Q37
Do you have a current SOC 2 Type II report?
SOC 2 Type II: claimed_with_trust_page
OpenAI Vendor Risk Assessment — Full Report
Before you share customer data with OpenAI, your compliance team needs documented proof they can be trusted. ThirdProof investigated OpenAI across 27 intelligence sources — here's what we found.
Risk Tier
Tier 2 — High RiskSOC 2
⚠ Vendor AttestedFedRAMP
— Not AuthorizedLast Assessed
Mar 25, 2026🟢IP Reputation: Abuse score: 0%, 0 reports🟡SSL/TLS: TLSv1.3🟢Domain Age: 19.2 years🟢Infrastructure: 13 open ports, 0 CVEs
- SOC 2 Status
- OpenAI has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- OpenAI returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned OpenAI a High Risk tier with 87% confidence across 27 intelligence sources.
24 sources queried. 87% confidence. Every OpenAI investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.
Get OpenAI's Full Report Free →5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes
Certification & Compliance Status
Security Questionnaire — Auto-Filled
43 of 133 questions answered for OpenAI
Auto-filled from public evidence • 32% complete
Q38
Do you have ISO 27001 certification?
ISO 27001 claim found on trust page (Vendor attested)
Q41
Are you FedRAMP authorized? At what level?
Not found in FedRAMP marketplace
Q40
Are you HIPAA compliant? Do you sign BAAs?
OpenAI offers Business Associate Agreement (BAA) for ChatGPT Enterprise to support HIPAA compliance requirements.
Q42
Are you GDPR compliant? Do you have a DPA available?
OpenAI provides a Data Processing Addendum (DPA) for ChatGPT Enterprise to support GDPR compliance.
+ 5 more compliance questions answered in the full report
Every investigation produces a full PDF report plus the complete 133-question questionnaire, mapped to SOC 2, HIPAA, PCI DSS, SIG, and more.
Get OpenAI's Full Report Free →◇27 data sources queried per assessment
◷Reports generated in an average of 7 minutes
◈SHA-256 verified for audit integrity
✓Deterministic risk scoring — no AI guesswork
2Tier
High Risk
Openai
Vendor Risk Assessment
Confidence Score87%
Based on data availability and source coverage
24
Sources Queried
23
Sources With Data
March 25, 2026
Last Assessed
Executive Summary
AI-generated analysis for Openai
OpenAI (openai.com) is a high-profile artificial intelligence platform rated Tier 2 (High Risk) by ThirdProof's rule engine, reflecting a combination of documented security incidents reported in archived media and unresolved gaps in independently verifiable compliance posture. This rating warrants a conditional engagement posture pending resolution of specific requirements outlined in this report. OpenAI demonstrates several meaningful positive signals across infrastructure and operational security dimensions:
Key Findings
- The domain has been registered since 2007 and carries 19+ years of establishment, with a Web archive service archive presence dating to 2001.
- Domain reputation is clean — openai.com is not listed on SURBL, Spamhaus DBL, or URLhaus malware blacklists, and Malware detection service returns no threats.
- The IP address resolves through Cloudflare's CDN with a 0% abuse confidence score and is whitelisted.
- No sanctions or watchlist matches were found across OFAC, EU, or UN lists.
- No SEC or FDIC enforcement actions are associated with the entity.
- OpenAI maintains a public trust portal (trust.openai.com) and published subprocessor page with 3 identified subprocessors (SafeBase, Bugcrowd, Microsoft Azure), none of which triggered sanctions or safety flags.
- The HTTP security posture received a B grade (75/100) from independent header scanning, with HSTS enabled.
- SOC 2 Type II compliance is claimed on the vendor's trust page via the Drata platform, and multiple ISO 27001 variants are claimed on the public security page. However, several concerns require active resolution before this vendor is approved for medium data access use cases:
- Historical archived media includes three critical-severity articles referencing API user data exposure, a reported ChatGPT hack with data leaked, and an associated breach warning — these represent documented security incident history that buyers must evaluate.
- Five certifications (SOC 2, ISO 27001, PCI DSS, CSA STAR, FedRAMP) are vendor-attested on OpenAI's public pages but could not be independently verified through public registries during this investigation. ISO 27001 was not found in the IAF CertSearch registry, and FedRAMP was not confirmed in the FedRAMP Marketplace.
- No publicly accessible AI-specific data usage policy was discoverable via automated scanning. For a vendor whose core product is AI model serving, the absence of a crawlable policy covering training data use, retention periods, and third-party model providers is a material gap for enterprise procurement.
- Community trust signals include Hacker News discussions citing executive allegations of deliberate misrepresentation regarding a military contract and the removal of the word "safely" from OpenAI's mission statement — these are reputational signals that enterprise compliance teams should review in the context of their own risk tolerance. Overall, OpenAI presents a mixed risk profile: strong infrastructure hygiene and broad compliance claims are offset by a documented history of security incidents and insufficient independent verification of those claims. A conditional engagement posture is warranted, with specific evidence requirements that the vendor is well-positioned to satisfy.
Independence Statement
All evidence in this report was independently sourced from external data providers and public registries without vendor participation or knowledge.
Investigation Findings
6 findings identified for Openai
1 critical1 high4 medium
critical
Critical Adverse Media: OpenAI data breach exposing API user data
3 recent article(s) reference critical security or regulatory issues for "OpenAI": "OpenAI breach exposes API user data" (MSN) https://news.google.com/rss/articles/CBMi0wFBVV95cUxOTkd0QmQ4TFotX3pLNUJzbEczYnQ0ZGVHekZzQTIwajhoSGdEazNxWUlwUVRxQTF5bTlRdDVDeExUSENCTG1mMnJ2a3NyTmNXNEF4N0RPU2MwbjNDRVVBZnR5R3M1c3BCM2J1bWZwb3NMc2ZWNHRJcUNRSmJESXgzdk1iRE1mb2xZS0stVEtzMkcwb0tqXy1JcjlEZzFhRnF2bnlPWTMyaXZrRHNMY3BrbVB1YjZ1ZWVLdWtTcEJZRDh0U3Q4eDJ5Ml9pc0JVY3FORTdR?oc=5; "ChatGPT of OpenAI Hacked and data leaked" (Cybersecurity Insiders) https://news.google.com/rss/articles/CBMihwFBVV95cUxQdzBZVDhxanRMcVk0NXJuX3lienYyaXd6ZUsxM3RwVFdUMXI4cWVqYU9GbjBZcktPYTVYcUdYakw2cTA5X0wzZ2lzNlU0eWV0TWduV2lwMnJXZ3F3MXZnWVJvY211NEVzNHd6SUpSLVZXWE1aUUdYcTNIMzhMODItLTAzOHRreGs?oc=5; "OpenAI breach warning: Was OpenAI hacked and is your data exposed — here’s what ..." (The Economic Times) https://news.google.com/rss/articles/CBMipgJBVV95cUxNUDZ4aVMwbldQQ3JrZzBkRHI2R25sUVowTjNTYUVqdzJZbnRSNFVTLTQ0eGZOT3hVUmNveTRGOUdGcTlnLWRCeWZ0NEl4ejQ2d3otX0w1OS1HNDR6Y3ppU1RlWHRMUlgzUlNTVVFCSHh3bFVwZVhaV2NfSkVpNm5wS0xaazR2Tm1hRm42c3dHRDB3U2ptQXBXRE1GSmxfa2ZfSFVkRkN1d05UQWdPMDJpRFVfbFZyWnFiSDNRbExCMFdQMVBMUmxic3hfTmw3bHl6MU1pT2c2X0UtZHo4bC1RQ01SaEhlcV9fYzg4cDFpbTBLSTh0NDNBdXNRWHRFSUtVN0pNTXlYS0hOUGNFRWVXLVlEczZTTDRyYjNVaWJtd2J4ZzFZcEHSAasCQVVfeXFMUFZETGRjVVJsZng1ajNKaVJTWm1uOTBvQ1A0bWxCSGRHSzNLREpKb3ZjUi12ai1XX3BoX0JoWkRyN0lOc2RjOUdhVWYwQjNOT0dNUUJmbFItZDg5TVRpYnRhWWFHdWFpZFZrdHRmcG5tMW80SUFtcnNhdVJvSU1ESUlFbS1yZ2tnRWxJOThPd3JxMk9ienJiekVHRk5pYzVfTWpfMmE5TXpUR3l3cElScTVGY0J6dUtIOU5hWmxNYWdVaFpQWmlnSXp5U1lRMHdmQVkyNXV3LXN1TUxpbU43bnptWGdSd0RaaFdadjREUUpLa2Vkbm1oQ3c4cVUzZHQ0dnJ5eG1RaGlSV2Zxd19xTkFqd0phMTZqbE0xdEZQTmREeUlwSXFyWkswLXM?oc=5
high
Adverse Media: Mixpanel incident exposes limited OpenAI API user data
1 article(s) reference significant concerns for "OpenAI": "OpenAI Breach Alert: Mixpanel Incident Exposes Limited API User Data" (Bitdefender) https://news.google.com/rss/articles/CBMivgFBVV95cUxQTUFWLWlPU0Q4bS1vYW96VV9MMTM1eTdCYzRWQ0JGTDBneGlmMjFwODNVMUl4cGxTR2dLaGpkRW1rLW1kUHpTQjFtVml3TUVhc1g5Mlh0aGl0cXZiQTBvUGFpTGRyZ0Fta2pDa09mUXI4dk1ta0pTNmNtLTZkQ1lEM2lIejV4ZnVxREJ1dk14c1E5dUJhcnlJbEZlOHNuaEpIQ2xiWUkzdDFiWHczMkpmVk1vTzU1bDhzV19GSzFB?oc=5
medium
Adverse Media Scan Unavailable
A critical data source was unavailable during this investigation. Manual verification is recommended.
Source:Adverse Media Scan (Fallback)
medium
Tech Community Discussion: trust
2 Hacker News stories about "OpenAI" related to trust. Top story: "Dario Amodei calls OpenAI’s messaging around military deal ‘straight up lies’" (805 points).
medium
Multiple Certificate Issuers (33)
openai.com has certificates from 33 different Certificate Authorities. This may indicate inconsistent certificate management practices.
medium
AI Data Usage Policy Not Discoverable at Standard Paths
An AI-specific data usage policy was not discoverable for openai.com through automated scanning of common policy paths and web search. The vendor may publish relevant data handling commitments in enterprise agreement documents (DPAs, product terms, licensing portals) that are not indexed at standard public URLs. Request the vendor's Data Protection Addendum or AI-specific terms directly.
✓
Security Strengths
28 positive signals verified
✓
Legal Entity Actively Registered
Business Registration →✓
[Filtered] Recently Registered Entity
Business Registration →✓
No Sanctions Matches Found
Sanctions & Watchlist Screening →✓
Firmographic Data Available
Company Intelligence →✓
Domain Infrastructure Healthy
Domain Analysis →✓
Valid SSL Certificate
Domain Analysis →✓
13 Open Ports Detected
Infrastructure Exposure →✓
Established Domain (19+ years)
Domain Registration →✓
Clean domain reputation
Threat Intelligence →✓
Tech Community Discussion: legal
Tech Community Sentiment →✓
Tech Community Discussion: privacy
Tech Community Sentiment →✓
HTTP Security Grade: B
HTTP Security Scan →✓
Large Certificate Footprint (425 subdomains)
Certificate Transparency →✓
Established Web Presence (24+ years)
Web Archive History →✓
Domain in 9 Threat Intelligence Pulses
Threat Intelligence (OTX) →✓
Clean IP Reputation
IP Reputation →✓
Clean Safe Browsing Status
Malware & Phishing Check →✓
Clean Website Security Scan
Website Security Scan →✓
Certification Claimed: SOC 2
Trust & Compliance Page Scan →✓
Certification Claimed: ISO 27001
Trust & Compliance Page Scan →✓
Certification Claimed: PCI DSS
Trust & Compliance Page Scan →✓
Certification Claimed: CSA STAR
Trust & Compliance Page Scan →✓
Certification Claimed: FedRAMP
Trust & Compliance Page Scan →✓
3 Subprocessors Identified
Supply Chain & Subprocessor Discovery →✓
Not Found as FDIC-Insured Institution
FDIC Institution Check →✓
No SEC Enforcement Filings Found
SEC Filing Search →✓
HITRUST Directory Match — Manual Verification Required
Certification Registry Verification →✓
SOC 2 Compliance Claimed on Trust Page
Certification Registry Verification →Recommended Actions
Steps to address findings for Openai
- 1
Request OpenAI's SOC 2 Type II audit report and bridge letter — visit trust.openai.com or email security@openai.com. Ask for the most recent audit period and confirm coverage includes the API platform services relevant to your use case. Complete within 30 days.
- 2
Obtain OpenAI's Data Protection Addendum (DPA) and API-specific data retention and training use terms in writing. Ask specifically: (1) Is customer API data used to train models? (2) What is the default prompt retention period? (3) Can zero-retention mode be enabled for your account? Request these via your account representative or through trust.openai.com. Complete within 30 days.
- 3
Request post-incident summaries for the November 2025 Mixpanel/API user data incident and the March 2026 reported breach. Ask OpenAI's security team to confirm the scope of affected data, the remediation steps taken, and any control changes implemented. Retain documentation in your vendor risk register.
- 4
Request OpenAI's ISO 27001 certificate(s) directly — ask for the certificate number, issuing CA, and expiry date, then independently cross-reference against the IAF CertSearch registry at https://www.iafcertsearch.org. This takes approximately 5 minutes and provides independent verification of the vendor's claim.
- 5
Verify FedRAMP status manually at https://marketplace.fedramp.gov by searching for 'OpenAI'. If your use case involves U.S. federal data or FedRAMP requirements, contact OpenAI's federal sales team to clarify the 'FedRAMP 20x' designation referenced on their trust page.
- 6
Request a complete and current subprocessor list from OpenAI beyond the 3 entries visible on trust.openai.com. Under GDPR Article 28, vendors must maintain and provide a complete list of subprocessors upon request. Confirm that all subprocessors with access to your data are covered by appropriate data processing agreements.
Intelligence Sources Queried
24 sources in this assessment
23of 24 sources returned data
IP Reputation
AI Data Usage Policy
Threat Intelligence (OTX)
Certification Registry Verification
Certificate Transparency
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Web Archive History
Domain Registration
Adverse Media Scan (Fallback)
Data Coverage Notes
Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.
- The primary adverse media scan source was unavailable during this investigation. The historical media search (Google News archive) partially compensates, but some recent adverse media from the past 12 months may not be captured. Manual review of recent news coverage is recommended.
- ISO 27001 certification could not be confirmed via the IAF CertSearch public registry — this may reflect a registry indexing delay, a certificate issued under a CA not indexed by IAF, or the certificate not yet being publicly listed. This is a data limitation, not a definitive confirmation of non-certification.
- FedRAMP status could not be confirmed in the standard FedRAMP Marketplace registry. OpenAI's trust page references 'FedRAMP 20x', which may refer to a new or emerging authorization track not yet reflected in the public marketplace. Manual verification with GSA or OpenAI's federal sales team is required.
- External cyber risk scoring was not available during this investigation, limiting quantitative benchmarking of OpenAI's security posture against peers.
- The subprocessor page at trust.openai.com lists only 3 subprocessors (SafeBase, Bugcrowd, Microsoft Azure). This list may be a partial representation — large AI platforms typically engage significantly more infrastructure and data processing subprocessors. Request a complete and current subprocessor list from the vendor.
- The HITRUST directory match references Azure OpenAI service HITRUST compliance (a Microsoft property) rather than OpenAI Inc. directly. These are distinct legal entities and the HITRUST status cannot be attributed to OpenAI's own systems based on available evidence.
- The LEI registry returned a match for 'OAI INTERNATIONAL, INC.' with a low entity disambiguation score of 30/100, indicating this is likely a different entity. No verified LEI for OpenAI, Inc. was confirmed in this investigation.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
Security & Compliance Profile
32% complete · 43/133 questions answered from public sourcesAre you OpenAI? Claim this profile to complete your security record. Buyers are reviewing this profile now.
Claim this profile →What a ThirdProof assessment covers↓
Sanctions Screening
Is OpenAI on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is OpenAI's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is OpenAI a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has OpenAI appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is OpenAI's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are OpenAI's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does OpenAI claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does OpenAI depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has OpenAI appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Seeing this in an audit? ThirdProof lets you investigate OpenAI and every other vendor in your stack — average report time: 7 minutes. Get OpenAI's Full Report Free →
Frequently asked about OpenAI
Does OpenAI have SOC 2 Type II?+
Yes — OpenAI holds SOC 2 (Type II not confirmed). Rated High Risk — Critical adverse media in historical .... See all 6 findings →
Is OpenAI on the OFAC sanctions list?+
OpenAI returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of March 2026.
What is OpenAI's vendor risk tier?+
ThirdProof assigned OpenAI a risk tier of High Risk with 87% confidence based on assessment across 27 intelligence sources as of March 2026.
Can I get an auto-filled security questionnaire for OpenAI?+
Yes. Every ThirdProof investigation of OpenAI produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending OpenAI a single email or waiting for a vendor response.
Is OpenAI safe to use as a vendor?+
OpenAI is a AI platform vendor that handles organizational data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see OpenAI's full risk profile.
Does OpenAI have SOC 2 certification?+
Yes — OpenAI holds SOC 2 + 4 other certs. Rated High Risk — Critical adverse media in historical .... See all 6 findings →
Is OpenAI FedRAMP authorized?+
FedRAMP authorization is relevant for government contractors evaluating AI platform platforms. Based on ThirdProof's assessment, OpenAI is not currently listed on the FedRAMP Marketplace. Organizations with federal compliance requirements should verify this directly and consider alternative vendors with FedRAMP authorization where required.
Has OpenAI had any data breaches?+
Data breach history is an important signal for any vendor, particularly AI platform platforms like OpenAI that handle organizational data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is OpenAI on any sanctions lists?+
Sanctions screening is standard due diligence for AI platform vendors. ThirdProof screens OpenAI against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If OpenAI or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess OpenAI for vendor risk?+
Assessing OpenAI as a AI platform vendor involves verifying SOC 2 Type II and applicable industry standards compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.
OpenAI is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates OpenAI across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes
Replaces $600–$900 in manual compliance consulting time per vendor assessed.