This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision operationalizes the data controller-processor relationship required under data protection regulations. It establishes the legal framework under which OpenAI processes personal data and requires that processing occur only pursuant to documented instructions, creating an audit trail for compliance with data protection obligations.
This provision requires that personal data processing be limited to purposes documented in customer instructions and for providing and improving the Services. Customers, as data controllers, formally instruct OpenAI to process personal data within these specified parameters, establishing the scope of authorized processing activities.
How other platforms handle this
When our business customers use certain Services, we generally process and store limited personal information on their behalf as a data processor. For certain products such as Docusign's Contract Lifecycle Management (CLM) and Identity products, we may act as a processor and as a controller in certa...
Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contac...
Mixpanel acts as a data processor on behalf of its customers (the controllers) when processing end user data through the Mixpanel analytics platform, and as a data controller with respect to data it collects about its own website visitors and account holders.
Monitoring
OpenAI has changed this document before.
"OpenAI will process Customer Personal Data only in accordance with Customer's documented instructions, unless required to do so by applicable law. Customer, as the data controller (or processor acting on behalf of a controller), instructs OpenAI to process Customer Personal Data to provide and improve the Services in accordance with the Agreement." — Excerpt from OpenAI's OpenAI Data Processing Addendum
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.