OpenAI commits to maintaining security protections for API customer data and to notifying the business customer promptly if there is a data breach affecting their data.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The breach notification commitment triggers the operator's own regulatory notification obligations under GDPR (72-hour notification to supervisory authority), UK GDPR, and state breach notification laws. The timeliness and scope of OpenAI's notification to the operator directly affects whether the operator can meet its own deadlines.
Interpretive note: The phrase 'without undue delay' is not defined with a specific timeframe in the publicly available DPA text. It mirrors the wording of GDPR Article 33(2), which obliges a processor to notify the controller 'without undue delay' without fixing a number of hours, so the DPA gives the operator no more than the statutory floor. Because the operator's own 72-hour clock under Article 33(1) starts when it becomes aware of the breach, which in practice is when OpenAI's notice arrives, the operational uncertainty is about how much of the operator's assessment and filing work can be done before that notice, not about whether OpenAI's notice shortens the 72-hour window itself.
If personal data processed through an OpenAI API-based product is involved in a security incident, OpenAI is committed to notifying the business customer, who is then responsible for notifying regulators and potentially affected individuals under applicable breach notification laws.
"OpenAI will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. OpenAI will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data."
Excerpt from OpenAI's Data Processing Addendum
REGULATORY LANDSCAPE: GDPR Article 33 requires controllers to notify supervisory authorities of personal data breaches within 72 hours. GDPR Article 28(3)(f) requires processor contracts to include breach assistance obligations. US state breach notification laws (California, New York, and others) impose parallel notification requirements on operators. HIPAA requires breach notification for protected health information, but the DPA notes that HIPAA data requires a separate BAA.

GOVERNANCE EXPOSURE: High for EU/EEA and UK operators due to the 72-hour GDPR notification window. The phrase 'without undue delay' in the DPA must be operationally short enough for operators to receive, assess, and act on breach notifications within their own regulatory deadlines. Operators should assess whether 'without undue delay' in practice provides sufficient lead time.

JURISDICTION FLAGS: EU/EEA and UK operators face the tightest notification windows. US operators are subject to a patchwork of state breach notification laws with varying timelines and scope. Operators in financial services (GLBA) or healthcare (HIPAA) face sector-specific breach notification requirements in addition to state laws.

CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that OpenAI's breach notification commitments in the DPA align with the operator's internal incident response timelines. The DPA should be reviewed for any conditions on what constitutes a reportable breach and whether OpenAI's notification includes sufficient detail to support the operator's own regulatory filings.

COMPLIANCE CONSIDERATIONS: Operators should update their incident response plans to include OpenAI as a processor, establish a documented escalation path for breach notifications received from OpenAI, and confirm that their own breach notification procedures account for the 72-hour GDPR window from the moment they receive notice from OpenAI.
ConductAtlas, the publisher of this analysis, is an independent monitoring service and is not affiliated with, endorsed by, or sponsored by OpenAI.