Privacy & Security
How we protect your data across AWS and the ChatGPT Business API.
OpenAI Trust Center
Data Privacy and Usage
No Model Training: OpenAI does not use data from your ChatGPT Business account, including your API inputs and outputs, to train its models by default.
Data Ownership: Your organization retains ownership and control over your inputs and outputs (where allowed by law).
Confidentiality: All organizational data remains confidential and secure.
Security Measures
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) on OpenAI's secure servers in the U.S.
Compliance: ChatGPT Business and the API have been evaluated for SOC 2 Type 2 and GDPR; Data Processing Addendums (DPAs) are available.
Access Controls: Access limited to authorized personnel for specific purposes (support/abuse monitoring).
External Testing: Regular third-party penetration testing to identify and address security weaknesses.
AWS Controls
Identity & Access: Cognito-authenticated API access; IAM roles for Lambda and DynamoDB with least privilege.
Transport: All traffic over HTTPS via API Gateway and CloudFront.
Storage: S3 for static assets; DynamoDB for embeddings/usage; both encrypted at rest by AWS.
Secrets: OpenAI API key stored in AWS Secrets Manager; not embedded in client code.
Logging: Lambda logs go to CloudWatch; secrets are not intentionally logged.