faq/security.md +34 −12
8>8>
9> xAI never trains on your API inputs or outputs without your explicit permission.9> xAI never trains on your API inputs or outputs without your explicit permission.
10 10
1111API requests and responses are temporarily stored on our servers for 30 days in case they need to be audited for potential abuse or misuse. This data is automatically deleted after 30 days.By default, all API requests and responses are stored on our servers (encrypted at rest) for 30 days for auditing purposes in the event of suspected abuse or misuse. xAI does not train on this data, and it is automatically deleted after 30 days.
12 12
13For teams that require stricter data handling, see [Zero Data Retention (ZDR)](#what-is-zero-data-retention-zdr) below.13For teams that require stricter data handling, see [Zero Data Retention (ZDR)](#what-is-zero-data-retention-zdr) below.
14 14
15## What is Zero Data Retention (ZDR)?15## What is Zero Data Retention (ZDR)?
16 16
1717Zero Data Retention (ZDR) is an enterprise feature that prevents xAI from storing any API request or response data. ZDR is exclusively available to enterprise accounts. When ZDR is enabled for your team, your prompts, completions, and associated metadata are processed in real time but never persisted to our servers; once a response is delivered, no record of the exchange remains.> [!WARNING]
18>
19> **For most customers, we do not recommend enabling ZDR**. ZDR disables important API features that depend on stored data, including the stateful Responses API, Files and Collections, and the Batch API (see the full list below). Because content deleted under ZDR can never be recovered or produced by xAI, only enable it when your compliance requirements truly demand it. For most teams, the default 30-day retention is the better choice.
20
21* **No storage of prompts:** ZDR ensures that API request inputs (i.e., your prompt) and outputs (i.e., the tokens generated by the LLM) are never persisted to disk. The 30-day audit retention described above does not apply to ZDR-enabled teams.
22* **Applied at a team level:** If enabled, ZDR is team-wide. There is no ability to enable ZDR for specific API keys.
23* **Self-serve:** Where available, a team admin can turn it on or off directly from the [xAI Console](https://console.x.ai/team/default/settings/team). When enabled, it applies to every API key on the team.
18 24
1925For more information about ZDR and enterprise plans, please contact [sales@x.ai](mailto:sales@x.ai).### Features not supported with ZDR
20 26
2127### How it worksAny capability that relies on xAI storing data is unavailable while ZDR is enabled:
22 28
2329* **No logging:** API inputs and outputs are not written to any datastore. The 30-day audit retention described above does not apply to ZDR-enabled teams.| Feature | Why it is unavailable under ZDR |
2430* **Moderation still runs:** Safety and content moderation checks are performed in real time, but moderation results are not stored.| --- | --- |
2531* **Response header:** Every API response includes an `x-zero-data-retention` header set to `"true"` or `"false"`, so your application can programmatically confirm that ZDR is active.| **Per-API-key request logging** | Recording the full request and response for each API key so you can review them in the Console. Under ZDR, request and response logs are not retained, and any existing per-key request-logging flags are cleared when ZDR is enabled. |
32| **[Stateful Responses API](/developers/model-capabilities/text/generate-text#chaining-the-conversation)** | A mode where xAI stores your conversation server-side so you can continue it later by referencing a previous response. That history cannot be stored under ZDR (`store_messages`, `previous_response_id`), so the client must store conversation history on the client side instead. Please remember to enable `use_encrypted_content` for [agentic tool-calling state](/developers/tools/advanced-usage#append-the-encrypted-agentic-tool-calling-states). |
33| **[Files API](/developers/files)** | Lets you upload a file to xAI once and reference it by `file_id` across later requests. Uploaded files are stored server-side, so under ZDR new uploads and `file_id` attachments are blocked. Existing files can still be viewed and deleted. |
34| **[Collections API](/developers/files/collections)** | Stores your documents on xAI so Grok can search and retrieve from them (RAG). Those documents must be stored to be retrieved, which ZDR does not allow. Existing collections can still be viewed and deleted. |
35| **[Batch API](/developers/advanced-api-usage/batch-api)** | Processes large sets of requests asynchronously at a discounted price. Batched requests are stored until they are processed, so the Batch API is unavailable under ZDR. |
36| **[Deferred completions](/developers/advanced-api-usage/deferred-chat-completions)** | Return a request ID right away and let you fetch the result later instead of holding the connection open. That result is stored until you retrieve it, which ZDR does not permit. Concurrent client-side requests (for example via `AsyncClient`) are unaffected. |
37| **Stored [image](/developers/model-capabilities/images/generation) and [video](/developers/model-capabilities/video/generation) outputs** | Image and video generation can have xAI host the generated media and return it as a `file_id` or URL. Under ZDR there is no xAI-side output storage: no `file_id` inputs, no stored outputs, and no URL-format image results. For images, return base64 only. For video, you must supply your own `output.upload_url` (xAI uploads the result to your URL). Image generation is also limited to `grok-imagine` models and excludes agentic image generation. Video generation in the Console playground is unavailable for the same reason. |
38| **Voice agent conversation history** | Voice agent conversations are not persisted when ZDR is enabled. |
26 39
27### How to enable ZDR40### How to enable ZDR
28 41
2942ZDR is only available to enterprise accounts. To learn more or enable ZDR for your organization, please reach out to [sales@x.ai](mailto:sales@x.ai). Once enabled, ZDR applies automatically to all API requests made with that team's API keys—no code changes are required.Team admins can enable or disable ZDR from the Console:
43
441. Sign in to the [xAI Console](https://console.x.ai/) as a team admin and select the team you want to change in the team picker.
452. Delete any existing [Files](/developers/files) and [Collections](/developers/files/collections) for that team. The Console blocks Enable while stored files or collections remain.
463. Open **Team Settings** and find the **Zero Data Retention (ZDR)** row, then click **Enable**.
474. Review the acknowledgments in the confirmation dialog, including that deleted User Content cannot be recovered, and accept the Enterprise Terms and Privacy Policy. Click **Enable** to confirm.
48
49Once enabled, ZDR applies automatically to all API requests made with that team's API keys—no code changes are required. To turn it off later, use the same **Zero Data Retention (ZDR)** row and choose **Disable**.
30 50
3151You can verify ZDR is active for your team in the [xAI Console](https://console.x.ai/) team picker, which displays a "Zero Data Retention" label beneath your team name.If you do not see the ZDR option, you may not be a team admin, self-serve ZDR may not be enabled for your environment yet, or your team may be on a negotiated Enterprise Customer Agreement that governs retention separately—contact [sales@x.ai](mailto:sales@x.ai) in that case.
32 52
3353### Considerations### How to check that ZDR is enabled
34 54
3555* **No server-side conversation history:** Because requests are not stored, features that rely on server-side state—such as the Responses API's automatic conversation threading via `previous_response_id`—are unavailable. You must manage conversation context client-side, e.g., by using `use_encrypted_content` for [agentic tool-calling state](/developers/tools/advanced-usage#append-the-encrypted-agentic-tool-calling-states).* **Team Settings:** the **Zero Data Retention (ZDR)** row shows an **Active** badge.
3656* **No audit log entries for request content:** Audit logs will still record administrative events (key creation, team changes, etc.), but the content of API requests and responses will not appear.* **Team picker:** the [xAI Console](https://console.x.ai/) team picker shows a **ZDR** badge next to your team name (tooltip: Zero Data Retention).
57* **Response header:** every API response includes an `x-zero-data-retention` header set to `"true"` or `"false"`, so your application can programmatically confirm whether ZDR is active.
58* **Audit logs:** administrative events (key creation, team changes, etc.) still appear in the Console audit log, but the content of API requests and responses does not.
37 59
38## Is the xAI API HIPAA compliant?60## Is the xAI API HIPAA compliant?
39 61