DeepSeek R1 is a 671-billion-parameter model released under an MIT license. The weights are public. Anyone can download them. The file is byte-identical whether it lands on a rack in your data center, an AWS region in Northern Virginia, an isolated GovCloud partition, or a server in the People's Republic of China. The model is the same. The security posture is entirely a function of the address. When a buyer says "we're evaluating DeepSeek," your next sentence needs to pin down where. These four deployment locations cover the territory: local hardware, a commercial hyperscaler region (AWS Bedrock), a sovereign or government cloud, and the model provider's own API.
The Four Locations
Local Hardware
What it is: The model weights running on machines you own or lease, inside a network perimeter you control.
What it does: Inference happens on-premises. Prompts never leave your environment. No API call, no external network hop, no third-party telemetry. The full DeepSeek R1 needs roughly 376GB of VRAM at Q4 quantization, which means a multi-GPU cluster, not a workstation with a nice graphics card. The practical local path is a distilled variant: the 32B distill fits on a single RTX 4090 at about 20GB VRAM, and tools like Ollama reduce setup to one command. But a distilled model is a smaller, different model trained to mimic the full model's behavior. It learned from the original. It is not the original in a smaller box.
Who's behind it: You. The weights come from a public repository like HuggingFace. After download, the model provider has no involvement and no visibility into what you do with them.
What makes it distinct: Zero third-party data exposure. No external party touches your prompts, your outputs, or your usage patterns. You also own every operational problem: hardware, drivers, scaling, patching, and the expertise to manage all of it.
Commercial Hyperscaler Region (AWS Bedrock)
What it is: The model weights running inside a major cloud provider's managed inference service, in a standard commercial region.
What it does: You make an API call to AWS. Bedrock handles GPU allocation, scaling, and model serving. Your prompt travels over TLS to an AWS endpoint in a region you select (currently US East and US West for DeepSeek R1), gets processed, and the response comes back.
Who's behind it: AWS operates the infrastructure. Bedrock uses a Model Deployment Account: in each region, AWS maintains a dedicated AWS-owned account per model provider. AWS performs a deep copy of the model into that account. The model provider has no access to the deployment account, no access to Bedrock logs, and no access to customer prompts or completions. AWS states this plainly:
"Amazon Bedrock doesn't store customer input data and model output data, share the data with third-party model providers, or use the data to train models."
What makes it distinct: The model provider is architecturally locked out of the inference path. Your prompts go to AWS, not to DeepSeek. The data is governed by your AWS agreement, not DeepSeek's terms. You can tighten this further with AWS PrivateLink, keeping prompt traffic entirely off the public internet.
Sovereign / Government Cloud
What it is: The model weights running inside a cloud partition built to meet government security and compliance requirements, isolated from commercial regions.
What it does: Same managed inference concept as commercial Bedrock, but inside a boundary designed for regulated workloads. AWS GovCloud is physically and logically isolated from commercial partitions with no native interconnectivity, administered exclusively by U.S. citizens. Azure Government and Google Cloud Vertex AI have their own government partitions with different architectural approaches, but the GovCloud model is the clearest illustration of the pattern.
Who's behind it: The cloud provider, under a stricter set of controls. AWS GovCloud supports FedRAMP High. Accessing Bedrock models there requires initiating access through a linked standard account, agreeing to EULAs in a commercial region first, then enabling in GovCloud. The onboarding process is heavier by design.
What makes it distinct: The menu is shorter. Model availability lags behind commercial regions, sometimes by a generation. Claude and GPT-family models are authorized in GovCloud. DeepSeek R1 is not confirmed available in AWS GovCloud as of this writing. The security boundary is tighter, but the model you want may not be behind it yet, and the authorization timeline is not something anyone accelerates by asking nicely.
Provider API (api.deepseek.com)
What it is: The model weights running on infrastructure operated by the model's creator, accessed through their public API endpoint.
What it does: You send prompts over the internet to DeepSeek's servers. They process inference and return the response. DeepSeek's privacy policy states that data is stored "in secure servers located in the People's Republic of China." The policy covers collection of "text input, voice input, prompt, uploaded files, photos, feedback, chat history, or other content" provided to the service. The consumer product (chat.deepseek.com) and the developer API (api.deepseek.com) operate under different terms with different data handling provisions. That distinction gets lost constantly.
Who's behind it: DeepSeek, a Chinese AI company. The DeepSeek Open Platform Terms govern API usage specifically.
What makes it distinct: You're operating under the model provider's own legal and data-handling terms, with no intermediary between your prompts and their infrastructure. The consumer app terms (as published March 2026) allow DeepSeek to use inputs and outputs for service improvement, with an opt-out toggle. The Open Platform API terms do not contain an equivalent explicit opt-out mechanism in the current published text. That's a material gap. If your buyer's compliance team asks "can we opt out of training use on the API?" the honest answer today is: the terms don't clearly say.
SAML federation works the same way: same assertion format, same XML schema, completely different trust outcomes depending on who operates the IdP. Model hosting follows the same pattern: identical weights, completely different trust posture based on who operates the inference. The analogy holds through the trust evaluation. It breaks at revocation — you can revoke federation trust in minutes; migrating off a model hosting location is an infrastructure project.
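
Pinning down "where" can start with the endpoint each application is configured to call. The following is an added example, not part of the original article: it sorts configured inference URLs into the four locations above. The location labels, the app names in the sample config, and the hostname patterns (Bedrock runtime endpoint naming, `us-gov-` region prefix) are assumptions of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed patterns: Bedrock runtime hosts look like
# bedrock-runtime[-fips].<region>.amazonaws.com; GovCloud regions start "us-gov-".
BEDROCK_PREFIXES = ("bedrock-runtime", "bedrock-runtime-fips")
PROVIDER_DOMAIN = "deepseek.com"

SAMPLE_CONFIG = {  # constructed sample, not taken from the article
    "helpdesk-bot": "http://localhost:11434/api/generate",
    "contracts-summarizer": "https://bedrock-runtime.us-east-1.amazonaws.com",
    "case-triage": "https://bedrock-runtime.us-gov-west-1.amazonaws.com",
    "dev-prototype": "https://api.deepseek.com/v1",
    "lab-cluster": "http://10.20.0.15:8000/v1",
    "mystery": "https://llm.example.net/v1",
}

def classify_endpoint(url: str) -> str:
    """Map a configured inference base URL to one of the four locations."""
    # Accept bare "host:port" values as well as full URLs.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exact domain or true subdomain only, so look-alike hosts do not match.
    if host == PROVIDER_DOMAIN or host.endswith("." + PROVIDER_DOMAIN):
        return "provider-api"
    labels = host.split(".")
    if (len(labels) == 4 and labels[2:] == ["amazonaws", "com"]
            and labels[0] in BEDROCK_PREFIXES):
        gov = labels[1].startswith("us-gov-")
        return "sovereign-cloud" if gov else "commercial-hyperscaler"
    if host == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # a name this sketch cannot place: review by hand
    # Private ranges are treated as local; a private IP can also be a cloud
    # VPC endpoint, so confirm ownership of the address before relying on it.
    return "local" if (ip.is_loopback or ip.is_private) else "unknown"

def inventory(config: dict) -> dict:
    """Return {app name: location label} for every configured endpoint."""
    return {app: classify_endpoint(url) for app, url in config.items()}

if __name__ == "__main__":
    for app, location in inventory(SAMPLE_CONFIG).items():
        print(f"{app:22} {location}")
```

Anything that comes back `unknown` is a hostname that needs a human answer to the "where" question before the rest of the evaluation proceeds.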
Four Dimensions That Surface in the Room
The structure here is trait-led, organized around the four questions public sector buyers actually raise when deployment location comes up. These questions surface individually and in unpredictable order, so each dimension needs to stand on its own. Every location appears against every dimension.
Who can see the prompts?
| Location | Prompt Visibility |
|---|---|
| Local hardware | Only personnel with access to the host machine. No external party. |
| Commercial hyperscaler | AWS operations staff, subject to AWS data protection commitments. DeepSeek is architecturally excluded via the Model Deployment Account (a dedicated AWS-owned account where the model runs, walled off from the model provider). AWS documents automated abuse detection with no human access to prompt data. |
| Sovereign cloud | Same as commercial hyperscaler, plus operational staff is restricted to U.S. citizens in GovCloud. Tighter personnel controls, same architectural isolation from the model provider. |
| Provider API | DeepSeek. Their privacy policy documents collection of all input content. Third-party code libraries, including one from ByteDance's cloud division (Volcengine), have been identified in the consumer app; whether the same integrations apply to raw API calls is undocumented. |
Where do the bytes physically travel?
| Location | Data Path |
|---|---|
| Local hardware | Nowhere. Stays on your network. |
| Commercial hyperscaler | To an AWS region you select. Bedrock offers three routing tiers: In-Region (single region, strictest), Geographic (within US or EU), and Global (any commercial region worldwide). You choose. |
| Sovereign cloud | To the government cloud partition. In AWS GovCloud, there is no native interconnectivity with commercial partitions. Traffic stays inside the isolated boundary. Not all government clouds are built the same way, though. Google Cloud layers compliance controls (Assured Workloads) on top of commercial infrastructure rather than maintaining a physically separate partition. Azure Government maintains its own separate authorization. The architectural difference matters for how your buyer's security team evaluates the boundary. |
| Provider API | Over the public internet to servers in China. The privacy policy also notes data "may be stored on a server located outside of the country where you live," leaving secondary locations unspecified. |
What legal envelope governs data handling?
| Location | Governing Framework |
|---|---|
| Local hardware | Your organization's data governance policies. No external terms apply post-download. The MIT license governs the weights, not your data. |
| Commercial hyperscaler | Your AWS customer agreement. AWS's published position: no storage of customer input/output, no sharing with model providers, no use for training. |
| Sovereign cloud | Your government cloud agreement plus the compliance framework of the partition (FedRAMP High, DoD IL4/5, etc.). Enforceable data handling requirements layered on top of commercial terms. |
| Provider API | DeepSeek's terms and privacy policy, governed by Chinese law. Data retention documented as lasting "for as long as you have an account." |
What operational burden falls on the customer?
| Location | Ops Burden |
|---|---|
| Local hardware | Everything. Hardware procurement, driver management, model updates, quantization choices (selecting how aggressively to compress the model to fit your hardware), scaling, monitoring, security patching. You need staff who know what vLLM and GGUF mean. |
| Commercial hyperscaler | Minimal. Bedrock is managed inference. You handle IAM policies, logging configuration, and cost management. AWS handles GPUs, scaling, and model serving. |
| Sovereign cloud | Moderate. Same managed inference, but the onboarding path is heavier. Accessing models requires initiating access through a linked standard account, agreeing to EULAs in a commercial region first, then enabling in GovCloud. Model availability gaps mean planning around what's actually there, not what you wish were there. |
| Provider API | Minimal, with a catch. You manage API keys and network configuration. DeepSeek manages everything else. The operational simplicity is real. The compliance exposure travels with it. |
You've had the "where does the directory live?" conversation a hundred times. Same protocol, same SCIM schema, completely different data residency answers depending on whether the user store is on-prem AD, Okta's cloud tenant, or a government-specific deployment. Model inference is the same pattern: same model, same prompt format, but the physical location of processing determines which jurisdiction's laws touch the data. The analogy holds cleanly. It breaks on auditability — directory data is relatively stable and inventoried; inference data (prompts and responses) is transient, high-volume, and much harder to account for after the fact.
How to Say This in the Field
| Don't say | Do say | Why it matters |
|---|---|---|
| "DeepSeek is a Chinese model, so it's a security risk." | "DeepSeek's weights are open and run anywhere. The risk profile is a function of where you host the inference." | Conflating model origin with hosting location is the most common error in these conversations. |
| "Bedrock is safe because it's AWS." | "Bedrock architecturally isolates the model provider from your prompts. AWS deep-copies the weights into an account DeepSeek can't access." | The mechanism earns confidence. A brand name is just a brand name. |
| "Just run it locally and you're fine." | "Local deployment eliminates third-party data exposure, but the full 671B model needs a multi-GPU cluster. The distilled variants fit on a single GPU, but they're smaller, different models." | Buyers who hear "run it locally" often picture a laptop. |
| "GovCloud has everything Bedrock has." | "GovCloud Bedrock is real, but model availability lags commercial regions. DeepSeek R1 isn't confirmed there today." | Overpromising GovCloud availability costs you credibility the moment the buyer checks. |
| "The provider API sends your data to China." | "DeepSeek's privacy policy documents that data is stored on servers in the PRC. Their API terms don't include a clear opt-out for training use of inputs." | Lead with the documented fact. The geopolitical framing adds heat without adding information. |
| "Open source means you can do whatever you want." | "The weights are MIT-licensed, so you can host them anywhere. But open weights means the model file is available. It doesn't say anything about what happens to your data wherever you choose to run it." | Buyers sometimes conflate open licensing with open data handling. |
| "We should avoid DeepSeek entirely." | "The model's capabilities are real. Whether you can use it depends on hosting it in a location where the data path and legal envelope meet your requirements." | Blanket avoidance sounds political. Hosting-specific analysis sounds technical. |
| "Sovereign cloud is just regular cloud with a compliance sticker." | "GovCloud is a physically isolated partition with no network path to commercial AWS. Not all government clouds are built the same way — Google layers compliance on commercial infrastructure, which is architecturally different." | The buyer's security team will know this distinction exists. |
| "Bedrock's cross-region inference means your data could go anywhere." | "Bedrock gives you three routing tiers. In-Region keeps data in one region. Geographic keeps it within the US or EU. Global routes anywhere for throughput. You pick the tier." | Specificity prevents the buyer from assuming the worst. |
| "The API terms say they won't train on your data." | "The consumer app terms have an opt-out toggle for training use. The API platform terms don't include an equivalent mechanism in the current published text. That gap matters for compliance review." | Getting this wrong in either direction damages trust. |
| "We're looking at DeepSeek" (without specifying which endpoint). | "Are you evaluating the API at api.deepseek.com, or hosting the open weights on your own infrastructure? Those are completely different conversations." | The consumer product and the developer API operate under different terms. Buyers don't always distinguish them. |
AWS's Model Deployment Account works like a federation broker or SAML proxy. The broker sits between the relying party and the identity provider; the downstream provider never sees the raw assertion attributes. Bedrock sits between your application and the model weights; the model provider never sees your prompts. Same architectural pattern: insert a trusted intermediary, cut the direct data path. Where it breaks: a federation broker is a well-understood, standards-based component with decades of operational history. The Model Deployment Account is an AWS-specific architecture with AWS-specific documentation. Your buyer's security team will want to read that documentation themselves, not take the analogy on faith.
The model is the same file at every address. The prompt path, the telemetry exposure, the legal envelope, and the operational weight all change based on where you run it. When your buyer brings up DeepSeek, or any open-weight model, the conversation that earns trust is the one about hosting, grounded in their specific deployment choice and their specific data path.
Things to follow up on...
- GovCloud model availability lag: AWS GovCloud Bedrock now offers OpenAI GPT OSS and NVIDIA Nemotron models alongside Claude, but DeepSeek R1 remains unconfirmed there, and the authorization timeline for new models is opaque by design.
- Google's different isolation architecture: Unlike AWS GovCloud's physical partition, Google Cloud uses Assured Workloads to layer compliance controls on top of commercial infrastructure, and generative AI models are not yet available under its ITAR control package.
- DeepSeek's exposed database incident: In January 2025, researchers found a publicly accessible ClickHouse database containing API secrets and chat logs, secured only after external notification, which underscores why the hosting location's security controls matter independently of the model provider's own practices.
- Bedrock AgentCore in GovCloud: AWS announced Bedrock AgentCore availability in GovCloud (US-West) in May 2026, bringing managed agentic AI infrastructure inside the government boundary for the first time.

