No. We do not use your ChatGPT Enterprise or API data, inputs, and outputs for training our models.

You can adapt certain models to specific tasks by fine-tuning them with your own prompt-completion pairs. Your fine-tuned model is yours alone to use and is not served to or shared with other customers or used to train other models. Data submitted to fine-tune a model is retained until the customer deletes the file. Learn more about fine-tuning.

You retain all rights to the inputs you provide to our services. You also own any output you rightfully receive from the services to the extent permitted by law. We only receive rights in input and output necessary to provide you with our services, comply with applicable law, and enforce our policies.

OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data. Our security team has an on-call rotation that has 24/7/365 coverage and is paged in case of any potential security incident. We offer a Bug Bounty Program for responsible disclosure of vulnerabilities discovered on our platform and products. Please visit our Trust Portal for more details.

Yes, we are able to execute a Data Processing Addendum (DPA) with customers for their use of ChatGPT Enterprise and the API in support of their compliance with GDPR and other privacy laws. Please complete our DPA form to execute a DPA with OpenAI.

We may run any business data submitted to OpenAI’s services through automated content classifiers.  Classifiers are metadata about business data but do not contain any business data itself. Business data is only subject to human review as described below on a service-by-service basis.

Within your organization, only end users can view their conversations. Workspace admins have control over workspaces and access. ​​Authorized OpenAI employees will only ever access your data for the purposes of resolving incidents, recovering end user conversations with your explicit permission, or where required by applicable law.

ChatGPT Enterprise has been audited for SOC 2 Type 1 compliance (Type 2 coming soon). Read more in our Trust Portal.

ChatGPT Enterprise securely retains data to enable features like conversation history. You control how long your data is retained. Any deleted conversations are removed from our systems within 30 days. Note that shorter retention periods may compromise product experience.

Our API Platform has been audited for SOC 2 Type 2 compliance. Read more in our Trust Portal.

We are able to sign Business Associate Agreements (BAA) in support of customers’ compliance with the Health Insurance Portability and Accountability Act (HIPAA). Please reach out to our sales team if you require a BAA.

Yes, you can adapt certain models to specific tasks by fine-tuning them with your own prompt-completion pairs. Your fine-tuned models are for your use alone and never served to or shared with other customers or used to train other models. Data submitted to fine-tune a model is retained until the customer deletes the files.

OpenAI may securely retain API inputs and outputs for up to 30 days to identify abuse. You can also request zero data retention (ZDR) for eligible endpoints if you have a qualifying use-case. For details on data handling, visit our Platform Docs page.

Access to API business data stored on our systems is limited to (1) authorized employees that require access for engineering support, investigating potential platform abuse, and legal compliance and (2) specialized third-party contractors who are bound by confidentiality and security obligations, solely to review for abuse and misuse.

OpenAI uses data from different places including public sources, licensed third-party data, and information created by human reviewers. We also use data from versions of ChatGPT and DALL-E for individuals. Data from ChatGPT Enterprise and the API Platform (after March 1, 2023) isn't used for training our models.