The Provider Trust Registry contains compliance information for all AI providers available through Case.dev. Use this data to configure governance policies that meet your regulatory requirements.
Verification Required: We aggregate compliance information from provider documentation, but you should verify certifications directly with providers for your specific regulatory requirements.

Provider Compliance Matrix

Most Trusted Providers

Full enterprise compliance with SOC 2 Type II, HIPAA, BAA, and Zero Data Retention.

| Provider            | SOC 2 | HIPAA | BAA | ZDR | HQ | Data Residency |
|---------------------|-------|-------|-----|-----|----|----------------|
| Anthropic           | Yes   | Yes   | Yes | Yes | US | US, EU         |
| OpenAI              | Yes   | Yes   | Yes | Yes | US | US, EU         |
| Azure OpenAI        | Yes   | Yes   | Yes | Yes | US | US, EU, UK     |
| Google (Vertex AI)  | Yes   | Yes   | Yes | Yes | US | US, EU         |
| AWS Bedrock         | Yes   | Yes   | Yes | Yes | US | US, EU         |

Trusted Providers

Good compliance posture; may lack some certifications (a "-" below means the certification or agreement is not offered).

| Provider    | SOC 2 | HIPAA | BAA | ZDR | HQ | Data Residency |
|-------------|-------|-------|-----|-----|----|----------------|
| Groq        | Yes   | Yes   | Yes | Yes | US | US             |
| DeepInfra   | Yes   | Yes   | -   | Yes | US | US, EU         |
| Fireworks   | Yes   | Yes   | -   | Yes | US | US             |
| Together AI | Yes   | Yes   | -   | Yes | US | US             |
| Mistral     | Yes   | -     | -   | Yes | FR | EU             |
| Cohere      | Yes   | Yes   | Yes | Yes | CA | US, EU         |

Untrustworthy Providers

Providers that are China-based or otherwise subject to national security laws. These are always blocked by default.

| Provider      | SOC 2 | HIPAA | BAA | ZDR | HQ | Risk                   |
|---------------|-------|-------|-----|-----|----|------------------------|
| DeepSeek      | -     | -     | -   | -   | CN | National security laws |
| Baidu         | -     | -     | -   | -   | CN | National security laws |
| Alibaba Cloud | -     | -     | -   | -   | CN | National security laws |
| ByteDance     | -     | -     | -   | -   | CN | National security laws |
China-Based Providers: Under Chinese national security laws, companies can be compelled to provide data to the government. We block these providers by default for all organizations.

Query Provider Registry

Get provider compliance data programmatically.
curl https://api.case.dev/admin/provider-registry \
  -H "Authorization: Bearer sk_case_xxx"
Response
{
  "providers": [
    {
      "slug": "anthropic",
      "name": "Anthropic",
      "trustTier": "most_trusted",
      "headquarters": "US",
      "compliance": {
        "soc2": true,
        "hipaa": true,
        "baa": true,
        "zdr": true,
        "iso27001": true,
        "gdpr": true
      },
      "dataResidency": ["US", "EU"],
      "models": ["claude-sonnet-4-20250514", "claude-3-5-haiku-20241022"]
    },
    {
      "slug": "openai",
      "name": "OpenAI",
      "trustTier": "most_trusted",
      "headquarters": "US",
      "compliance": {
        "soc2": true,
        "hipaa": true,
        "baa": true,
        "zdr": true,
        "iso27001": true,
        "gdpr": true
      },
      "dataResidency": ["US", "EU"],
      "models": ["gpt-4o", "gpt-4o-mini", "o1", "o3-mini"]
    }
  ]
}

Filter by Compliance

curl "https://api.case.dev/admin/provider-registry?compliance=soc2,hipaa" \
  -H "Authorization: Bearer sk_case_xxx"

Filter by Trust Tier

curl "https://api.case.dev/admin/provider-registry?trustTier=most_trusted" \
  -H "Authorization: Bearer sk_case_xxx"

Provider Registry Schema

TypeScript Types
interface Provider {
  slug: string;                    // Unique identifier (e.g., "anthropic")
  name: string;                    // Display name (e.g., "Anthropic")
  trustTier: TrustTier;            // Trust tier classification
  headquarters: string;            // Country code (e.g., "US", "CN")
  compliance: ComplianceFlags;     // Compliance certifications
  dataResidency: string[];         // Available data regions
  models: string[];                // Available models
}

type TrustTier = 
  | "most_trusted"    // Full enterprise compliance
  | "trusted"         // Good compliance, some gaps
  | "sketchy"         // Limited compliance info
  | "untrustworthy";  // China-based or high-risk

interface ComplianceFlags {
  soc2: boolean;      // SOC 2 Type II certified
  hipaa: boolean;     // HIPAA compliant
  baa: boolean;       // BAA available
  zdr: boolean;       // Zero Data Retention
  iso27001: boolean;  // ISO 27001 certified
  gdpr: boolean;      // GDPR compliant
  dpdp: boolean;      // India DPDP compliant
}

Certification Details

SOC 2 Type II

SOC 2 Type II certification demonstrates that a provider has implemented controls for:
  • Security: Protection against unauthorized access
  • Availability: System availability for operation and use
  • Processing Integrity: System processing is complete, valid, accurate, timely
  • Confidentiality: Information designated as confidential is protected
  • Privacy: Personal information is collected, used, retained, and disclosed appropriately

HIPAA Compliance

HIPAA compliance indicates the provider has implemented the safeguards required to handle Protected Health Information (PHI):
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Policies and procedures
HIPAA + BAA Required: HIPAA compliance alone is not sufficient. You must also execute a Business Associate Agreement (BAA) with the provider before sending it PHI.

Business Associate Agreement (BAA)

A BAA is a contract required by HIPAA when a covered entity shares PHI with a business associate:
  • Defines permitted uses of PHI
  • Requires appropriate safeguards
  • Specifies breach notification requirements
  • Allows termination if terms are violated

Zero Data Retention (ZDR)

Zero Data Retention means the provider:
  • Does not store request/response data beyond processing
  • Does not use your data for model training
  • May still log metadata for abuse prevention
  • Typically requires enterprise agreement

Data Residency

Some regulations require data to remain in specific geographic regions:

| Region | Common Requirements                              |
|--------|--------------------------------------------------|
| US     | HIPAA, SOX, FERPA                                |
| EU     | GDPR, EU-US Data Privacy Framework               |
| UK     | UK GDPR, UK-US Data Bridge                       |
| APAC   | PDPA (Singapore), DPDP (India), PIPL (China)     |

Data Residency Policies: Use providerAllowlist in your governance policy to restrict requests to providers that offer the data residency region you require.
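As an added example (not Case.dev's own code), the TypeScript below applies the compliance and trust-tier filters from the Query Provider Registry section client-side, enforces the HIPAA + BAA rule from the Certification Details, and derives a providerAllowlist for a given data residency region. The registry entries are a constructed sample built from the matrix above; the slugs other than "anthropic" and "openai", the ISO 27001/GDPR/DPDP values, and the assumption that the compliance filter ANDs its flags are not taken from the page.

```typescript
// Added example, not Case.dev's own code. It applies the registry's query
// semantics client-side to a constructed sample of registry entries, then
// derives a providerAllowlist for a governance policy. Assumptions: the
// ?compliance= filter ANDs its flags; slugs other than "anthropic"/"openai"
// and the iso27001/gdpr/dpdp values are constructed for the sample.

type TrustTier = "most_trusted" | "trusted" | "sketchy" | "untrustworthy";

interface ComplianceFlags {
  soc2: boolean; hipaa: boolean; baa: boolean; zdr: boolean;
  iso27001: boolean; gdpr: boolean; dpdp: boolean;
}

interface Provider {
  slug: string; name: string; trustTier: TrustTier; headquarters: string;
  compliance: ComplianceFlags; dataResidency: string[]; models: string[];
}

// Fill unspecified flags with false so sample entries stay short.
function flags(p: Partial<ComplianceFlags>): ComplianceFlags {
  return { soc2: false, hipaa: false, baa: false, zdr: false,
           iso27001: false, gdpr: false, dpdp: false, ...p };
}

// Constructed sample registry (certification values taken from the matrix above).
const SAMPLE_REGISTRY: Provider[] = [
  { slug: "anthropic", name: "Anthropic", trustTier: "most_trusted", headquarters: "US",
    compliance: flags({ soc2: true, hipaa: true, baa: true, zdr: true, iso27001: true, gdpr: true }),
    dataResidency: ["US", "EU"], models: ["claude-sonnet-4-20250514"] },
  { slug: "openai", name: "OpenAI", trustTier: "most_trusted", headquarters: "US",
    compliance: flags({ soc2: true, hipaa: true, baa: true, zdr: true, iso27001: true, gdpr: true }),
    dataResidency: ["US", "EU"], models: ["gpt-4o"] },
  { slug: "deepinfra", name: "DeepInfra", trustTier: "trusted", headquarters: "US",
    compliance: flags({ soc2: true, hipaa: true, zdr: true }),
    dataResidency: ["US", "EU"], models: [] },
  { slug: "mistral", name: "Mistral", trustTier: "trusted", headquarters: "FR",
    compliance: flags({ soc2: true, zdr: true, gdpr: true }),
    dataResidency: ["EU"], models: [] },
  { slug: "deepseek", name: "DeepSeek", trustTier: "untrustworthy", headquarters: "CN",
    compliance: flags({}), dataResidency: [], models: [] },
];

// Client-side equivalent of ?compliance=soc2,hipaa (every listed flag must hold).
function filterByCompliance(registry: Provider[], required: (keyof ComplianceFlags)[]): Provider[] {
  return registry.filter(p => required.every(f => p.compliance[f]));
}

// Client-side equivalent of ?trustTier=most_trusted.
function filterByTrustTier(registry: Provider[], tier: TrustTier): Provider[] {
  return registry.filter(p => p.trustTier === tier);
}

// PHI needs both the HIPAA flag and an executed BAA; HIPAA alone is not enough.
function phiEligible(p: Provider): boolean {
  return p.compliance.hipaa && p.compliance.baa;
}

interface PolicyRequirements {
  minTier: TrustTier;                    // lowest acceptable trust tier
  compliance: (keyof ComplianceFlags)[]; // flags that must all be true
  region?: string;                       // required data residency region
  phi?: boolean;                         // workload carries PHI
}

const TIER_RANK: Record<TrustTier, number> =
  { untrustworthy: 0, sketchy: 1, trusted: 2, most_trusted: 3 };

// Slugs to put in providerAllowlist. Untrustworthy providers are dropped
// unconditionally, matching the registry's block-by-default rule.
function buildProviderAllowlist(registry: Provider[], req: PolicyRequirements): string[] {
  return registry
    .filter(p => p.trustTier !== "untrustworthy")
    .filter(p => TIER_RANK[p.trustTier] >= TIER_RANK[req.minTier])
    .filter(p => req.compliance.every(f => p.compliance[f]))
    .filter(p => !req.phi || phiEligible(p))
    .filter(p => !req.region || p.dataResidency.includes(req.region))
    .map(p => p.slug)
    .sort();
}

// Usage: an EU-resident PHI workload that also demands zero data retention.
console.log(buildProviderAllowlist(SAMPLE_REGISTRY,
  { minTier: "trusted", compliance: ["zdr"], region: "EU", phi: true }));
```

With the sample data, the PHI policy yields only the two providers that offer a BAA and EU residency; DeepInfra is dropped for lacking a BAA and Mistral for lacking HIPAA, even though both are in the trusted tier and offer ZDR. Replace SAMPLE_REGISTRY with the parsed body of the /admin/provider-registry response to run the same logic against live data.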

Next Steps