// Trust & Security Report
OpenAI OpCo, LLC (contracting as OpenAI Ireland Ltd. for EEA/Swiss customers)
Whisper is OpenAI's speech-to-text (ASR) technology, distributed in three distinct forms with different security postures: (1) the open-source Whisper model/weights (MIT license, self-hosted, no data sent to OpenAI), (2) the hosted Whisper endpoints on the OpenAI API platform (audio transcription/translation, pay-per-use), and (3) Whisper-family models powering voice features inside ChatGPT (Free/Plus/Team/Enterprise/Edu). The vendor entity behind all three is OpenAI.
Certifications held
12
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.openai.com“Our products are covered in our SOC 2 Type 2 report and have been evaluated by an independent third-party auditor to confirm that our controls align with industry standards for security, confidentiality, privacy and availability.”
Verify on trust.openai.com“SOC 3 (badge listed in the trust portal's certifications section, public-facing summary counterpart to the SOC 2 report).”
Verify on trust.openai.com“This certificate documents OpenAI's operation an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2022 for OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu services.”
Verify on trust.openai.com“Control implementation also conforms to additional control sets of ISO/IEC 27017:2015 and ISO/IEC 27018:2019.”
Verify on trust.openai.com“Control implementation also conforms to additional control sets of ISO/IEC 27017:2015 and ISO/IEC 27018:2019.”
Verify on trust.openai.com“...extending to include the PIMS requirements, control implementation guidance, and additional control set of ISO/IEC 27701:2019.”
Verify on trust.openai.com“ISO/IEC 42001:2023 (listed as a certification badge in the trust portal's compliance section; separate AI-governance-specific standard, distinct from ISO 27001).”
Verify on cdn.openai.com“This OpenAI Data Processing Addendum ("DPA")... OpenAI acts as a Data Processor on the Customer's behalf... To the extent OpenAI Ireland Limited transfers EEA and Swiss Data to other OpenAI Affiliates or third parties outside the European Economic Area or Switzerland to provide the Services, it will do so on the basis of agreements containing SCCs that ensure appropriate safeguards for the protection of Customer Data are in place or an adequacy decision issued by the European Commission under Article 45 GDPR.”
Verify on trust.openai.com“OpenAI now maintains PCI-DSS compliance for the components of ChatGPT that support delegated payment processing.”
Verify on trust.openai.com“CSA STAR (badge listed in the trust portal's certifications/compliance section).”
Verify on trust.openai.com“FedRAMP 20x (badge listed in the trust portal's compliance section). Scope on the public overview page is not broken out per-product; FedRAMP authorizations at OpenAI have historically applied to government-specific offerings rather than the general-availability API.”
Verify on trust.openai.com“TX-RAMP (badge listed in the trust portal's compliance section; Texas state government risk and authorization management program).”
> Show 1 unconfirmed / not-held certifications
source: trust.openai.comNo public evidence on OpenAI's own trust portal: HIPAA does not appear as a certification badge on https://trust.openai.com/ (confirmed on two separate fetches). Secondary/independent reporting states OpenAI offers a Business Associate Agreement (BAA) for API and 'ChatGPT for Healthcare' customers on a case-by-case basis via compliance@openai.com, but this could not be confirmed directly on a vendor-owned page (openai.com/business-data and openai.com/enterprise-privacy both returned HTTP 403 to automated fetch during this assessment).
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Self-hosted open-source Whisper: fully user-controlled, no data leaves user infrastructure. API/ChatGPT: processed on OpenAI's cloud infrastructure; OpenAI Ireland Ltd. is the contracting/processing entity for EEA and Swiss data with Standard Contractual Clauses governing onward transfers; no Whisper-specific regional data-residency option was found in public documentation.
Training posture differs by product tier. API platform (which hosts the Whisper transcription/translation endpoints) and ChatGPT Team/Enterprise/Edu: per the executed DPA, OpenAI processes Customer Data only per customer instructions and multiple independent secondary sources consistently report API/business data is not used to train models unless the customer explicitly opts in; this specific 'no training by default' wording could not be independently re-verified on a vendor page during this assessment because openai.com/business-data and openai.com/enterprise-privacy both returned HTTP 403 to automated fetch. Free/Plus ChatGPT (which also surfaces Whisper-based voice features) has a different, less protective default and historically may use conversations to improve models unless the user opts out in settings - do not apply the 'no training' claim to that tier. The open-source Whisper model is run entirely on the user's own infrastructure, so no OpenAI training-on-your-data question applies at all. Flag: third-party reporting (Basil AI, Nov 2025) alleges the Whisper API's 'zero data retention' marketing claim is inconsistent with an actual ~30-day retention window for abuse monitoring; this specific vendor wording could not be directly verified due to the same 403 blocks, so it is not graded here but is called out for advisor review.
// Security controls
Independent audit coverage
SOC 2 Type II and SOC 3 reports cover OpenAI's API platform, ChatGPT Enterprise, and ChatGPT Edu; free/Plus ChatGPT is explicitly excluded per independent secondary reporting (not itemized on the trust portal overview itself).
trust.openai.comISMS certification
ISO/IEC 27001:2022 Information Security Management System certified for OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu services, extended with ISO 27017 (cloud), ISO 27018 (PII in cloud), and ISO 27701 (privacy) control sets.
trust.openai.comSub-processor transparency
A public sub-processor list is maintained and customers are notified of additions with a 30-day objection window under the DPA.
cdn.openai.comBreach notification
DPA commits OpenAI to notify customers "without undue delay after becoming aware of any Personal Data Breach."
cdn.openai.comEncryption specifics
Not independently confirmed for this assessment. The DPA itself only commits generically to "reasonable and appropriate organizational and technical security measures... as set forth in the Agreement" without stating an algorithm; specific claims seen in secondary write-ups (e.g. AES-256 at rest, TLS 1.2+ in transit) could not be verified on a vendor-owned page because openai.com/security-and-privacy and openai.com/enterprise-privacy both returned HTTP 403 to automated fetch. Treat encryption-algorithm specifics as unverified until confirmed directly.
cdn.openai.comSelf-hosted model (open-source Whisper)
No OpenAI-side security controls apply because no data is transmitted to OpenAI; the security posture of a self-hosted deployment is entirely the responsibility of the organization running it.
github.com// Products & data scope
data: None sent to OpenAI; runs entirely on the user's own hardware/infrastructure via local inference.
MIT-licensed code and weights, installable via `pip install openai-whisper` / GitHub. No OpenAI certification applies or is needed since no OpenAI infrastructure is involved; security is fully the deploying organization's responsibility.
data: Audio input and transcription/translation output are sent to and processed on OpenAI's servers; per secondary reporting, retained up to ~30 days for abuse/misuse monitoring then deleted, not used for model training by default (see ai_training_note for verification caveats).
Part of the general-availability OpenAI API platform. Trust-portal certifications (SOC 2 Type II, ISO 27001/27017/27018/27701) describe coverage of 'OpenAI's API' as a whole; Whisper's specific endpoints are not separately named on the public trust-portal page, so coverage is a reasonable inference rather than an explicit vendor statement.
data: Voice input is processed as part of the broader ChatGPT conversation; data handling and training defaults differ sharply by plan.
ChatGPT Team, Enterprise, and Edu are covered by SOC 2/ISO certifications and are not used for model training by default. Free and Plus ChatGPT are explicitly NOT covered by SOC 2 per independent reporting, and conversation data (including voice) may be used to improve models unless the user opts out in settings. This tier split is the most important nuance for a listing.
// What to watch
- Product-scope inference: OpenAI's trust portal lists certifications for 'OpenAI's API, ChatGPT Enterprise, and ChatGPT Edu' but never names 'Whisper', 'audio', or 'transcription' explicitly; treating the Whisper API as covered is a reasonable but unconfirmed inference.
- Free and Plus ChatGPT (which also surface Whisper-based voice input) are explicitly excluded from SOC 2 coverage per independent reporting - do not imply SOC 2 applies to those tiers.
- Possible over-claim to verify: third-party reporting (Basil AI, Nov 2025) alleges the Whisper API is marketed with a 'zero data retention' claim while actually retaining audio up to ~30 days for abuse monitoring. Could not independently confirm OpenAI's own wording because openai.com/business-data, openai.com/enterprise-privacy, and platform.openai.com/docs/data-usage-policies all returned HTTP 403 to automated fetch during this assessment.
- HIPAA is not listed as a certification/badge on OpenAI's own trust portal. Secondary sources describe a case-by-case Business Associate Agreement (BAA) for API/healthcare customers; this must not be shown to AIFOXX users as a 'certification' - if shown at all, label it 'BAA available on request, case-by-case' with the case-by-case caveat prominent.
- Do not conflate with the unrelated product 'WhisperAI' (whisperai.com) surfaced in search results - confirmed different company/domain, not covered by this assessment.
- FedRAMP 20x and TX-RAMP badges likely scope to OpenAI's government-specific offerings, not the general-availability Whisper API; the public trust-portal overview does not break out per-product scope for these two.
// At a glance
Pricing model
Open-source model: free (self-hosted compute cost only). API: pay-per-use, priced per minute of audio processed. ChatGPT voice: bundled within Free/Plus/Team/Enterprise/Edu subscription tiers.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on OpenAI OpCo, LLC (contracting as OpenAI Ireland Ltd. for EEA/Swiss customers)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.openai.com