What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This document engages GDPR (including requirements for data processing agreements and standard contractual clauses for international transfers), CCPA (OpenAI asserts service provider status for enterprise customers, limiting its ability to sell or share data for cross-context behavioral advertising), and HIPAA (BAA availability is disclosed for API deployments involving protected health information). The relevant enforcement authorities include the EU data protection a…

How does OpenAI's OpenAI Enterprise Privacy affect users?

The document establishes that enterprise and API customers operate under data handling terms that exclude their inputs and outputs from model training by default, distinct from consumer ChatGPT terms. Under these terms, OpenAI acts as a data processor for enterprise customers, with data processing agreements available for GDPR compliance and BAAs available for HIPAA-relevant API use. You can contact OpenAI's privacy team at privacy@openai.com to request applicable data processing agreements or …

How often is OpenAI's OpenAI Enterprise Privacy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when OpenAI updates this document?

Yes. Monitor subscribers ($19/month) can add OpenAI to their watchlist and receive same-day email alerts whenever this document or any other OpenAI document changes.

CA-D-000825

OpenAI Enterprise Privacy

OpenAI

Last change detected June 1, 2026 Enterprise terms

SHA-256: b5e7bcba16cf57f2a85… 5 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at OpenAI ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

2 High severity

4 Medium severity

1 Low severity

Summary

This is OpenAI's enterprise privacy information page covering ChatGPT Enterprise, ChatGPT Teams (Business), and the API Platform. The document states that by default, inputs, outputs, and conversation data from enterprise and API customers are not used to train OpenAI models, and that OpenAI offers GDPR-compliant data processing agreements including standard contractual clauses for EU data transfers. For customers handling health information, the document states that OpenAI can sign a Business Associate Agreement for applicable API deployments, enabling use under HIPAA-relevant contexts.

Technical / Legal Breakdown

This document is OpenAI's enterprise privacy disclosure page, governing data handling practices for ChatGPT Enterprise, ChatGPT Business (Teams), and the API Platform, operating under OpenAI's Terms of Use and applicable data processing agreements. The terms state that API and ChatGPT Enterprise customers' inputs and outputs are not used to train OpenAI models by default, that enterprise conversation data is not retained beyond the immediate session by default, and that OpenAI acts as a data processor on behalf of enterprise customers for purposes of applicable data protection law. The document asserts GDPR-compliant data processing terms including standard contractual clauses for international data transfers, SOC 2 Type 2 certification, and CCPA service provider status, though the operational scope of these commitments depends on the specific contract executed and product tier in use. The document engages GDPR, CCPA, and HIPAA-adjacent considerations, noting that OpenAI offers a Business Associate Agreement for applicable API use cases, with regulatory applicability varying by jurisdiction, industry, and product configuration. Material compliance considerations include verifying that executed DPAs align with the disclosures on this page, confirming BAA availability and scope for health-related deployments, and ensuring that enterprise administrators have configured data retention and training opt-out settings correctly.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

4 important changes detected

5 versions captured · Last updated: June 2026

June 1, 2026

low

What changed OpenAI updated three sentences in their Enterprise Privacy policy on June 1, 2026, removing spacing characters around hyperlinks in language describing Data Processing Agreements, Student Data Privacy Agreements for ChatGPT Edu and Teachers, and ChatGPT Business information. The changes are formatting adjustments to how hyperlinked references appear in the document text. No changes to substantive privacy terms, rights, obligations, or data handling practices were made.

Why this matters This change involves formatting adjustments to hyperlinks in OpenAI's Enterprise Privacy policy and does not modify any substantive privacy terms, data handling practices, or user rights. The updated language maintains identical language for Data Processing Agreements, Student Data Privacy Agreements, and ChatGPT Business references; only spacing around hyperlinks was adjusted. No action is required by users or organizations.

View full change record →

May 28, 2026

unknown

What changed OpenAI updated their OpenAI Enterprise Privacy on May 28, 2026. Change detected: 4 sentence(s) modified. Document contained 107 sentences after update.

View full change record →

May 22, 2026 low

OpenAI updated formatting in its Enterprise Privacy document on May 22, 2026 by modifying spacing around hyperlinks in three sentences. The changes involve adjusting whitespace before the opening parentheses in …

View change record →

May 19, 2026 low

OpenAI updated a hyperlink in its Enterprise Privacy document on May 19, 2026. The previous link text 'Learn more about ChatGPT Business' was modified to 'Learn more about ChatGPT Business …

View change record →

Recent Provision Changes Jun 1, 2026

7 provisions unchanged.

View full change record →

High — 2 provisions

GDPR Data Processing Agreement and Standard Contractual Clauses Compare →

The document states OpenAI offers a Data Processing Agreement incorporating EU Standard Contractual Clauses for enterprise and API customers, enabling international transfers of personal data from the EU/EEA to OpenAI's US-based infrastructure.

Added May 20, 2026 Standard Seen across 284 platforms
HIPAA Business Associate Agreement for API Deployments Compare →

The document states that OpenAI can execute a Business Associate Agreement with API customers who require HIPAA compliance coverage, enabling use of the API in contexts involving protected health information.

Added May 20, 2026 Standard Seen across 284 platforms

Medium — 4 provisions

No Model Training on Enterprise and API Data by Default Compare →

The document states that data submitted through the API and ChatGPT Enterprise, including inputs and outputs, is not used to train OpenAI's models by default, distinguishing enterprise terms from standard consumer ChatGPT terms.

Added May 20, 2026 Standard Seen across 284 platforms
CCPA Service Provider Designation Compare →

The document asserts that OpenAI is a CCPA service provider for enterprise and API customers, which under California law means OpenAI is contractually prohibited from using personal data for purposes other than performing the contracted services, and may not sell or share it for cross-context behavioral advertising.

Added May 20, 2026 Standard Seen across 284 platforms
Data Retention and Conversation Storage Practices Compare →

The document states that API conversation data is not retained beyond 30 days by default except for safety purposes, while ChatGPT Enterprise stores conversations with administrator-level controls for data management and deletion.

Added May 20, 2026 Standard Seen across 284 platforms
Sub-Processor Disclosure and Third-Party Data Sharing Compare →

The document states that OpenAI uses third-party sub-processors in delivering its services and maintains a sub-processor list, with a commitment to notify customers of additions or changes to sub-processors.

Added May 20, 2026 Standard Seen across 252 platforms

Low — 1 provision

SOC 2 Type 2 Certification Disclosure Compare →

The document discloses that OpenAI has obtained SOC 2 Type 2 certification, indicating that its security controls have been independently audited against the AICPA Trust Services Criteria for security, availability, and related categories.

Added May 20, 2026 Standard Seen across 284 platforms

Monitoring

OpenAI has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle GDPR Data Processing Addendum and Standard Contractual Clauses and similar clauses.

Compare across platforms →