Provisions: 10 total (1 high severity, 6 medium severity, 3 low severity)
Summary

This document establishes OpenAI's data processing terms for business customers who submit personal data through the OpenAI API. The agreement specifies that OpenAI processes personal data only according to documented instructions from the business customer and does not sell or disclose that data to third parties. The document further authorizes OpenAI to assist business customers in responding to data subject requests for access, deletion, and correction.

Technical / Legal Breakdown

This document is OpenAI's Data Processing Addendum (DPA), governing the processing of personal data by OpenAI as a data processor on behalf of business customers (operators) who use OpenAI's API and related services, with its legal basis rooted in GDPR Article 28 and equivalent data processor contractual requirements under UK GDPR, Swiss data protection law, and other applicable frameworks. The agreement states that OpenAI will process personal data only on documented instructions from the operator, will implement appropriate technical and organizational security measures, will assist operators in fulfilling data subject rights requests, and will delete or return personal data upon termination of services. The DPA authorizes OpenAI to engage sub-processors from a published list, requiring only that operators be given advance notice and an opportunity to object rather than affirmative consent, which is a standard but operationally significant mechanism that compliance teams should evaluate against their own vendor management obligations. The document engages GDPR (including Standard Contractual Clauses for international transfers), UK GDPR, the Swiss Federal Act on Data Protection, CCPA/CPRA (where OpenAI commits to not selling or sharing personal data and to processing it only for specified business purposes), and HIPAA (addressed through a separate Business Associate Agreement). Material compliance considerations include mapping operator instructions to lawful processing bases, maintaining sub-processor oversight, and ensuring that SCCs are properly incorporated for transfers of EU/EEA personal data to the United States.

2 important changes detected

3 versions captured · Last updated: June 2026

What changed: OpenAI removed the full language selector list from the header of their Data Processing Addendum on June 6, 2026, replacing it with a collapsed menu indicator ('...'). The document substance, effective date (January 1, 2026), and legal definitions remain unchanged. This is a formatting change to how the document is presented, not a modification of the data processing terms, rights, or obligations themselves.
Why this matters: This change does not affect the substance of OpenAI's Data Processing Addendum or the terms governing data processing practices. The document language, legal definitions, obligations, and effective date remain identical. The change is limited to how the language selection interface is displayed on the webpage.
What changed: OpenAI updated the language selection interface in their Data Processing Addendum on May 23, 2026. The change added five additional language options to the language selector menu (Armenian, Georgian, Icelandic, Maltese, and Somali) while keeping all substantive terms identical. This is a formatting and localization update with no change to the underlying data processing rights, obligations, or protections.
Why this matters: This change does not alter any substantive terms of the Data Processing Addendum. The updated document now offers the agreement in five additional languages: Armenian, Georgian, Icelandic, Maltese, and Somali. The rights, obligations, and data processing authorizations remain identical across all language versions.

Recent Provision Changes (Jun 6, 2026)

10 provisions unchanged.


Mapped Governance Frameworks

BIPA (Illinois, USA)
CCPA/CPRA (California, USA)
Connecticut Data Privacy Act Amendments (US-CT)
CAN-SPAM (United States Federal)
FTC Act Section 5 (United States Federal)
GDPR (European Union)
Indiana Consumer Data Protection Act (US-IN)
Kentucky Consumer Data Protection Act (US-KY)
UK GDPR (United Kingdom)
Universal Opt-Out Mechanism Expansion 2026 (US)

Source & Archival Record

Last Captured: June 6, 2026 00:06 UTC
Capture Method: Automated scheduled archival capture
Document ID: CA-D-000757
Version ID: CA-V-003482
SHA-256: a140b365afe4e3f2cfbea8fef1de46df25c7e28eabe33308405f9a4a629de32a
Status: Snapshot stored, text extracted, change verified, hash verified