OpenAI API
OpenAI's first-party API platform for GPT-family models. No training on API business data by default, documented ~30-day abuse-monitoring retention with approval-gated Zero Data Retention, regional data-residency options, and a trust portal (trust.openai.com) covering SOC 2 Type 2 and ISO certifications for the API Platform.
Watch-outs 5
The cells where this offering is not a clean public yes. This is what to check before you sign.
- SOC 2 Type II: Yes, sales-gated. SOC 2 Type II report access requires an active trust.openai.com account.
- HIPAA BAA: Yes, sales-gated. BAA covers only Zero Data Retention endpoints.
- Retention / ZDR: Yes, sales-gated. Zero Data Retention requires prior approval and is not default.
- Residency: Yes, sales-gated. EU data residency requires OpenAI approval and Zero Data Retention amendment.
- Art. 53 summary: Unclear. Art. 53 training-data summary publication status is unclear.
Trust portal publicly attests a SOC 2 Type 2 report covering Security, Availability, Confidentiality and Privacy TSC for the API Platform. The report itself is gated: "Customers with active trust.openai.com accounts can access the latest report under 'Documents.'"
tier: self_serve · route: trust_center_nda ·
scope: ['API Platform', 'ChatGPT Enterprise', 'ChatGPT Edu', 'ChatGPT Team'] · criteria: ['Security', 'Availability', 'Confidentiality', 'Privacy']
ISO/IEC 27001:2022 is publicly listed on the trust portal as covering the API Platform (alongside 27017/27018/27701); certificate documents require a trust-portal account. [human 2026-07-05] Dismissed: cert is now publicly viewable (availability improved, not weakened).
tier: self_serve · route: public ·
related: ['ISO/IEC 27017:2015', 'ISO/IEC 27018:2019', 'ISO/IEC 27701:2019'] · standard: ISO/IEC 27001:2022
ISO/IEC 42001:2023 (AI management system) is publicly listed on the trust portal among certifications applying to the API Platform. [human 2026-07-05] Dismissed: scrape artifact. OpenAI holds ISO/IEC 42001 (openai.com/security-and-privacy); trust.openai.com JS portal returned an incomplete cert list.
tier: self_serve · route: public ·
standard: ISO/IEC 42001:2023
Maintained trust portal at trust.openai.com; overview page is public, most documents (reports, certificates) require registering an account. No Wayback snapshot exists for the portal (JS-heavy page).
tier: self_serve · route: public ·
certifications_listed: ['SOC 2 Type 2', 'ISO/IEC 27001:2022', 'ISO/IEC 27017:2015', 'ISO/IEC 27018:2019', 'ISO/IEC 27701:2019', 'ISO/IEC 42001:2023', 'PCI DSS v4.0.1', 'CSA STAR', 'FedRAMP 20x', 'TX-RAMP']
BAA for the API is requested via [email protected] and reviewed case-by-case; no enterprise agreement is required. Critically, the API BAA covers only endpoints eligible for Zero Data Retention: even with a signed BAA, calls to non-ZDR-configured endpoints can be out of scope.
tier: self_serve · route: sales_contract · default: requires_approval ·
scope: ZDR-eligible endpoints only · contact: [email protected] · healthcare_addendum: https://cdn.openai.com/osa/healthcare-addendum.pdf · enterprise_agreement_required: False
Public DPA (current version v.010126, PDF verified 2026-07-05) incorporating EU Standard Contractual Clauses for international transfers, with a published sub-processor list and a change-notification sign-up mechanism. DPA must be executed by the customer to apply.
tier: self_serve · route: public · default: requires_config ·
sccs: EU SCCs (2021/914) Modules 2 (C2P) and 3 (P2SubP) · dpa_pdf: https://cdn.openai.com/pdf/openai-data-processing-addendum.pdf · dpa_version: v.010126 · subprocessor_list: https://openai.com/policies/sub-processor-list/
Docs state "data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us)". No-training is the default; sharing is opt-in only.
tier: self_serve · route: public · default: enabled ·
opt_in_data_sharing: available
Retention is publicly documented: abuse-monitoring logs kept up to 30 days by default (longer if required by law); application state varies by endpoint (e.g. conversations/threads kept until deleted). Zero Data Retention excludes content from abuse-monitoring logs but is "subject to prior approval by OpenAI"; it is NOT the default and must be requested, approved, then configured per organization/project.
tier: self_serve · route: sales_contract · default: requires_approval ·
retention_days: 30 · zdr_excluded_models: ['dall-e-2', 'dall-e-3'] · zdr_approval_required: True · zdr_eligible_endpoints: ['chat completions', 'responses', 'images', 'embeddings', 'audio transcriptions/translations', 'speech', 'moderations', 'completions', 'realtime']
Data residency is configured per Project at creation only (existing Projects cannot be migrated). Non-US regions additionally require OpenAI approval for modified abuse-monitoring controls and execution of a Zero Data Retention amendment, so EU residency effectively bundles ZDR and is approval-gated rather than purely self-serve.
tier: self_serve · route: sales_contract · default: requires_approval · geography: EU, UK, US, Canada, Japan, South Korea, Singapore, India, Australia, UAE
regions: ['us', 'eu', 'uk', 'ca', 'jp', 'kr', 'sg', 'in', 'au', 'ae'] · mechanism: per-Project region selection at Project creation (regional domain prefixes) · announcement: https://openai.com/index/introducing-data-residency-in-europe/
OpenAI appears on the European Commission's GPAI Code of Practice signatory list as a full signatory (all chapters); only xAI is listed as a partial (Safety & Security chapter only) signatory. This is a model-developer obligation; OpenAI is both developer and platform here.
route: public · geography: EU
chapters: all (full code)
OpenAI's Help Center article "EU AI Act" states (per search-index snippet): "In accordance with OpenAI's obligations under Article 53(1)(d) of the AI Act, OpenAI publishes summaries about the content used for training", but the article returns 403 to automated fetchers, has no Wayback snapshot, and the actual EC-template training-content summary document could not be located on openai.com/cdn.openai.com. Secondary reporting (Aug 2025) questioned whether GPT-5 shipped with the required summary. Needs human verification in a browser.
route: public · geography: EU