How does OpenAI's OpenAI Data Processing Addendum affect users?

This document primarily affects businesses using the OpenAI API rather than individual ChatGPT consumers, governing how personal data about individuals processed through those business products is handled. The agreement states that OpenAI will not sell or share personal data submitted via the API, will assist operators in responding to data subject access, deletion, and correction requests, and will delete or return personal data upon termination. You can contact the operator (the business whos…

How often is OpenAI's OpenAI Data Processing Addendum updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when OpenAI updates this document?

Yes. Watcher subscribers ($9.99/month) can add OpenAI to their watchlist and receive same-day email alerts whenever this document or any other OpenAI document changes.

CA-D-000757

OpenAI Data Processing Addendum

OpenAI

Last change detected May 11, 2026 Data processing addendum

SHA-256: e635ac313ff85148ea4… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at OpenAI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

6 Medium severity

3 Low severity

Summary

This is OpenAI's formal data processing contract for businesses that build products using OpenAI's API, covering how OpenAI handles personal data that those businesses send through the API. The document states that OpenAI processes personal data only as instructed by the business customer, does not sell that data, and will help the business respond to requests from individuals about their personal data. If your company uses the OpenAI API to process customer or employee data, you should review this DPA and sign or confirm acceptance to ensure your own data protection obligations to individuals are covered.

Technical / Legal Breakdown

This document is OpenAI's Data Processing Addendum (DPA), governing the processing of personal data by OpenAI as a data processor on behalf of business customers (operators) who use OpenAI's API and related services, with its legal basis rooted in GDPR Article 28 and equivalent data processor contractual requirements under UK GDPR, Swiss data protection law, and other applicable frameworks. The agreement states that OpenAI will process personal data only on documented instructions from the operator, will implement appropriate technical and organizational security measures, will assist operators in fulfilling data subject rights requests, and will delete or return personal data upon termination of services. The DPA authorizes OpenAI to engage sub-processors from a published list, requiring only that operators be given advance notice and an opportunity to object rather than affirmative consent, which is a standard but operationally significant mechanism that compliance teams should evaluate against their own vendor management obligations. The document engages GDPR (including Standard Contractual Clauses for international transfers), UK GDPR, the Swiss Federal Act on Data Protection, CCPA/CPRA (where OpenAI commits to not selling or sharing personal data and to processing it only for specified business purposes), and HIPAA (addressed through a separate Business Associate Agreement). Material compliance considerations include mapping operator instructions to lawful processing bases, maintaining sub-processor oversight, and ensuring that SCCs are properly incorporated for transfers of EU/EEA personal data to the United States.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

HIPAA Business Associate Agreement Carve-Out Compare →

OpenAI's standard API services are not set up for healthcare data protected under US law. If you want to use the API with patient health data, you must sign a separate legal agreement with OpenAI first.

Added May 12, 2026 Standard Seen across 198 platforms

Medium — 6 provisions

Processor Instruction Requirement Compare →

OpenAI will only process personal data in the way the business customer tells it to, unless a law requires otherwise. The business customer is responsible for making sure those instructions are lawful.

Added May 12, 2026 Standard Seen across 189 platforms
Sub-Processor Authorization and Objection Compare →

OpenAI can add new third-party suppliers to process your data by posting an update to its sub-processor list. You have a limited window to object, and if you do, OpenAI will try to find a workaround but may not be able to guarantee one.

Added May 12, 2026 Standard Seen across 189 platforms
International Data Transfer Mechanisms (SCCs) Compare →

When personal data about people in the EU, UK, or Switzerland is processed in the US or another country without equivalent privacy protections, OpenAI uses standard contractual clauses approved by regulators to make that transfer legal.

Added May 12, 2026 Standard Seen across 246 platforms
CCPA No-Sale and Service Provider Commitment

OpenAI commits that it will not sell personal data submitted by API business customers and will only use it to provide the contracted service, as required for CCPA service provider status.

Added May 12, 2026 Rare
Data Subject Rights Assistance

If someone asks OpenAI directly about their personal data, OpenAI will pass that request to the business customer who is responsible for responding. OpenAI will also help businesses technically respond to deletion, access, and correction requests.

Added May 11, 2026 Rare
Security Measures and Breach Notification Compare →

OpenAI commits to maintaining security protections for API customer data and to notifying the business customer promptly if there is a data breach affecting their data.

Added May 12, 2026 Standard Seen across 262 platforms

Low — 3 provisions

Data Deletion and Return on Termination Compare →

When the API service agreement ends, OpenAI will either return or delete the business customer's personal data, unless a law requires it to keep certain data.

Added May 12, 2026 Standard Seen across 223 platforms
Confidentiality of Processing

OpenAI commits that its staff and others who access API customer personal data are bound by confidentiality obligations, either by contract or by law.

Added May 12, 2026 Rare
Audit Rights

Business customers have the right to audit OpenAI's compliance with this DPA, either directly or through a third-party auditor, as long as they give reasonable notice and keep findings confidential.

Added May 12, 2026 Rare