OpenAI can add new third-party suppliers to process your data by posting an update to its sub-processor list. You have a limited window to object, and if you do, OpenAI will try to find a workaround but may not be able to guarantee one.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision operates as a general authorization for sub-processor changes, meaning operators are deemed to consent unless they actively object within the specified window. Operators who do not monitor the sub-processor list may inadvertently accept new sub-processors without review.
Personal data submitted through an operator's API-based product may be processed by OpenAI's sub-processors, whose identities and locations are disclosed on a list that can be updated by OpenAI. The DPA does not guarantee that objections to new sub-processors will result in a resolution that satisfies the operator.
How other platforms handle this
Mistral AI will provide reasonable notice to the Customer of any changes to the list of Subprocessors prior to engaging such Subprocessor. The Customer may only object in writing to Mistral AI's appointment of a new Subprocessor within ten (10) days of such notice by providing a written objection to...
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
We collect information you provide when you compose, send, or receive messages through the Platform's messaging functionalities and the associated metadata, subject to applicable laws. They include messages you send or receive through our chat functionality when communicating with sellers who sell g...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Customer provides a general authorization for OpenAI to engage sub-processors. OpenAI will notify Customer of any new sub-processors by updating its sub-processor list. Customer may object to a new sub-processor by notifying OpenAI in writing within the objection period specified in the sub-processor list. If Customer objects, OpenAI will use reasonable efforts to make available a change to the Services to avoid processing Customer Personal Data by the objected-to sub-processor.— Excerpt from OpenAI's OpenAI Data Processing Addendum
REGULATORY LANDSCAPE: GDPR Article 28(2) permits general written authorization for sub-processors provided the controller is given the opportunity to object. This provision appears structured to meet that requirement. EU supervisory authorities may scrutinize whether the objection window is adequate and whether sub-processor contracts satisfy GDPR Article 28(4). UK GDPR and Swiss nFADT impose equivalent requirements. GOVERNANCE EXPOSURE: Medium. The general authorization model is common in cloud service contracts but requires operators to actively monitor the sub-processor list. Failure to track changes means operators may unknowingly accept sub-processors that create conflicts with their own data processing agreements, sectoral regulations, or data residency requirements. JURISDICTION FLAGS: EU/EEA operators have the clearest obligation to review sub-processor changes under GDPR Article 28. Operators in regulated sectors (healthcare, financial services, public sector) may face additional requirements around approving specific sub-processors. Data residency requirements in certain jurisdictions (Germany, France, public sector frameworks) may make specific sub-processors impermissible regardless of the objection mechanism. CONTRACT AND VENDOR IMPLICATIONS: Procurement and vendor management teams should establish a process to monitor OpenAI's sub-processor list for changes and trigger internal review when updates are posted. The provision states that OpenAI will use reasonable efforts to accommodate objections but does not commit to a guaranteed remedy, which may create service continuity risk if an objected-to sub-processor cannot be removed from the processing chain. COMPLIANCE CONSIDERATIONS: Operators should subscribe to notifications of sub-processor list changes, document their review of each update, and assess whether new sub-processors require amendments to their own customer-facing privacy notices or data processing agreements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision operates as a general authorization for sub-processor changes, meaning operators are deemed to consent unless they actively object within the specified window. Operators who do not monitor the sub-processor list may inadvertently accept new sub-processors without review.
Personal data submitted through an operator's API-based product may be processed by OpenAI's sub-processors, whose identities and locations are disclosed on a list that can be updated by OpenAI. The DPA does not guarantee that objections to new sub-processors will result in a resolution that satisfies the operator.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.