The document identifies the third-party entities, referred to as sub-processors, that OpenAI may engage to process Customer Data submitted through its API and enterprise services, together with each sub-processor's country of operation and stated processing activity.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision fulfills the transparency requirement under GDPR Article 28, which requires processors to make available information about sub-processor arrangements to controllers. Enterprise customers subject to GDPR or equivalent frameworks use this disclosure to satisfy their own vendor oversight and data transfer assessment obligations.
The agreement establishes that Customer Data submitted through OpenAI's API and enterprise services may be processed by the named third-party sub-processors in the countries and for the activities listed. Under this disclosure, business customers can identify which entities handle their Customer Data and assess whether applicable data protection obligations require additional contractual or technical safeguards.
Cross-platform context
See how other platforms handle Sub-processor Disclosure Obligation and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"View OpenAI's current list of sub-processors that may process Customer Data under the OpenAI Data Processing Agreement, including their processing activities.— Excerpt from OpenAI's OpenAI Sub-Processor List
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28(2) and (3), which require data processors to not engage sub-processors without controller authorization and to impose equivalent data protection obligations on sub-processors. The UK GDPR contains substantially equivalent requirements. The relevant enforcement authorities are EU member state data protection authorities and the UK Information Commissioner's Office. Where the provision's scope of Customer Data processed by sub-processors intersects with health, financial, or educational data, HIPAA, Gramm-Leach-Bliley Act, or FERPA requirements may also engage. 2) GOVERNANCE EXPOSURE: Medium. The provision discloses sub-processor identities and locations, enabling controller-side compliance assessment, but does not itself specify the contractual instruments in place between OpenAI and each sub-processor or the transfer mechanisms applicable to cross-border sub-processing. Customers cannot fully assess transfer risk from this list alone without reference to the DPA and any associated transfer mechanism documentation. 3) JURISDICTION FLAGS: EU and EEA customers face the highest exposure, as GDPR Article 28 requires that controllers approve sub-processors and that transfers to non-adequate third countries be covered by appropriate safeguards. UK customers face equivalent obligations under UK GDPR. US customers in regulated sectors such as healthcare or financial services should assess sub-processor locations against sector-specific data residency or vendor management requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should verify that the OpenAI DPA requires OpenAI to impose GDPR-equivalent obligations on each named sub-processor via binding contracts, and should request or confirm the availability of those contracts or relevant summaries. The list triggers a vendor assessment obligation for customers who maintain third-party risk management programs, requiring each sub-processor to be reviewed against the customer's own vendor risk criteria. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should update their Records of Processing Activities to reflect the sub-processors named in this list. Any sub-processor located in a country without an EU adequacy decision requires identification of the applicable transfer mechanism. Teams should also review the DPA's sub-processor change notification procedure to ensure internal processes are in place to respond to additions or substitutions within the timeframe the DPA permits.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision fulfills the transparency requirement under GDPR Article 28, which requires processors to make available information about sub-processor arrangements to controllers. Enterprise customers subject to GDPR or equivalent frameworks use this disclosure to satisfy their own vendor oversight and data transfer assessment obligations.
The agreement establishes that Customer Data submitted through OpenAI's API and enterprise services may be processed by the named third-party sub-processors in the countries and for the activities listed. Under this disclosure, business customers can identify which entities handle their Customer Data and assess whether applicable data protection obligations require additional contractual or technical safeguards.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.