openai.com
OpenAI's Security and Privacy policy outlines comprehensive commitments to protecting customer and user data. The policy demonstrates strong security posture through SOC 2 Type 2 and CSA STAR Level 1 certifications, GDPR and CCPA compliance support, HIPAA compliance options with Business Associate Agreements, regular third-party penetration testing, and an active bug bounty program. The document provides transparency into data protection practices for both business and consumer users, with options for data sharing controls. Overall, the policy reflects industry-standard security practices and regulatory compliance.
Risks to You
Section 8
Why flagged: OpenAI maintains SOC 2 Type 2 compliance for API and business products, demonstrating industry-standard security controls
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
Our API, ChatGPT Enterprise, ChatGPT Business, and ChatGPT Edu products are covered in our SOC 2 Type 2 report
Section 18
Why flagged: CSA STAR Level 1 certification demonstrates commitment to cloud security best practices and transparency
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
ChatGPT business products and the API have been evaluated by the Cloud Security Alliance Security Trust Assurance and Risk (STAR) registry
Section 8
Why flagged: Support for GDPR and CCPA compliance demonstrates commitment to data protection regulations
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
OpenAI supports our customers' compliance with privacy laws, including the GDPR and CCPA
Section 21
Why flagged: HIPAA compliance with Business Associate Agreements available for eligible customers
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
OpenAI business products may support Business Associate Agreements (BAA) for HIPAA compliance
Section 1
Why flagged: Data Processing Addendum available for customers to ensure proper data handling
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
OpenAI offers a Data Processing Addendum for customers
Section 22
Why flagged: Active bug bounty program with safe harbor provisions encourages responsible vulnerability disclosure
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
The program offers safe harbor for good faith security testing and cash rewards for vulnerabilities based on their severity and impact
Section 10
Why flagged: Regular third-party penetration testing identifies security weaknesses before exploitation
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
The OpenAI API and ChatGPT business plans undergo regular third-party penetration testing
Section 1
Why flagged: compliance: N/A
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
SOC 2 Type 2 report covering API, ChatGPT Enterprise, ChatGPT Business, and ChatGPT Edu products
Section 6
Why flagged: data-handling: N/A
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
Customers can learn more about our commitments to securing business data at our Business data privacy page
Section 1
Why flagged: compliance: N/A
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
Supports compliance with privacy laws including GDPR and CCPA
Section 11
Why flagged: security: N/A
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
Regular third-party penetration testing to identify security weaknesses
Section 1
Why flagged: security: N/A
Risk: This clause may materially affect your legal position, remedies, data control, or contractual leverage.
Why important: Understanding this clause helps you evaluate business and compliance risk before relying on the service.
Bug Bounty Program offers safe harbor for good faith security testing and cash rewards for vulnerabilities
Protective Safeguards & Restrictions
No explicit protective or enforcement safeguards were highlighted.
Not Found or Unclear
- Data Sharing
- Data Sale / Monetization
- Retention / Deletion
- Tracking / Cookies
- Children's Data
- International Data Transfers