OpenAI commits to maintaining security protections for API customer data and to notifying the business customer promptly if there is a data breach affecting their data.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The breach notification commitment triggers the operator's own regulatory notification obligations under GDPR (72-hour notification to supervisory authority), UK GDPR, and state breach notification laws. The timeliness and scope of OpenAI's notification to the operator directly affects whether the operator can meet its own deadlines.
Interpretive note: The phrase 'without undue delay' is not defined with a specific timeframe in the publicly available DPA text, creating operational uncertainty about whether the notification window is sufficient for operators to meet their own GDPR 72-hour obligation.
If personal data processed through an OpenAI API-based product is involved in a security incident, OpenAI is committed to notifying the business customer, who is then responsible for notifying regulators and potentially affected individuals under applicable breach notification laws.
OpenAI has changed this document before.
"OpenAI will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. OpenAI will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data." (Excerpt from the OpenAI Data Processing Addendum)
REGULATORY LANDSCAPE: GDPR Article 33 requires controllers to notify supervisory authorities of personal data breaches within 72 hours. GDPR Article 28(3)(f) requires processor contracts to include breach assistance obligations. US state breach notification laws (California, New York, and others) impose parallel notification requirements on operators. HIPAA requires breach notification for protected health information, but the DPA notes that HIPAA data requires a separate BAA.

GOVERNANCE EXPOSURE: High for EU/EEA and UK operators due to the 72-hour GDPR notification window. The phrase 'without undue delay' in the DPA must be operationally short enough for operators to receive, assess, and act on breach notifications within their own regulatory deadlines. Operators should assess whether 'without undue delay' in practice provides sufficient lead time.

JURISDICTION FLAGS: EU/EEA and UK operators face the tightest notification windows. US operators are subject to a patchwork of state breach notification laws with varying timelines and scope. Operators in financial services (GLBA) or healthcare (HIPAA) face sector-specific breach notification requirements in addition to state laws.

CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that OpenAI's breach notification commitments in the DPA align with the operator's internal incident response timelines. The DPA should be reviewed for any conditions on what constitutes a reportable breach and whether OpenAI's notification includes sufficient detail to support the operator's own regulatory filings.

COMPLIANCE CONSIDERATIONS: Operators should update their incident response plans to include OpenAI as a processor, establish a documented escalation path for breach notifications received from OpenAI, and confirm that their own breach notification procedures account for the 72-hour GDPR window from the moment they receive notice from OpenAI.
ConductAtlas is an independent monitoring service and is not affiliated with, endorsed by, or sponsored by OpenAI.