// Trust & Security Report

    OpenAI, OpCo, LLC (OpenAI) logo

    OpenAI, OpCo, LLC (OpenAI)

    Sora is OpenAI's AI video-generation product family: the Sora web/app consumer product (sora.chatgpt.com, iOS/Android) for text-to-video creation and a social feed, and the developer-facing Sora 2 / Sora 2 Pro API served through the OpenAI platform. As of this assessment, the consumer web/app experience has already been discontinued and the API is on a published sunset timeline (see flags).

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture / DPA availability)
    HELD

    OpenAI publishes a Data Processing Addendum rooted in GDPR Article 28, covering Standard Contractual Clauses for international transfers, UK GDPR, and the Swiss Federal Act on Data Protection, for business customers using OpenAI's API and related services. 'The DPA does not apply automatically, but must be actively concluded.'

    Verify on openai.com
    > Show 10 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    OpenAI's SOC 2 report covers the API Platform, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Team; consumer ChatGPT (free and Plus) is not covered under SOC 2. No vendor-domain documentation lists the Sora consumer app or the Sora API as in-scope for the SOC 2 report; the underlying OpenAI platform/API infrastructure Sora 2 API runs on is covered organizationally, but Sora itself is not named in any public scope statement found.

    source: trust.openai.com
    ISO/IEC 27001:2022
    NOT CONFIRMED

    OpenAI's ISO/IEC 27001 Certificate documents OpenAI's operation of an Information Security Management System for OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu services. Sora (consumer app or API) is not named in this scope statement, so it cannot be confirmed as covered; this is OpenAI-the-company's certification, not a Sora-specific one.

    source: trust.openai.com
    ISO/IEC 27017:2015 (cloud security)
    NOT CONFIRMED

    Listed among OpenAI's certifications ('conforms to additional control sets of ISO/IEC 27017:2015'), but no vendor page states Sora is within scope. No public evidence Sora specifically is covered.

    source: trust.openai.com
    ISO/IEC 27018:2019 (PII in public cloud)
    NOT CONFIRMED

    Listed among OpenAI's certifications, but not confirmed as scoped to include the Sora product line specifically. No public evidence Sora is named in scope.

    source: trust.openai.com
    ISO/IEC 27701:2019 (privacy information management)
    NOT CONFIRMED

    Listed among OpenAI's certifications ('extending coverage to include the PIMS requirements...of ISO/IEC 27701:2019'), but scope to Sora specifically is unconfirmed.

    source: trust.openai.com
    ISO/IEC 42001:2023 (AI management system)
    NOT CONFIRMED

    Listed on OpenAI's trust portal under compliance certifications as 'ISO/IEC 42001:2023', OpenAI's org-wide AI governance certification. Product-level scope (whether Sora specifically is included) is not stated on any vendor page found; treated as an OpenAI-level, not confirmed Sora-level, credential.

    source: trust.openai.com
    PCI DSS v4.0.1
    NOT CONFIRMED

    'OpenAI now maintains PCI-DSS compliance for the components of ChatGPT that support delegated payment processing.' This is scoped to ChatGPT payment processing, not stated to cover Sora.

    source: openai.com
    CSA STAR
    NOT CONFIRMED

    Listed on the OpenAI Trust Portal compliance section as a certification OpenAI holds, but no vendor text confirms Sora-specific scope; treated as unconfirmed for Sora.

    source: trust.openai.com
    FedRAMP 20x
    NOT CONFIRMED

    Listed on the OpenAI Trust Portal compliance section; this targets US government use of OpenAI's platform/ChatGPT Gov, not the Sora consumer/video product. No evidence Sora is in scope.

    source: trust.openai.com
    HIPAA (BAA availability)
    NOT CONFIRMED

    OpenAI states ChatGPT (Free, Plus, Pro, and Team plans) is NOT HIPAA compliant under any circumstances, and a BAA is only available for API Platform use meeting specific requirements (BAA requested via baa@openai.com). No vendor page confirms a BAA is offered for the Sora consumer app; third-party commentary about 'Sora Series' HIPAA use refers to the API under a signed BAA, not the consumer product.

    source: help.openai.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Not specified for Sora specifically on vendor pages found; OpenAI's general Data Processing Addendum references Standard Contractual Clauses / UK GDPR / Swiss DPA mechanisms for international transfers, implying no dedicated EU-only region guarantee for this product.

    OpenAI's help center states: 'Data controls offer you the ability to choose whether your content will be used to improve and train our models... To disable model training, navigate to your profile icon... Settings > Data Controls, and disable Improve the model for everyone. While this is disabled, new content won't be used to train our models.' This opt-out is confirmed to apply to the Sora app specifically via the dedicated 'Data Controls and Privacy on the Sora app' help article. By default, consumer-tier content (including Sora video generations) may be used for model improvement unless the user opts out; API/business customers under the enterprise privacy commitments are, per OpenAI's general policy, excluded from training by default. Historical training data used to build the original Sora video model included licensed and 'publicly available' content whose exact sourcing OpenAI has not fully disclosed (third-party reporting, not vendor-confirmed).

    // Security controls

    Content provenance / watermarking

    Every video generated with Sora embeds C2PA metadata plus visible and invisible provenance signals, and OpenAI provides reverse image/audio search tools to trace videos back to Sora.

    openai.com

    Content safety guardrails

    Guardrails check both prompts and outputs across multiple video frames and audio transcripts to block unsafe content (sexual material, terrorist propaganda, self-harm promotion) before generation.

    openai.com

    Organizational compliance program

    OpenAI (the parent org) maintains SOC 2 Type 2, ISO/IEC 27001:2022/27017/27018/27701, ISO/IEC 42001:2023, PCI DSS v4.0.1, CSA STAR and FedRAMP 20x programs, but public documentation scopes these to the API Platform, ChatGPT Enterprise, ChatGPT Edu and ChatGPT Team, not the Sora consumer product by name.

    trust.openai.com

    Data Processing Addendum

    Available to business/API customers on request (must be actively executed); covers GDPR Art. 28, UK GDPR, Swiss FADP, and includes audit rights.

    openai.com

    // Products & data scope

    Sora (consumer web/app)AI video generation (consumer)

    data: User prompts, uploaded images/video (cameo feature), generated videos; feed posts are public if the user chooses to publish them.

    Discontinued: per OpenAI's own help center article 'What to know about the Sora discontinuation,' the Sora web and app experience ended April 26, 2026. Users could export content at sora.chatgpt.com/sunset; remaining data is permanently deleted after the export window. Not covered by OpenAI's published SOC 2 / ISO scope statements. HIPAA BAA not available for this consumer tier.

    Sora 2 / Sora 2 Pro APIAI video generation (developer/API, via OpenAI platform)

    data: API request prompts, reference media, generated video outputs, billing/usage metadata.

    Runs on OpenAI's general API platform (subject to org-level SOC 2/ISO commitments per OpenAI's platform-wide scope, though Sora is not named explicitly in scope docs found). Per third-party reporting corroborated by OpenAI's own sunset article, the Sora 2 API is scheduled to be discontinued September 24, 2026. A BAA can be requested for HIPAA-relevant API use, subject to OpenAI's standard API BAA process, but no vendor page confirms this has been specifically extended to Sora media generation.

    // What to watch

    • PRODUCT SUNSET: The Sora consumer web/app was discontinued April 26, 2026 (before this review date) per OpenAI's own help center notice; the Sora 2 API is scheduled to be discontinued September 24, 2026. AIFOXX should not list this as an actively onboardable consumer product without a prominent 'discontinued / sunsetting' notice, since new customers cannot currently sign up for the consumer app.
    • HOST-VS-PRODUCT CERT AMBIGUITY: OpenAI (the parent org) holds SOC 2 Type 2, ISO 27001/27017/27018/27701, ISO 42001, PCI DSS, CSA STAR and FedRAMP, but every public scope statement found names the API Platform, ChatGPT Enterprise, ChatGPT Edu and ChatGPT Team as covered - not the Sora product by name. Because Sora runs on OpenAI's shared infrastructure, some of these controls likely apply in practice, but no vendor document explicitly confirms Sora is in-scope, so all certs are graded held=false to avoid over-claiming on the vendor's behalf.
    • AI training default: consumer Sora content may be used to train OpenAI's models unless the user opts out via Data Controls; this is a meaningful privacy consideration for any user-generated video/likeness content uploaded to Sora.
    • HIPAA is explicitly NOT available for ChatGPT consumer tiers per OpenAI's own guidance; by analogy the discontinued Sora consumer app should not be treated as HIPAA-eligible. Any HIPAA use of Sora capability would need to go through the API with an executed BAA.

    // At a glance

    Pricing model

    Consumer: bundled with ChatGPT Plus/Pro subscriptions plus a limited free daily quota (discontinued as of April 26, 2026). API: usage-based, priced per second of generated video (e.g., ~$0.10/sec Standard 720p, ~$0.30-$0.70/sec Pro tier depending on resolution), scheduled to sunset September 24, 2026.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on OpenAI, OpCo, LLC (OpenAI)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.openai.com

    > Browse all vendor trust reports