FAQ

Security


Does xAI train on customers' API requests?

xAI never trains on your API inputs or outputs without your explicit permission.

API requests and responses are temporarily stored on our servers for 30 days in case they need to be audited for potential abuse or misuse. This data is automatically deleted after 30 days.

For teams that require stricter data handling, see Zero Data Retention (ZDR) below.


What is Zero Data Retention (ZDR)?

Zero Data Retention (ZDR) is an enterprise feature that prevents xAI from storing any API request or response data. ZDR is exclusively available to enterprise accounts. When ZDR is enabled for your team, your prompts, completions, and associated metadata are processed in real time but never persisted to our servers; once a response is delivered, no record of the exchange remains.

For more information about ZDR and enterprise plans, please contact sales@x.ai.

How it works

  • No logging: API inputs and outputs are not written to any datastore. The 30-day audit retention described above does not apply to ZDR-enabled teams.
  • Moderation still runs: Safety and content moderation checks are performed in real time, but moderation results are not stored.
  • Response header: Every API response includes an x-zero-data-retention header set to "true" or "false", so your application can programmatically confirm that ZDR is active.
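
A fail-closed check on that header, as an added example (not xAI's own code): `send` is a hypothetical transport callable returning `(headers, body)`, and the demo headers are constructed. Because the header only arrives with the response, the gate sends a non-sensitive probe before the first real request.

```python
"""Fail-closed gate on the x-zero-data-retention response header (added example)."""

HEADER = "x-zero-data-retention"  # header name and "true"/"false" values come from the page


class ZDRNotActive(RuntimeError):
    """Raised when a response does not confirm Zero Data Retention."""


def zdr_active(headers):
    """Return True only if the header appears exactly once and equals "true"."""
    items = headers.items() if hasattr(headers, "items") else headers
    # HTTP header names are case-insensitive; values are trimmed and lowercased.
    values = [str(v).strip().lower() for k, v in items if str(k).lower() == HEADER]
    # Missing, duplicated, or unexpected values all count as "not active".
    return values == ["true"]


class ZDRGate:
    """Wraps a transport. `send` is a hypothetical callable(payload) -> (headers, body)."""

    def __init__(self, send, probe_payload):
        self._send = send
        self._probe = probe_payload  # must contain nothing sensitive
        self._verified = False

    def request(self, payload):
        # The header is only visible after a payload has already left the client,
        # so confirm ZDR with harmless content before the first sensitive request.
        if not self._verified:
            headers, _ = self._send(self._probe)
            if not zdr_active(headers):
                raise ZDRNotActive("probe response did not confirm ZDR")
            self._verified = True
        headers, body = self._send(payload)
        if not zdr_active(headers):
            # Trip closed: the next call must re-probe before sending anything else.
            self._verified = False
            raise ZDRNotActive("response did not confirm ZDR; stop and investigate")
        return body


if __name__ == "__main__":
    # Constructed transport standing in for a real HTTP client.
    def fake_send(payload):
        return {"X-Zero-Data-Retention": "true"}, "ok"

    print(ZDRGate(fake_send, {"probe": True}).request({"prompt": "hello"}))
```
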

How to enable ZDR

ZDR is only available to enterprise accounts. To learn more or enable ZDR for your organization, please reach out to sales@x.ai. Once enabled, ZDR applies automatically to all API requests made with that team's API keys—no code changes are required.

You can verify ZDR is active for your team in the xAI Console team picker, which displays a "Zero Data Retention" label beneath your team name.

Considerations

  • No server-side conversation history: Because requests are not stored, features that rely on server-side state—such as the Responses API's automatic conversation threading via previous_response_id—are unavailable. You must manage conversation context client-side, e.g., by using use_encrypted_content for agentic tool-calling state.
  • No audit log entries for request content: Audit logs will still record administrative events (key creation, team changes, etc.), but the content of API requests and responses will not appear.

Is the xAI API HIPAA compliant?

To inquire about a Business Associate Agreement (BAA), please complete our BAA Questionnaire. A member of our team will review your responses and reach out with next steps.


Is xAI GDPR and SOC 2 compliant?

We are SOC 2 Type 2 compliant. Customers with a signed NDA can refer to our Trust Center for up-to-date information on our certifications and data governance.


Do you have Audit Logs?

Team admins can view an audit log that lists all user interactions with our API server. You can view it at xAI Console -> Audit Log.

Audit log example

Admins can also filter the results by Event ID, Description, or User. For example, the following filters by descriptions matching ListApiKeys:

Audit log with filter by API keys

You can also view the audit log across a range of dates with the time filter:

Audit log calendar filter

How can I securely manage my API keys?

Treat your xAI API keys as sensitive information, like passwords or credit card details. To avoid unauthorized access, do not share keys between teammates. Store keys securely using environment variables or secret management tools. Avoid committing keys to public repositories or source code.

Rotate keys regularly for added security. If you suspect a compromise, log in to the xAI console first. Ensure you are viewing the correct team, as API keys are tied to specific teams. Navigate to the "API Keys" section via the sidebar. In the API Keys table, click the vertical ellipsis (three dots) next to the key. Select "Disable key" to deactivate it temporarily or "Delete key" to remove it permanently. Then click the "Create API Key" button to generate a new one and update your applications.

xAI partners with GitHub's Secret Scanning program to detect leaked keys. If a leak is found, we disable the key and notify you via email. Monitor your account for unusual activity to stay protected.

