6 Total
0 High severity
5 Medium severity
1 Low severity
Summary

This is OpenAI's publicly published list of sub-processors, meaning the third-party companies that may handle Customer Data when businesses use OpenAI's API and enterprise products under the OpenAI Data Processing Agreement. The list identifies each sub-processor's name, country of operation, and the specific processing activity they perform, such as cloud infrastructure hosting, customer support tooling, or analytics. Business customers using OpenAI's API services can use this list to assess their own data flow obligations, including whether cross-border data transfers require additional safeguards under applicable law.

Technical / Legal Breakdown

This document is OpenAI's Sub-processor List, published pursuant to the OpenAI Data Processing Agreement (DPA), identifying third-party entities that may process Customer Data on behalf of OpenAI in connection with its API and enterprise services. The document discloses the identities, locations, and processing activities of sub-processors engaged by OpenAI, fulfilling a transparency obligation commonly required under data processing agreements and applicable to business customers and API users operating under the DPA. The list is operationally significant for enterprise customers conducting vendor due diligence because it identifies the infrastructure and service providers through which Customer Data flows, including cloud infrastructure, analytics, and support tooling providers; the specific sub-processors named, their countries of operation, and their stated processing activities are the primary compliance reference points for downstream data mapping and transfer assessments. This document engages GDPR Article 28 obligations (which require controllers to be informed of sub-processor arrangements and permit objection rights), as well as analogous requirements under the UK GDPR and other data protection frameworks applicable to international data transfers; compliance exposure depends on the jurisdiction of the business customer and the nature of Customer Data processed. Enterprise customers subject to GDPR, UK GDPR, CCPA, or sector-specific regulations such as HIPAA should evaluate this list against their own data processing obligations, including cross-border transfer mechanisms, contractual flow-down requirements, and sub-processor change notification procedures.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Get Compliance
Medium — 5 provisions
Low — 1 provision

Monitoring

OpenAI has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Get Compliance

Cross-platform context

See how other platforms handle Country of Operation Disclosure and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

BIPA
Illinois, USA
View official text ↗
CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗

Related Analysis

Privacy · May 3, 2026
OpenAI Privacy Policy Update May 2026: New Terms Authorize Advertiser Data Sharing

OpenAI expanded its data sharing terms to include third-party marketing partners. The updated policy authorizes the use of personal data fo…

Dependency Governance · June 11, 2026
AI Dependency Governance: How API Terms Govern Every App Built on OpenAI, Anthropic, and Google

872 provisions across 8 AI platforms. The terms your AI provider sets become the terms your product operates under.

Platform Analysis · June 12, 2026
OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.

Regulatory Analysis · June 28, 2026
The Great American AI Act, Explained: What the First Federal AI Law Would Require

The bill does not regulate most AI startups directly. But it changes the companies they depend on. Here is what the first federal AI law wo…

Archival ProvenanceSource & Archival Record
Last Captured July 6, 2026 22:43 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000928
Version ID CA-V-004526
SHA-256 a031cf75d704b4e3de0cedb3ff0a622f189068f774fcde7f6f76c2a0b6251ac3
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans