The sub-processor list applies specifically to Customer Data processed under the OpenAI Data Processing Agreement, meaning it governs API and enterprise service contexts rather than consumer-facing products such as ChatGPT for individual users.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This scoping provision establishes that the sub-processor disclosure applies to business customers operating under the DPA and does not extend to personal data processed in the context of OpenAI's consumer products. Enterprise compliance teams should confirm that their use case falls within the DPA scope before relying on this list for their data protection assessments.
Under this clause, the sub-processor list and associated transparency obligations apply only to Customer Data submitted through API and enterprise services governed by the OpenAI DPA. Individual consumer users of ChatGPT and other consumer-facing products are not the intended audience of this document and should refer to OpenAI's consumer privacy policy for information about third-party data processing in that context.
Cross-platform context
See how other platforms handle Scope Limited to Customer Data Under the DPA and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"sub-processors that may process Customer Data under the OpenAI Data Processing Agreement— Excerpt from OpenAI's OpenAI Sub-Processor List
1) REGULATORY LANDSCAPE: The DPA-scoped framing engages GDPR Article 28, which applies specifically to processor-controller relationships in business-to-business contexts. Consumer data processing under OpenAI's consumer terms of service is governed by a separate legal basis and privacy policy framework. The distinction between processor and controller roles is material to determining which regulatory obligations apply to each processing context. 2) GOVERNANCE EXPOSURE: Low. The scoping language clarifies the document's applicability and reduces ambiguity about which user populations and data types are covered. However, organizations that use both API and consumer-facing OpenAI products should ensure they have assessed sub-processor arrangements under both frameworks separately. 3) JURISDICTION FLAGS: EU and UK customers should confirm that their specific OpenAI product and contractual arrangement falls within the DPA scope before treating this list as their authoritative sub-processor disclosure. Organizations using OpenAI through third-party resellers or platform integrations should verify whether the DPA and this list apply to their specific data processing chain. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that executed OpenAI DPAs specifically incorporate this sub-processor list by reference or provide a mechanism for accessing the current list. The DPA itself should specify how sub-processor changes are communicated and what objection rights apply. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should document whether their OpenAI use case is covered by the DPA and therefore this sub-processor list, or whether it falls under a different contractual and privacy framework. This determination affects which data protection impact assessments, transfer mechanism reviews, and vendor risk assessments are applicable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This scoping provision establishes that the sub-processor disclosure applies to business customers operating under the DPA and does not extend to personal data processed in the context of OpenAI's consumer products. Enterprise compliance teams should confirm that their use case falls within the DPA scope before relying on this list for their data protection assessments.
Under this clause, the sub-processor list and associated transparency obligations apply only to Customer Data submitted through API and enterprise services governed by the OpenAI DPA. Individual consumer users of ChatGPT and other consumer-facing products are not the intended audience of this document and should refer to OpenAI's consumer privacy policy for information about third-party data processing in that context.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.