OpenAI is a US-incorporated, CLOUD Act-exposed AI lab operating as a nonprofit-controlled public benefit corporation following its October 2025 restructuring; its frontier GPT-class models are classified as GPAI with systemic risk under the EU AI Act, and it signed the GPAI Code of Practice in July 2025. GDPR enforcement history — including Italy's €15 million fine (subsequently annulled on jurisdictional grounds, not on merit) and ongoing EDPB ChatGPT taskforce investigations — combined with the structural non-mitigability of US jurisdiction represents elevated compliance risk for EU regulated customers. Enterprise-grade security credentials (SOC 2 Type 2, ISO 27001/27701, ISO 42001) and EU data residency options partly offset deployment risk, but the US parent's legal jurisdiction cannot be eliminated by technical or contractual means.
OpenAI is a US-incorporated, US-headquartered entity and is unambiguously subject to the CLOUD Act and FISA Section 702. US intelligence or law enforcement can compel disclosure of customer data accessible to OpenAI, including data processed via OpenAI Ireland Limited, without EU data subject notification. EU data residency options reduce physical data exposure but do not eliminate the legal jurisdiction of the US parent. This is a structural, non-mitigable risk for EU customers in regulated sectors.
Retired US Army General Paul M. Nakasone (former NSA director and US Cyber Command commander) sits on the OpenAI Foundation board. Combined with active DoD contracts and classified-network model deployment (confirmed February 2026), this represents a level of US national security establishment proximity that is a material supply-chain risk consideration for EU public sector, defence-adjacent, and critical infrastructure operators.
Italy's Garante found multiple GDPR violations (November 2024) — no legal basis for training data processing, transparency failures, unreported March 2023 data breach, inadequate age verification. The €15 million fine was annulled by the Court of Rome on 18 March 2026 on a jurisdictional point only (Italy ceded competence to Irish DPC). The court did not assess whether OpenAI violated GDPR on the merits. EDPB ChatGPT taskforce investigations across multiple EU member states remain ongoing. A second incident (Memory feature, August 2025) adds to the pattern.
The 2026 EDPB Coordinated Enforcement Framework (CEF) focuses on GDPR transparency obligations (Articles 12–14) — the exact same category of violations alleged against OpenAI by the Garante and EDPB ChatGPT taskforce. With 25 DPAs conducting simultaneous investigations across the EEA and the Irish DPC now holding lead authority over OpenAI, transparency-related enforcement activity could intensify through 2026.
Approximately 50% of AI safety researchers departed OpenAI in 2024, citing the company's deprioritisation of safety goals. Further leadership turbulence in 2025–2026 (CPO, enterprise CTO, Sora head, and multiple senior researchers departing; April 2026 operational reshuffling) raises questions about research continuity, institutional knowledge retention, and long-term supportability of deployed models.
The October 2025 restructuring to a public benefit corporation eliminated prior legally-enforceable profit caps. The Elon Musk lawsuit (dismissed on statute-of-limitations grounds May 2026, appeal pending) drew sustained public attention to allegations that OpenAI's mission may have been subordinated to commercial interests. PBC status does not carry the same legally-enforceable mission primacy as the previous structure. The OpenAI Foundation retains control but its long-term independence from commercial pressure is untested.
OpenAI's frontier GPT-5 and GPT-4-class models are estimated to exceed the EU AI Act's 10^25 FLOP systemic risk threshold, imposing the most stringent GPAI obligations (safety frameworks, adversarial testing, incident reporting to the EU AI Office, Article 53 documentation). While OpenAI has signed the GPAI Code of Practice, full Article 53 technical documentation and training data summaries for frontier models have not yet been publicly confirmed as complete. Full EU AI Act enforcement powers for GPAI become active August 2, 2026.
The consolidated New York Times / publisher copyright lawsuit remains active as of June 2026. A worst-case adverse judgment requiring dataset destruction could materially affect the legal standing of frontier models trained on the contested data and create model continuity risk.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
The catalogue lists every family Stav knows about — including families we don’t yet host, so the picture stays authoritative.
Holds SOC 2 Type 2 (security, confidentiality, privacy, availability), ISO/IEC 27001:2022, 27017, 27018, and 27701:2019 certifications for enterprise products and API platform, plus ISO 42001:2023 AI Management System and PCI-DSS. FedRAMP and CSA STAR Level 1 also confirmed. Active Bugcrowd bug bounty programme with cash rewards and safe harbour. Trust Portal (trust.openai.com) confirmed live as of June 11, 2026.
Signed the EU GPAI Code of Practice in July 2025, gaining a rebuttable presumption of conformity with EU AI Act GPAI model obligations. Actively participated in the Code's development with the EU AI Office — among the first frontier model providers to sign.
Established OpenAI Ireland Limited as the GDPR data controller for EEA/Switzerland effective February 2024, activating the GDPR one-stop-shop with the Irish DPC as lead supervisory authority. Offers Data Processing Addendum, EU data residency options, HIPAA BAA, and Zero Data Retention for qualifying enterprise customers.
Published system cards for recently released frontier models (o3-mini, Deep Research, GPT-4.5) on the publicly accessible Trust Portal. Maintains a Preparedness Framework for frontier model safety evaluation — one of the first industry-wide frontier model safety protocols.
Released open-weight models (gpt-oss-120b and gpt-oss-20b) under Apache 2.0 licence in August 2025 — the first substantial open-weight LLM release since GPT-2 (2019). Whisper and CLIP also available under MIT licence. Provides a self-hosting path for non-frontier use cases that partially addresses sovereignty concerns.
October 2025 PBC restructuring completed with approval from the California and Delaware Attorneys General and commitments to continued safety governance. OpenAI Foundation retains board control. Elon Musk's lawsuit — which sought to unwind the restructuring and could have been 'catastrophic' for OpenAI — was dismissed by unanimous jury verdict on May 18, 2026, preserving the current corporate structure (appeal pending).
Privacy policy review
Creator profile
OpenAI is a US-headquartered, CLOUD Act-exposed AI lab whose frontier GPT-class models are definitively classified as GPAI with systemic risk under the EU AI Act. It has signed the GPAI Code of Practice, established OpenAI Ireland Limited as EU data controller under the GDPR one-stop-shop, and holds SOC 2 Type 2, ISO 27001/27017/27018/27701 certifications — strong baseline security credentials. The primary risk for EU regulated customers is the combination of confirmed CLOUD Act/FISA exposure, a major GDPR enforcement history (Italian Garante €15 m fine, later annulled on appeal), ongoing EDPB scrutiny, and a corporate governance structure that underwent contentious restructuring in 2025, raising questions about the long-term primacy of mission over commercial incentives.
Stav editorial summary
OpenAI is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
Exposed on training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored OpenAI. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“OpenAI released two open-weight language models called gpt-oss-120b and gpt-oss-20b.”
“A group of ex-OpenAI employees, Nobel laureates, law professors and civil society organizations sent a letter last month to attorneys general in Calif...”
“With our updated structure, announced on October 28, 2025: The nonprofit is now the OpenAI Foundation. The for-profit is now a public benefit corporat...”
In a unanimous decision, the nine-member advisory jury said Musk was beyond the statute of limitations when he launched his case in 2024. Judge Yvonne...
Musk’s lead attorney, Marc Toberoff, said at a press conference after the verdict that they plan to appeal.
It found that Italy had no right to judge OpenAI at all - and the full reasoning, published on May ... A Rome court on March 18, 2026 annulled the on...
The EDPB's 2026 coordinated enforcement action targets GDPR transparency — privacy notices, consent disclosures, and data subject communication.
In April 2026, OpenAI's head of AGI deployment, Fidji Simo, said she would take "several weeks" of medical leave. This triggered a reshuffling of the ...
Microsoft was granted a 27% share, the nonprofit was given a 26% share, with other employees and investors getting 47%.
OpenAI said what motivated the change was its ongoing dialogue with civic leaders and the attorneys general of California and Delaware, where OpenAI i...
Today, we are announcing our decision to sign the Code of Practice and use it to demonstrate compliance with our relevant obligations under the EU AI ...
Currently, it is estimated that only 5-15 companies worldwide – such as OpenAI, Anthropic, Google, and Microsoft – would be subject to the Safety and ...
As of early 2026, models from OpenAI (GPT-4 class and above), Google DeepMind (Gemini Ultra), Anthropic (Claude 3 Opus and above), and Meta (Llama 3 4...
Families served on Stav
Model compliance cards
Broad enterprise adoption across regulated sectors evidenced by HIPAA-compliant product tiers, FedRAMP certification, ISO 42001 AI management certification, and dedicated ChatGPT for Healthcare product — demonstrating responsiveness to regulated-sector compliance requirements.
DPO appointed and dedicated EEA privacy policy published following EDPB regulatory pressure — concrete structural changes adopted in response to regulatory engagement, not solely on a voluntary basis.
Published safeguards & certifications
“Consumer versions of ChatGPT such as the free and Plus tiers are not listed under this SOC 2 certification. However, OpenAI’s enterprise focused produ...”
“On March 18, 2026, as reported by Matthew Newman at MLex, the Court of Rome annulled Decision No. 755, issued on November 2, 2024, by Italy’s data pro...”
“Whisper's code and model weights are released under the MIT License.”
“From their investigation, the Garante noted numerous data protection violations including: the absence of an "appropriate legal basis" for processing ...”
“However, unlike the original 2019 restructuring that explicitly ensured commercial goals were subordinate to the nonprofit's mission, public benefit c...”
“If you live in the European Economic Area (EEA) or Switzerland, OpenAI Ireland Limited, with its registered office at 1st Floor, The Liffey Trust Cent...”
“Our products are also ISO 27001, 27017, 27018, and 27701 certified. Request access to our SOC 2 Report below to learn more about our security controls...”