Category: Chatbots · Pricing: Free; Go $8/mo; Plus $20/mo; Pro $200/mo; Business $25/seat/mo; Enterprise custom · chatgpt.com

ChatGPT

OpenAI's flagship conversational AI assistant powered by GPT models; writes, codes, reasons, browses, runs agents, and creates images/video across web, mobile, and desktop.

Risk Score: 6/10 (High)

Independent assessment across data handling, compliance, security and transparency.

Overview

ChatGPT is OpenAI's consumer and enterprise chat assistant built on the GPT family of models. It handles writing, research, code generation, image and video creation (Sora), voice chat, file analysis, Deep Research, and agentic task execution via Agent Mode. It is the most widely adopted generative-AI product in the enterprise, available in Free, Go, Plus, Pro, Business, Enterprise, and Edu tiers. Business and Enterprise plans add SSO, admin controls, a signed DPA, SOC 2 Type II scope, and a contractual no-training default, while consumer tiers train on user data unless the user toggles it off.

Risk by subscription tier

The same vendor often carries very different risk depending on the plan. Free tiers typically allow training on prompts; paid tiers usually do not.

Plan    Risk
Team    4/10 · Medium
Plus    7/10 · High
Free    9/10 · Critical

Risk factors

  • Consumer-first tool with potential for data training
  • No enterprise-specific privacy controls
  • User data may be used for model improvement

Recommendations

  • Block chat.openai.com and chatgpt.com at the network edge for users not provisioned through ChatGPT Business/Enterprise SSO
  • Purchase ChatGPT Business or Enterprise, enforce SSO/SCIM, and sign OpenAI's DPA before rolling out broadly
  • For PHI workflows, require ChatGPT for Healthcare or API with a signed BAA and Zero Data Retention — not consumer ChatGPT
  • Disable 'Improve the model for everyone' by policy and verify it through workspace-level admin controls rather than trusting individual users' toggles
  • Turn off or scope Memory, Custom GPTs, and third-party connectors until they're reviewed by security and legal
  • Deploy a CASB/DLP rule that detects source code, secrets, and regulated data being pasted into chatgpt.com
  • Publish an acceptable-use policy that names ChatGPT specifically and require training before granting seats
  • Log and review ChatGPT Enterprise audit events monthly; wire the Compliance API to your SIEM

Data handling

Storage: Stored in OpenAI-managed infrastructure (primarily AWS/Azure US); ChatGPT Enterprise and API offer regional data residency in the EU, UK, Japan, Korea, Singapore, India, Canada, and Australia.

Retention: Consumer tiers retain chat history until the user deletes it (with a 30-day soft delete), subject to any ongoing legal hold. Business/Enterprise admins set retention. API Zero Data Retention is available for eligible endpoints and is required for the BAA.

Training on inputs: Consumer Free/Plus/Pro/Go tiers default to training on user inputs unless the user opts out. ChatGPT Business, Enterprise, Edu, Healthcare, and the API do not train on customer data by default.