// Trust & Security Report

    OpenAI OpCo, LLC (contracting as OpenAI Ireland Ltd. for EEA/Swiss customers) logo

    OpenAI OpCo, LLC (contracting as OpenAI Ireland Ltd. for EEA/Swiss customers)

    Whisper is OpenAI's speech-to-text (ASR) technology, distributed in three distinct forms with different security postures: (1) the open-source Whisper model/weights (MIT license, self-hosted, no data sent to OpenAI), (2) the hosted Whisper endpoints on the OpenAI API platform (audio transcription/translation, pay-per-use), and (3) Whisper-family models powering voice features inside ChatGPT (Free/Plus/Team/Enterprise/Edu). The vendor entity behind all three is OpenAI.

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Our products are covered in our SOC 2 Type 2 report and have been evaluated by an independent third-party auditor to confirm that our controls align with industry standards for security, confidentiality, privacy and availability.

    Verify on trust.openai.com
    SOC 3
    HELD

    SOC 3 (badge listed in the trust portal's certifications section, public-facing summary counterpart to the SOC 2 report).

    Verify on trust.openai.com
    ISO/IEC 27001:2022
    HELD

    This certificate documents OpenAI's operation an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2022 for OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu services.

    Verify on trust.openai.com
    ISO/IEC 27017:2015 (cloud security controls)
    HELD

    Control implementation also conforms to additional control sets of ISO/IEC 27017:2015 and ISO/IEC 27018:2019.

    Verify on trust.openai.com
    ISO/IEC 27018:2019 (PII in public clouds)
    HELD

    Control implementation also conforms to additional control sets of ISO/IEC 27017:2015 and ISO/IEC 27018:2019.

    Verify on trust.openai.com
    ISO/IEC 27701:2019 (privacy information management)
    HELD

    ...extending to include the PIMS requirements, control implementation guidance, and additional control set of ISO/IEC 27701:2019.

    Verify on trust.openai.com
    ISO/IEC 42001:2023 (AI management system)
    HELD

    ISO/IEC 42001:2023 (listed as a certification badge in the trust portal's compliance section; separate AI-governance-specific standard, distinct from ISO 27001).

    Verify on trust.openai.com
    GDPR posture (DPA with SCCs)
    HELD

    This OpenAI Data Processing Addendum ("DPA")... OpenAI acts as a Data Processor on the Customer's behalf... To the extent OpenAI Ireland Limited transfers EEA and Swiss Data to other OpenAI Affiliates or third parties outside the European Economic Area or Switzerland to provide the Services, it will do so on the basis of agreements containing SCCs that ensure appropriate safeguards for the protection of Customer Data are in place or an adequacy decision issued by the European Commission under Article 45 GDPR.

    Verify on cdn.openai.com
    PCI DSS v4.0.1
    HELD

    OpenAI now maintains PCI-DSS compliance for the components of ChatGPT that support delegated payment processing.

    Verify on trust.openai.com
    CSA STAR
    HELD

    CSA STAR (badge listed in the trust portal's certifications/compliance section).

    Verify on trust.openai.com
    FedRAMP 20x
    HELD

    FedRAMP 20x (badge listed in the trust portal's compliance section). Scope on the public overview page is not broken out per-product; FedRAMP authorizations at OpenAI have historically applied to government-specific offerings rather than the general-availability API.

    Verify on trust.openai.com
    TX-RAMP
    HELD

    TX-RAMP (badge listed in the trust portal's compliance section; Texas state government risk and authorization management program).

    Verify on trust.openai.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence on OpenAI's own trust portal: HIPAA does not appear as a certification badge on https://trust.openai.com/ (confirmed on two separate fetches). Secondary/independent reporting states OpenAI offers a Business Associate Agreement (BAA) for API and 'ChatGPT for Healthcare' customers on a case-by-case basis via compliance@openai.com, but this could not be confirmed directly on a vendor-owned page (openai.com/business-data and openai.com/enterprise-privacy both returned HTTP 403 to automated fetch during this assessment).

    source: trust.openai.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Self-hosted open-source Whisper: fully user-controlled, no data leaves user infrastructure. API/ChatGPT: processed on OpenAI's cloud infrastructure; OpenAI Ireland Ltd. is the contracting/processing entity for EEA and Swiss data with Standard Contractual Clauses governing onward transfers; no Whisper-specific regional data-residency option was found in public documentation.

    Training posture differs by product tier. API platform (which hosts the Whisper transcription/translation endpoints) and ChatGPT Team/Enterprise/Edu: per the executed DPA, OpenAI processes Customer Data only per customer instructions and multiple independent secondary sources consistently report API/business data is not used to train models unless the customer explicitly opts in; this specific 'no training by default' wording could not be independently re-verified on a vendor page during this assessment because openai.com/business-data and openai.com/enterprise-privacy both returned HTTP 403 to automated fetch. Free/Plus ChatGPT (which also surfaces Whisper-based voice features) has a different, less protective default and historically may use conversations to improve models unless the user opts out in settings - do not apply the 'no training' claim to that tier. The open-source Whisper model is run entirely on the user's own infrastructure, so no OpenAI training-on-your-data question applies at all. Flag: third-party reporting (Basil AI, Nov 2025) alleges the Whisper API's 'zero data retention' marketing claim is inconsistent with an actual ~30-day retention window for abuse monitoring; this specific vendor wording could not be directly verified due to the same 403 blocks, so it is not graded here but is called out for advisor review.

    // Security controls

    Independent audit coverage

    SOC 2 Type II and SOC 3 reports cover OpenAI's API platform, ChatGPT Enterprise, and ChatGPT Edu; free/Plus ChatGPT is explicitly excluded per independent secondary reporting (not itemized on the trust portal overview itself).

    trust.openai.com

    ISMS certification

    ISO/IEC 27001:2022 Information Security Management System certified for OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu services, extended with ISO 27017 (cloud), ISO 27018 (PII in cloud), and ISO 27701 (privacy) control sets.

    trust.openai.com

    Sub-processor transparency

    A public sub-processor list is maintained and customers are notified of additions with a 30-day objection window under the DPA.

    cdn.openai.com

    Breach notification

    DPA commits OpenAI to notify customers "without undue delay after becoming aware of any Personal Data Breach."

    cdn.openai.com

    Encryption specifics

    Not independently confirmed for this assessment. The DPA itself only commits generically to "reasonable and appropriate organizational and technical security measures... as set forth in the Agreement" without stating an algorithm; specific claims seen in secondary write-ups (e.g. AES-256 at rest, TLS 1.2+ in transit) could not be verified on a vendor-owned page because openai.com/security-and-privacy and openai.com/enterprise-privacy both returned HTTP 403 to automated fetch. Treat encryption-algorithm specifics as unverified until confirmed directly.

    cdn.openai.com

    Self-hosted model (open-source Whisper)

    No OpenAI-side security controls apply because no data is transmitted to OpenAI; the security posture of a self-hosted deployment is entirely the responsibility of the organization running it.

    github.com

    // Products & data scope

    Whisper (open-source model)Speech-to-text ML model, open weights

    data: None sent to OpenAI; runs entirely on the user's own hardware/infrastructure via local inference.

    MIT-licensed code and weights, installable via `pip install openai-whisper` / GitHub. No OpenAI certification applies or is needed since no OpenAI infrastructure is involved; security is fully the deploying organization's responsibility.

    Whisper API (hosted transcription/translation endpoints)Cloud API, speech-to-text

    data: Audio input and transcription/translation output are sent to and processed on OpenAI's servers; per secondary reporting, retained up to ~30 days for abuse/misuse monitoring then deleted, not used for model training by default (see ai_training_note for verification caveats).

    Part of the general-availability OpenAI API platform. Trust-portal certifications (SOC 2 Type II, ISO 27001/27017/27018/27701) describe coverage of 'OpenAI's API' as a whole; Whisper's specific endpoints are not separately named on the public trust-portal page, so coverage is a reasonable inference rather than an explicit vendor statement.

    ChatGPT voice features (Whisper-family models embedded in ChatGPT)Consumer/business conversational AI, voice input

    data: Voice input is processed as part of the broader ChatGPT conversation; data handling and training defaults differ sharply by plan.

    ChatGPT Team, Enterprise, and Edu are covered by SOC 2/ISO certifications and are not used for model training by default. Free and Plus ChatGPT are explicitly NOT covered by SOC 2 per independent reporting, and conversation data (including voice) may be used to improve models unless the user opts out in settings. This tier split is the most important nuance for a listing.

    // What to watch

    • Product-scope inference: OpenAI's trust portal lists certifications for 'OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu' but never names 'Whisper', 'audio', or 'transcription' explicitly; treating the Whisper API as covered is a reasonable but unconfirmed inference.
    • Free and Plus ChatGPT (which also surface Whisper-based voice input) are explicitly excluded from SOC 2 coverage per independent reporting - do not imply SOC 2 applies to those tiers.
    • Possible over-claim to verify: third-party reporting (Basil AI, Nov 2025) alleges the Whisper API is marketed with a 'zero data retention' claim while actually retaining audio up to ~30 days for abuse monitoring. Could not independently confirm OpenAI's own wording because openai.com/business-data, openai.com/enterprise-privacy, and platform.openai.com/docs/data-usage-policies all returned HTTP 403 to automated fetch during this assessment.
    • HIPAA is not listed as a certification/badge on OpenAI's own trust portal. Secondary sources describe a case-by-case Business Associate Agreement (BAA) for API/healthcare customers; this must not be shown to AIFOXX users as a 'certification' - if shown at all, label it 'BAA available on request, case-by-case' with the case-by-case caveat prominent.
    • Do not conflate with the unrelated product 'WhisperAI' (whisperai.com) surfaced in search results - confirmed different company/domain, not covered by this assessment.
    • FedRAMP 20x and TX-RAMP badges likely scope to OpenAI's government-specific offerings, not the general-availability Whisper API; the public trust-portal overview does not break out per-product scope for these two.

    // At a glance

    Pricing model

    Open-source model: free (self-hosted compute cost only). API: pay-per-use, priced per minute of audio processed. ChatGPT voice: bundled within Free/Plus/Team/Enterprise/Edu subscription tiers.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on OpenAI OpCo, LLC (contracting as OpenAI Ireland Ltd. for EEA/Swiss customers)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.openai.com

    > Browse all vendor trust reports