AI Vendor Security & Compliance Brief

ChatGPT logo ChatGPT

Independent due-diligence summary · every fact links to the vendor's official source
7 source-cited facts
1 independently verified certs
4 legal documents tracked
Generated 2026-07-03
89/100
AI Governance Readiness

Enterprise-Ready

This vendor is rated 'Enterprise-Ready' with a score of 89 out of 100. Key strengths include an independently verified ISO 27001 certification and a commitment not to train on customer data under enterprise terms. However, the vendor's governance readiness recently downgraded due to a newly disclosed vulnerability, CVE-2025-43714 (MEDIUM), for which no fix is currently listed. It is recommended to ask for the remediation timeline for CVE-2025-43714 and confirm your exposure.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification 1 independently verified certification(s): ISO 27001.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement A Data Processing Agreement is published and tracked.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure 1 known CVE(s); none currently in CISA KEV.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 4 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Compliance Posture vendor-stated · cited

FrameworkStatusSource
GDPR Stated by vendor https://openai.com/policies/eu-privacy-policy/
ISO 27001 Stated by vendor https://trust.openai.com/
SOC 2 Stated by vendor https://trust.openai.com/
HIPAA Not publicly verified
BAA Available (HIPAA) Not publicly verified
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Sub-processors (published list) View document → https://openai.com/policies/subprocessors
Trains on Customer Data key clause
Free / Pro: trains on data ChatGPT Free/Plus: conversations may be used to train models unless you turn off 'Improve the model for everyone' in Data Controls. cited →
Enterprise: does not train ChatGPT Business/Enterprise/Edu and the API: business data (inputs and outputs) is excluded from model training by default; training only occurs if the customer explicitly opts in. cited →
see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Found 1
Vulnerabilities are usually disclosed after the vendor ships a fix, so most carry a patch. What matters for your risk is whether any are actively exploited (CISA KEV) and whether you run a patched version — patched entries below are a normal sign of an active security-response process, not an open exposure.
Vulnerability Disclosure Policy (security.txt) Found 1
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) Not applicable
Privately held — not a US-listed public company, so no SEC 8-K cyber-incident reporting obligation applies.

Security & Compliance Timeline authoritative · dated

Dated, source-cited history from authoritative records (NVD, SEC, CISA KEV). Subscribe to get alerted the moment a new event lands.

Independently Verified Certifications

CertificationStatusEvidence
ISO 27001 active https://trust.openai.com

Vendor-Claimed, Not Independently Verified treat as unconfirmed

CAIQ Claimed — not independently verified https://trust.openai.com
CYBER INSURANCE Claimed — not independently verified https://trust.openai.com
FEDRAMP LOW Claimed — not independently verified https://trust.openai.com
ISO 27017 Claimed — not independently verified https://trust.openai.com
ISO 27018 Claimed — not independently verified https://trust.openai.com
ISO 27701 Claimed — not independently verified https://trust.openai.com
PCI DSS Claimed — not independently verified https://trust.openai.com
PEN TEST Claimed — not independently verified https://trust.openai.com
SOC2 TYPE2 Claimed — not independently verified https://trust.openai.com
SOC3 Claimed — not independently verified https://trust.openai.com
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

DocumentURL
Ccpa Compliance https://openai.com/policies/privacy-policy
Gdpr Compliance https://openai.com/policies/data-processing-addendum
Trust https://trust.openai.com/
Vuln Mgmt https://openai.com/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Data Processing Addendum (DPA) On request / trust portal No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). Trust center →
Sub-processor List Trust portal / on request A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. Trust center →
Business Associate Agreement (BAA) On request OpenAI will sign a BAA for ChatGPT Enterprise and the API where PHI is processed. Request one by emailing baa@openai.com. Trust center →
Master Services Agreement (MSA) Negotiated per contract The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center →
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Continuous Monitoring change-tracking active

1 legal & policy document under change-monitoring since 2026-05-31. 2 tracked changes detected since baseline.

Baa
DetectedChangeDetail
2026-06-08 Governance Readiness Change Governance readiness downgraded: Enterprise-Ready → Conditional. Driven by: 1 new CVE (published from 2025-05-19): CVE-2025-43714. 1 of these have no vendor fix
What this means: This vendor's overall governance posture dropped a tier, driven by 1 change this period (see the summary below) — re-check whether it still meets your bar before renewal or expansion.
2026-06-08 CVE / Security Incident 1 new CVE (published from 2025-05-19): CVE-2025-43714. 1 of these have no vendor fix listed yet (CVE-2025-43714).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.

View full ChatGPT change history →

Search the Legal Documents verbatim · cited

Search ChatGPT's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor ChatGPT — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment ChatGPT changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.