Hugging Face

Partial | EU: Available | Opt-out Available | Custom | Multi-region

Business Plan Price

Pro: $9/mo, Team: $20/user, Enterprise: $50/user - billed in USD

Enterprise Features

EU storage regions (Team + Enterprise), DPA, SSO, audit logs, Inference Providers

Last Updated

March 23, 2026

Purpose & Context

This overview evaluates Hugging Face and specifically HuggingChat for GDPR compliance and data privacy in EU business contexts. Hugging Face is an AI collaboration platform offering model hosting, inference APIs, and HuggingChat (an open-source chatbot interface).

Target audience: EU-based procurement, legal, compliance, and IT teams evaluating Hugging Face services for processing personal or business-sensitive data.


🏢 Company & Service Overview

Company: Hugging Face, Inc. (Delaware, USA)[1]

Headquarters: New York, USA, with a strong European presence and partnerships

Key differentiator: Open-source AI platform with community-driven model repository. Selected by French Data Protection Agency (CNIL) for Enhanced Support Program in May 2023.[2]

Services:

  • Hub: Model & dataset repository
  • Inference API: Serverless model inference
  • HuggingChat: Open-source chatbot interface (free & Pro)
  • Inference Endpoints: Dedicated enterprise deployments
  • Spaces: AI app hosting platform

📊 Service Tiers Comparison

| Feature | Free | Pro ($9/month) | Team ($20/user/month) | Enterprise (custom) |
|---|---|---|---|---|
| HuggingChat Access | ✅ Basic models | ✅ Advanced models, web search | ✅ Team features | ✅ Full features |
| EU Storage Regions | ❌ | ❌ | ✅ Available | ✅ Available[3] |
| DPA Available | ❌ | ❌ | ✅ Likely | ✅ Yes[4] |
| SSO/SAML | ❌ | ❌ | ❌ | ✅ Yes |
| Audit Logs | ❌ | ❌ | ❌ | ✅ Yes |
| Conversation Deletion | ✅ Manual | ✅ Manual | ✅ Manual | ✅ Manual |

✅ GDPR Compliance Assessment

Strengths

🟢 CNIL Partnership

  • Selected for French Data Protection Agency Enhanced Support Program (May 2023)[2]
  • Working directly with EU regulators on GDPR compliance
  • Demonstrates commitment to EU data protection framework

🟢 Data Processing Agreement

  • DPA available for business customers[4]
  • Standard Contractual Clauses (SCCs) included
  • Covers GDPR Article 28 processor requirements

🟢 EU Infrastructure Available

  • Storage regions feature now available on Team ($20/user/month) and Enterprise tiers[3]
  • US 🇺🇸 and EU 🇪🇺 regions supported; Asia-Pacific region still "coming soon"
  • Multiple EU inference providers: Scaleway (France), Nebius (Netherlands), Nscale (UK), Public AI (Switzerland)[5]
  • H200 GPU access added to Pro inference tier

🟢 Inference Providers Marketplace

  • Inference Providers marketplace launched; Pro plan includes $2/month in usage credits
  • Allows routing to multiple compute providers including EU-based options

🟢 Inference API Data Handling

  • "Hugging Face does not store any user data for training purposes"[6]
  • "We do not store the request body or response" for Inference Providers[6]
  • Zero retention for API inference requests

Gaps & Concerns

🟡 HuggingChat Training Policy Ambiguity

  • Historical "opt-out" toggle for sharing conversations with model authors appears removed[7]
  • Current policy states "privacy by design" but lacks clear opt-out mechanism[7]
  • Community confusion about whether conversations are used for training[7]
  • Inference runs through multiple third-party providers depending on model availability[8]

🟡 Data Retention Transparency

  • HuggingChat: Conversations stored until manually deleted by user[8]
  • Unclear whether deletion is permanent or whether backups retain the data
  • No automated retention limits disclosed

🟡 Limited Certification Visibility

  • SOC 2 compliance mentioned in context but not prominently certified on security pages
  • ISO 27001 not confirmed in official documentation
  • Less transparency than enterprise vendors

🔴 Security Incident: June 2024

  • Unauthorised access to Spaces platform detected[9]
  • Subset of Spaces secrets (tokens, API keys) potentially compromised[10]
  • Company revoked tokens and notified affected users[11]
  • Incident highlights supply chain risks in AI platforms[12]

🟡 Security Partnership: Protect AI

  • Protect AI partnership: 4.47 million model versions scanned for security vulnerabilities
  • Proactive supply chain security monitoring across the Hub

🟡 Free/Pro Tier Limitations

  • No EU storage region selection for non-Enterprise tiers
  • No DPA for individual Pro users
  • Infrastructure location not user-controllable

πŸ” Data Protection Framework

Legal Basis

  • Privacy Policy effective March 28, 2023 - not updated since then (notable gap as of March 2026)[1]
  • Terms of Service effective September 15, 2022[13]
  • Content Policy effective April 10, 2025[14]
  • HuggingChat Privacy updated September 15, 2025[8]

Data Processing

  • Controller: Hugging Face, Inc. (US company)
  • Processor role: Available for business customers via DPA
  • Sub-processors: Multiple inference providers (varies by model)
  • Transfer mechanism: SCCs for EU-US transfers (Enterprise)

User Rights (GDPR Articles 15-22)

  • Access, rectification, erasure: Contact privacy@huggingface.co[8]
  • Conversation deletion: Available in UI at any time[8]
  • Data portability: Not clearly documented
  • Objection to processing: Requires contacting support

🌍 Infrastructure & Data Residency

Storage Regions (Team and Enterprise)

  • US Region 🇺🇸: Default for most users
  • EU Region 🇪🇺: Now available for Team ($20/user/month) and Enterprise organisations[3]
  • Asia-Pacific Region 🌏: Still "coming soon" - not yet available
  • Region selection controls where models and datasets are stored
  • Does not control inference processing location

Inference Providers (HuggingChat)

  • Multi-provider routing: Model availability determines provider[8]
  • EU providers available: Scaleway (France), Nebius (Netherlands), Nscale (UK), Public AI (Switzerland)[5]
  • US providers: Also in rotation depending on model
  • User control: Limited - cannot select specific provider for HuggingChat

Gap: Processing Location Transparency

⚠️ While storage regions are configurable (Enterprise), the actual inference/processing location for HuggingChat is provider-dependent and not user-controllable.


πŸ“ Training Data Policy

Inference API & Endpoints

✅ No training on user data[6]

✅ No request/response storage[6]

✅ Zero retention for API calls

HuggingChat: Ambiguous

🟡 Current status (Oct 2025):

  • Historical opt-out toggle for "sharing with model authors" removed[7]
  • Official stance: "Privacy by design"[7]
  • Community reports confusion: "Is conversation data sent to model authors?"[7]
  • No clear training opt-out visible in current UI

🟡 Inference provider variability:

  • HuggingChat routes to multiple providers[8]
  • Each provider may have different data policies
  • Hugging Face states they don't store data, but provider policies may differ

Recommendation

❗ For sensitive business use: Request written confirmation from Hugging Face about HuggingChat training policies and require a DPA with an explicit "no training" clause.


🔒 Security & Compliance

Security Features

  • Malware scanning: For uploaded models and datasets[15]
  • Access tokens: Fine-grained permissions (read/write)
  • Private repositories: Available for paid users
  • SSO/SAML: Enterprise only
  • Audit logs: Enterprise only[16]
  • Resource groups: Granular access control (Enterprise)[16]

Certifications

🟡 Limited public certification disclosure:

  • PCI Compliant (per third-party security profile)[17]
  • GDPR Compliant (self-declared, CNIL partnership)[17]
  • SOC 2 / ISO 27001: Not prominently featured in official docs

Security Incidents

🔴 June 2024: Spaces Platform Breach[9]

  • Unauthorised access to Spaces secrets (API keys, tokens)
  • Subset of user secrets potentially compromised
  • Hugging Face revoked affected tokens and notified users
  • No evidence of model/dataset compromise, limited to Spaces platform

Impact: Demonstrates supply chain risks in open AI ecosystems. Hugging Face responded transparently and promptly.


βš–οΈ Legal & Regulatory Context

French CNIL Partnership (2023)

✅ Hugging Face selected for Enhanced Support Program[2]

  • 1 of 3 companies chosen from 40+ applicants
  • Direct regulatory guidance on GDPR compliance
  • Focus on AI-specific data protection challenges
  • Positive signal for EU regulators' view of Hugging Face

EU AI Act Considerations

  • Hugging Face published position paper on EU AI Act[18]
  • Advocates for open ML model approach
  • Engaged with policymakers on regulation

💰 Pricing for Business Use

| Plan | Price | EU Storage | DPA | Best For |
|---|---|---|---|---|
| Free | €0 | ❌ | ❌ | Public research, experimentation |
| Pro | $9/month | ❌ | ❌ | Individual power users |
| Team | $20/user/month | ✅ Yes (added) | ✅ Yes | Small teams, private repos |
| Enterprise | $50/user/month (confirmed) | ✅ Yes | ✅ Yes | EU business with compliance needs |

Source: Pricing information from Hugging Face website and third-party analyses[16][19]


❓ EU Procurement Q&A

Q1: Can we use HuggingChat for processing personal data under GDPR?

A: Conditional Yes for Enterprise tier with DPA and EU storage region. Not recommended for Free/Pro tiers due to:

  • No DPA availability
  • No EU storage region selection
  • Ambiguous training policy for HuggingChat
  • Inference routing through multiple providers

For Inference API with DPA: Yes - explicit no-training, no-retention policy.

Q2: Where is our data stored and processed?

A:

  • Storage: Configurable for Team ($20/user/month) and Enterprise (US or EU region)[3]
  • Processing (HuggingChat): Multi-provider routing - may include US, EU, or other providers depending on model availability[8]
  • Gap: Processing location not user-controllable for HuggingChat
  • Asia-Pacific: Storage region still "coming soon"

Q3: Is there a Data Processing Agreement?

A: Yes - DPA available for Team and Enterprise customers[4]

  • Includes Standard Contractual Clauses
  • GDPR Article 28 compliant
  • Not available for Free or Pro individual users

Q4: Will our conversations be used to train AI models?

A: Ambiguous for HuggingChat:

  • Inference API: No - explicit no-training policy[6]
  • HuggingChat: Unclear - historical opt-out removed, current policy states "privacy by design" but community reports confusion[7]
  • Recommendation: Request written confirmation and explicit DPA clause for business use

Q5: What about the June 2024 security incident?

A: Spaces platform breach exposed subset of API tokens/secrets.[9] Impact:

  • Limited to Spaces platform (app hosting)
  • No evidence of model/dataset compromise
  • Transparent disclosure and prompt remediation
  • Does not affect core HuggingChat or Inference API
  • Consider in overall risk assessment

Q6: How does Hugging Face compare to ChatGPT for GDPR?

A:

  • Hugging Face advantages: EU storage option, CNIL partnership, open-source transparency, explicit no-training for API
  • Hugging Face disadvantages: Less mature enterprise features, HuggingChat training policy ambiguity, multi-provider routing complexity
  • ChatGPT advantages: Clearer training opt-out, more mature compliance program, single-provider simplicity
  • Verdict: Hugging Face Inference API (with DPA) potentially better for EU. HuggingChat on par or slightly behind ChatGPT due to training policy ambiguity.

✅ EU Business Rollout Checklist

Before Deployment

  • Upgrade to Enterprise tier if processing personal data
  • Sign Data Processing Agreement with Hugging Face
  • Select EU storage region in organisation settings
  • Request written confirmation of training policy for HuggingChat
  • Map inference providers - understand which providers may process data
  • Conduct DPIA (Data Protection Impact Assessment) if high-risk processing
  • Review sub-processor list in DPA
  • Configure audit logging (Enterprise feature)
  • Implement access controls using resource groups (Enterprise)
  • Document data flows for GDPR Article 30 records

During Deployment

  • User training on conversation deletion and data sensitivity
  • Restrict Spaces platform usage (if concerned about June 2024 incident)
  • Use Inference API (not HuggingChat) for highest GDPR certainty
  • Monitor audit logs for unauthorised access
  • Regular DPA reviews as Hugging Face updates services

Post-Deployment

  • Quarterly compliance review of Hugging Face updates
  • User data minimisation - delete old conversations
  • Vendor risk assessment including security incident history
  • Alternative provider evaluation (quarterly)

🔄 Recommended Alternatives

If Hugging Face HuggingChat doesn't meet requirements:

For EU-First Chatbots

  1. Mistral AI (France) - French AI company, EU-based, strong GDPR focus
  2. Aleph Alpha (Germany) - German sovereign AI, explicit EU data residency
  3. Self-hosted open models - Via Hugging Face models on your infrastructure (full control)

For Enterprise AI with Strong GDPR

  1. ChatGPT Enterprise - DPA, opt-out training, Azure EU hosting option
  2. Claude Enterprise (Anthropic) - DPA available, clear training opt-out
  3. Google Gemini Enterprise - DPA, EU data residency, no training on business data

For Open-Source Self-Hosting

  1. LM Studio - Run models locally, zero cloud dependency
  2. Ollama - Open-source model runtime, on-premises deployment
  3. Hugging Face models on EU cloud - Deploy Hugging Face models on Scaleway/OVH (France)

📚 Key Documentation & References

Official Hugging Face Legal Docs

  • Privacy Policy (Mar 2023): https://huggingface.co/privacy
  • DPA Template: https://cdn-media.huggingface.co/landing/assets/Data+Processing+Agreement.pdf

Security Incidents

  • June 2024 Spaces Breach (Official): https://huggingface.co/blog/space-secrets-disclosure
  • The Hacker News Coverage: https://thehackernews.com/2024/06/ai-company-hugging-face-notifies-users.html
  • TechTarget Analysis: https://www.techtarget.com/searchsecurity/news/366587535/Hugging-Face-tokens-exposed-attack-scope-unknown
  • LinkedIn Supply Chain Analysis: https://www.linkedin.com/pulse/hugging-face-secrets-leak-highlights-ai-supply-chain-risk-h5a2e

Community & Transparency

  • Training Policy Discussion: https://huggingface.co/spaces/huggingchat/chat-ui/discussions/482
  • Data Privacy Forum Thread: https://discuss.huggingface.co/t/sensitive-data-privacy-gathering/134541#post_3
  • EU Inference Providers: https://www.silicon.fr/Thematique/cloud-1370/Breves/hugging-face-ajoute-options-europeennes-inference-485472.htm

Third-Party Assessments

  • Nudge Security Profile: https://www.nudgesecurity.com/security-profile/huggingface-co
  • Common Sense Privacy Report: https://privacy.commonsense.org/privacy-report/Hugging-Face

📋 Verdict Summary

Overall GDPR Rating: 🟡 Partial Compliance

Best for:

  • ✅ API-driven inference with Enterprise DPA (high GDPR confidence)
  • ✅ Research and development with public models
  • ✅ Teams already using Hugging Face ecosystem
  • ✅ Organisations valuing open-source and EU regulatory partnerships

Not recommended for:

  • ❌ Personal data processing on Free/Pro tiers (no DPA, no EU region control)
  • ❌ Use cases requiring guaranteed EU-only processing (HuggingChat routing is multi-provider)
  • ❌ Organisations requiring mature compliance certifications (SOC 2/ISO 27001 not prominently disclosed)
  • ⚠️ HuggingChat for sensitive conversations without written training policy confirmation
  • ⚠️ Organisations concerned that the core Privacy Policy has not been updated since March 2023

Key Decision Factors

| Factor | Status | Impact |
|---|---|---|
| DPA Availability | ✅ Yes (Enterprise) | High |
| EU Storage Regions | ✅ Yes (Team + Enterprise) | High |
| Training Policy (API) | ✅ No training | High |
| Training Policy (HuggingChat) | 🟡 Ambiguous | High |
| CNIL Partnership | ✅ Enhanced Support | Medium |
| Security Incident History | 🟡 June 2024 breach | Medium |
| Inference Provider Control | ❌ Multi-provider | Medium |
| Compliance Certifications | 🟡 Limited visibility | Low |

Final Recommendation

For EU business use:

  1. Inference API with Enterprise DPA: ✅ Recommended - Strong GDPR alignment
  2. HuggingChat with Enterprise DPA: 🟡 Use with caution - Request written training policy confirmation first
  3. Free/Pro tiers: ❌ Not for personal data - Lack DPA and EU controls

Action: If proceeding, upgrade to Enterprise, sign DPA, enable EU region, and request explicit HuggingChat training policy documentation.


Last updated: March 2026

Next review: May 2026 (quarterly)

Document owner: Wouter van Haaften | WAIMAKERS B.V.


Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Hugging Face services in production environments. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.

Compliance & Infrastructure

  • CNIL Partnership Announcement: https://huggingface.co/blog/cnil
  • Storage Regions Documentation: https://huggingface.co/docs/hub/en/storage-regions
