Subprocessor OpenAI

Last updated: Apr 29, 2026


We use OpenAI as an AI service provider to process specific customer requests. The following explains how customer data is handled when OpenAI is involved. For further details, you can check OpenAI's documentation.

What information is sent

Only the information strictly required to generate a response is sent to OpenAI. This may include text, vulnerability info, or source code.

How the data is used

OpenAI processes the data solely to generate a response to our request. We configure OpenAI's API with Zero Data Retention, meaning:

  • Requests and responses are not stored in OpenAI's systems.
  • No conversation history or long-term state is created on OpenAI's systems.
  • Customer content is excluded from OpenAI's abuse monitoring logs.

Model training

Customer data sent through the OpenAI API is not used to train or improve OpenAI models.

Zero Data Retention

We have Zero Data Retention enabled; customer content sent through the API is therefore excluded from OpenAI's abuse monitoring logs. Data is processed in memory and is not written to a persistent database or disk.

Encryption and security

OpenAI applies industry-standard cryptography to protect data:

  • Encryption at rest: Data stored on OpenAI systems is encrypted using AES-256 or an equivalent strong algorithm.
  • Encryption in transit: Data moving between your systems and OpenAI is encrypted using TLS 1.2 or higher to protect it from interception on the network.

Certifications and compliance

  • SOC 2 Type II
  • SOC 3
  • ISO/IEC 27001 - Information Security Management
  • ISO/IEC 27017 - Cloud Security Controls
  • ISO/IEC 27018 - Protection of Personal Data in Cloud Services
  • ISO/IEC 27701 - Privacy Information Management
  • ISO/IEC 42001 - Artificial Intelligence Management System (AI governance & risk)
  • CSA STAR (Level 1 - Self-Assessment)
  • TX-RAMP
  • CCPA
  • GDPR

You can find more information in the OpenAI Trust Portal.

Other privacy measures
