ChatGPT Enterprise
Enterprise-Ready
The vendor is rated "Enterprise-Ready" with a score of 89 out of 100. Strong evidence includes confirmed SOC 2 Type 2 and ISO 27001 certifications, with audit reports available under NDA. A material gap is the recent disclosure of CVE-2025-43714, for which no vendor fix is currently listed. Buyers should ask for the remediation timeline for this vulnerability and confirm their exposure.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure 1 known CVE(s); none currently in CISA KEV.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 5 legal/policy documents publicly tracked.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://openai.com/enterprise-privacy/ |
| GDPR | Stated by vendor | https://openai.com/policies/eu-privacy-policy/ |
| HIPAA | Stated by vendor | https://openai.com/enterprise-privacy/ |
| ISO 27001 | Stated by vendor | https://trust.openai.com/ |
| SOC 2 | Stated by vendor | https://trust.openai.com/ |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Data Processing Agreement (DPA) | View document → | https://openai.com/policies/data-processing-addendum |
| Sub-processors (published list) | View document → | https://openai.com/policies/subprocessors |
| Trains on Customer Data key clause |
Free / Pro:
trains on data
ChatGPT Free/Plus: conversations may be used to train models unless you turn off 'Improve the model for everyone' in Data Controls.
cited →
Enterprise:
does not train
ChatGPT Business/Enterprise/Edu and the API: business data (inputs and outputs) is excluded from model training by default; training only occurs if the customer explicitly opts in.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2025-05-19 CVE CVE-2025-43714 disclosed (MEDIUM · no fix listed)
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://trust.openai.com/ |
| SOC2 TYPE2 | Available via Trust Center | https://trust.openai.com/ |
Common compliance questions
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Privacy | https://openai.com/enterprise-privacy/ |
| Security | https://openai.com/security/ |
| Soc Report | https://trust.openai.com/ |
| Tos | https://openai.com/policies/terms-of-use/ |
| Trust | https://trust.openai.com/ |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | On request / trust portal | No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). Trust center → |
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. Trust center → |
| Business Associate Agreement (BAA) | On request | OpenAI signs BAAs for ChatGPT Enterprise and the API. Request one by emailing baa@openai.com. Trust center → |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
3 legal & policy documents under change-monitoring since 2026-06-09. 1 tracked change detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-08 | CVE / Security Incident |
1 new CVE (published from 2025-05-19): CVE-2025-43714. 1 of these have no vendor fix listed yet (CVE-2025-43714).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
Search the Legal Documents verbatim · cited
Search ChatGPT Enterprise's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor ChatGPT Enterprise — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment ChatGPT Enterprise changes something that affects your risk. Built for procurement & security teams.