OpenAI commits that its staff and others who access API customer personal data are bound by confidentiality obligations, either by contract or by law.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision implements a standard GDPR Article 28(3)(b) requirement and provides operators with a contractual assurance that internal access to their data is subject to confidentiality controls. It does not specify the scope of access logging or auditing.
Personal data submitted through the API is accessed only by individuals who are contractually or legally obligated to keep it confidential, according to the terms of this DPA.
Cross-platform context
See how other platforms handle Confidentiality of Processing and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"OpenAI will ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.— Excerpt from OpenAI's OpenAI Data Processing Addendum
REGULATORY LANDSCAPE: GDPR Article 28(3)(b) requires processor contracts to include confidentiality obligations for authorized persons. This provision satisfies that requirement. UK GDPR and Swiss nFADT impose equivalent obligations. GOVERNANCE EXPOSURE: Low. This is a standard processor contract requirement and does not create unusual compliance exposure. Operators may wish to request details about how OpenAI operationalizes this commitment (e.g. through employee agreements, access controls, or audit logging) as part of a security review. JURISDICTION FLAGS: Standard across GDPR, UK GDPR, and Swiss nFADT jurisdictions. No heightened jurisdictional exposure beyond standard processor contract requirements. CONTRACT AND VENDOR IMPLICATIONS: This provision is standard in cloud and AI service processor contracts. Procurement teams may request OpenAI's security documentation (SOC 2, ISO 27001 certifications, or equivalent) to confirm how confidentiality is operationally enforced beyond the contractual commitment. COMPLIANCE CONSIDERATIONS: Operators should include this DPA provision in their vendor security assessment documentation and may request copies of relevant certifications from OpenAI to support their own compliance records.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision implements a standard GDPR Article 28(3)(b) requirement and provides operators with a contractual assurance that internal access to their data is subject to confidentiality controls. It does not specify the scope of access logging or auditing.
Personal data submitted through the API is accessed only by individuals who are contractually or legally obligated to keep it confidential, according to the terms of this DPA.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.