What is the severity of this clause?

ConductAtlas classifies this International Data Transfers via Standard Contractual Clauses clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar International Data Transfers via Standard Contractual Clauses clauses across approximately 12 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

International Data Transfers via Standard Contractual Clauses — OpenAI

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity OpenAI recorded 5 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

ⓘ

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

SCCs are the primary legal mechanism enabling EU-to-US personal data transfers following the invalidation of Privacy Shield. The DPA's incorporation of SCCs is essential for EU and UK customers to lawfully transfer personal data to OpenAI's US-based infrastructure.

⚠

Interpretive note: The adequacy of SCCs for US transfers remains subject to ongoing regulatory interpretation, particularly regarding supplementary measures required after the Schrems II ruling, and individual supervisory authorities may apply differing standards.

Consumer impact (what this means for users)

This document primarily affects businesses using the OpenAI API rather than individual ChatGPT consumers, governing how personal data about individuals processed through those business products is handled. The agreement states that OpenAI will not sell or share personal data submitted via the API, will assist operators in responding to data subject access, deletion, and correction requests, and will delete or return personal data upon termination. You can contact the operator (the business whose product you use) to exercise data subject rights such as access or deletion, as the DPA assigns responsibility for handling those requests to the operator in the first instance.

How other platforms handle this

Upwork Medium

When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.

Unity Medium

Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...

Bluesky Medium

We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...

See all platforms with this clause type →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
To the extent that OpenAI processes Customer Personal Data protected by EU Data Protection Law in a country that has not been recognized as providing an adequate level of protection, the parties agree that the EU SCCs are incorporated into this DPA by reference. The applicable module of the EU SCCs will depend on the capacity in which Customer and OpenAI act with respect to the processing of Customer Personal Data.

— Excerpt from OpenAI's OpenAI Data Processing Addendum

Applicable regulations

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

UK GDPR

United Kingdom

Universal Opt-Out Mechanism Expansion 2026

Provision details

Document information

Document

OpenAI Data Processing Addendum

Entity

OpenAI

Document last updated

May 11, 2026

Tracking information

First tracked

May 11, 2026

Last verified

May 12, 2026

Record ID

CA-P-010688

Document ID

CA-D-00757

Evidence Provenance

Source URL

https://openai.com/policies/data-processing-addendum/

Wayback Machine

View archived versions →

Content hash (SHA-256)

8ae5b556815e67cd00740a6c1b656c2b56a01dfecbb0b039a8fa2625f2c769ba

Analysis generated

May 11, 2026 13:05 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: OpenAI
Document: OpenAI Data Processing Addendum
Record ID: CA-P-010688
Captured: 2026-05-11 13:05:56 UTC
SHA-256: 8ae5b556815e67cd…
URL: https://conductatlas.com/platform/openai/openai-data-processing-addendum/international-data-transfers-via-standard-contractual-clauses/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Processor Instruction Requirement medium
Sub-Processor Authorization and Objection medium
International Data Transfer Mechanisms (SCCs) medium
CCPA No-Sale and Service Provider Commitment medium
Data Subject Rights Assistance medium
Security Measures and Breach Notification medium

Related Analysis

Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
23andMe Is Bankrupt. What Happens to Your DNA Now?
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's International Data Transfers via Standard Contractual Clauses clause do?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 12 platforms. See the full comparison.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.