// Trust & Security Report

    OpenAI, Inc. logo

    OpenAI, Inc.

    DALL-E 3 is OpenAI's state-of-the-art image generation model. Available via API, ChatGPT Plus, ChatGPT Enterprise, and ChatGPT Edu. Part of OpenAI's broader AI platform alongside GPT models and other services.

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    OpenAI's most recent SOC 2 Report covers the period of January 1, 2025 to June 30, 2025 and is now available for viewing on the ChatGPT Business Products and API Trust Portal pages. This report covers controls relevant to the Security, Availability, Confidentiality, and Privacy Trust Services Criteria for the API Platform, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Team.

    Verify on trust.openai.com
    ISO 27001:2022
    HELD

    OpenAI maintains ISO/IEC 27001:2022 certification for the information security management systems supporting the OpenAI API, ChatGPT Enterprise, and ChatGPT Edu services.

    Verify on openai.com
    ISO 27017 (Cloud Data Security)
    HELD

    OpenAI's data protection practices align with ISO/IEC 27017 certification for information security controls specific to cloud services.

    Verify on openai.com
    ISO 27018 (PII Protection in Cloud)
    HELD

    OpenAI maintains ISO/IEC 27018 certification for the protection of personally identifiable information in cloud computing environments.

    Verify on openai.com
    ISO 27701:2019 (Privacy Management)
    HELD

    OpenAI maintains ISO/IEC 27701:2019 certification for privacy information management extending ISO 27001.

    Verify on openai.com
    ISO 42001:2023 (AI Management System)
    HELD

    OpenAI maintains an ISO/IEC 42001:2023 AI Management System certification covering OpenAI's consumer and business AI products and models in its role as an AI producer and AI provider.

    Verify on openai.com
    PCI DSS
    HELD

    OpenAI maintains PCI-DSS compliance for the components of ChatGPT that support delegated payment processing.

    Verify on openai.com
    FedRAMP Moderate
    HELD

    ChatGPT and the API for FedRAMP are versions of ChatGPT Enterprise and the API platform that have achieved Federal Risk and Authorization Management Program (FedRAMP) Moderate accreditation through the FedRAMP 20x program.

    Verify on openai.com
    GDPR Compliance (DPA Available)
    HELD

    OpenAI is able to execute a Data Processing Addendum (DPA) with customers for their use of ChatGPT Business, ChatGPT Enterprise, and the API in support of their compliance with GDPR and other privacy laws.

    Verify on openai.com
    HIPAA Compliance (BAA Available)
    HELD

    OpenAI offers a Business Associate Agreement (BAA) with OpenAI to ChatGPT Enterprise/Edu and API healthcare customers to support their HIPAA compliance requirements. Customers can email baa@openai.com to request a BAA.

    Verify on help.openai.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multiple: EU (EEA + Switzerland), UK, US, Canada, Japan, South Korea, Singapore, India, Australia, UAE. Data residency available for eligible API customers and ChatGPT Enterprise/Edu customers.

    By default, OpenAI does NOT use content submitted by API, ChatGPT Business, or ChatGPT Enterprise customers to improve model performance unless customers have explicitly opted in to share their data. For consumer services (ChatGPT Plus, free tier), OpenAI may use conversations to improve models unless users opt out. Artists can opt-out of having their publicly available work used in DALL-E 3 training via an online form.

    // Security controls

    Encryption in Transit

    Yes - HTTPS/TLS encryption required for all API communication

    developers.openai.com

    Encryption at Rest

    Yes - Industry-standard encryption for stored data

    openai.com

    Access Controls

    Role-based access control (RBAC), API key management, organization-level controls

    openai.com

    Zero Data Retention

    NOT available for DALL-E 3. Zero Data Retention compatible only with gpt-image-1, gpt-image-1.5, and gpt-image-1-mini models. For DALL-E 3, inputs/outputs may be retained for abuse monitoring and service improvement.

    developers.openai.com

    Audit Logging

    Yes - Audit logs available for enterprise customers; abuse monitoring logs with opt-out options

    openai.com

    Data Minimization

    OpenAI shares the minimum amount of content needed with trusted service providers; service providers are subject to strict confidentiality and security obligations

    openai.com

    Customer-Managed Encryption Keys (CMEK)

    Available for enterprise customers as part of data security controls

    openai.com

    // Products & data scope

    DALL-E 3 APIImage Generation API

    data: API customers can opt for data residency in multiple regions (EU, UK, US, Canada, Asia-Pacific). NOT zero-data-retention compatible. By default, customer data is not used for training unless opted in.

    Supports GDPR DPA and HIPAA BAA (for eligible customers). FedRAMP compliance available. Data retention for abuse monitoring and service improvement applies by default.

    DALL-E 3 in ChatGPT Plus/ProConsumer AI Product

    data: Consumer service. OpenAI may use conversations to improve models unless user opts out. Not covered under enterprise certifications.

    Consumer-grade privacy controls. Different data handling from API/business products.

    DALL-E 3 in ChatGPT EnterpriseEnterprise AI Product

    data: Customer data is NOT used for training by default. Data residency available (EU, UK, US, etc.). Enterprise-grade controls available.

    Covered under SOC 2 Type 2, ISO certifications, and FedRAMP. Eligible for HIPAA BAA and GDPR DPA.

    DALL-E 3 in ChatGPT EduEducation AI Product

    data: Designed for educational institutions. Customer data NOT used for training by default.

    Covered under enterprise certifications. Eligible for GDPR DPA and HIPAA BAA for healthcare education.

    // What to watch

    • DALL-E 3 is NOT zero-data-retention compatible, unlike some other OpenAI image models. Prompts and images may be retained for abuse monitoring and service improvement by default, even for business customers.
    • HIPAA BAA eligibility requires prior approval from OpenAI and is not automatically available to all customers. Certain use cases may not pass OpenAI's evaluation.
    • Data residency and inference residency require customers to be approved for abuse monitoring controls and execute a Zero Data Retention amendment for non-US regions.
    • Consumer vs. Enterprise tier distinction is critical: free/Plus tier ChatGPT conversations may be used for training unless opted out; Enterprise/Edu/API customers have no default training use.
    • FedRAMP certification applies to ChatGPT Enterprise and API via the FedRAMP 20x program (Moderate level); not all government use cases may qualify.

    // At a glance

    Pricing model

    Pay-as-you-go API pricing per image generation; subscription tiers for ChatGPT Plus, Pro, Enterprise, Edu

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on OpenAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.openai.com

    > Browse all vendor trust reports