Skip to main content
OpenAI

Updated: December 1, 2025

OpenAI Data Processing Addendum

Download PDF(opens in a new window)

Effective: January 1, 2026

(View previous data processing addendum)

This OpenAI Data Processing Addendum (“DPA”) supplements, and is incorporated into, the OpenAI Services Agreement (“Agreement”) governing use of the Services and is entered as of the Effective Date between the customer identified above (“Customer”) and OpenAI OpCo, LLC, on its behalf and on behalf of its Affiliates, as appropriate, unless Customer is based within a European Economic Area country or Switzerland, in which case it is entered into with OpenAI Ireland Ltd., on its behalf and on behalf of its Affiliates, as appropriate (“OpenAI”). Capitalized terms not defined in the DPA have the meanings provided in the Agreement. In this DPA, OpenAI and Customer are each referred to as a “Party” and collectively as the “Parties.” Customer represents it is lawfully able to enter into this Agreement and, if it is entering into the Agreement for an entity, that it has legal authority to bind that entity. By clicking “I agree,” accepting the Order Form, or using the Services, Customer agrees to this Agreement.

1. Details.

  • 1.1 Scope and Roles. As part of providing the Services to the Customer under the Agreement, OpenAI may Process Customer Data on behalf of Customer. OpenAI acts as a Data Processor on the Customer’s behalf, and this DPA governs such Processing.
  • 1.2 Details of Processing. OpenAI will only Process Customer Data for the purposes of delivering the Services to Customer pursuant to the Agreement and this DPA. Details regarding the nature, duration, as well as the types of Customer Data and categories of Data Subjects involved, are set out in Schedule 1 (Details of Processing) to this DPA. OpenAI and Customer each agree to comply with their respective obligations under Data Protection Laws in connection with the Services.

2. OpenAI Obligations.

  • 2.1 Customer Instructions. The Parties agree that this DPA, the Agreement (including the Order Form), and any instructions provided via the configuration tools and other tools within the Services made available by OpenAI within the Services, constitute Customer’s documented instructions regarding OpenAI’s processing of Customer Data (“Customer Instructions”). OpenAI will process Customer Data only in accordance with Customer Instructions, unless required to do so by applicable law to which OpenAI is subject, in which case OpenAI will inform Customer of this requirement prior to processing unless legally prohibited from doing so.
  • 2.2 Notices to Customer. OpenAI will promptly inform Customer in writing if, in OpenAI’s opinion, a Customer Instruction violates Data Protection Laws. OpenAI will, to the extent legally permitted, inform Customer if OpenAI receives a legally binding request for disclosure of Customer Data by a law enforcement authority.
  • 2.3 Confidentiality. OpenAI will ensure that all persons authorized by OpenAI to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 2.4 Data Subject Requests. OpenAI will, to the extent legally permitted, inform Customer if OpenAI receives a request to exercise data subject rights pursuant to Data Protection Laws (“Data Subject Request”) in respect of Customer Data.  OpenAI will not respond to any such request without Customer’s prior written authorization, except that Customer authorizes OpenAI to redirect Data Subject Requests as necessary to allow Customer to respond directly. Taking into account the nature of the processing, OpenAI will assist Customer by implementing appropriate technical and organizational measures, in so far as this is possible, to allow Customer to respond to Data Subject Requests.
  • 2.5 Security. OpenAI will implement and maintain reasonable and appropriate organizational and technical security measures to protect Customer Data, as set forth in the Agreement.
  • 2.6 Assistance to Customer. OpenAI will, taking into account the nature of the processing and the information available to OpenAI, provide reasonable assistance to Customer to help Customer comply with its obligations under Data Protection Laws including, where appropriate, the preparation of data protection impact assessments with respect to OpenAI’s processing of Customer Data and, where necessary, the Customer consulting with a supervisory authority with jurisdiction over such processing, if such consultation is required by Data Protection Laws.
  • 2.7 Personal Data Breaches. OpenAI will notify Customer without undue delay after becoming aware of any Personal Data Breach. OpenAI will provide reasonable assistance to Customer to help Customer comply with its obligations under Data Protection Laws in respect of such Personal Data Breach.
  • 2.8 Assessing Compliance. OpenAI will, on Customer’s reasonable written request and to the extent required by Data Protection Laws: (i) no more than once per year, provide Customer with OpenAI’s privacy and security policies and other such information necessary to demonstrate compliance with OpenAI’s obligations under this DPA;  and (ii) provided that the Parties have an appropriate confidentiality agreement in place, allow for and contribute to audits or inspections by, or on behalf of, Customer at Customer’s sole expense.  Such audit or inspection must be: (A) conducted in a manner that is minimally disruptive to OpenAI’s business; (B) necessary to confirm that OpenAI is processing Customer Data in a manner consistent with this DPA; and (C) occur no more than once per year. Where permitted by Data Protection Laws, OpenAI may instead make available to Customer a summary of the Audit Reports relevant to OpenAI’s compliance with this DPA. Such results and documentation, including the results of any audits or inspections, shall be the Confidential Information of OpenAI.
  • 2.9 Engagement of Sub-processors. Customer hereby provides a general authorization to OpenAI to engage the Sub-Processors listed in the Sub-Processor List to process Customer Data in connection with the Services. OpenAI will notify Customer of any changes to the Sub-Processor List via blog post, notification within the Services or other reasonable means, or via email if Customer subscribes to email notifications on the Sub-Processor List site. Customer may object to the use of such additional Sub-processor within 30 days of receiving notice of the change by following the instructions set forth in the Sub-Processor List or by contacting privacy@openai.com. In such case, OpenAI will work with Customer to address its concerns and offer commercially reasonable alternatives or solutions. If none of the alternatives or solutions are commercially feasible, in OpenAI’s reasonable judgment, or if the objections have not been resolved to the satisfaction of the Parties within 30 days of OpenAI’s receipt of Customer’s objection notice, then either Party may terminate the Agreement or any Order Forms or usage regarding the Services that cannot be provided without the use of the new Sub-Processor. In such case, Customer will be refunded any applicable pre-paid fees to the extent they cover periods or terms following the date of such termination.
  • 2.10 Sub-processor obligations. OpenAI shall enter into contractual arrangements with each Sub-Processor that imposes on them obligations comparable to those imposed on OpenAI under this DPA. Subject to the limitations of liability included in the Agreement, OpenAI will remain liable for the acts and omissions of its Sub-Processors to the same extent OpenAI would be liable under this DPA if it performed such acts or omissions itself.
  • 2.11 Data Return or Deletion. Following expiry or termination of the Agreement, OpenAI will, at Customer’s instruction, return or delete Customer Data, and existing copies unless retention of Customer Data is required under applicable laws, in which case OpenAI will isolate and protect it from any further processing except to the extent required by applicable laws.

3. Customer Obligations.

  • 3.1 Notices and authorizations. Customer represents, warrants and covenants that it has provided all necessary notices, and has and shall maintain throughout the Term all necessary rights, consents and authorizations, to the extent required under Data Protection Laws, to provide the Customer Data to OpenAI and to authorize OpenAI to process Customer Data in connection with the Agreement, including this DPA.
  • 3.2 Cooperation. Customer shall reasonably cooperate with OpenAI to assist OpenAI in performing any of its obligations under applicable Data Protection Laws.
  • 3.3 Configurations. Without prejudice to OpenAI’s security obligations in Section 2.5 of this DPA, Customer acknowledges and agrees that it is responsible for certain configurations and design decisions for the Services and for implementing such configurations and design decisions (e.g., retention periods, deletion, etc.) in a manner that complies with applicable Data Protection Laws.

4. International Data Transfers.

  • 4.1 EEA and Swiss Data. Customer Data processed by OpenAI under this DPA may fall within the scope of the Data Protection Laws of the European Economic Area or Switzerland (“EEA and Swiss Data”). Regardless of the OpenAI applicable contracting Party under this DPA, Customer hereby instructs OpenAI Ireland Limited to process any EEA and Swiss Data in compliance with this DPA. To the extent OpenAI Ireland Limited transfers EEA and Swiss Data to other OpenAI Affiliates or third parties outside the European Economic Area or Switzerland to provide the Services, it will do so on the basis of agreements containing SCCs that ensure appropriate safeguards for the protection of Customer Data are in place or an adequacy decision issued by the European Commission under Article 45 GDPR.
  • 4.2 UK Data. Customer Data processed by OpenAI under this DPA may fall within the scope of the Data Protection Laws of the United Kingdom (“UK Data”). Regardless of the OpenAI applicable contracting Party under this DPA, Customer hereby instructs OpenAI OpCo, LLC to process any UK Data in compliance with this DPA and with the SCCs as amended by the UK Addendum, which are deemed entered into (and incorporated into this DPA by this reference) and completed as described in Schedule 1.

5. Further Requirements.

To the extent U.S. Privacy Laws apply:

  • 5.1 OpenAI agrees to (a) not provide Customer with monetary or other valuable consideration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by U.S. Privacy Laws) Customer Data to OpenAI; (b) not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data; (c) to the extent that Customer permits or instructs OpenAI to process Customer Data subject to U.S. Privacy Laws in a de-identified form as part of the Services, OpenAI shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in that form and not attempt to re-identify the information, except as may be permitted by U.S. Privacy Laws; and (iii) before sharing de-identified data with any other party, including Sub-Processors, contractually obligate any such recipients to comply with the requirements of this provision (c)(i)-(iii); and (d) where the Customer Data is subject to the CCPA (i) not retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement, including without limitation as set out in Schedule 1 of this DPA; (ii) not retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between OpenAI and Customer; (iii) not combine any Customer Data with Personal Data that OpenAI receives from or on behalf of any other third party or collects from OpenAI’s own interactions with individuals, provided that OpenAI may so combine Customer Data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA; (iv) notify Customer without undue delay if OpenAI determines that it can no longer meet its obligations under the CCPA; and (v) if Customer reasonably believes that OpenAI’s Processing of Customer Data is not consistent with the requirements of the CCPA and upon Customer’s reasonable notification of the same to OpenAI, the Parties will work together in good faith to remedy the issue, or, if after working together Customer reasonably determines that the issue cannot be remedied, OpenAI will stop Processing the affected Customer Data upon written instruction from Customer.
  • 5.2 Customer agrees to not take any action that would (a) render the provision of Customer Data to OpenAI a “sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render OpenAI not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws.

6. Definitions.

Customer Data” means Personal Data processed by OpenAI on behalf of Customer to provide the Services.

Data Controller” has the meaning assigned to the term “controller” (or another analogous term) under Data Protection Laws.

Data Processor” has the meaning assigned to the term “processor” (or another analogous term) under Data Protection Laws.

Data Protection Laws” means data privacy and data protection laws applicable to OpenAI’s processing of Customer Data in connection with the Services. 

Data Subject” has the meaning assigned to the term “data subject” (or another analogous term) under Data Protection Laws.

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

Personal Data” has the meaning assigned to the term “personal data” or “personal information (or another analogous term) under Data Protection Laws.

Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data stored, transmitted or otherwise processed by OpenAI, its Sub-Processors, or any other third parties acting on OpenAI’s behalf.

Processing” has the meaning assigned to the term “processing” (or another analogous term) under Data Protection Laws.

SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on June 4, 2021 (as may be amended, updated or replaced from time to time).

Sub-Processors” means the sub-processors engaged by OpenAI to process Customer Data in connection with the Services, listed in the Sub-Processor List.

Sub-Processor List” means the list available at the following address https://platform.openai.com/subprocessors(opens in a new window).

UK Addendum” means the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.

U.S. Privacy Laws” means the subset of Data Protection Laws applicable to residents of the United States, including without limitation the California Consumer Privacy Act (“CCPA”).

Schedule 1

Details of Processing

1. Nature and Purpose:

The performance of the Services under the Agreement.

2. Duration:

The Term and such time required thereafter for the Parties to perform their applicable obligations following the end of the Term, including data deletion.

3. Categories of Customer Data:

Customer may submit Personal Data to the Services, the categories of which will depend upon Customer’s use of the Services which is determined and controlled by Customer in its sole discretion, but it may include, but is not limited to names, contact information, demographic information, or any other information provided by Customer’s End Users in unstructured data.

4. Categories of data subjects:

The data subjects may include, but are not limited to Customer’s employees, customers, suppliers and generally End Users.

5. Sensitive data transferred (if applicable):

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data

6. Frequency:

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis depending on Customer’s use of the Services

7. Transfers to Sub-Processors:

As per Article 2.9 of the DPA, Sub-Processors will Process Customer Data as necessary to perform the Services. Such Processing will be for the duration of the Agreement, unless otherwise agreed in writing.

8. SCCs information for the transfer of UK Data under Section 4.2:

  • 8.1 Module Two (Controller to Processor) of the SCCs apply when Customer is a Data Controller and OpenAI is processing Customer Data as a Data Processor. Module Three (Processor to Sub-Processor) of the SCCs apply when Customer is a Data Processor and OpenAI is processing Customer Data as a sub-processor.
  • 8.2 For each module of the SCCs, where applicable, the following applies: (i) The optional docking clause in Clause 7 does not apply; (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 2.9 of the DPA; (iii) In Clause 11, the optional language does not apply; (iv) All square brackets in Clause 13 are hereby removed; (v) In Clause 17 (Option 1), the SCCs will be governed by the laws of England and Wales; (vi) In Clause 18(b), disputes will be resolved before the courts of England and Wales; (vii) This Schedule 1 contains the information required in Annex I and Annex III of the SCCs; (viii) Section 2.5 (Security) of the DPA contains the information required in Annex II of the SCCs, (ix) the competent supervisory authority is the Information Commissioner’s Office (“ICO”).
  • 8.3 Data exporter(s): the Customer under the Agreement; Data importer(s): OpenAI OpCo, LLC, 1455 3rd Street, San Francisco, CA 94158, Data Protection Officer, privacy@openai.com.

Execute Data Processing Agreement(opens in a new window)