Enterprise procurement matrix
The questions a procurement review actually asks, answered from each provider's own trust and legal pages. "not published" means we could not verify a public claim; ask the provider directly before relying on it.
| Provider | SLA | SOC 2 | ISO 27001 | HIPAA/BAA | GDPR DPA | Data residency | Invoicing | Support |
|---|---|---|---|---|---|---|---|---|
| RunPod | not published | Type II | not published | claimed | claimed | multi-region | not published | not published |
| Lambda | not published | Type II | claimed | not published | not published | multi-region | invoice/PO available | not published |
| Hyperstack | not published | not published | not published | not published | claimed | US+EU | not published | business tiers |
| CoreWeave | not published | claimed | claimed | not published | not published | US+EU | not published | business tiers |
| Nebius | not published | not published | not published | not published | not published | multi-region | not published | not published |
| DataCrunch | not published | not published | not published | not published | not published | US+EU | not published | business tiers |
| Voltage Park | not published | not published | not published | not published | not published | US only | not published | business tiers |
| Crusoe | not published | not published | not published | not published | not published | multi-region | not published | 24/7 |
| Jarvislabs | not published | not published | not published | not published | not published | not published | card only | community |
| OVHcloud | 99.9% w/ credits | not published | not published | not published | claimed | multi-region | invoice/PO available | business tiers |
| Spheron | not published | not published | not published | not published | not published | US+EU | not published | not published |
| Microsoft Azure | 99.9% w/ credits | Type II | claimed | claimed | claimed | multi-region | invoice/PO available | 24/7 |
| AWS | 99.99% w/ credits | Type II | claimed | claimed | claimed | multi-region | invoice/PO available | 24/7 |
| Together AI | not published | Type II | not published | claimed | not published | not published | not published | business tiers |
| fal | not published | not published | not published | not published | not published | not published | not published | business tiers |
| Modal | not published | not published | not published | not published | not published | multi-region | card only | business tiers |
| Vultr | not published | not published | not published | not published | not published | multi-region | card only | business tiers |
| Massed Compute | not published | not published | not published | not published | not published | not published | not published | business tiers |
Verified cells link to their source. Compliance status changes; treat this as a shortlisting tool, then confirm with the vendor. Corrections: [email protected].
Reading the matrix
Big clouds (AWS, Azure) publish the deepest compliance portfolios but cost 2-4x more per GPU-hour (see the live table). Specialist clouds increasingly carry SOC 2 Type II and GDPR DPAs at a fraction of the price; the gap is usually invoicing terms and support depth, not certifications. Pair this with the hidden-fees matrix for the full procurement picture.