OpenAI can add new third-party suppliers to process your data by posting an update to its sub-processor list. You have a limited window to object, and if you do, OpenAI will try to find a workaround but may not be able to guarantee one.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision operates as a general authorization for sub-processor changes, meaning operators are deemed to consent unless they actively object within the specified window. Operators who do not monitor the sub-processor list may inadvertently accept new sub-processors without review.
Personal data submitted through an operator's API-based product may be processed by OpenAI's sub-processors, whose identities and locations are disclosed on a list that can be updated by OpenAI. The DPA does not guarantee that objections to new sub-processors will result in a resolution that satisfies the operator.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Customer provides a general authorization for OpenAI to engage sub-processors. OpenAI will notify Customer of any new sub-processors by updating its sub-processor list. Customer may object to a new sub-processor by notifying OpenAI in writing within the objection period specified in the sub-processor list. If Customer objects, OpenAI will use reasonable efforts to make available a change to the Services to avoid processing Customer Personal Data by the objected-to sub-processor.— Excerpt from OpenAI's OpenAI Data Processing Addendum
REGULATORY LANDSCAPE: GDPR Article 28(2) permits general written authorization for sub-processors provided the controller is given the opportunity to object. This provision appears structured to meet that requirement. EU supervisory authorities may scrutinize whether the objection window is adequate and whether sub-processor contracts satisfy GDPR Article 28(4). UK GDPR and Swiss nFADT impose equivalent requirements. GOVERNANCE EXPOSURE: Medium. The general authorization model is common in cloud service contracts but requires operators to actively monitor the sub-processor list. Failure to track changes means operators may unknowingly accept sub-processors that create conflicts with their own data processing agreements, sectoral regulations, or data residency requirements. JURISDICTION FLAGS: EU/EEA operators have the clearest obligation to review sub-processor changes under GDPR Article 28. Operators in regulated sectors (healthcare, financial services, public sector) may face additional requirements around approving specific sub-processors. Data residency requirements in certain jurisdictions (Germany, France, public sector frameworks) may make specific sub-processors impermissible regardless of the objection mechanism. CONTRACT AND VENDOR IMPLICATIONS: Procurement and vendor management teams should establish a process to monitor OpenAI's sub-processor list for changes and trigger internal review when updates are posted. The provision states that OpenAI will use reasonable efforts to accommodate objections but does not commit to a guaranteed remedy, which may create service continuity risk if an objected-to sub-processor cannot be removed from the processing chain. COMPLIANCE CONSIDERATIONS: Operators should subscribe to notifications of sub-processor list changes, document their review of each update, and assess whether new sub-processors require amendments to their own customer-facing privacy notices or data processing agreements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision operates as a general authorization for sub-processor changes, meaning operators are deemed to consent unless they actively object within the specified window. Operators who do not monitor the sub-processor list may inadvertently accept new sub-processors without review.
Personal data submitted through an operator's API-based product may be processed by OpenAI's sub-processors, whose identities and locations are disclosed on a list that can be updated by OpenAI. The DPA does not guarantee that objections to new sub-processors will result in a resolution that satisfies the operator.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.