Trust and privacy are at the core of our mission at OpenAI. We're committed to privacy and security for ChatGPT Team, ChatGPT Enterprise, and our API Platform.
- We do not train on your business data (data from ChatGPT Team, ChatGPT Enterprise, or our API Platform).
- You own your inputs and outputs (where allowed by law).
- You control how long your data is retained (ChatGPT Enterprise).
- Enterprise-level authentication through SAML SSO (ChatGPT Enterprise and API).
- Fine-grained control over access and available features.
- Custom models are yours alone to use and are not shared with anyone else.
- We’ve been audited for SOC 2 compliance (ChatGPT Enterprise and API).
- Data encryption at rest (AES-256) and in transit (TLS 1.2+).
- Visit our Trust Portal to understand more about our security measures.
The easiest way to get started with OpenAI is to deploy ChatGPT Team or ChatGPT Enterprise for your employees. It's simple to use and allows anyone in your organization to be productive with AI. If your engineering teams wish to build custom solutions using our technology, try our API Platform(opens in a new window).
No. We do not use your ChatGPT Team, ChatGPT Enterprise, or API data, inputs, and outputs for training our models.
Your end users can build and share GPTs internally with each other within your workspace. The same commitments we provide for ChatGPT Enterprise and ChatGPT Team also apply to your use of GPTs within those workspaces. Note that if your workspace admins enable GPTs to be shareable with the public, any GPTs that your users choose to publish externally may be subject to additional review. Learn more about GPTs.
As between you and OpenAI: you retain all rights to the inputs you provide to our services and you own any output you rightfully receive from our services to the extent permitted by law. We only receive rights in input and output necessary to provide you with our services, comply with applicable law, and enforce our policies.
OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data. Our security team has an on-call rotation that has 24/7/365 coverage and is paged in case of any potential security incident. We offer a Bug Bounty Program for responsible disclosure of vulnerabilities discovered on our platform and products. Please visit our Trust Portal(opens in a new window) for more details.
Yes, we are able to execute a Data Processing Addendum (DPA) with customers for their use of ChatGPT Team, ChatGPT Enterprise, and the API in support of their compliance with GDPR and other privacy laws. Please complete our DPA form(opens in a new window) to execute a DPA with OpenAI.
We may run any business data submitted to OpenAI's services through automated content classifiers and safety tools, including to better understand how our services are used. The classifications created are metadata about the business data but do not contain any of the business data itself. Business data is only subject to human review as described below on a service-by-service basis.
Built for businesses, ChatGPT Enterprise offers organizations the ability to use ChatGPT with controls, deployment tools, and speed required to make your entire organization more productive. Learn more about ChatGPT Enterprise.
Within your organization, end users can view their own conversations. Your organization has control over workspaces, and workspace admins can access an audit log of conversations and GPTs through the Enterprise Compliance API(opens in a new window). Authorized OpenAI employees will only ever access your conversations for the purposes of resolving incidents, recovering end user conversations with your explicit permission, or where required by applicable law.
ChatGPT Enterprise has been audited and certified for SOC 2 Type 1 compliance (Type 2 coming soon). Read more in our Trust Portal(opens in a new window).
Your workspace admins control how long your data is retained. Any deleted conversations are removed from our systems within 30 days, unless we are legally required to retain them. Note that retention enables features like conversation history, and shorter retention periods may compromise product experience.
Built for teams and small businesses, ChatGPT Team offers collaborative tools and self-serve access to the power of ChatGPT in a dedicated workspace for your team. Learn more about ChatGPT Team.
Within your organization, only end users can view their conversations. Workspace admins have control over workspaces and access. Our access to conversations stored on our systems is limited to (1) authorized employees that require access for engineering support, investigating potential platform abuse, and legal compliance and (2) specialized third-party contractors who are bound by confidentiality and security obligations, solely to review for abuse and misuse.
ChatGPT Team's security measures are detailed in our Security Whitepaper (SOC 2 compliance coming soon). Read more in our Trust Portal(opens in a new window).
Each of your end users controls whether their conversations are retained. Any deleted or unsaved conversations are removed from our systems within 30 days, unless we are legally required to retain them. Note that retention enables features like conversation history, and shorter retention periods may compromise product experience.
The OpenAI API Platform gives developers access to powerful models like GPT-4 and GPT-3.5 Turbo. You can create various applications and services, including fine-tuning models for specific tasks. Find more information in our Platform Docs(opens in a new window).
Our API Platform has been audited and certified for SOC 2 Type 2 compliance. Read more in our Trust Portal(opens in a new window).
We are able to sign Business Associate Agreements (BAA) in support of customers' compliance with the Health Insurance Portability and Accountability Act (HIPAA). Please reach out(opens in a new window) if you require a BAA.
Yes, you can adapt certain models to specific tasks by fine-tuning them with your own prompt-completion pairs. Your fine-tuned models are for your use alone and never served to or shared with other customers or used to train other models. Data submitted to fine-tune a model is retained until the customer deletes the files.
OpenAI may securely retain API inputs and outputs for up to 30 days to provide the services and to identify abuse. After 30 days, API inputs and outputs are removed from our systems, unless we are legally required to retain them. You can also request zero data retention (ZDR) for eligible endpoints if you have a qualifying use-case. For details on data handling, visit our Platform Docs(opens in a new window) page.
Our access to API business data stored on our systems is limited to (1) authorized employees that require access for engineering support, investigating potential platform abuse, and legal compliance and (2) specialized third-party contractors who are bound by confidentiality and security obligations, solely to review for abuse and misuse.
OpenAI trains its models in two stages. First, we learn from a large amount of data. Then, we use data from ChatGPT users and human trainers to make sure the outputs are safe and accurate and to improve their general capabilities. Learn more about our training process(opens in a new window).
OpenAI uses data from different places including public sources, licensed third-party data, and information created by human reviewers. We also use data from versions of ChatGPT and DALL-E for individuals. Data from ChatGPT Team, ChatGPT Enterprise, and the API Platform (after March 1, 2023) isn't used for training our models.