OpenAI · OpenAI Sub-Processor List · View original document ↗

Sub-processor Disclosure Obligation

Medium severity High confidence Explicitdocumentlanguage Rare · 1 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity OpenAI recorded 14 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The document identifies the third-party entities, referred to as sub-processors, that OpenAI may engage to process Customer Data submitted through its API and enterprise services, together with each sub-processor's country of operation and stated processing activity.

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision fulfills the transparency requirement under GDPR Article 28, which requires processors to make available information about sub-processor arrangements to controllers. Enterprise customers subject to GDPR or equivalent frameworks use this disclosure to satisfy their own vendor oversight and data transfer assessment obligations.

Consumer impact (what this means for users)

The agreement establishes that Customer Data submitted through OpenAI's API and enterprise services may be processed by the named third-party sub-processors in the countries and for the activities listed. Under this disclosure, business customers can identify which entities handle their Customer Data and assess whether applicable data protection obligations require additional contractual or technical safeguards.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Export Your Data
    Review the current sub-processor list at the OpenAI policies page and document the names, countries, and processing activities of all listed sub-processors for inclusion in your organization's data processing records and vendor risk register.

Cross-platform context

See how other platforms handle Sub-processor Disclosure Obligation and similar clauses.

Compare across platforms →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
View OpenAI's current list of sub-processors that may process Customer Data under the OpenAI Data Processing Agreement, including their processing activities.

— Excerpt from OpenAI's OpenAI Sub-Processor List

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28(2) and (3), which require data processors to not engage sub-processors without controller authorization and to impose equivalent data protection obligations on sub-processors. The UK GDPR contains substantially equivalent requirements. The relevant enforcement authorities are EU member state data protection authorities and the UK Information Commissioner's Office. Where the provision's scope of Customer Data processed by sub-processors intersects with health, financial, or educational data, HIPAA, Gramm-Leach-Bliley Act, or FERPA requirements may also engage. 2) GOVERNANCE EXPOSURE: Medium. The provision discloses sub-processor identities and locations, enabling controller-side compliance assessment, but does not itself specify the contractual instruments in place between OpenAI and each sub-processor or the transfer mechanisms applicable to cross-border sub-processing. Customers cannot fully assess transfer risk from this list alone without reference to the DPA and any associated transfer mechanism documentation. 3) JURISDICTION FLAGS: EU and EEA customers face the highest exposure, as GDPR Article 28 requires that controllers approve sub-processors and that transfers to non-adequate third countries be covered by appropriate safeguards. UK customers face equivalent obligations under UK GDPR. US customers in regulated sectors such as healthcare or financial services should assess sub-processor locations against sector-specific data residency or vendor management requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should verify that the OpenAI DPA requires OpenAI to impose GDPR-equivalent obligations on each named sub-processor via binding contracts, and should request or confirm the availability of those contracts or relevant summaries. The list triggers a vendor assessment obligation for customers who maintain third-party risk management programs, requiring each sub-processor to be reviewed against the customer's own vendor risk criteria. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should update their Records of Processing Activities to reflect the sub-processors named in this list. Any sub-processor located in a country without an EU adequacy decision requires identification of the applicable transfer mechanism. Teams should also review the DPA's sub-processor change notification procedure to ensure internal processes are in place to respond to additions or substitutions within the timeframe the DPA permits.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over unfair or deceptive data practices affecting US consumers and businesses, including representations made about data handling arrangements with third-party vendors.
    File a complaint →

Provision details

Document information
Document
OpenAI Sub-Processor List
Entity
OpenAI
Document last updated
July 6, 2026
Tracking information
First tracked
July 6, 2026
Last verified
July 6, 2026
Record ID
CA-P-013419
Document ID
CA-D-00928
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
5136d77bb157f47a70bc7601c3723f123ed38c1ee13c125b18b02e539671b4ed
Analysis generated
July 6, 2026 23:01 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: OpenAI
Document: OpenAI Sub-Processor List
Record ID: CA-P-013419
Captured: 2026-07-06 23:01:36 UTC
SHA-256: 5136d77bb157f47a…
URL: https://conductatlas.com/platform/openai/openai-sub-processor-list/sub-processor-disclosure-obligation/
Accessed: July 7, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's Sub-processor Disclosure Obligation clause do?

This provision fulfills the transparency requirement under GDPR Article 28, which requires processors to make available information about sub-processor arrangements to controllers. Enterprise customers subject to GDPR or equivalent frameworks use this disclosure to satisfy their own vendor oversight and data transfer assessment obligations.

How does this clause affect you?

The agreement establishes that Customer Data submitted through OpenAI's API and enterprise services may be processed by the named third-party sub-processors in the countries and for the activities listed. Under this disclosure, business customers can identify which entities handle their Customer Data and assess whether applicable data protection obligations require additional contractual or technical safeguards.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.