Track 3 platforms and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is OpenAI's publicly published list of sub-processors, meaning the third-party companies that may handle Customer Data when businesses use OpenAI's API and enterprise products under the OpenAI Data Processing Agreement. The list identifies each sub-processor's name, country of operation, and the specific processing activity they perform, such as cloud infrastructure hosting, customer support tooling, or analytics. Business customers using OpenAI's API services can use this list to assess their own data flow obligations, including whether cross-border data transfers require additional safeguards under applicable law.
This document is OpenAI's Sub-processor List, published pursuant to the OpenAI Data Processing Agreement (DPA), identifying third-party entities that may process Customer Data on behalf of OpenAI in connection with its API and enterprise services. The document discloses the identities, locations, and processing activities of sub-processors engaged by OpenAI, fulfilling a transparency obligation commonly required under data processing agreements and applicable to business customers and API users operating under the DPA. The list is operationally significant for enterprise customers conducting vendor due diligence because it identifies the infrastructure and service providers through which Customer Data flows, including cloud infrastructure, analytics, and support tooling providers; the specific sub-processors named, their countries of operation, and their stated processing activities are the primary compliance reference points for downstream data mapping and transfer assessments. This document engages GDPR Article 28 obligations (which require controllers to be informed of sub-processor arrangements and permit objection rights), as well as analogous requirements under the UK GDPR and other data protection frameworks applicable to international data transfers; compliance exposure depends on the jurisdiction of the business customer and the nature of Customer Data processed. Enterprise customers subject to GDPR, UK GDPR, CCPA, or sector-specific regulations such as HIPAA should evaluate this list against their own data processing obligations, including cross-border transfer mechanisms, contractual flow-down requirements, and sub-processor change notification procedures.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Get ComplianceMonitoring
OpenAI has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Get ComplianceCross-platform context
See how other platforms handle Country of Operation Disclosure and similar clauses.
Compare across platforms →OpenAI expanded its data sharing terms to include third-party marketing partners. The updated policy authorizes the use of personal data fo…
872 provisions across 8 AI platforms. The terms your AI provider sets become the terms your product operates under.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
The bill does not regulate most AI startups directly. But it changes the companies they depend on. Here is what the first federal AI law wo…
Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.