AI Provider Trust Registry · evidence verified as of 2026-07-05


OpenAI API

developer: OpenAI · platform: OpenAI · category: first party

OpenAI's first-party API platform for GPT-family models. No training on API business data by default, documented ~30-day abuse-monitoring retention with approval-gated Zero Data Retention, regional data-residency options, and a trust portal (trust.openai.com) covering SOC 2 Type 2 and ISO certifications for the API Platform.

Watch-outs (5)

The cells where this offering is not a clean public yes. This is what to check before you sign.

Vendor trust
SOC 2 Type II: Is a SOC 2 Type II report available for this offering?
Yes, sales-gated · confidence: high · verified 2026-07-05

Trust portal publicly attests a SOC 2 Type 2 report covering Security, Availability, Confidentiality and Privacy TSC for the API Platform. The report itself is gated: "Customers with active trust.openai.com accounts can access the latest report under 'Documents.'"

tier: self_serve · route: trust_center_nda

scope: ['API Platform', 'ChatGPT Enterprise', 'ChatGPT Edu', 'ChatGPT Team'] · criteria: ['Security', 'Availability', 'Confidentiality', 'Privacy']

source

ISO 27001: Is there an ISO/IEC 27001 certification covering this offering?
Yes, public · confidence: high · verified 2026-07-05

ISO/IEC 27001:2022 is publicly listed on the trust portal as covering the API Platform (alongside 27017/27018/27701); certificate documents require a trust-portal account. [human 2026-07-05] Dismissed: cert is now publicly viewable (availability improved, not weakened).

tier: self_serve · route: public

related: ['ISO/IEC 27017:2015', 'ISO/IEC 27018:2019', 'ISO/IEC 27701:2019'] · standard: ISO/IEC 27001:2022

source

ISO 42001: Is there an ISO/IEC 42001 (AI management system) certification?
Yes, public · confidence: high · verified 2026-07-05

ISO/IEC 42001:2023 (AI management system) is publicly listed on the trust portal among certifications applying to the API Platform. [human 2026-07-05] Dismissed: scrape artifact. OpenAI holds ISO/IEC 42001 (openai.com/security-and-privacy); trust.openai.com JS portal returned an incomplete cert list.

tier: self_serve · route: public

standard: ISO/IEC 42001:2023

source

Trust center: Is there a maintained trust center / compliance portal?
Yes, public · confidence: high · verified 2026-07-05

Maintained trust portal at trust.openai.com; the overview page is public, but most documents (reports, certificates) require registering an account. No Wayback snapshot exists for the portal (JS-heavy page).

tier: self_serve · route: public

certifications_listed: ['SOC 2 Type 2', 'ISO/IEC 27001:2022', 'ISO/IEC 27017:2015', 'ISO/IEC 27018:2019', 'ISO/IEC 27701:2019', 'ISO/IEC 42001:2023', 'PCI DSS v4.0.1', 'CSA STAR', 'FedRAMP 20x', 'TX-RAMP']

source

Data handling
HIPAA BAA: Will they sign a HIPAA Business Associate Agreement covering this offering?
Yes, sales-gated · confidence: high · verified 2026-07-05

BAA for the API is requested via [email protected] and reviewed case-by-case; no enterprise agreement is required. Critically, the API BAA covers only endpoints eligible for Zero Data Retention, so even with a signed BAA, calls to non-ZDR-configured endpoints can be out of scope.

tier: self_serve · route: sales_contract · default: requires_approval

scope: ZDR-eligible endpoints only · contact: [email protected] · healthcare_addendum: https://cdn.openai.com/osa/healthcare-addendum.pdf · enterprise_agreement_required: False

source · archived copy

GDPR DPA: Is there a public DPA with SCCs and a published subprocessor list?
Yes, public · confidence: high · verified 2026-07-05

Public DPA (current version v.010126, PDF verified 2026-07-05) incorporating EU Standard Contractual Clauses for international transfers, with a published sub-processor list and a change-notification sign-up mechanism. DPA must be executed by the customer to apply.

tier: self_serve · route: public · default: requires_config

sccs: EU SCCs (2021/914) Modules 2 (C2P) and 3 (P2SubP) · dpa_pdf: https://cdn.openai.com/pdf/openai-data-processing-addendum.pdf · dpa_version: v.010126 · subprocessor_list: https://openai.com/policies/sub-processor-list/

source

No-training default: Is there a public commitment not to train on customer API data by default?
Yes, public · confidence: high · verified 2026-07-05

Docs state "data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us)". No-training is the default; sharing is opt-in only.

tier: self_serve · route: public · default: enabled

opt_in_data_sharing: available

source · archived copy

Retention / ZDR: Is retention documented, and is zero-data-retention available?
Yes, sales-gated · confidence: high · verified 2026-07-05

Retention is publicly documented: abuse-monitoring logs are kept up to 30 days by default (longer if required by law); application state varies by endpoint (e.g. conversations/threads are kept until deleted). Zero Data Retention excludes content from abuse-monitoring logs but is "subject to prior approval by OpenAI"; it is NOT the default and must be requested, approved, then configured per organization/project.

tier: self_serve · route: sales_contract · default: requires_approval

retention_days: 30 · zdr_excluded_models: ['dall-e-2', 'dall-e-3'] · zdr_approval_required: True · zdr_eligible_endpoints: ['chat completions', 'responses', 'images', 'embeddings', 'audio transcriptions/translations', 'speech', 'moderations', 'completions', 'realtime']

source · archived copy

Residency: Can data be pinned to a region (especially the EU)?
Yes, sales-gated · confidence: high · verified 2026-07-05

Data residency is configured per Project at creation only (existing Projects cannot be migrated). Non-US regions additionally require OpenAI approval for modified abuse-monitoring controls and execution of a Zero Data Retention amendment, so EU residency effectively bundles ZDR and is approval-gated rather than purely self-serve.

tier: self_serve · route: sales_contract · default: requires_approval · geography: EU, UK, US, Canada, Japan, South Korea, Singapore, India, Australia, UAE

regions: ['us', 'eu', 'uk', 'ca', 'jp', 'kr', 'sg', 'in', 'au', 'ae'] · mechanism: per-Project region selection at Project creation (regional domain prefixes) · announcement: https://openai.com/index/introducing-data-residency-in-europe/

source · archived copy

EU AI Act
GPAI Code: Is the model developer on the EC's GPAI Code of Practice signatory list?
Yes, public · confidence: high · verified 2026-07-05

OpenAI appears on the European Commission's GPAI Code of Practice signatory list as a full signatory (all chapters); only xAI is listed as a partial (Safety & Security chapter only) signatory. This is a model-developer obligation; OpenAI is both developer and platform here.

route: public · geography: EU

chapters: all (full code)

source · archived copy

Art. 53 summary: Has the model developer published the Art. 53 training-data summary?
Unclear · confidence: low · verified 2026-07-05

OpenAI's Help Center article "EU AI Act" states (per search-index snippet): "In accordance with OpenAI's obligations under Article 53(1)(d) of the AI Act, OpenAI publishes summaries about the content used for training", but the article returns 403 to automated fetchers, has no Wayback snapshot, and the actual EC-template training-content summary document could not be located on openai.com/cdn.openai.com. Secondary reporting (Aug 2025) questioned whether GPT-5 shipped with the required summary. Needs human verification in a browser.

route: public · geography: EU

source
