Methodology

How we score

Every verdict on LLM Radar is an editorial judgement anchored in public documentation. Below is the rubric we apply — uniformly — to every entry.

Hosting

Green

Data resides in the EU by default, on infrastructure operated by the vendor or a European cloud (OVH, Scaleway, Clever Cloud, Aleph Alpha's own infra).

Amber

EU region available via a US hyperscaler (AWS, Azure, GCP). Data stays in Europe at rest, but control plane and operator are non-EU.

Red

Data leaves the EU by default. No EU region available, or opt-in only.

GDPR posture

Native

GDPR built into the product. Sub-processors list in the EU, training opt-out by default, full DPA offered.

DPA

DPA available on request, training opt-out available. Some sub-processors outside the EU.

Not compliant

No DPA, no opt-out, or terms incompatible with Article 28 of the GDPR.

Jurisdiction

EU member

Vendor incorporated in an EU member state. No conflicting extraterritorial laws.

Adequacy

Vendor incorporated in a country with a valid EU adequacy decision (UK, Switzerland, Canada, Japan, South Korea, …). Exposure depends on the country's own laws.

Non-adequate

Vendor incorporated in a country whose laws conflict with the GDPR (notably the US CLOUD Act and FISA 702, or China's data-access regime). May be disqualifying for regulated sectors.

AI Act status

Compliant

Vendor publishes the Article 53 information (training data summary, copyright compliance, risk management) expected of general-purpose AI providers.

Partial

Some obligations met, others unclear or forthcoming.

Not assessed

No public information, or vendor does not fall under the AI Act but operates in the EU.

Licence (open-weight models)

Permissive

Apache 2.0, MIT, BSD. No usage caps, no royalty, no acceptable-use clauses. Irrevocable.

Custom / community

Vendor-specific licence (Llama community, Gemma terms, etc.). Usually commercial-ok with caveats: MAU caps, acceptable-use lists, attribution requirements. Vendor can revise terms for new versions.

Research-only

Non-commercial licence. Not deployable in production.

Training-data disclosure

Documented

Full list of datasets, provenance, licensing, copyright posture.

Partial

High-level description, some datasets named, others aggregated.

Undisclosed

No public information on training data. AI Act Article 53 obligations not met.

Overall verdict

The overall verdict (green OK, amber Warn, red KO) synthesises the above into a single decision-useful signal:

  • OK — defensible for regulated EU deployments, including banking, healthcare and (where noted) defence.
  • Warn — deployable for non-sensitive use cases; material risks to document and mitigate for regulated sectors.
  • KO — not deployable for European personal data under current posture.

Process & accountability

  • Every entry cites at least one public source. No off-the-record claims.
  • Every entry shows its last-reviewed date and the reviewer's name.
  • Vendors may submit a right-of-reply; we publish it verbatim.
  • See the About page for the correction and takedown workflow.