// Trust & Security Report

    OpenAI logo

    OpenAI

    ChatGPT - AI conversational assistant available in multiple tiers: Free/Plus/Pro (consumer), Team/Business (team/organizational), Enterprise (large-scale), Edu (education), Healthcare (HIPAA-compliant), and API Platform (developer). All powered by latest GPT models with options for extended capabilities like voice, file upload, image generation, and code execution.

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    OpenAI's most recent SOC2 Report covers the period of January 1, 2025 to June 30, 2025 and covers controls relevant to Security, Availability, Confidentiality, and Privacy Trust Services Criteria for the API Platform, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Team.

    Verify on openai.com
    ISO 27001:2022
    HELD

    ISO/IEC 27001:2022 for OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu services, with control implementation also conforming to ISO/IEC 27017:2015, ISO/IEC 27018:2019, and ISO/IEC 27701:2019.

    Verify on openai.com
    ISO 27017:2015 (Cloud Security)
    HELD

    Control implementation conforming to ISO/IEC 27017:2015

    Verify on openai.com
    ISO 27018:2019 (PII Protection)
    HELD

    Control implementation conforming to ISO/IEC 27018:2019

    Verify on openai.com
    ISO 27701:2019 (Privacy Management)
    HELD

    Control implementation conforming to ISO/IEC 27701:2019

    Verify on openai.com
    ISO 42001:2023 (AI Management System)
    HELD

    OpenAI maintains an ISO/IEC 42001:2023 AI Management System covering OpenAI's consumer and business AI products and models.

    Verify on openai.com
    PCI-DSS
    HELD

    OpenAI maintains PCI-DSS compliance for the components of ChatGPT that support delegated payment processing.

    Verify on openai.com
    FedRAMP Moderate
    HELD

    OpenAI has achieved FedRAMP 20x Moderate authorization for ChatGPT Enterprise and API Platform.

    Verify on openai.com
    GDPR Compliance
    HELD

    OpenAI supports customers' compliance with privacy laws, including the GDPR, CCPA, HIPAA, and FERPA, and offers a Data Processing Addendum and Business Associate Agreement for customers.

    Verify on openai.com
    HIPAA Compliance
    HELD

    OpenAI is able to sign Business Associate Agreements (BAA) in support of customers' compliance with the Health Insurance Portability and Accountability Act (HIPAA). ChatGPT for Healthcare is a secure workspace designed to support HIPAA compliance.

    Verify on openai.com
    CCPA/CPRA Compliance
    HELD

    OpenAI contractually restricts itself from retaining, using, disclosing, or otherwise processing customer data except as necessary for business purposes specified in the agreement, when the data is subject to the CCPA. OpenAI does not 'sell' or 'share' personal data as those terms are defined by the CCPA.

    Verify on openai.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Available in 10+ regions: Europe, United Kingdom, United States, Canada, Japan, South Korea, Singapore, India, Australia, United Arab Emirates. Data residency can be selected for ChatGPT Enterprise, ChatGPT Edu, and API Platform customers.

    Training policy varies by tier. For Consumer plans (Free, Plus, Pro): Data is used for model improvement by default, but users can opt out via Settings > Data Controls > 'Do not train on my content'. For Business/Team/Enterprise/Edu plans: By default, OpenAI does not use inputs or outputs for training or improving models. ChatGPT for Healthcare explicitly does not train on data.

    // Security controls

    Encryption in Transit

    TLS 1.2 or higher between customer and OpenAI, and between OpenAI and service providers

    openai.com

    Encryption at Rest

    AES-256 for data at rest

    openai.com

    Enterprise Key Management (EKM)

    Customers can bring their own encryption keys for customer content stored at-rest, providing customer-managed encryption

    openai.com

    Data Residency

    Available in Europe, UK, US, Canada, Japan, South Korea, Singapore, India, Australia, UAE. Covers conversations, uploaded files, custom GPTs, and image generation artifacts.

    openai.com

    Access Controls

    Strict access controls to limit who can access customer data

    openai.com

    Audit Logs

    Available for enterprise customers to monitor and track access to workspace data

    openai.com

    Custom Data Retention

    Enterprise customers can configure custom data retention policies

    openai.com

    SOC 2 Type 2 Audit Scope

    Covers Security, Availability, Confidentiality, and Privacy Trust Services Criteria for API Platform, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Team

    trust.openai.com

    // Products & data scope

    ChatGPT Freeconsumer

    data: Personal conversations used for model training by default (opt-out available)

    Entry-level access to ChatGPT with limitations on model access and usage

    ChatGPT Plusconsumer

    data: Personal conversations used for model training by default (opt-out available)

    Monthly subscription ($20/mo) with access to advanced models and features

    ChatGPT Proconsumer

    data: Personal conversations used for model training by default (opt-out available)

    Premium monthly subscription ($200/mo) with highest usage limits and priority access

    ChatGPT Teamteam

    data: Team data NOT used for training by default. No training on workspace data.

    Shared workspace for small teams ($30/person/month) with centralized billing and admin controls

    ChatGPT Businessbusiness

    data: Business data NOT used for training by default. No training on workspace data.

    Organizational workspace with extended session length, custom controls, and admin management. Governed by OpenAI Business Terms.

    ChatGPT Enterpriseenterprise

    data: Enterprise data NOT used for training by default. No training on workspace data.

    Enterprise-grade security with advanced data privacy controls, custom data retention, encryption at rest and in transit, data residency options, audit logs, and unlimited usage

    ChatGPT Edueducation

    data: Educational data NOT used for training. No training on workspace data.

    Designed for educational institutions with data residency support and compliance features. Requires institutional sign-up.

    ChatGPT for Healthcarehealthcare

    data: Healthcare data NOT used for training. HIPAA-compliant secure workspace.

    Specialized version for healthcare organizations with Business Associate Agreement support, HIPAA compliance, data residency, audit logs, and customer-managed encryption keys

    OpenAI API Platformdeveloper

    data: API data NOT used for training by default (enterprise plan). Data residency available for eligible customers.

    Developer API with enterprise compliance, SOC 2 Type 2 coverage, ISO 27001 certification, and FedRAMP authorization

    // What to watch

    • Consumer plans (Free/Plus/Pro) train on user data by default with opt-out required. This is standard for free tiers but represents a privacy difference from paid business/enterprise products.
    • FedRAMP Moderate authorization is recent (March 2025) - may have limited government adoption yet as it's a new fast-track authorization pathway (FedRAMP 20x).
    • Identity verification: ChatGPT is unambiguously OpenAI's official product. All certificates and policies verified from openai.com domain. No conflation risk.

    // At a glance

    Pricing model

    Freemium with tiered subscriptions. Consumer: Free tier, Plus ($20/mo), Pro ($200/mo). Teams/Orgs: Team ($30/person/mo), Business (custom), Enterprise (custom). API: Pay-as-you-go plus enterprise plans.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on OpenAI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.openai.com

    > Browse all vendor trust reports