Skip to main navigation Skip to main content Skip to page footer
StocKinger Consulting LLC StocKinger Consulting LLC

How companies can obtain the OpenAI data processing agreement (avv/dpa)

Why this topic is important

As soon as companies start using OpenAI services for business purposes —whether via the API, ChatGPT Business, or ChatGPT Enterprise —the GDPR question inevitably arises:

Is there a data processing agreement (DPA) with OpenAI—and how can I access it?

The good news: Yes, it exists. The not-so-good news: It's not quite where you would intuitively expect it to be.

This article shows you step by step:

  • What the OpenAI Data Processing Addendum (DPA) is legally,
  • which licenses it applies to (API, Business, Enterprise),
  • how to conclude it and
  • where to obtain the required Organization ID (Org ID).

 

What is the OpenAI Data Processing Addendum?

OpenAI's Data Processing Addendum (DPA) is the data processing agreement pursuant to Art. 28 GDPR.

In it, OpenAI regulates, among other things:

  • the processing of personal data on behalf of the customer,
  • Earmarking and obligation to follow instructions,
  • technical and organizational measures (TOMs),
  • Subcontractor,
  • International data transfers (including EU standard contractual clauses, SCCs).

You can find the official document here: https://openai.com/de-DE/policies/data-processing-addendum/

Important: The DPA does not apply automatically, but must be actively concluded.

 

Which OpenAI products does the DPA apply to?

The OpenAI DPA applies to all commercial OpenAI offerings where OpenAI acts as a processor:

Applies to

  • OpenAI API (including GPT‑4.x, GPT‑4o, Assistants, Fine‑Tuning)
  • ChatGPT Business
  • ChatGPT Enterprise

Does not apply to

  • ChatGPT Free
  • ChatGPT Plus (personal use)

So it is not the tool that is decisive, but the contractual context of use.

 

How does a customer get a contract?

The path to the AVV does not run through the ChatGPT admin area, but through a separate signature form.

Step 1: Create an organization at OpenAI (ChatGPT account or API account)

A prerequisite is an organization in the OpenAI Platform account.

This can be done at: https://platform.openai.com/settings/organization/general

There you can see:

  • organization name
  • Organization ID (Org ID)
  • verification status

Step 2: Find the Organization ID (Org ID)

The Org ID is a technical but legally relevant identifier.

How to find them:

  1. Open https://platform.openai.com/settings/organization/general
  2. Go to the Organization → General section.
  3. Copy the Organization ID value (typically begins with org-…)

This Org ID is mandatory in the DPA form.

Step 3: Complete the DPA form

At the bottom of the DPA page https://openai.com/de-DE/policies/data-processing-addendum/, you will find the link

"Execute data processing agreement"

This leads to an online form (currently via ironcladapp.com).

 

Information requested

The form requires, among other things:

  • Full legal company name
  • Organization ID
  • Based in the EEA or Switzerland (Yes/No)
  • responsible OpenAI contract unit
  • authorized signatory
  • Email address of the signatory

After sending:

  • the signatory will receive confirmation by email
  • The DPA becomes a legally binding part of the contractual relationship.

Legal effect after completion

After successful completion, the following applies:

  • Your company = controller
  • OpenAI = Processor

The DPA:

  • can be included in the list of processors
  • is the basis for DSFA, TOM assessments, and data protection audits
  • Centrally covers API usage, business, and enterprise

Typical practical questions (brief answers)

Is the link to the DPA alone sufficient? → No. The decisive factor is the concluded contract, not the document itself.

Do I have to conclude this for each project? → No. The DPA applies organization-wide for the respective Org ID.

Do I need additional SCCs? → No. The SCCs are part of the DPA.

Conclusion

OpenAI enables companies to work with modern AI models in compliance with the GDPR.

but only if you actively take the formal step to contact the DPA.

If you use API, ChatGPT Business, or Enterprise, you should:

  1. create an organization,
  2. document the Org ID,
  3. complete the DPA form,
  4. file the contract properly.

This means that OpenAI is no longer a gray area—it is now a clearly integrated processor.

Note: This article does not constitute legal advice, but describes the current practical procedure from a corporate and data protection perspective.