AI Provider Trust Registry evidence verified as of 2026-07-05

OpenAI API vs Azure OpenAI Service

The same dimension can grade differently depending on who serves the model. Every cell links to its source; grades are evidence grades, not endorsements.

| Dimension | OpenAI API grade | OpenAI API evidence | Azure OpenAI Service grade | Azure OpenAI Service evidence |
| --- | --- | --- | --- | --- |
| SOC 2 Type II | Yes, sales-gated | Trust portal publicly attests a SOC 2 Type 2 report covering Security, Availability, Confidentiality and Privacy TSC for the API Platform. The report itself is gated:... | Yes, sales-gated | Two-level rule: this is Azure's (the serving platform's) SOC 2 Type 2 attestation, not OpenAI's. Microsoft publicly documents the Azure SOC 2 Type 2 attestation; the report... |
| ISO 27001 | Yes, public | ISO/IEC 27001:2022 is publicly listed on the trust portal as covering the API Platform (alongside 27017/27018/27701); certificate documents require a trust-portal... | Yes, public | Azure's (platform) certification. The Azure ISO/IEC 27001:2022 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 services; certificate and audit... |
| ISO 42001 | Yes, public | ISO/IEC 42001:2023 (AI management system) is publicly listed on the trust portal among certifications applying to the API Platform. [human 2026-07-05] Dismissed: scrape... | Yes, public | Microsoft holds ISO/IEC 42001:2023 certification with "Microsoft Foundry" (the service that hosts Azure OpenAI models, per Microsoft's 2025 Azure blog announcement covering... |
| Trust center | Yes, public | Maintained trust portal at trust.openai.com; overview page is public, most documents (reports, certificates) require registering an account. No Wayback snapshot exists for the... | Yes, public | Microsoft maintains both a public Trust Center (https://www.microsoft.com/trust-center) and the Service Trust Portal for audit artifacts (SOC, ISO, etc.). Portal browsing is... |
| HIPAA BAA | Yes, sales-gated | BAA for the API is requested via [email protected] and reviewed case-by-case; no enterprise agreement is required. Critically, the API BAA covers only endpoints eligible for Zero... | Yes, public | Microsoft's HIPAA BAA is included by default in customer agreements: the DPA states "execution of customer's volume licensing agreement includes execution of the HIPAA Business... |
| GDPR DPA | Yes, public | Public DPA (current version v.010126, PDF verified 2026-07-05) incorporating EU Standard Contractual Clauses for international transfers, with a published sub-processor list... | Yes, public | The Microsoft Products and Services DPA is publicly downloadable (most recent version May 2026) and, per Microsoft's EU Model Clauses compliance page, Microsoft "makes the EU... |
| No-training default | Yes, public | Docs state "data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us)". No-training is the default; sharing... | Yes, public | Microsoft's public commitment (data-privacy page, verified 2026-07-05): prompts, completions, embeddings, and training data "are NOT available to OpenAI", "are NOT used by... |
| Retention / ZDR | Yes, sales-gated | Retention is publicly documented: abuse-monitoring logs kept up to 30 days by default (longer if required by law); application state varies by endpoint (e.g.... | Yes, sales-gated | Retention is documented: standard inference is stateless, but flagged prompts/completions may be stored in a per-geography abuse-monitoring data store for human review;... |
| Residency | Yes, sales-gated | Data residency is configured per Project at creation only (existing Projects cannot be migrated). Non-US regions additionally require OpenAI approval for modified... | Yes, public | Residency is deployment-type dependent, hence default:requires_config. Standard deployments keep prompts/responses in the customer-specified geography; "DataZone" EU... |
| GPAI Code | Yes, public | OpenAI appears on the European Commission's GPAI Code of Practice signatory list as a full signatory (all chapters); only xAI is listed as a partial (Safety & Security chapter... | Yes, public | Layered reality: the GPAI Code of Practice is a provider (model developer) obligation, and the developer here is OpenAI, a full signatory on the EC's list (verified... |
| Art. 53 summary | Unclear | OpenAI's Help Center article "EU AI Act" states (per search-index snippet): "In accordance with OpenAI's obligations under Article 53(1)(d) of the AI Act, OpenAI publishes... | Yes, public | EU AI Act Art 53(1)(d) is a developer obligation, graded on OpenAI, not Microsoft. OpenAI's official EU AI Act help-center article states that "in accordance with its... |