The one-minute answer: both plans include a GDPR DPA and no training on your data. The compliance gap is what Enterprise adds: custom data retention, SCIM automated deprovisioning, and extended audit logs. If you are not under HIPAA (neither plan includes a BAA), are not processing EU data at scale, and your clients do not request vendor SOC 2 reports, ChatGPT Business is sufficient. Move to Enterprise when you hit the SCIM, audit log, or custom retention wall.
| If you need... | Business (formerly Team) | Enterprise | Neither, use API |
|---|---|---|---|
| GDPR DPA | ✅ | ✅ | ✅ |
| No training on your data | ✅ | ✅ | ✅ |
| HIPAA BAA | ❌ | ❌ | ✅ (qualifying customers) |
| Custom data retention | ❌ | ✅ | ✅ |
| SCIM automated offboarding | ❌ | ✅ | n/a |
| Extended audit logs | ❌ | ✅ | n/a |
| SOC 2 report access | ✅ (self-serve) | ✅ (+ account support) | ✅ |
| Minimum seats | 2 | ~150 (estimated) | 0 |
| Starting price (2026) | $25-30/user/mo | Custom (negotiated) | Consumption-based |
Updated May 2026: OpenAI renamed ChatGPT Team to ChatGPT Business on August 29, 2025. The plan, pricing, and compliance features are unchanged; only the name changed. All references to "ChatGPT Team" in this article apply to ChatGPT Business. Confirmed that the DPA automatically includes GDPR Article 28 coverage. Clarified SOC 2 access. Added a decision framework for teams of 2-20 users.
The compliance gap between ChatGPT Team and Enterprise at a glance:
| Compliance factor | ChatGPT Business (formerly Team, $25-$30/user) | ChatGPT Enterprise |
|---|---|---|
| No training on your data | ✅ Policy commitment | ✅ Contractual commitment |
| GDPR Data Processing Agreement | ✅ Yes (auto-included) | ✅ Yes (with Enterprise terms) |
| SOC 2 Type II report access | ✅ Self-serve via trust.openai.com | ✅ Plus dedicated account access |
| HIPAA Business Associate Agreement | ❌ No | ❌ No (available via ChatGPT for Healthcare or API only) |
| Custom data retention settings | ❌ No | ✅ Yes |
| SSO (SAML) | ✅ Yes | ✅ Yes |
| SCIM automated provisioning | ❌ No | ✅ Yes |
| Extended audit logs | ❌ Basic only | ✅ Yes |
| SLA | ❌ No | ✅ Yes |
Both plans include a GDPR DPA. The difference is what you can produce as evidence when a client, auditor, or regulator asks. Team gives you the policy. Enterprise gives you the proof.
TL;DR: ChatGPT Team (renamed ChatGPT Business in August 2025; $25/month monthly, $20/month annual) and ChatGPT Enterprise both include OpenAI's DPA (GDPR and EU data transfers) and SOC 2 Type II access via trust.openai.com. Both plans now include SAML SSO. Critical correction: neither ChatGPT plan includes a HIPAA BAA; a BAA requires ChatGPT for Healthcare or the OpenAI API. The gap that Enterprise adds over Business: custom data retention, SCIM automated deprovisioning, extended audit logs, and dedicated account support for security reviews. The move-to-Enterprise trigger is SCIM, audit logs, and custom retention, not HIPAA.
This article covers:
- What both plans share (the baseline)
- The full compliance gap, 9 factors compared
- Why the DPA covers both plans (but not equally)
- The SOC 2 question: which plan gives you the audit report
- HIPAA: why Team is not an option for healthcare teams
- Data retention control differences
- SSO and SCIM: what offboarding risk looks like without them
- Decision framework: when to stay on Team vs. move to Enterprise
- Personal ChatGPT.com accounts: the shadow AI problem
Most small teams land on ChatGPT Business, formerly called ChatGPT Team until August 2025 ($30/user/month for monthly billing, minimum 2 users), and assume the privacy protections are roughly equivalent to what Enterprise offers. They are not. The gap is not about training data; both plans exclude your conversations from model training by default. The gap is about what you can prove.
What Both Plans Share
Both ChatGPT Team and ChatGPT Enterprise offer:
- No training on your data: Conversations are not used to train OpenAI's models. This applies to both plans.
- Conversation history controls: Admins can control whether conversation history is retained for users.
- GPT-4o and advanced model access: Both plans include access to OpenAI's current models.
- Custom GPTs: Both allow creating and deploying custom GPTs within the workspace.
- Admin dashboard: Basic user management for both.
The shared "no training" commitment is real and enforceable under OpenAI's usage policies. The distinction is that Team's commitment is backed by usage policy; Enterprise's commitment is backed by a signed legal agreement with specific SLAs, audit rights, and remedies.
The Compliance Gap: What Enterprise Adds
| Compliance Factor | ChatGPT Business (Team) | ChatGPT Enterprise |
|---|---|---|
| No training on data | Yes (policy) | Yes (contractual) |
| Data Processing Agreement (DPA) | Yes | Yes (with Enterprise terms) |
| GDPR DPA for EU data | Yes | Yes |
| SOC 2 Type II report | ✅ Self-serve via trust.openai.com | ✅ Plus dedicated account access |
| HIPAA BAA available | ❌ No | ❌ No (see below) |
| Custom data retention period | No | Yes |
| SSO (SAML) | ✅ Yes | ✅ Yes |
| SCIM provisioning | No | Yes |
| Domain verification | No | Yes |
| Audit logs (admin) | Basic | Extended |
| Dedicated account support | No | Yes |
| SLA | No | Yes |
The DPA: Both Plans Are Covered
OpenAI's Data Processing Agreement covers all paid business products, including ChatGPT Team. The DPA applies automatically; no separate negotiation is needed. It satisfies GDPR Article 28 processor obligations, includes standard contractual clauses for EU data transfers, and discloses OpenAI's sub-processors.
This means ChatGPT Team is a legally defensible choice for GDPR-regulated teams that process EU personal data in prompts: drafting emails about specific customers, analyzing contracts with identified parties, generating responses about named individuals. The legal framework exists for both plans.
What changes at Enterprise is not the DPA itself; it is what you can access and prove on top of it. Enterprise customers can request the SOC 2 Type II audit report under NDA. Team customers cannot. Enterprise contracts include HIPAA BAA availability, custom data retention settings, and extended audit logs. Team contracts do not.
Practical test: the right question is not "do I have a DPA?" (you do on either plan). The question is "what can I produce when a client, auditor, or regulator asks for evidence of my AI vendor controls?"
The SOC 2 Question
When enterprise customers or regulators ask "what security controls does your AI vendor have?" the answer they are looking for is a SOC 2 Type II report, an independent third-party audit of the vendor's security practices over a period of time.
OpenAI's enterprise services are SOC 2 Type II certified. The report is now available via OpenAI's trust portal (trust.openai.com) to all paid plan customers, including ChatGPT Business (formerly Team), under a digital NDA. However, Enterprise customers receive additional dedicated access through their account management relationship, while Business/Team customers must self-serve through the trust portal. If you need to produce the SOC 2 report on demand for a client audit or regulator, verify your current access level at trust.openai.com before assuming it is unavailable.
This is not a hypothetical problem. ISO 27001 audits, SOC 2 audits of software companies, FedRAMP processes, and enterprise customer due diligence requests all commonly ask for vendor SOC 2 reports. If you cannot produce your AI vendor's SOC 2 report, you are operating with a documentation gap that audit-conscious customers will find.
HIPAA: Neither ChatGPT Plan Is an Option
Healthcare organizations cannot use any ChatGPT plan for processing protected health information. Full stop.
HIPAA requires a Business Associate Agreement with any vendor that handles PHI on your behalf. As of 2026, OpenAI does not offer a HIPAA BAA for ChatGPT Team, ChatGPT Business, or ChatGPT Enterprise. A BAA is available only via:
- ChatGPT for Healthcare, a separate product for qualifying clinical organizations (launched January 2026)
- OpenAI API: qualifying API customers can request a BAA via [email protected]
If you are building a healthcare product or your team uses ChatGPT to analyze patient-related information, you cannot use either ChatGPT plan. The path to a BAA-covered OpenAI product is the API or ChatGPT for Healthcare, not a standard ChatGPT plan upgrade.
Data Retention Control
By default, ChatGPT stores conversation history. Both plans allow users to disable conversation history. But custom retention policies ("delete all conversations after 30 days", "retain no conversation data beyond the session") are an Enterprise feature.
For organizations with data minimization obligations (GDPR's Article 5(1)(e), CCPA's data minimization principle, HIPAA's minimum necessary standard), the ability to configure and enforce data retention at the organizational level is a compliance control, not a convenience feature. ChatGPT Team does not provide it.
Identity and Access Management
SSO via SAML is available on both ChatGPT Business and Enterprise. SCIM (automated user provisioning/deprovisioning from your identity provider) is an Enterprise-only feature.
Why does this matter for compliance?
- Offboarding risk: Without SCIM, when an employee leaves, you must manually revoke ChatGPT access. Business now includes SAML SSO, but it lacks automated SCIM deprovisioning; you still need to manually remove users from the ChatGPT workspace when they leave. Automated offboarding via SCIM prevents ex-employees from retaining access.
- Audit trail for access: SSO integration creates a consistent identity trail across your systems. When an auditor asks "who had access to ChatGPT during the period in question," an SSO-integrated deployment gives you a verifiable answer.
- Phishing resistance: SSO with your corporate identity provider is more resistant to credential phishing than individual username/password logins.
For teams of 2-10 people where everyone knows each other, manual offboarding is manageable. For teams of 20+ with any employee turnover, manual access revocation is a compliance risk.
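An added example, not from the original article, of the compensating control a Business-plan admin is left with in the absence of SCIM: reconcile the workspace member export against the HR/IdP roster to find ex-employees who still hold access, and also flag accounts on non-corporate email domains. The CSV columns, sample rows, domain and offboarding SLA are constructed assumptions, not OpenAI's export format.

```python
"""Detect orphaned ChatGPT workspace access when SCIM deprovisioning is unavailable.

Assumed inputs (constructed for this example; real exports will differ):
  - workspace member export: email, role, last_active
  - HR/IdP roster:           email, status, terminated_on (ISO date, blank if active)
"""
import csv
import io
from datetime import date

# Constructed sample workspace export: one leaver (carol) and one personal-domain account (dave).
WORKSPACE_CSV = """email,role,last_active
alice@example.com,member,2026-05-10
bob@example.com,admin,2026-05-11
carol@example.com,member,2026-04-02
dave@gmail.com,member,2026-05-09
erin@example.com,member,2026-05-08
"""

# Constructed sample HR/IdP roster. dave is absent: nobody provisioned that account through the IdP.
ROSTER_CSV = """email,status,terminated_on
alice@example.com,active,
bob@example.com,active,
carol@example.com,terminated,2026-03-31
erin@example.com,active,
"""

CORPORATE_DOMAINS = {"example.com"}  # assumption: the org's verified email domains


def reconcile(workspace_csv, roster_csv, today, corporate_domains=CORPORATE_DOMAINS, sla_days=1):
    """Compare workspace members to the roster and return three finding lists:
    orphaned      - roster says terminated, but the workspace still lists the account
    non_corporate - account email is not on a corporate domain (personal-account risk)
    unknown       - account has no roster entry at all (never provisioned via the IdP)
    """
    members = list(csv.DictReader(io.StringIO(workspace_csv)))
    roster = {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = {"orphaned": [], "non_corporate": [], "unknown": []}
    for m in members:
        email = m["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in corporate_domains:
            findings["non_corporate"].append(email)
        rec = roster.get(email)
        if rec is None:
            findings["unknown"].append(email)
            continue
        if rec["status"].strip().lower() == "terminated":
            days_open = (today - date.fromisoformat(rec["terminated_on"])).days
            findings["orphaned"].append({
                "email": email,
                "role": m["role"],                  # an orphaned admin is the worst case
                "days_since_termination": days_open,
                "breaches_sla": days_open > sla_days,
            })
    return findings


if __name__ == "__main__":
    result = reconcile(WORKSPACE_CSV, ROSTER_CSV, date(2026, 5, 12))
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it from a scheduled job against a fresh export and treat any non-empty finding list as an offboarding ticket; the `breaches_sla` flag is what an auditor will ask about.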
The Decision Framework
Stay on ChatGPT Team if:
- You need a DPA for GDPR compliance (Team includes one)
- You do not have HIPAA obligations
- Your clients or auditors do not ask for vendor SOC 2 reports
- You have 20 or fewer users with low turnover
- Budget is the primary constraint
Move to ChatGPT Enterprise if:
- You process EU personal data in prompts and need custom data retention controls for GDPR Article 5(1)(e) compliance
- Clients, investors, or regulators need dedicated account support for security reviews beyond self-serve SOC 2 access
- You need custom data retention settings (the Team/Business default cannot be overridden at the org level)
- You have employee turnover that makes manual SCIM-less offboarding a compliance risk (Enterprise adds SCIM)
- You need extended audit logs for Annex III or regulated-industry audit purposes
Consider the OpenAI API or ChatGPT for Healthcare if:
- You handle PHI (neither ChatGPT plan includes a HIPAA BAA; the API or ChatGPT for Healthcare is required)
- You need maximum control over data processing terms
Consider the API instead of either plan if:
- You need maximum control over data processing terms
- You want to build custom data handling into your application
- Your team is technical enough to manage API integration
- You need to negotiate custom DPA terms beyond OpenAI's standard Enterprise agreement
The OpenAI API with a separate DPA agreement (available for API customers) may offer more flexibility than either ChatGPT plan for technically sophisticated teams.
What Compliance Evidence Looks Like in Practice
When a client's security team, an ISO 27001 auditor, or a GDPR supervisory authority asks about your AI vendor controls, the specific documents you need differ by sector. Here is what "evidence" means for the four most common contexts:
SaaS company being reviewed by an enterprise customer:
- Customer will ask for your security questionnaire or SIG (Standardized Information Gathering) form
- They want to know your AI vendor's data handling, specifically: is customer data processed by third-party AI, under what DPA, what retention period
- ChatGPT Business (Team): you can cite the DPA and zero-training policy. You can self-serve the SOC 2 report at trust.openai.com for your own use, but may not have dedicated support for customer audit requests.
- ChatGPT Enterprise: you can provide SOC 2 report with dedicated account support, DPA, and custom retention settings as documented evidence.
Financial services team under DORA or FCA AI guidance:
- Regulator wants third-party risk management documentation for any vendor that touches client data
- Required: vendor security assessment, evidence of data processing controls, incident reporting terms
- ChatGPT Team: DPA satisfies processor contract requirement; no SOC 2 for vendor security assessment.
- ChatGPT Enterprise: SOC 2 report available; custom SLAs cover incident reporting requirements.
Healthcare team handling patient data:
- HIPAA requires BAA before AI touches PHI, period
- ChatGPT Team/Business: no BAA available. Using it for PHI is a HIPAA violation.
- ChatGPT Enterprise: no BAA available on the standard Enterprise plan. BAA requires ChatGPT for Healthcare or the OpenAI API.
- Alternative: Azure OpenAI Service with Healthcare HIPAA BAA is the enterprise-grade path many clinical teams use.
Legal team with attorney-client privilege concerns:
- Privileged communications processed by cloud AI present jurisdictional confidentiality risks
- ChatGPT Enterprise's zero-retention policy (available on request) reduces but does not eliminate this risk
- Some law firms use on-premise or private-cloud AI deployments specifically to avoid third-party processing
Sector-Specific Compliance Matrix
| Sector | ChatGPT Team sufficient? | Why / blocker |
|---|---|---|
| SaaS (no sensitive customer data) | Yes, with caveats | DPA covers GDPR; can't share SOC 2 with customers |
| SaaS (enterprise customers with security audits) | No | No SOC 2 access for vendor questionnaires |
| Fintech (non-PHI, non-regulated data) | Yes, with caveats | DPA satisfies; data retention control gap for GDPR minimization |
| Fintech (FCA / DORA regulated) | Borderline | No third-party audit report; incident SLA gap |
| Healthcare (any PHI) | No | No HIPAA BAA on any ChatGPT plan, hard stop (use ChatGPT for Healthcare or OpenAI API) |
| Healthcare (admin only, no PHI) | Yes | DPA covers admin data; verify no PHI enters prompts |
| Legal (non-privileged work product) | Yes | DPA covers; privilege risk is a firm-specific policy decision |
| Legal (privileged communications) | No | No zero-retention guarantee on Team; SOC 2 gap |
| HR (EU employee data) | Yes, with caveats | DPA + training opt-out cover; no audit log for GDPR access requests |
| HR (AI-assisted hiring decisions) | No for either | EU AI Act Annex III, requires conformity assessment regardless of plan |
| Education (FERPA-covered student data) | No | No FERPA agreement available; student data requires specific protections |
EU AI Act: What It Means for ChatGPT Deployers
ChatGPT is a general-purpose AI model (GPAI) under EU AI Act Article 51. OpenAI, as the model provider, bears the transparency and documentation obligations under Article 53. But the organizations that deploy ChatGPT for specific tasks take on deployer obligations under Article 26, and these apply regardless of which plan you use.
How ChatGPT use cases map to EU AI Act risk levels:
| Use case | EU AI Act risk level | Key obligation |
|---|---|---|
| Writing assistance, summarization, internal productivity | Minimal / limited risk | No specific mandate; transparency good practice |
| Customer-facing chatbot | Limited risk | Article 52: must disclose AI to users |
| Hiring and recruitment screening | High risk (Annex III) | DPIA, human oversight, audit logs, conformity assessment |
| Credit scoring or loan decisioning | High risk (Annex III) | DPIA, explainability, human override requirement |
| AI-generated legal documents used for decisions | Limited risk / borderline | Transparency; legal review required |
Article 26 obligations for deployers, regardless of plan:
- Use ChatGPT in accordance with OpenAI's published instructions for use
- Implement measures to ensure human oversight of outputs where required
- Inform individuals when consequential decisions about them involve AI assistance (Article 26(7))
- For Annex III use cases: maintain logs for at least 6 months, conduct a DPIA, assign a named responsible person
Where the plan matters for EU AI Act compliance: ChatGPT Enterprise provides audit logs (required evidence for Annex III deployments) and custom data retention settings (required for GDPR Article 5(1)(e) data minimization). ChatGPT Business (Team) provides neither. For any high-risk AI use case, Team is not a compliant deployment path, not because of OpenAI's training policy, but because of the missing governance controls.
Sub-Processor Disclosure: What Both Plans Include
Under GDPR Article 28(2), you need to know and approve every sub-processor your data reaches. OpenAI's sub-processor list (openai.com/policies/subprocessors) applies to both ChatGPT Team and Enterprise:
OpenAI's primary sub-processors (both plans):
- Microsoft Azure: compute infrastructure, data storage
- Oracle Cloud Infrastructure: some services
- Stripe: billing and payment processing
- Salesforce / Zendesk: customer support tooling
What changes at Enterprise: The contract gives you 30-day advance notice of new sub-processors and a contractual right to object. Team users receive the same sub-processor list via the public disclosure page, but no contractual notice period.
Practical impact: If a new sub-processor is added that processes your prompts in a jurisdiction incompatible with your data policies, Enterprise gives you the contractual window to act. Team gives you the same information, but no remedy beyond terminating the account.
For EU teams with strict data residency requirements, note that OpenAI processes data in the US under Standard Contractual Clauses (SCCs). Azure OpenAI Service (a separate product, not ChatGPT) is the path to EU-only data processing using the same underlying GPT-4 models.
Alternatives to ChatGPT Team and Enterprise
For teams that find neither plan fits, three alternatives are worth comparing:
Anthropic Claude API (with DPA)
- DPA available for API customers (privacy.anthropic.com/dpa)
- Zero-retention mode available on request for enterprise API customers
- No training on customer data by default
- No ChatGPT-equivalent workspace UI, requires building or using a third-party frontend
- SOC 2 Type II: available to enterprise API customers
- HIPAA: BAA available for enterprise API contracts
- Cost: consumption-based; no per-seat minimum
- Best for: technical teams who need DPA and zero-retention without paying for ChatGPT Enterprise seat minimums
Google Workspace AI (Gemini for Workspace)
- Covered under Google Workspace DPA (GDPR Article 28 compliant)
- HIPAA BAA available for Google Workspace Enterprise
- SOC 2 Type II: Google Cloud SOC 2 covers Workspace AI
- SSO and SCIM: yes, via Google identity
- No training on Workspace data by default (since 2023)
- Cost: add-on to existing Workspace plan
- Best for: teams already standardized on Google Workspace who need integrated AI with existing identity management
Microsoft Azure OpenAI Service
- Full enterprise controls: custom data retention, VNet isolation, private endpoints
- HIPAA BAA available under Microsoft's Healthcare data protection agreement
- SOC 2 Type II, ISO 27001, FedRAMP: all available
- Same GPT-4 models as ChatGPT Enterprise, deployed in your Azure tenant
- Cost: consumption-based; no seat minimum
- Best for: healthcare, government, and regulated financial services that need the strongest data isolation guarantees
| Feature | ChatGPT Business | ChatGPT Enterprise | Claude API | Google Workspace AI | Azure OpenAI |
|---|---|---|---|---|---|
| GDPR DPA | ✅ | ✅ | ✅ | ✅ | ✅ |
| SOC 2 access | ✅ (self-serve) | ✅ (+ account support) | ✅ (enterprise) | ✅ | ✅ |
| HIPAA BAA | ❌ | ❌ | ✅ (API customers) | ✅ (Workspace Ent.) | ✅ |
| Zero retention | ❌ | ✅ (on request) | ✅ (on request) | ✅ (Workspace) | ✅ (configurable) |
| SSO (SAML) | ✅ | ✅ | Via API/IdP | ✅ | ✅ |
| SCIM provisioning | ❌ | ✅ | Via API/IdP | ✅ | ✅ |
| Seat minimum | 2 | ~150 (est.) | None | 1+ | None |
| Workspace UI | ✅ | ✅ | ❌ (API only) | ✅ | ❌ (API only) |
One More Thing: ChatGPT.com vs Your Organization's Deployment
This comparison assumes your team is using ChatGPT through an organizational workspace (Team or Enterprise plan). Employees using personal ChatGPT.com accounts, even paid individual accounts, fall outside both frameworks. Personal accounts have different data handling terms and are not covered by any organizational DPA or BAA.
If your employees are using personal ChatGPT accounts for work tasks, you have a shadow AI governance problem regardless of what plan your organization officially subscribes to. See our shadow AI policy guide for small teams for detection methods and a 3-tier classification system. An AI tool register and an acceptable use policy are the first steps.
Use the AI Vendor Scorecard to compare ChatGPT Team and Enterprise against your specific requirements, or run the Compliance Quiz to determine which compliance obligations apply before choosing.
References
- OpenAI Enterprise Privacy: https://openai.com/enterprise-privacy
- ChatGPT Team plan details: https://openai.com/chatgpt/team
- ChatGPT Enterprise plan details: https://openai.com/chatgpt/enterprise
- OpenAI Data Processing Agreement: https://openai.com/policies/data-processing-addendum (covers API, ChatGPT Team, Enterprise, and Edu)
- OpenAI SOC 2 Type II: available to all paid plan customers (including Business/Team) self-serve at trust.openai.com
- OpenAI HIPAA: https://openai.com/security (verify BAA availability with OpenAI sales)
