OpenAI API vs Azure OpenAI Service
The same dimension can grade differently depending on who serves the model. Every cell links to its source; grades are evidence grades, not endorsements.
| Dimension | OpenAI API | Azure OpenAI Service |
|---|---|---|
| SOC 2 Type II | ◐ Yes, sales-gated. Trust portal publicly attests a SOC 2 Type 2 report covering Security, Availability, Confidentiality and Privacy TSC for the API Platform. The report itself is gated:... | ◐ Yes, sales-gated. Two-level rule: this is Azure's (the serving platform's) SOC 2 Type 2 attestation, not OpenAI's. Microsoft publicly documents the Azure SOC 2 Type 2 attestation; the report... |
| ISO 27001 | ● Yes, public. ISO/IEC 27001:2022 is publicly listed on the trust portal as covering the API Platform (alongside 27017/27018/27701); certificate documents require a trust-portal... | ● Yes, public. Azure's (platform) certification. The Azure ISO/IEC 27001:2022 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 services; certificate and audit... |
| ISO 42001 | ● Yes, public. ISO/IEC 42001:2023 (AI management system) is publicly listed on the trust portal among certifications applying to the API Platform. [human 2026-07-05] Dismissed: scrape... | ● Yes, public. Microsoft holds ISO/IEC 42001:2023 certification with "Microsoft Foundry" (the service that hosts Azure OpenAI models, per Microsoft's 2025 Azure blog announcement covering... |
| Trust center | ● Yes, public. Maintained trust portal at trust.openai.com; overview page is public, most documents (reports, certificates) require registering an account. No Wayback snapshot exists for the... | ● Yes, public. Microsoft maintains both a public Trust Center (https://www.microsoft.com/trust-center) and the Service Trust Portal for audit artifacts (SOC, ISO, etc.). Portal browsing is... |
| HIPAA BAA | ◐ Yes, sales-gated. BAA for the API is requested via [email protected] and reviewed case-by-case; no enterprise agreement is required. Critically, the API BAA covers only endpoints eligible for Zero... | ● Yes, public. Microsoft's HIPAA BAA is included by default in customer agreements: the DPA states "execution of customer's volume licensing agreement includes execution of the HIPAA Business... |
| GDPR DPA | ● Yes, public. Public DPA (current version v.010126, PDF verified 2026-07-05) incorporating EU Standard Contractual Clauses for international transfers, with a published sub-processor list... | ● Yes, public. The Microsoft Products and Services DPA is publicly downloadable (most recent version May 2026) and, per Microsoft's EU Model Clauses compliance page, Microsoft "makes the EU... |
| No-training default | ● Yes, public. Docs state "data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us)". No-training is the default; sharing... | ● Yes, public. Microsoft's public commitment (data-privacy page, verified 2026-07-05): prompts, completions, embeddings, and training data "are NOT available to OpenAI", "are NOT used by... |
| Retention / ZDR | ◐ Yes, sales-gated. Retention is publicly documented: abuse-monitoring logs kept up to 30 days by default (longer if required by law); application state varies by endpoint (e.g.... | ◐ Yes, sales-gated. Retention is documented: standard inference is stateless, but flagged prompts/completions may be stored in a per-geography abuse-monitoring data store for human review;... |
| Residency | ◐ Yes, sales-gated. Data residency is configured per Project at creation only (existing Projects cannot be migrated). Non-US regions additionally require OpenAI approval for modified... | ● Yes, public. Residency is deployment-type dependent, hence default:requires_config. Standard deployments keep prompts/responses in the customer-specified geography; "DataZone" EU... |
| GPAI Code | ● Yes, public. OpenAI appears on the European Commission's GPAI Code of Practice signatory list as a full signatory (all chapters); only xAI is listed as a partial (Safety & Security chapter... | ● Yes, public. Layered reality: the GPAI Code of Practice is a provider (model developer) obligation, and the developer here is OpenAI, a full signatory on the EC's list (verified... |
| Art. 53 summary | ? Unclear. OpenAI's Help Center article "EU AI Act" states (per search-index snippet): "In accordance with OpenAI's obligations under Article 53(1)(d) of the AI Act, OpenAI publishes... | ● Yes, public. EU AI Act Art 53(1)(d) is a developer obligation, graded on OpenAI, not Microsoft. OpenAI's official EU AI Act help-center article states that "in accordance with its... |