Trust and privacy are at the core of our mission at OpenAI. We’re committed to privacy and security for ChatGPT Team, ChatGPT Enterprise, and our API Platform.
Our commitments
Ownership: You own and control your data
- We do not train on your business data (data from ChatGPT Team, ChatGPT Enterprise, or our API Platform)
- You own your inputs and outputs (where allowed by law)
- You control how long your data is retained (ChatGPT Enterprise)
Control: You decide who has access
- Enterprise-level authentication through SAML SSO (ChatGPT Enterprise and API)
- Fine-grained control over access and available features
- Custom models are yours alone to use and are not shared with anyone else
Security: Comprehensive compliance
- We’ve been audited for SOC 2 compliance (ChatGPT Enterprise and API)
- Data encryption at rest (AES-256) and in transit (TLS 1.2+)
- Visit our Trust Portal to understand more about our security measures
General FAQ
The easiest way to get started with OpenAI is to deploy ChatGPT Team or ChatGPT Enterprise for your employees. It’s simple to use and allows anyone in your organization to be productive with AI. If your engineering teams wish to build custom solutions using our technology, try our API Platform.
No. We do not use your ChatGPT Team, ChatGPT Enterprise, or API data, inputs, and outputs for training our models.
Your end users can build and share GPTs internally with each other within your workspace. The same commitments we provide for ChatGPT Enterprise and ChatGPT Team also apply to your use of GPTs within those workspaces. Note that if your workspace admins enable GPTs to be shareable with the public, any GPTs that your users choose to publish externally may be subject to additional review. Learn more about GPTs.
As between you and OpenAI: you retain all rights to the inputs you provide to our services and you own any output you rightfully receive from our services to the extent permitted by law. We only receive rights in input and output necessary to provide you with our services, comply with applicable law, and enforce our policies.
OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data. Our security team has an on-call rotation that has 24/7/365 coverage and is paged in case of any potential security incident. We offer a Bug Bounty Program for responsible disclosure of vulnerabilities discovered on our platform and products. Please visit our Trust Portal for more details.
Yes, we are able to execute a Data Processing Addendum (DPA) with customers for their use of ChatGPT Team, ChatGPT Enterprise, and the API in support of their compliance with GDPR and other privacy laws. Please complete our DPA form to execute a DPA with OpenAI.
We may run any business data submitted to OpenAI’s services through automated content classifiers and safety tools, including to better understand how our services are used. The classifications created are metadata about the business data but do not contain any of the business data itself. Business data is only subject to human review as described below on a service-by-service basis.
ChatGPT Enterprise FAQ
Built for businesses, ChatGPT Enterprise offers organizations the ability to use ChatGPT with controls, deployment tools, and speed required to make your entire organization more productive. Learn more about ChatGPT Enterprise.
Within your organization, end users can view their own conversations. Workspace admins have control over workspaces and access, and can view conversations and chat history on those workspaces. Authorized OpenAI employees will only ever access your conversations for the purposes of resolving incidents, recovering end user conversations with your explicit permission, or where required by applicable law.
ChatGPT Enterprise has been audited and certified for SOC 2 Type 1 compliance (Type 2 coming soon). Read more in our Trust Portal.
Your workspace admins control how long your data is retained. Any deleted conversations are removed from our systems within 30 days, unless we are legally required to retain them. Note that retention enables features like conversation history, and shorter retention periods may compromise product experience.
ChatGPT Team FAQ
Built for teams and small businesses, ChatGPT Team offers collaborative tools and self-serve access to the power of ChatGPT in a dedicated workspace for your team. Learn more about ChatGPT Team.
Within your organization, only end users can view their conversations. Workspace admins have control over workspaces and access. Our access to conversations stored on our systems is limited to (1) authorized employees that require access for engineering support, investigating potential platform abuse, and legal compliance and (2) specialized third-party contractors who are bound by confidentiality and security obligations, solely to review for abuse and misuse.
ChatGPT Team’s security measures are detailed in our Security Whitepaper (SOC 2 compliance coming soon). Read more in our Trust Portal.
Each of your end users controls whether their conversations are retained. Any deleted or unsaved conversations are removed from our systems within 30 days, unless we are legally required to retain them. Note that retention enables features like conversation history, and shorter retention periods may compromise product experience.
API Platform FAQ
The OpenAI API Platform gives developers access to powerful models like GPT-4 and GPT-3.5 Turbo. You can create various applications and services, including fine-tuning models for specific tasks. Find more information in our Platform Docs.
Our API Platform has been audited and certified for SOC 2 Type 2 compliance. Read more in our Trust Portal.
We are able to sign Business Associate Agreements (BAA) in support of customers’ compliance with the Health Insurance Portability and Accountability Act (HIPAA). Please reach out if you require a BAA.
Yes, you can adapt certain models to specific tasks by fine-tuning them with your own prompt-completion pairs. Your fine-tuned models are for your use alone and never served to or shared with other customers or used to train other models. Data submitted to fine-tune a model is retained until the customer deletes the files.
OpenAI may securely retain API inputs and outputs for up to 30 days to provide the services and to identify abuse. After 30 days, API inputs and outputs are removed from our systems, unless we are legally required to retain them. You can also request zero data retention (ZDR) for eligible endpoints if you have a qualifying use-case. For details on data handling, visit our Platform Docs page.
Our access to API business data stored on our systems is limited to (1) authorized employees that require access for engineering support, investigating potential platform abuse, and legal compliance and (2) specialized third-party contractors who are bound by confidentiality and security obligations, solely to review for abuse and misuse.
Model training FAQ
OpenAI trains its models in two stages. First, we learn from a large amount of data. Then, we use data from ChatGPT users and human trainers to make sure the outputs are safe and accurate and to improve their general capabilities. Learn more about our training process.
OpenAI uses data from different places including public sources, licensed third-party data, and information created by human reviewers. We also use data from versions of ChatGPT and DALL·E for individuals. Data from ChatGPT Team, ChatGPT Enterprise, and the API Platform (after March 1, 2023) isn't used for training our models.