The document states that OpenAI uses third-party sub-processors in delivering its services and maintains a sub-processor list, with a commitment to notify customers of additions or changes to sub-processors.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
GDPR Article 28 requires processors to obtain controller authorization before engaging sub-processors and to impose equivalent data protection obligations on them. The sub-processor notification mechanism is operationally significant for enterprise customers who must evaluate whether new sub-processors affect their own compliance posture or require updated data transfer assessments.
Interpretive note: The document discloses the existence of a sub-processor list and notification commitment but does not specify the notification timeline or objection mechanism; these details depend on the executed DPA.
This addition provides transparency about third-party data processors and establishes a notification mechanism for changes, which is critical for compliance with data protection regulations like GDPR.
View full change record →Under this provision, enterprise customers are informed that OpenAI engages sub-processors and commits to maintaining and sharing a sub-processor list. Customers will receive notification of new sub-processors, which allows them to exercise any contractual objection rights specified in their DPA.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We may share your information with third-party vendors and service providers that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. We may also share your information with third-party advertising p...
We may also share your personal information with third parties that assist us in providing our services, or where we are under an obligation to report to. But rest assured: we will only ever share your personal information in the limited circumstances described in this Policy.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We use sub-processors to help us provide our services. A list of our sub-processors is available, and we will notify customers of any new sub-processors.— Excerpt from OpenAI's OpenAI Enterprise Privacy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 28(2), which requires a processor to obtain the controller's general or specific authorization before engaging sub-processors, and to impose contractually equivalent data protection obligations on sub-processors. Sub-processor changes also trigger re-evaluation of international transfer mechanisms where sub-processors are located outside the EU/EEA. (2) GOVERNANCE EXPOSURE: Medium. The notification commitment is disclosed on the enterprise privacy page, but the specific objection mechanism, notification timeline, and process for exercising objection rights depends on the executed DPA. Customers who have not reviewed their DPA's sub-processor terms may not know how to act on notifications. (3) JURISDICTION FLAGS: EU/EEA customers have the highest exposure because GDPR Article 28 creates affirmative obligations on both OpenAI as processor and the enterprise customer as controller. Where new sub-processors are located in third countries, updated SCCs or other transfer mechanisms may be required. US healthcare customers should verify that OpenAI's sub-processors are bound by equivalent BAA obligations. (4) CONTRACT AND VENDOR IMPLICATIONS: The DPA should specify the notification period for sub-processor changes (commonly 30 days under GDPR standard practice), the mechanism for notification (email, dashboard), and the process for raising objections. Procurement teams should subscribe to sub-processor update notifications and maintain a current copy of the sub-processor list. (5) COMPLIANCE CONSIDERATIONS: Data protection officers should maintain the sub-processor list as part of their Article 30 records and update their transfer impact assessments when new sub-processors are added. Teams should establish an internal process for reviewing sub-processor notifications within the contractual objection window to avoid waiving objection rights by inaction.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
GDPR Article 28 requires processors to obtain controller authorization before engaging sub-processors and to impose equivalent data protection obligations on them. The sub-processor notification mechanism is operationally significant for enterprise customers who must evaluate whether new sub-processors affect their own compliance posture or require updated data transfer assessments.
Under this provision, enterprise customers are informed that OpenAI engages sub-processors and commits to maintaining and sharing a sub-processor list. Customers will receive notification of new sub-processors, which allows them to exercise any contractual objection rights specified in their DPA.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.