AI Vendor Security & Compliance Brief
ChatGPT
Independent due-diligence summary · every fact links to the vendor's official source
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://openai.com/policies/eu-privacy-policy/ |
| ISO 27001 | Stated by vendor | https://trust.openai.com/ |
| SOC 2 | Stated by vendor | https://trust.openai.com/ |
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Sub-processors | Microsoft Azure, Stripe, Twilio | https://openai.com/policies/subprocessors |
Security Posture authoritative · cited
Known Vulnerabilities (CVE / CISA KEV)
Not determinable
Could not map this vendor to a software identity — abstained rather than guess.
Vulnerability Disclosure Policy (security.txt)
Found
1
Email Spoofing Protection (DMARC)
Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate
Valid
Data Breach History (HIBP)
None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard)
Not determinable
Could not map this vendor to a software identity — abstained rather than guess.
OFAC Sanctions Screening
None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05)
Not determinable
Could not map this vendor to a software identity — abstained rather than guess.
Independently Verified Certifications
| Certification | Status | Evidence |
|---|---|---|
| ISO 27001 | active | https://trust.openai.com |
Vendor-Claimed, Not Independently Verified treat as unconfirmed
| CAIQ | claimed_unverified | https://trust.openai.com |
| CYBER INSURANCE | claimed_unverified | https://trust.openai.com |
| FEDRAMP LOW | claimed_unverified | https://trust.openai.com |
| ISO 27017 | claimed_unverified | https://trust.openai.com |
| ISO 27018 | claimed_unverified | https://trust.openai.com |
| ISO 27701 | claimed_unverified | https://trust.openai.com |
| PCI DSS | claimed_unverified | https://trust.openai.com |
| PEN TEST | claimed_unverified | https://trust.openai.com |
| SOC2 TYPE2 | claimed_unverified | https://trust.openai.com |
| SOC3 | claimed_unverified | https://trust.openai.com |
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Ccpa Compliance | https://openai.com/policies/privacy-policy |
| Dpa | https://openai.com/policies/data-processing-addendum |
| Gdpr Compliance | https://openai.com/policies/data-processing-addendum |
| Msa | https://openai.com/policies/services-agreement |
| Privacy | https://openai.com/policies/privacy-policy |
| Security | https://openai.com/sitemap.xml/security/ |
| Sla | https://openai.com/policies |
| Subprocessors | https://platform.openai.com/subprocessors |
| Tos | https://openai.com/policies/terms-of-use |
| Trust | https://status.openai.com |
| Vuln Mgmt | https://openai.com/.well-known/security.txt |
Monitor ChatGPT — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment ChatGPT changes something that affects your risk. Built for procurement & security teams.
Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal
pages and links to its source. This brief contains no scraped sentiment, forum chatter, or
AI-inferred opinion — only verifiable, deterministic facts. Verify each source before
procurement decisions.