OpenAI · OpenAI Sub-Processor List · View original document ↗

Scope Limited to Customer Data Under the DPA

Low severity High confidence Explicitdocumentlanguage Unique · 0 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity OpenAI recorded 14 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The sub-processor list applies specifically to Customer Data processed under the OpenAI Data Processing Agreement, meaning it governs API and enterprise service contexts rather than consumer-facing products such as ChatGPT for individual users.

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This scoping provision establishes that the sub-processor disclosure applies to business customers operating under the DPA and does not extend to personal data processed in the context of OpenAI's consumer products. Enterprise compliance teams should confirm that their use case falls within the DPA scope before relying on this list for their data protection assessments.

Consumer impact (what this means for users)

Under this clause, the sub-processor list and associated transparency obligations apply only to Customer Data submitted through API and enterprise services governed by the OpenAI DPA. Individual consumer users of ChatGPT and other consumer-facing products are not the intended audience of this document and should refer to OpenAI's consumer privacy policy for information about third-party data processing in that context.

Cross-platform context

See how other platforms handle Scope Limited to Customer Data Under the DPA and similar clauses.

Compare across platforms →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
sub-processors that may process Customer Data under the OpenAI Data Processing Agreement

— Excerpt from OpenAI's OpenAI Sub-Processor List

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: The DPA-scoped framing engages GDPR Article 28, which applies specifically to processor-controller relationships in business-to-business contexts. Consumer data processing under OpenAI's consumer terms of service is governed by a separate legal basis and privacy policy framework. The distinction between processor and controller roles is material to determining which regulatory obligations apply to each processing context. 2) GOVERNANCE EXPOSURE: Low. The scoping language clarifies the document's applicability and reduces ambiguity about which user populations and data types are covered. However, organizations that use both API and consumer-facing OpenAI products should ensure they have assessed sub-processor arrangements under both frameworks separately. 3) JURISDICTION FLAGS: EU and UK customers should confirm that their specific OpenAI product and contractual arrangement falls within the DPA scope before treating this list as their authoritative sub-processor disclosure. Organizations using OpenAI through third-party resellers or platform integrations should verify whether the DPA and this list apply to their specific data processing chain. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that executed OpenAI DPAs specifically incorporate this sub-processor list by reference or provide a mechanism for accessing the current list. The DPA itself should specify how sub-processor changes are communicated and what objection rights apply. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should document whether their OpenAI use case is covered by the DPA and therefore this sub-processor list, or whether it falls under a different contractual and privacy framework. This determination affects which data protection impact assessments, transfer mechanism reviews, and vendor risk assessments are applicable.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Provision details

Document information
Document
OpenAI Sub-Processor List
Entity
OpenAI
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013420
Document ID
CA-D-00928
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
5136d77bb157f47a70bc7601c3723f123ed38c1ee13c125b18b02e539671b4ed
Analysis generated
July 6, 2026 23:01 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: OpenAI
Document: OpenAI Sub-Processor List
Record ID: CA-P-013420
Captured: 2026-07-06 23:01:36 UTC
SHA-256: 5136d77bb157f47a…
URL: https://conductatlas.com/platform/openai/openai-sub-processor-list/scope-limited-to-customer-data-under-the-dpa/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Low
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's Scope Limited to Customer Data Under the DPA clause do?

This scoping provision establishes that the sub-processor disclosure applies to business customers operating under the DPA and does not extend to personal data processed in the context of OpenAI's consumer products. Enterprise compliance teams should confirm that their use case falls within the DPA scope before relying on this list for their data protection assessments.

How does this clause affect you?

Under this clause, the sub-processor list and associated transparency obligations apply only to Customer Data submitted through API and enterprise services governed by the OpenAI DPA. Individual consumer users of ChatGPT and other consumer-facing products are not the intended audience of this document and should refer to OpenAI's consumer privacy policy for information about third-party data processing in that context.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.