// Trust & Security Report
OpenAI, Inc.
DALL-E 3 is OpenAI's state-of-the-art image generation model. Available via API, ChatGPT Plus, ChatGPT Enterprise, and ChatGPT Edu. Part of OpenAI's broader AI platform alongside GPT models and other services.
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.openai.com“OpenAI's most recent SOC 2 Report covers the period of January 1, 2025 to June 30, 2025 and is now available for viewing on the ChatGPT Business Products and API Trust Portal pages. This report covers controls relevant to the Security, Availability, Confidentiality, and Privacy Trust Services Criteria for the API Platform, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Team.”
Verify on openai.com“OpenAI maintains ISO/IEC 27001:2022 certification for the information security management systems supporting the OpenAI API, ChatGPT Enterprise, and ChatGPT Edu services.”
Verify on openai.com“OpenAI's data protection practices align with ISO/IEC 27017 certification for information security controls specific to cloud services.”
Verify on openai.com“OpenAI maintains ISO/IEC 27018 certification for the protection of personally identifiable information in cloud computing environments.”
Verify on openai.com“OpenAI maintains ISO/IEC 27701:2019 certification for privacy information management extending ISO 27001.”
Verify on openai.com“OpenAI maintains an ISO/IEC 42001:2023 AI Management System certification covering OpenAI's consumer and business AI products and models in its role as an AI producer and AI provider.”
Verify on openai.com“OpenAI maintains PCI-DSS compliance for the components of ChatGPT that support delegated payment processing.”
Verify on openai.com“ChatGPT and the API for FedRAMP are versions of ChatGPT Enterprise and the API platform that have achieved Federal Risk and Authorization Management Program (FedRAMP) Moderate accreditation through the FedRAMP 20x program.”
Verify on openai.com“OpenAI is able to execute a Data Processing Addendum (DPA) with customers for their use of ChatGPT Business, ChatGPT Enterprise, and the API in support of their compliance with GDPR and other privacy laws.”
Verify on help.openai.com“OpenAI offers a Business Associate Agreement (BAA) with OpenAI to ChatGPT Enterprise/Edu and API healthcare customers to support their HIPAA compliance requirements. Customers can email baa@openai.com to request a BAA.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multiple: EU (EEA + Switzerland), UK, US, Canada, Japan, South Korea, Singapore, India, Australia, UAE. Data residency available for eligible API customers and ChatGPT Enterprise/Edu customers.
By default, OpenAI does NOT use content submitted by API, ChatGPT Business, or ChatGPT Enterprise customers to improve model performance unless customers have explicitly opted in to share their data. For consumer services (ChatGPT Plus, free tier), OpenAI may use conversations to improve models unless users opt out. Artists can opt-out of having their publicly available work used in DALL-E 3 training via an online form.
// Security controls
Encryption in Transit
Yes - HTTPS/TLS encryption required for all API communication
developers.openai.comAccess Controls
Role-based access control (RBAC), API key management, organization-level controls
openai.comZero Data Retention
NOT available for DALL-E 3. Zero Data Retention compatible only with gpt-image-1, gpt-image-1.5, and gpt-image-1-mini models. For DALL-E 3, inputs/outputs may be retained for abuse monitoring and service improvement.
developers.openai.comAudit Logging
Yes - Audit logs available for enterprise customers; abuse monitoring logs with opt-out options
openai.comData Minimization
OpenAI shares the minimum amount of content needed with trusted service providers; service providers are subject to strict confidentiality and security obligations
openai.comCustomer-Managed Encryption Keys (CMEK)
Available for enterprise customers as part of data security controls
openai.com// Products & data scope
data: API customers can opt for data residency in multiple regions (EU, UK, US, Canada, Asia-Pacific). NOT zero-data-retention compatible. By default, customer data is not used for training unless opted in.
Supports GDPR DPA and HIPAA BAA (for eligible customers). FedRAMP compliance available. Data retention for abuse monitoring and service improvement applies by default.
data: Consumer service. OpenAI may use conversations to improve models unless user opts out. Not covered under enterprise certifications.
Consumer-grade privacy controls. Different data handling from API/business products.
data: Customer data is NOT used for training by default. Data residency available (EU, UK, US, etc.). Enterprise-grade controls available.
Covered under SOC 2 Type 2, ISO certifications, and FedRAMP. Eligible for HIPAA BAA and GDPR DPA.
data: Designed for educational institutions. Customer data NOT used for training by default.
Covered under enterprise certifications. Eligible for GDPR DPA and HIPAA BAA for healthcare education.
// What to watch
- DALL-E 3 is NOT zero-data-retention compatible, unlike some other OpenAI image models. Prompts and images may be retained for abuse monitoring and service improvement by default, even for business customers.
- HIPAA BAA eligibility requires prior approval from OpenAI and is not automatically available to all customers. Certain use cases may not pass OpenAI's evaluation.
- Data residency and inference residency require customers to be approved for abuse monitoring controls and execute a Zero Data Retention amendment for non-US regions.
- Consumer vs. Enterprise tier distinction is critical: free/Plus tier ChatGPT conversations may be used for training unless opted out; Enterprise/Edu/API customers have no default training use.
- FedRAMP certification applies to ChatGPT Enterprise and API via the FedRAMP 20x program (Moderate level); not all government use cases may qualify.
// At a glance
Pricing model
Pay-as-you-go API pricing per image generation; subscription tiers for ChatGPT Plus, Pro, Enterprise, Edu
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on OpenAI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.openai.com