprocessor for the model providers.
* Whether a model trains on the data depends on settings configured on the provider's side. Most providers allow training to be disabled—this must be configured directly in the provider's platform by the user.

## No Model Training on Platform Data

No data that flows through **orq.ai** is ever used to train or fine-tune any models by **orq.ai**. Input and output data are processed but not retained.

## Privacy and Masking Controls

**orq.ai** includes features to help ensure data privacy and regulatory compliance:

#### Input Masking

Input variables can be flagged as Personally Identifiable Information (PII), which includes Personal Data. These are sent to the model but are not stored or shown in logs.

<Frame caption="Flag an input as PII in the Security tab of your variant. Once deployed, the value is sent to the model but never stored.">
  <img src="https://mintcdn.com/orqai/R7t6xmeUretxbcfc/images/variable-pii.png?fit=max&auto=format&n=R7t6xmeUretxbcfc&q=85&s=7b66c02cebefb3ccb499e95410e5cc34" alt="Variables panel showing the Question variable with a dropdown to set it as None or Personal Identifiable Information (PII)." width="758" height="194" data-path="images/variable-pii.png" />
</Frame>

#### Output Masking

Entire model responses can be masked. While tokens are still exchanged with the model, the content is never stored or displayed within **orq.ai**.

<Frame caption="Enable Output Masking to prevent generated responses from being stored in logs and traces.">
  <img src="https://mintcdn.com/orqai/55N7ogp78VJHeSpN/images/variant-output-masking.png?fit=max&auto=format&n=55N7ogp78VJHeSpN&q=85&s=2c5239c4d02963abfc4b9a71ae3af464" alt="Variables panel with city and date variables, and a Masking section with the Output Masking toggle enabled." width="545" height="259" data-path="images/variant-output-masking.png" />
</Frame>

These features allow models to function as intended while ensuring sensitive data remains confidential. Read more about how to configure this in Orq here: [Deployment Security and Privacy](/docs/deployments/creating#security-and-privacy)

## Security and Compliance

* Compliance is maintained through Vanta, supporting both SOC 2 and GDPR standards.
* Security oversight is provided by an independent Chief Information Security Officer (CISO).
* All data stored within the platform resides in data centers located in the European Union.

## Data Retention

Data is retained only for the duration of the configured retention period. This allows users to review logs and traces for observability. After the retention period, data is automatically deleted.

## Real-Time Trust Status

For up-to-date security and compliance information, visit the real-time trust report: [trust.orq.ai](https://trust.orq.ai)
