TL;DR: Enterprise AI privacy documentation is scattered across vendor trust portals, legal policy pages, and help centers. This page collects the verified direct URLs for OpenAI, Anthropic, Google, and Microsoft — organized by what each URL covers so you can cite the right source in your vendor assessments, DPA reviews, and GDPR Article 28 analysis.
Every major AI vendor has published enterprise privacy documentation, but finding the right page — the one with the actual DPA, the actual training data commitments, the actual sub-processor list — requires knowing where to look. These pages move, get renamed, and multiply into help articles, blog posts, and landing pages that say the same thing in different ways.
This is the reference your legal and compliance team needs. Bookmark it, share it, update it when vendors change their URLs.
OpenAI
Core enterprise privacy pages
Enterprise privacy overview
openai.com/enterprise-privacy
The main landing page for ChatGPT Enterprise, ChatGPT Business, and API data commitments. Covers: no training on customer data (for enterprise/API tiers), data retention periods, encryption, access controls, and sub-processor disclosure.
Data Processing Addendum (DPA)
openai.com/policies/data-processing-addendum/
The GDPR Article 28 processor addendum. Covers standard contractual clauses (SCCs), data subject rights procedures, and breach notification obligations. Required reading if you need to sign a DPA with OpenAI.
Trust portal
trust.openai.com
Certifications (ISO 27001, SOC 2 Type II), penetration test summaries, security overview, and compliance documentation. Use this when your InfoSec team needs vendor security evidence.
Security and privacy overview
openai.com/security-and-privacy/
High-level summary of security practices, compliance certifications, and privacy commitments. Less technical than the trust portal — useful for executive summaries.
Business data commitments
openai.com/business-data/
Specific to API and enterprise tiers: confirms no training on business inputs/outputs, 30-day retention for abuse monitoring (API), and zero retention for enterprise plans by agreement.
Privacy center
privacy.openai.com
Consumer-facing privacy rights portal. Useful for handling data subject access requests (DSARs) from employees who use ChatGPT personal accounts.
Policies index
openai.com/policies/
Master index of all OpenAI policies including terms of service, usage policies, and privacy notices by region.
Key commitments (as of June 2026)
- ChatGPT Enterprise, ChatGPT Business, API platform: inputs and outputs not used for training
- API: 30-day retention for abuse monitoring, then deleted
- Enterprise: zero retention by agreement available
- GDPR: DPA with SCCs available; processes under customer instructions
- ISO 27001, ISO 27701, SOC 2 Type II certified
Anthropic
Core enterprise privacy pages
Trust center
trust.anthropic.com
Anthropic's primary compliance resource. Certifications, sub-processor list, security reports, and compliance questionnaire responses. Start here for vendor risk assessment.
Privacy center
privacy.anthropic.com
Legal-facing privacy documentation including DPA details, data subject rights, and policy updates.
DPA acceptance (commercial customers)
privacy.anthropic.com/en/articles/7996862-i-am-a-commercial-customer-how-do-i-view-your-data-processing-addendum-dpa
Explains that Anthropic's DPA with Standard Contractual Clauses is automatically incorporated when you accept their Commercial Terms of Service. No separate signature required for most tiers.
Zero data retention (API)
support.anthropic.com/en/articles/8956058-i-have-a-zero-retention-agreement-with-anthropic-what-products-does-it-apply-to
Details on zero-retention agreements: which products qualify, what "zero retention" means technically, and how to request it.
Privacy and legal collection
support.anthropic.com/en/collections/4078534-privacy-legal
Index of all privacy-related support articles: data handling, GDPR rights, third-party sharing, and enterprise-specific questions.
Policy index
anthropic.com/policy
Master index of Anthropic's published policies, commitments, and responsible scaling documentation.
Key commitments (as of June 2026)
- API and Claude for Work tiers: inputs/outputs not used for training
- Zero-retention agreements available for enterprise API customers (by approval)
- DPA with SCCs: automatically included in Commercial Terms
- Trust center: certifications, sub-processors, security FAQ published
Google (Workspace AI and Gemini)
Core enterprise privacy pages
Google Workspace AI Privacy Hub
knowledge.workspace.google.com/admin/generative-ai/generative-ai-in-google-workspace-privacy-hub
The authoritative source for Workspace AI (Gemini in Gmail, Docs, Meet, etc.) data handling. Covers: customer data classification, training data use, admin controls, and regional processing.
Cloud Data Processing Addendum (CDPA)
cloud.google.com/terms/data-processing-addendum/
Governs all Google Cloud services including Gemini API. The CDPA classifies AI prompts as "customer data" and commits Google to processing only under customer instructions.
Workspace DPA
workspace.google.com/terms/09242021/dpa_terms/
Workspace-specific DPA terms. Referenced for GDPR Article 28 compliance for organizations using Workspace AI features.
Gemini API terms
ai.google.dev/gemini-api/terms
Terms governing direct API access to Gemini models. Different from Workspace — read if you are building on the Gemini API directly rather than using it through Workspace apps.
Gemini Enterprise Agent Platform — zero data retention
docs.cloud.google.com/gemini-enterprise-agent-platform/resources/zero-data-retention
Documents zero data retention options for enterprise agent deployments.
Key commitments (as of June 2026)
- Workspace AI prompts: classified as customer data under CDPA, not used for training without permission
- Admin controls: organization admins can disable Gemini AI features, control data sharing
- Certifications: SOC 1/2/3, ISO 27001, ISO 27701, ISO 42001
- GDPR: CDPA includes SCCs, EU Data Boundary commitments
Microsoft (Copilot for Microsoft 365)
Core enterprise privacy pages
Microsoft 365 Copilot privacy documentation
learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
The primary technical privacy documentation for Microsoft 365 Copilot. Covers data flows, retention, access controls, and compliance architecture.
Enterprise data protection overview
learn.microsoft.com/en-us/microsoft-365/copilot/enterprise-data-protection
Explains the enterprise data protection model: Copilot is covered by the Microsoft Data Protection Addendum (DPA) and Product Terms; Microsoft acts as data processor.
Microsoft 365 Copilot Chat privacy
learn.microsoft.com/en-us/copilot/privacy-and-protections
Covers the free/consumer tier Copilot Chat — different from M365 Copilot enterprise. Read both if your team uses both tiers.
Microsoft Trust Center
microsoft.com/trust-center
Certifications (ISO 27001, ISO 42001, HIPAA, FedRAMP, GDPR), compliance reports, and the Microsoft Data Protection Addendum. Use for vendor risk assessments and regulator inquiries.
Microsoft Data Protection Addendum (DPA)
Available through your Microsoft volume licensing agreement or via the Trust Center. The DPA governs how Microsoft processes customer data across M365 services including Copilot.
Key commitments (as of June 2026)
- M365 Copilot prompts and responses: not used to train foundation models
- Honors existing Microsoft 365 data residency, retention, and access controls
- Governed by Microsoft DPA and Product Terms
- Certifications: ISO 27001, ISO 42001, SOC 2, HIPAA BAA available, FedRAMP
Quick-Reference Table
| Vendor | DPA / Data Terms | Trust Portal | Training Opt-Out |
|---|---|---|---|
| OpenAI (Enterprise/API) | openai.com/policies/data-processing-addendum/ | trust.openai.com | Default off for enterprise/API |
| Anthropic | Auto-included in Commercial Terms | trust.anthropic.com | Default off; zero-retention by request |
| Google Workspace | cloud.google.com/terms/data-processing-addendum/ | workspace.google.com privacy hub | Admin-controlled |
| Microsoft M365 Copilot | Via Microsoft DPA (Trust Center) | microsoft.com/trust-center | Default off for enterprise |
What to check in each vendor's DPA
When reviewing these documents for GDPR Article 28 compliance, confirm:
- Processor vs controller designation — the vendor should act as processor, not controller, for your business data
- Sub-processor list — each DPA should link to a current sub-processor list with notification rights
- Data transfer mechanisms — SCCs, adequacy decisions, or BCRs for cross-border transfers
- Breach notification timeline — GDPR requires 72-hour notification; confirm vendor's commitment
- Data subject rights — how the vendor supports DSARs, deletion requests, and objection rights
- Audit rights — your right to audit or receive third-party audit reports
