OpenAI will only process personal data in the way the business customer tells it to, unless a law requires otherwise. The business customer is responsible for making sure those instructions are lawful.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision places primary legal responsibility on the operator for the lawfulness of data processing instructions, meaning that if a business submits personal data to the API without a valid legal basis, the compliance burden rests with that business rather than OpenAI.
Individuals whose personal data is processed through an OpenAI-powered product are protected by the requirement that the business operating that product must give OpenAI documented, lawful instructions. If the business customer's instructions are unlawful, the DPA assigns that liability to the business customer, not OpenAI.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
Monitoring
OpenAI has changed this document before.
"OpenAI will process Customer Personal Data only on Customer's documented instructions, unless required to do so by applicable law. Customer instructs OpenAI to process Customer Personal Data to provide, maintain, and improve the Services, and as further specified in the Agreement and this DPA."
Excerpt from OpenAI's Data Processing Addendum
REGULATORY LANDSCAPE: This provision directly implements GDPR Article 28(3)(a), which requires that a processor act only on documented instructions from the controller. The relevant enforcement authorities are the EU supervisory authorities, the UK ICO, and the Swiss FDPIC. Where a business customer's instructions lack a lawful basis under GDPR Article 6, the controller bears primary regulatory exposure.

GOVERNANCE EXPOSURE: Medium. The provision creates a compliance obligation for operators to document their processing instructions and to ensure those instructions are grounded in a lawful basis. Operators who deploy OpenAI's API without a records-of-processing-activities entry naming OpenAI as a processor may face audit findings under GDPR Article 30.

JURISDICTION FLAGS: EU/EEA and UK operators face the most direct exposure under Article 28 of the GDPR and UK GDPR. Swiss operators are similarly affected under the revised Swiss Federal Act on Data Protection (revFADP). US-based operators without international data flows face lower immediate regulatory exposure but should still maintain documented instructions to support CCPA service-provider compliance.

CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that internal data processing records reference OpenAI as a processor or sub-processor and that the scope of permitted instructions is documented. Any expansion of use cases (for example, adding new categories of data to API calls) should trigger a review of whether the documented instructions remain current.

COMPLIANCE CONSIDERATIONS: Operators should maintain a written record of the instructions provided to OpenAI, conduct a lawful-basis assessment for each category of personal data submitted via the API, and update data protection impact assessments where high-risk processing occurs.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.