When a compliance team asks "is ChatGPT GDPR-compliant?" the honest answer starts with two URLs: trust.openai.com and openai.com/enterprise-privacy. Together they contain the certifications, data processing terms, and privacy commitments that determine whether your organization can deploy ChatGPT legally. This guide walks through what each page actually covers and what that means for your compliance posture.
TL;DR: trust.openai.com hosts SOC 2 Type 2, ISO 27001/27017/27018/27701, ISO 42001:2023, and CSA STAR Level 1, but only for Enterprise/Business and API tiers. openai.com/enterprise-privacy covers the no-training commitment, DPA availability, EU data residency, and zero data retention options. The no-training guarantee is a policy for Team and API, a contract for Enterprise only. GDPR teams need a signed DPA before processing EU personal data.
What trust.openai.com is
trust.openai.com is OpenAI's compliance portal, built on SafeBase. It is the single place to download or request OpenAI's security and compliance documentation, including the SOC 2 Type 2 report, ISO certificates, and compliance FAQs.
The portal is gated: some documents (like the full SOC 2 report) require signing an NDA and submitting a request. Others, such as the ISO certificate summaries and the compliance FAQ, are publicly accessible.
What trust.openai.com contains:
- SOC 2 Type 2 report (available on request with NDA)
- ISO 27001 (information security management)
- ISO 27017 (cloud security controls)
- ISO 27018 (protection of PII in the cloud)
- ISO 27701 (privacy information management)
- ISO 42001:2023 (AI management systems)
- CSA STAR Level 1 (cloud security self-assessment)
- PCI-DSS compliance documentation (applies to payment processing components only)
- Penetration test summary
- Privacy and security FAQ
Critical scope limitation: These certifications apply to ChatGPT Enterprise, ChatGPT Business, and the OpenAI API Platform. They do not apply to ChatGPT Free or ChatGPT Plus. If employees in your organization are using personal ChatGPT Free accounts for work, the trust portal documentation is irrelevant to those sessions.
Certifications by product tier
Before relying on any OpenAI compliance documentation, confirm which product tier you are procuring. The table below maps key compliance features to each tier:
| Tier | No training | DPA | Audit logs | Data retention control | EU residency | SOC 2 / ISO |
|---|---|---|---|---|---|---|
| Free/Plus | No | No | No | No | No | No |
| Team | Yes (policy) | Yes | No | No | No | Yes |
| Enterprise | Yes (contract) | Yes (negotiated) | Yes (Compliance API) | Yes (90-day minimum) | Yes (opt-in) | Yes |
| API Platform | Yes (policy) | Yes (on request) | No | ZDR on select endpoints | Yes (opt-in) | Yes |
The most important distinction: for Team and API, the no-training commitment is a policy commitment. OpenAI states it will not train on your data, but this is not a separately negotiated contractual obligation with specific remedies. For Enterprise, the no-training commitment is a contractual obligation in the Master Service Agreement. For organizations in regulated industries or processing sensitive data, the contractual version provides meaningfully stronger protection.
The no-training commitment: what it covers
OpenAI's enterprise-privacy page states that data submitted through the API, ChatGPT Team, and ChatGPT Enterprise is not used to train OpenAI models by default. "By default" is important here: for consumer ChatGPT accounts, training opt-out requires an explicit setting change in account preferences. Enterprise tiers have it off by default.
What "no training" means:
- Your inputs (prompts) and outputs (completions) are not used to train, fine-tune, or improve OpenAI's base models
- This includes fine-tuning and RLHF training pipelines
- Safety monitoring may still occur: OpenAI retains the right to review content for abuse or safety violations, which is distinct from training
What "no training" does not mean:
- That OpenAI retains no data at all (see the data retention section below)
- That OpenAI cannot access your content under any circumstances (the retention window allows limited safety review)
- That your fine-tuned models are protected from use by other customers (fine-tuned models are logically isolated per customer, but the base model weights are shared)
For teams handling confidential business information, client data, or regulated data categories, the contractual version available through Enterprise is the appropriate path. The policy-level commitment for Team and API is sufficient for many use cases but does not provide the same legal standing in the event of a dispute.
DPA mechanics: satisfying GDPR Article 28
GDPR Article 28 requires a written data processing agreement between a controller (your organization) and a processor (OpenAI, when processing your users' personal data). Without a signed DPA, deploying ChatGPT or the API in contexts that involve EU personal data is a GDPR violation regardless of OpenAI's underlying practices.
How to get the DPA:
- Team plan: A DPA is included in the Team plan terms. Verify at openai.com/policies that you have accepted the current version.
- API Platform: Request through OpenAI's privacy portal at openai.com/policies. The DPA is available for organizations using the API commercially.
- Enterprise: The DPA is negotiated as part of the Enterprise contract. Enterprise customers can request specific amendments, additional clauses, or jurisdiction-specific addenda.
What the DPA covers:
- Defines OpenAI as a data processor acting on your instructions
- Specifies data retention and deletion obligations
- Covers sub-processor disclosures (OpenAI uses Microsoft Azure as a sub-processor for infrastructure)
- Includes standard contractual clauses (SCCs) for international data transfers from the EU
- Addresses data subject rights requests (your obligation to respond, OpenAI's obligation to assist)
OpenAI updated its DPA terms in early 2026. For current terms, check openai.com/policies directly before relying on any summaries, including this one.
EU data residency: what it actually means
OpenAI launched EU data residency in February 2025. In January 2026, it expanded to include in-region GPU inference, which means model processing (not just storage) happens on infrastructure within the EU.
What EU data residency means in practice:
- Your prompts and completions are processed on EU-based Azure infrastructure
- Data does not flow outside the EU for inference during active sessions
- Audit logs and account management data may still be processed on US infrastructure
- Sub-processor infrastructure is Microsoft Azure EU regions
What it does not mean:
- OpenAI's headquarters and legal entity remain in the US; cross-border data flows still occur for some operational purposes
- EU data residency does not by itself satisfy all GDPR obligations; you still need a DPA and must conduct a legitimate-interest or consent analysis for your specific use case
- Not all models or features are available in the EU residency configuration
EU data residency is available for ChatGPT Enterprise and eligible API configurations. It is not available for Team or consumer tiers. To enable it, raise it during Enterprise procurement or contact OpenAI's API sales team.
Zero data retention: who qualifies
Standard OpenAI API calls retain input and output data for up to 30 days. This retention window supports OpenAI's abuse monitoring and trust-and-safety operations, after which the data is deleted.
Zero data retention (ZDR) eliminates this window: once a response is returned, no copy is retained by OpenAI. This is relevant for organizations processing:
- Attorney-client privileged communications
- Medical information that cannot be retained by third parties
- Financial data subject to strict retention controls
- Regulated government or defense information
ZDR is available for select API endpoints in qualifying enterprise contexts. It is not available for ChatGPT Team or Enterprise in the conversational product; it applies to the API only. To check eligibility, review the current criteria at platform.openai.com or work with OpenAI's enterprise sales team during procurement.
What trust.openai.com does NOT cover
Several significant limitations are worth flagging explicitly:
Consumer tiers. If employees are using personal ChatGPT Free or Plus accounts for work, even occasionally, nothing on trust.openai.com protects that data. BYOD and shadow AI policies need to address this explicitly. A compliance program built on ChatGPT Enterprise means nothing if the same employees can access ChatGPT Free on their phones.
Marketing and product analytics. OpenAI's main privacy policy, separate from the enterprise DPA, covers data collected through account management, marketing, and product improvement purposes. The DPA covers data processing on your behalf; the privacy policy covers data OpenAI collects about you as a customer. Both apply simultaneously and should both be reviewed.
Plugin and third-party integrations. ChatGPT's plugin ecosystem and GPT Store integrations involve third-party sub-processors not covered by OpenAI's core DPA. Each integration creates a separate data flow that requires its own compliance review.
OpenAI's own fine-tuning jobs. If your organization uses OpenAI's fine-tuning API to train custom models on proprietary data, that training data is subject to its own retention and use terms, which are distinct from the inference DPA.
Compliance checklist before deploying ChatGPT Enterprise or API
- Confirm the product tier you are procuring matches the compliance coverage you need (Team vs Enterprise vs API)
- Obtain and sign the DPA before processing any EU personal data; do not go live without it
- Verify the no-training commitment: policy (Team/API) or contractual (Enterprise)
- Confirm whether EU data residency is required and enable it during procurement if so
- Check whether your use case qualifies for zero data retention (API only, select endpoints)
- Document sub-processors: Microsoft Azure is OpenAI's primary infrastructure sub-processor
- Review OpenAI's privacy policy (openai.com/policies) separately from the DPA; both apply
- Establish a shadow AI control: prevent employees from using personal ChatGPT Free/Plus for work data
- Download or request the SOC 2 Type 2 report from trust.openai.com for your vendor security review
- Set a calendar reminder to re-review DPA terms annually or when OpenAI publishes updates
For a comparison of OpenAI's approach with Anthropic, Google, and Azure OpenAI on no-training commitments and DPA availability, see the privacy-first AI APIs comparison. For a direct head-to-head on GDPR compliance between Anthropic and OpenAI, see Anthropic vs OpenAI GDPR compliance.
For teams managing multiple AI vendor relationships, the AI vendor DPA tracker provides a framework for tracking DPA status, renewal dates, and sub-processor lists across vendors.
Related Reading
- ChatGPT Team vs Enterprise: compliance comparison for 2026
- Privacy-First AI APIs: Which Don't Train on Your Data (GDPR & CCPA, 2026)
- GDPR-Compliant AI Assistants: Comparison for 2026
- AI Vendor DPA Tracker 2026
- Anthropic vs OpenAI GDPR Compliance 2026
- AI Data Privacy for Small Teams: GDPR and CCPA Guide
