
๐Ÿญ๐Ÿณ ๐—Ÿ๐—Ÿ๐—  ๐˜๐—ถ๐—ฒ๐—ฟ๐˜€. ๐Ÿฐ ๐—พ๐˜‚๐—ฒ๐˜€๐˜๐—ถ๐—ผ๐—ป๐˜€. ๐—ข๐—ป๐—น๐˜† ๐Ÿฏ ๐—ฝ๐—ฎ๐˜€๐˜€.

  • Writer: Christian Schulze
  • May 21
  • 2 min read

I mapped every subscription tier from OpenAI, Anthropic, Google, and Mistral against four questions a pharma board needs answered before any AI procurement decision. The result is sobering.


๐—ง๐—ต๐—ฒ ๐Ÿฐ ๐—พ๐˜‚๐—ฒ๐˜€๐˜๐—ถ๐—ผ๐—ป๐˜€:


1. Does the provider train on our inputs by default?

2. Can we lawfully process EU personal data on this tier (GDPR)?

3. Can we lawfully process US patient data on this tier (HIPAA)?

4. Is DPA + BAA + Zero Data Retention available on the same tier?


๐—ง๐—ต๐—ฒ ๐—ฟ๐—ฒ๐˜€๐˜‚๐—น๐˜: Out of 17 tier combinations, only 3 pass all four tests.


OpenAI Enterprise / Healthcare / API.

Anthropic Claude Enterprise / API.

Google Workspace Enterprise / Vertex AI.


That is it. Everything else fails at least one question. Most fail three.


๐—ช๐—ต๐—ฎ๐˜ ๐—บ๐—ผ๐˜€๐˜ ๐—ฐ๐—ผ๐—บ๐—ฝ๐—ฎ๐—ป๐—ถ๐—ฒ๐˜€ ๐—ด๐—ฒ๐˜ ๐˜„๐—ฟ๐—ผ๐—ป๐—ด:


ChatGPT Team? No HIPAA BAA, no ZDR. Fails questions 3 and 4.

Claude Pro? Consumer terms, opt-in training, US-only storage. Fails all four.

Gemini Pro? Same as free tier for training. Fails all four.

Mistral Enterprise? Strongest EU option, fully GDPR-native, no CLOUD Act exposure. But no HIPAA BAA. Fails question 3.


๐—ง๐—ต๐—ฒ ๐˜‚๐—ป๐—ฐ๐—ผ๐—บ๐—ณ๐—ผ๐—ฟ๐˜๐—ฎ๐—ฏ๐—น๐—ฒ ๐—บ๐—ฎ๐˜๐—ต: Most pharma companies are running AI on one of the 14 tiers that do not pass. Not because they made a risk decision. Because someone in the organization signed up, started working, and nobody asked the four questions.


This is not a technology failure. It is a governance gap. The real question behind this matrix is not "which LLM should we buy?" It is "does your organization know what data is touching AI right now?"


Samsung engineers pasted semiconductor source code into ChatGPT within 20 days of getting access. They were not malicious. They were trying to be productive. That is the pattern.


๐—ช๐—ต๐—ฎ๐˜ ๐˜๐—ผ ๐—ฑ๐—ผ ๐—ฎ๐—ฏ๐—ผ๐˜‚๐˜ ๐—ถ๐˜: Ban all consumer and Pro tiers for anything you would not post publicly. Migrate R&D, clinical, and regulatory staff to an approved Enterprise tenant. And before you choose a vendor, classify your workloads.


Want to find out where your organization stands? Take my free AI Readiness Assessment. Link in the comments.

