OpenAI
Certifications & attestations
| Certification | Status | Source | Last verified |
|---|---|---|---|
| SOC 2 Type II: Covers the API Platform, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Team; Security, Availability, Confidentiality, and Privacy criteria. Report available via trust portal (NDA). | Verified | vendor source | June 10, 2026 |
| SOC 3: Public SOC 3 report downloadable from the trust portal. | Verified | vendor source | June 10, 2026 |
| ISO 27001: ISO/IEC 27001:2022 certificate covering the API, ChatGPT Enterprise, and ChatGPT Edu; publicly viewable on the trust portal. | Verified | vendor source | June 10, 2026 |
| ISO 27017: ISO/IEC 27017:2015 cloud security controls, implemented as an extension of the ISO 27001 ISMS. | Verified | vendor source | June 10, 2026 |
| ISO 27018: ISO/IEC 27018:2019 protection of PII in public clouds. | Verified | vendor source | June 10, 2026 |
| ISO 27701: ISO/IEC 27701:2019 privacy information management extension. | Verified | vendor source | June 10, 2026 |
| ISO 42001: ISO/IEC 42001:2023 AI management system certification. | Verified | vendor source | June 10, 2026 |
| CSA STAR: CAIQ self-assessment available on the trust portal. | Verified | vendor source | June 10, 2026 |
| FedRAMP 20x: FedRAMP 20x listed on the trust portal with dedicated services-and-features documentation. | Verified | vendor source | June 10, 2026 |
| TX-RAMP | Verified | vendor source | June 10, 2026 |
| PCI DSS: PCI DSS v4.0.1 for the ChatGPT components that support delegated payment processing only. | Verified | vendor source | June 10, 2026 |
| HIPAA: Security page says OpenAI 'helps customers meet' HIPAA requirements; BAA availability for eligible API customers not restated on fetched pages — kept as reported, not verified. | Reported · pending verification | vendor source | June 10, 2026 |
Subprocessors
Subprocessor extraction for OpenAI is pending.
Hosting & data residency
- Infrastructure: Microsoft Azure
- Data residency: OpenAI has announced data residency options for the API and ChatGPT Enterprise, but residency terms are not restated on the trust pages fetched 2026-06-10, so the claim is kept as pending.
Trust documents & links
- Trust center: https://trust.openai.com
- Security page: https://openai.com/security-and-privacy/
- DPA: https://openai.com/policies/data-processing-addendum/
- Status page: https://status.openai.com
Security incidents & disclosures
No incidents on record in the public sources we track, as of June 10, 2026. Absence of a record is not a guarantee — see methodology.
Change history
2026-06-10
Vendor added with a verified initial snapshot: SOC 2 Type II, SOC 3, ISO 27001/27017/27018/27701, ISO 42001, CSA STAR, FedRAMP 20x, TX-RAMP, and scoped PCI DSS confirmed against trust.openai.com (fetched 2026-06-10). HIPAA listed as reported only.
2026-06-10
Removed an incorrect subprocessors URL recorded at vendor-add: the SafeBase itemUid pointed at Datadog's trust-center subprocessors item, not OpenAI's. OpenAI's subprocessor list location is still to be confirmed.