User Data Management by OpenAI: Collection, Storage, Processing, Sharing, Security, and Use

OpenAI, as a research and deployment company for AI, prioritizes trust and privacy, especially for its professional products like ChatGPT (Team, Enterprise, Edu) and its API platform. These services, covered by the SOC 3 report, have specific user data management practices that differ from consumer services like the individual version of ChatGPT. This article explores how OpenAI manages user data for these professional services.

User Data Collection

OpenAI collects various categories of data from users interacting with its professional ChatGPT services and API. One significant category is personal data, which includes account-related information such as your name, contact details, account identifiers, date of birth, payment information, and transaction history. This information is crucial for managing user accounts and facilitating transactions.

In addition to personal data, OpenAI also collects user content, which encompasses the data you input into the services. This includes prompts and any uploaded content, such as files, images, and audio. For professional services, this type of data is specifically referred to as “Client Data.”

Another important category is metadata. When you upload images, hidden metadata may be collected, including EXIF data, time, and location (GPS coordinates). Furthermore, device information, such as the type of device, operating system, and browser version, is also gathered to enhance the user experience and ensure compatibility.

Lastly, OpenAI monitors abuse through the collection of abuse monitoring data. Logs generated from your use of the platform may contain client content and derived metadata, which are essential for enforcing API usage policies and mitigating harmful uses of AI. This monitoring helps maintain a safe and secure environment for all users.

It’s important to note that the content of uploaded images, such as backgrounds or readable text, may also be included in the data provided to OpenAI, especially if the photo is high resolution.

User Data Storage

User data is stored on OpenAI’s systems and those of trusted service providers located in the U.S. and worldwide. The infrastructure for ChatGPT and API services is hosted by subcontractors like Microsoft Azure and Snowflake, which provide scalable cloud hosting and data warehousing.

Client Data is managed securely, in compliance with data protection regulations and established client agreements, following industry best practices. For eligible API clients, data residency controls are available to configure where data is stored for specific projects.

Processing and Use of User Data

OpenAI processes and uses user data to provide and improve its services and to ensure security and compliance, but not for marketing or sales purposes:

  • Service Provision: Data is used to provide, analyze, and maintain services, such as responding to queries in ChatGPT.
  • Model and Feature Improvement: Data may be used to enhance services and conduct research. OpenAI continuously improves its models through exposure to real-world problems and data.
    • By default, OpenAI does not use commercial data from ChatGPT Team, Enterprise, Edu, and the API platform to train its models.
    • For individual services, user content may be used for training, but users can opt out via data control settings.
    • API clients can choose to enable data sharing to help improve models, managed at the organizational or project level.
  • Analysis and Monitoring: Data may be aggregated or de-identified for service usage analysis and research. Abuse monitoring logs are generated for all use of API features and retained for up to 30 days.
  • Security and Abuse Prevention: Data is used to prevent fraud and protect system security. Limited human review of user content occurs only when necessary for investigations or support.

User Data Sharing

OpenAI may share user data with certain parties under specific circumstances, generally under confidentiality commitments:

  • Third-Party Service Providers: Content is shared with a limited group of trusted service providers necessary for service delivery, subject to strict confidentiality obligations.
  • Affiliates: Personal data may be disclosed to OpenAI’s affiliates, who may use it in accordance with the Privacy Policy.
  • Professional Account Administrators: In enterprise accounts, administrators may access user accounts and content.
  • Government Authorities: OpenAI may share personal data with government authorities as required by law.

User Data Security

OpenAI implements technical, administrative, and organizational security measures to protect user data throughout its lifecycle. Its security program is designed to safeguard systems, data, and Client Data.

  • General Measures: The company maintains security policies reviewed annually. Automated systems respond to security threats.
  • Access Controls: Logical access is limited to authorized personnel, with multi-factor authentication required for employees.
  • Encryption: Client Data is protected by encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Network Security: Networks are protected by enterprise-grade firewalls and monitored for security and availability.

Privacy and Regulatory Compliance

OpenAI is committed to supporting its clients’ compliance with privacy laws and industry regulations.

  • Data Processing Addendum (DPA): OpenAI may sign a DPA with clients to support compliance with GDPR and other privacy laws.
  • General Compliance: OpenAI maintains policies to ensure compliance with legal and regulatory requirements.

