ChatGPT / OpenAI DPA Explained (2026): What the Data Processing Agreement Covers, How to Sign It, and What It Leaves to You
If you want to run the OpenAI API on anyone's personal data and stay on the right side of GDPR, the Data Processing Addendum is the document that makes it lawful. It is the contract that turns OpenAI into your processor in the legal sense, and it is the first thing a regulator or an enterprise buyer asks to see. This is what it covers, how to put it in place, and the work it quietly leaves on your desk.
This is the contract-level companion to our "Can I use the ChatGPT API and stay GDPR compliant?" overview and the GDPR-compliant setup guide. For how OpenAI stacks up against the other providers, see the "OpenAI vs Anthropic vs Google" comparison.
Why you need a DPA at all
Under Article 28 of the UK and EU GDPR, when someone else processes personal data on your behalf, you need a written contract that binds them to your instructions and sets out their obligations. Send a customer's name or email to the OpenAI API and OpenAI is processing personal data for you. That triggers Article 28, and the DPA is how you satisfy it. Without it, the processing has no lawful contractual basis, and that is the gap a regulator finds first.
How to put the OpenAI DPA in place
The mechanics are quick once you know where to look.
- Sign in to platform.openai.com from a business account. A personal or consumer login will not show you the right settings, and there is no DPA for consumer ChatGPT.
- Open Settings, then your Organization, and find the compliance or data controls area.
- The Data Processing Addendum lives at openai.com/policies/data-processing-addendum. You execute it by entering your legal entity name, the signatory's details, and a contact email.
- OpenAI returns a countersigned PDF. Save it with your compliance records. That PDF is your evidence the Article 28 contract exists.
That is the whole job, and it is free. The thinking happens next, when you actually read what you signed.
What the OpenAI DPA covers: the eight clauses that decide the risk
A DPA is only as good as the clauses inside it. These are the eight to read, and the same checklist applies to any AI vendor:
- Scope and instructions. The DPA must say OpenAI processes only on your documented instructions. Confirm it does.
- Training position. For API data, OpenAI does not train on your inputs and outputs by default. This is the clause that separates the API from the consumer product, and the one most worth checking.
- Retention and deletion. OpenAI's API default is to retain inputs and outputs for a limited window (around 30 days) for abuse monitoring, then delete them. Zero data retention is available, but it is approval-gated, not a self-serve toggle: you request it through the Compliance area or by emailing api-compliance@openai.com, and approval takes a few days.
- Sub-processors. Microsoft Azure provides the primary hosting, with others such as Cloudflare. The DPA should give you advance notice of changes and a right to object. Keep the current list.
- International transfers. The Standard Contractual Clauses are incorporated, and OpenAI is certified under the EU-US Data Privacy Framework.
- Security and certifications. Look for the technical and organisational measures and OpenAI's certifications (SOC 2 and similar).
- Assistance with your duties. The DPA should commit OpenAI to help you with data subject requests, breach notification, and DPIAs.
- Deletion or return at the end. On termination, the DPA should require deletion or return of the data.
CompanyScope keeps a current OpenAI compliance profile with the sub-processor list and DPA terms in one place if you want a second source to check against the version you signed.
One historical point worth knowing, because it confused a lot of teams in 2025: a US court order in the New York Times litigation temporarily required OpenAI to preserve API data that would otherwise have been deleted. That preservation order was wound down in late September 2025, so the standard retention and deletion position applies again. If your DPIA still references the litigation hold as a live risk, update it.
The filled-out version. The £15 OpenAI Data Processing Pack takes everything above off a blank page: an Article 28 review checklist, a controller-to-processor DPA template with OpenAI named as a sub-processor, an LLM DPIA-lite pre-filled with the current facts, a legitimate-interests assessment, and a ready-to-paste privacy-notice paragraph.
What the DPA does not do
Here is the part that catches people. The DPA is OpenAI's half of the deal. It says nothing about your half, and your half is where most of the compliance work actually sits. Signing the DPA does not give you:
- A DPIA. You assess the risk of your processing before you go live. Our DPIA guide for AI systems covers the structure.
- Data minimisation. Sending an entire customer record when the model needs a fragment is your failure, not OpenAI's. Build minimisation into the prompt.
- A privacy notice that tells people you use an AI processor, what it does, and where the data goes.
- A lawful basis for the processing, usually legitimate interest or contract.
- An automated-decision check. If an output drives a significant decision about a person by solely automated means, the Article 22A to 22D safeguards apply.
- The transfer record in your records of processing.
The DPA lowers the starting difficulty. It does not finish the job.
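The data-minimisation point above is the one controller duty that lives in code rather than paperwork, so here is an added, runnable illustration of it. It is not OpenAI's code and not part of the original article; the customer record, the per-purpose field profiles, the key and the function names are all constructed for the example. The idea is that the prompt builder only ever sees an allow-listed projection of the record, free-text fields are scrubbed for identifiers that leak into them, the customer id is replaced by a keyed pseudonym you can join back locally, and a final gate refuses to build the request if a direct identifier is still present.

```python
# Added example: prompt-side data minimisation before an LLM API call.
# Not OpenAI's code. The sample record, field profiles, key and names below
# are constructed for illustration only.
from __future__ import annotations

import hashlib
import hmac
import json
import re

# Constructed sample: the full CRM row you should NOT send wholesale.
SAMPLE_CUSTOMER = {
    "customer_id": "C-1029",
    "full_name": "Jane Example",
    "email": "jane@example.com",
    "phone": "+44 7700 900123",
    "date_of_birth": "1988-04-02",
    "postal_address": "1 Example Street, London",
    "plan": "pro",
    "open_ticket": "Invoice shows two charges for May; contact me at jane@example.com.",
}

# Hypothetical per-purpose allow-lists: each task names only the fields it needs.
PURPOSE_FIELDS = {
    "ticket_summary": {"plan", "open_ticket"},
    "renewal_offer": {"plan"},
}

# Keys that must never reach the processor for these purposes.
DIRECT_IDENTIFIER_KEYS = {"full_name", "email", "phone", "date_of_birth", "postal_address"}

_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_PHONE_RE = re.compile(r"\+?\d[\d \-()]{7,}\d")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, stable pseudonym: lets you join the model's reply back to the
    customer record locally without the processor learning the real id."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return "subj_" + digest[:12]


def scrub_free_text(text: str) -> str:
    """Redact identifiers that leak into free-text fields such as ticket bodies."""
    text = _EMAIL_RE.sub("[email]", text)
    text = _PHONE_RE.sub("[phone]", text)
    return text


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields the purpose allows, scrub free text, replace the id."""
    try:
        allowed = PURPOSE_FIELDS[purpose]
    except KeyError:
        raise ValueError(f"no minimisation profile for purpose {purpose!r}") from None
    payload = {
        k: scrub_free_text(v) if isinstance(v, str) else v
        for k, v in record.items()
        if k in allowed
    }
    payload["subject_ref"] = pseudonymise(record["customer_id"], key)
    return payload


def leaked_identifiers(payload: dict) -> list[str]:
    """Final gate before the network call: report forbidden keys or patterns."""
    problems = [k for k in payload if k in DIRECT_IDENTIFIER_KEYS]
    for k, v in payload.items():
        if k == "subject_ref" or not isinstance(v, str):
            continue
        if _EMAIL_RE.search(v):
            problems.append(f"{k}:email-pattern")
        if _PHONE_RE.search(v):
            problems.append(f"{k}:phone-pattern")
    return problems


def build_messages(record: dict, purpose: str, key: bytes) -> list[dict]:
    """Chat-style messages: the task in the system turn, only the minimised
    JSON in the user turn. Refuses to build if the gate finds a leak."""
    payload = minimise(record, purpose, key)
    leaks = leaked_identifiers(payload)
    if leaks:
        raise ValueError(f"refusing to send: {leaks}")
    return [
        {"role": "system", "content": f"Task: {purpose}. Answer using only the JSON supplied."},
        {"role": "user", "content": json.dumps(payload, sort_keys=True)},
    ]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # keep the real key in your secret store
    for message in build_messages(SAMPLE_CUSTOMER, "ticket_summary", key):
        print(message["role"], ":", message["content"])
```

The useful property is that adding a new purpose forces someone to write down which fields it needs, which is exactly the record your DPIA and records of processing want, and the gate turns "we only send what we need" into something that fails loudly in a test rather than quietly in production.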
The bottom line
Executing the OpenAI DPA is a ten-minute task that a lot of teams skip, and skipping it is the cleanest way to be non-compliant while believing you are fine. Sign it from a business account, read the eight clauses, request zero retention if your data warrants it, record your sub-processors and transfers, and then do the controller work the DPA leaves to you. That combination is what turns "we use the OpenAI API" into something you can actually evidence.
Michael K. Onyekwere is a CIPP/E certified data protection professional and the founder of Janus Compliance. For a real answer on your DPA, transfers, retention, and DPIA, start with a £500 scoping review.
Current as at 26 June 2026. This is educational, not legal advice. Provider terms change; verify OpenAI's current DPA, retention, sub-processors, and certifications before you rely on them. See also: Can I use the ChatGPT API and stay GDPR compliant, the GDPR-compliant setup guide, OpenAI vs Anthropic vs Google.
Frequently Asked Questions
Where do I sign the OpenAI DPA?
Sign in to platform.openai.com from a business account, not a personal one. Open Settings, then your Organization, then the Compliance or Data Controls area. The Data Processing Addendum is published at openai.com/policies/data-processing-addendum, and you execute it by entering your entity name, signatory, and contact email. OpenAI returns a countersigned PDF. If you only see consumer settings, you are in the wrong account: there is no DPA for consumer ChatGPT.
Does the OpenAI DPA stop OpenAI training on my data?
On the API, OpenAI does not use your inputs and outputs to train its models by default, and the DPA and API terms reflect that. This is the opposite of the consumer ChatGPT product, where conversations can be used for training unless you turn it off. The DPA confirms the no-training position for API data in writing, which is exactly what a regulator or a procurement reviewer will want to see.
Does the OpenAI DPA cover international data transfers?
Yes. The DPA incorporates the Standard Contractual Clauses for transfers out of the EEA and UK, and OpenAI is certified under the EU-US Data Privacy Framework. Together those give you a valid transfer mechanism. You still have to record the transfer in your records of processing activities; the DPA provides the mechanism, and keeping the record is still your job.
Is the OpenAI DPA enough to be GDPR compliant?
No. The DPA is your Article 28 processor contract, and it covers OpenAI's side of the relationship. It does not do your side. You remain the controller, which means the DPIA, data minimisation in your prompts, the privacy notice, the lawful basis, the automated-decision check, and the transfer record are all still yours regardless of how good the DPA is.
Who are OpenAI's sub-processors?
OpenAI uses sub-processors to run the service, with Microsoft Azure as the primary hosting infrastructure and others such as Cloudflare. The current list is referenced in the DPA and on OpenAI's sub-processor page. Check it when you sign, note that the DPA gives you advance notice of changes and a right to object, and keep a copy of the list with your records.
Done-for-you templates
ChatGPT / OpenAI API — Data Processing Pack (£15)
You have read the guide. This is the filled-out paperwork: the DPA, the DPIA, the privacy-notice wording, and the records, drafted by a CIPP/E practitioner so you can evidence it instead of starting from a blank page.
- An Article 28 DPA review checklist, plus a controller-to-processor DPA template with OpenAI as a named sub-processor
- An LLM-API DPIA-lite, pre-filled with the current OpenAI facts
- A Legitimate Interest Assessment mini-template and a ready-to-paste privacy-notice paragraph
- A configuration and go-live checklist plus a Records of Processing entry
- Current as at June 2026: the 30-day retention default, approval-gated zero-retention, the DPF and SCCs transfer position, and the litigation-hold status
Start with a £500 scoping review
If you need GDPR documentation, AI Act work, or a compliant AI build, the first step is a written scoping review. You get a real report, not a generic discovery call.