[nijave]

>and they can do so in secret

Is that really true? Zero Data Retention (ZDR) is standard language in enterprise contracts and it seems quite egregious a vendor would want to take on that amount of liability and ignore the contract terms.

On top of that, Anthropic is SOC2 and ISO27001 so they've had _some_ independent auditing (although they could still try to hide such logging/recording anyway)

With that in mind, they also have a hell of an incentive to _not_ secretly collect that data.

Of course ZDR oftentimes comes with contract minimums so individuals and small corps are locked out and subject to the whims of the provider.

[sidewndr46]

Remember that time that Amazon swore they weren't using data to outcompete people on their platform? Then they did that.

[Atotalnoob]

That was Amazon retail, which made no such promise.

AWS makes ZDR promises

[pigeons]

https://www.datacenterdynamics.com/en/news/does-aws-use-cust...

https://www.theregister.com/off-prem/2013/03/08/amazon-accus...

https://news.ycombinator.com/item?id=23929959

Also, elasticsearch, redis, etc

[eigencoder]

Every retailer does that

[mwarren]

Zero Data Retention does not mean zero information retention. First, this whole discussion regards AWS Bedrock's straightforward policy for users of OpenAI GPT-5.4 and GPT-5.5 models and Anthropic Claude Fable 5 saying "[inputs and outputs will be retained for up to 30 days](https://docs.aws.amazon.com/bedrock/latest/userguide/abuse-d... )." That's plenty of time for a model training run using those inputs/outputs and, once the information is encoded into model weights, the original training data can be deleted to meet the ZDR contract. For models without the 30-day retention clause, it's still possible for AWS to route inputs and outputs through a dynamic training system to encode the information into model tensors and then toss out the original "data".

Edit: linkify

[iririririr]

what an accountant audit help in this case? because that's literary all that's required for those.

I'm 100% certain they keep that for retraining. I've seen advertising pipelines promise the same thing and drown in data "because it's anonimized".

I'm certain same exact thing happens with Ai chatbots, even on top enterprise licenses.

[nijave]

SOC 2 and ISO27001 are definitely not accounting audits. Our auditors request policies, procedures, and evidence that we're following the policies and procedures. Oftentimes evidence is screenshots of the running environment (vomit) or audit logs. The auditor may or may not selectively request more information on demand (so you can't go in being sure you know what they're looking at)

If this is something you care about (compliance) your vendor due diligence process should include ensuring the company used a respected/trusted auditor.

[iririririr]

right. because everyone cares about compliance. sorry for the snarky tone, but it really unavoidable here.

it IS an accounting certification. That include a cursory look at (likely outdated, often creator for the audit and never read by anyone) documentation.

[ipnoipipme]

Yeah cause all these frontier labs totally followed all relevant copyright and ip protection laws, so of course they'll follow your little contract, and what will be the consequences when it turns out they lied (again)? Oh maybe a fine, something fair like 0.5% of profits, can't make it too high or too anti business.

[nijave]

>Oh maybe a fine, something fair like 0.5% of profits, can't make it too high or too anti business.

No, this would be a civil lawsuit not criminal. The plaintiff (the harmed party) could sue Anthropic for whatever they wanted. Put another way, they're at the mercy of big corp army of lawyers, not a paid off politician.