Use of OpenAI as a subprocessor
Last updated: March 2, 2026
We use OpenAI as an AI service provider to process specific customer requests. The following explains how customer data is handled when OpenAI is involved. For further details, you can check OpenAI’s documentation.
What information is sent
Only the information strictly required to generate a response is sent to OpenAI. This may include text, vulnerability information, or source code.
How the data is used
OpenAI processes the data solely to generate a response to our request. We explicitly configure OpenAI’s API to disable response storage, meaning:
- Requests and responses are not stored as retrievable application data.
- No conversation history or long-term state is created on OpenAI’s systems.
Model training
Customer data sent through the OpenAI API is not used to train or improve OpenAI models.
Retention and logging
For security and abuse-prevention purposes, OpenAI may temporarily retain request data in internal safety logs for up to 30 days, after which it is deleted, unless a longer period is required by law. This retention is controlled by OpenAI and is separate from our systems.
Encryption and security
OpenAI applies industry-standard cryptography to protect data:
- Encryption at rest: Data stored on OpenAI systems is encrypted using AES-256 or an equivalent strong algorithm.
- Encryption in transit: Data moving between your systems and OpenAI is encrypted using TLS 1.2 or higher to protect it from interception on the network.
Certifications and compliance
- SOC 2 Type II
- SOC 3
- ISO/IEC 27001 - Information Security Management
- ISO/IEC 27017 - Cloud Security Controls
- ISO/IEC 27018 - Protection of Personal Data in Cloud Services
- ISO/IEC 27701 - Privacy Information Management
- ISO/IEC 42001 - Artificial Intelligence Management System (AI governance & risk)
- CSA STAR (Level 1 - Self-Assessment)
- TX-RAMP
- CCPA
- GDPR
You can find more information in the OpenAI Trust Portal.