AI subprocessor and model-provider claims: what should buyers ask?
Last reviewed June 2, 2026
AI privacy and security claims often skip the provider chain. This guide turns subprocessor lists, underlying model provider wording, prompt-routing statements, and regional-processing claims into evidence a buyer can request before relying on a vendor answer.
Sources this guide draws from
- OpenAI sub-processor list (OpenAI, company page) · April 2025 update; accessed June 2, 2026
  Public company source for product/service scope, locations of processing, subprocessor purposes, moderation processing, and ZDR exceptions.
- OpenAI business data page (OpenAI, company page) · Accessed June 2, 2026
  Public company source for service-provider encryption, data retention controls, in-region inference, and API processing wording.
- OpenAI enterprise privacy page (OpenAI, company page) · Updated January 8, 2026; accessed June 2, 2026
  Public company source for connected apps, internal sources, business-data review, DPA support, and app data-access wording.
- NIST AI Risk Management Framework 1.0 (NIST, standard) · January 26, 2023
  Official framework source for mapping AI claims to documented context, limitations, supply-chain roles, and risk controls.
Public claims with documented evidence gaps
"between OpenAI and its service providers"
Compliance / Safety
- Source and date: OpenAI business data page · Accessed June 2, 2026
- Evidence signal: Service-provider wording that needs a named provider path, data categories, retention limits, and support-access boundary.
- Evidence gap: A buyer needs which providers process prompts, outputs, files, logs, embeddings, connector data, and support events for the product surface they will use.
- Buyer question: For the service-provider claim, which subprocessors or model providers receive prompts, outputs, logs, or support-case data for our endpoint and region?
"Processing is performed at the data center that is closest to the End User"
Compliance / Safety
- Source and date: OpenAI sub-processor list · April 2025 update; accessed June 2, 2026
- Evidence signal: Location wording tied to a subprocessor row, not necessarily a full regional-processing promise for every data type.
- Evidence gap: A buyer needs product/service scope, data center selection logic, product exceptions, logs, support access, and whether model inference follows the same region path.
- Buyer question: For the closest-data-center wording, which AI data types follow that path and which model, logging, moderation, or support steps use a different path?
"Sharing with the Sub-processor platform only occurs when content is flagged"
Compliance / Safety
- Source and date: OpenAI sub-processor list · April 2025 update; accessed June 2, 2026
- Evidence signal: Moderation-sharing exception that can affect customer-content handling even when a broader privacy claim sounds simple.
- Evidence gap: A buyer needs the flagging trigger, customer-content sample scope, review period, subprocessor role, retention period, and customer notice or appeal path.
- Buyer question: For the flagged-content sharing claim, what customer content can be shared, with which subprocessor, for how long, and under which product conditions?
"Apps enable ChatGPT to send and retrieve information from connected internal sources and third-party applications"
Compliance / Safety
- Source and date: OpenAI enterprise privacy page · Updated January 8, 2026; accessed June 2, 2026
- Evidence signal: Connector wording that introduces a data path outside the base model and can change who can access source content.
- Evidence gap: A buyer needs connector permission scope, app provider path, admin controls, retrieval logging, token handling, and whether connected data can affect training, evaluation, or support review.
- Buyer question: For connected-app claims, which third-party apps can send or retrieve data, what permissions are granted, and where do connector prompts, outputs, and logs appear?
Match each claim pattern to the evidence buyers need
| Claim pattern | Evidence needed | Buyer question |
|---|---|---|
| Underlying model provider, model routing, or where prompts go | Model-provider name, product surface, model-call path, region, prompt and output categories, logging, fallback model, and routing rules. | Which model provider processes our prompts, and what changes if the vendor switches model, region, endpoint, or fallback provider? |
| Subprocessor disclosure, service-provider list, or trust-center row | Subprocessor name, product/service scope, processing purpose, location, data categories, retention period, notification process, and opt-out or objection path where available. | Which subprocessors touch AI prompts, files, outputs, logs, embeddings, connector data, or support cases for the product we would buy? |
| Zero retention or no storage while subprocessors are involved | Eligible endpoints, request/response retention, logs and metadata, moderation exceptions, support access, audit records, and subprocessor retention limits. | What logs or metadata remain outside zero retention, and which subprocessors can retain data for moderation, security, support, or legal reasons? |
| EU-hosted, regional processing, or data stays in a named region | Data-type map, model-provider path, inference region, log region, support access, subprocessor locations, connector transfers, and customer configuration limits. | Which prompts, files, outputs, logs, analytics, support events, and model-provider calls stay in the named region, and which do not? |
| Connected apps, plugins, or enterprise integrations with AI | Connector inventory, OAuth scopes, source permission model, token storage, retrieval logs, deletion behavior, and third-party app data handling. | When the AI reads a connected source, what access token is used, what gets logged, and which provider can see the retrieved content? |
| Vendor can change model providers or subprocessors | Change notice period, affected products, customer notification channel, DPA/subprocessor list updates, regression testing, and re-approval process inside the buyer team. | How will we know if a model provider, region, or subprocessor changes after contract signature? |
Evidence to request
- A data-flow map for prompts, files, outputs, logs, embeddings, connector data, support events, moderation review, and model-provider calls.
- The subprocessor list entries that apply to the exact AI product, plan, endpoint, and region the buyer will use.
- A model-provider path showing primary model, fallback model, orchestration layer, region, logging, and customer configuration options.
- Retention and exception terms for request bodies, response bodies, logs, metadata, audit records, flagged content, and support cases.
- Subprocessor and model-provider change notice terms, including how the buyer will review a changed data path.
Questions to put in front of the vendor
- Which model provider processes the prompts, files, outputs, embeddings, and logs for this AI feature?
- Which subprocessors touch the data path, and what exact processing purpose does each one serve?
- What changes if we use a different endpoint, region, product plan, connected app, fine-tuning workflow, or zero-retention setting?
- What logs, metadata, moderation records, support cases, or audit records remain after request and response data is deleted?
- How does the vendor notify customers when a model provider, region, or subprocessor changes?
- Can the vendor provide a data-flow diagram that matches the product surface and configuration we would deploy?
Wording boundaries to compare against
- Prompts and outputs for [product/endpoint] are processed by [provider] in [region], with logs retained for [period] unless [setting] applies.
- Subprocessors listed in [document] process named data categories for support, moderation, hosting, or authentication, subject to the stated retention terms.
- Customer content is not used for shared model training by default; retention, moderation, support, and connector data follow separate documented boundaries.
- Regional processing applies to named data categories and endpoints; support, logs, subprocessors, or fallback model calls may follow documented exceptions.
Frequently asked questions
- What should buyers ask about AI subprocessors?
  Ask which subprocessors process prompts, files, outputs, logs, embeddings, connector data, moderation records, and support cases. The answer should name product scope, processing purpose, location, retention, and change-notice terms.
- Which model provider processes our prompts?
  Ask for the primary model provider, fallback provider, orchestration layer, region, endpoint, logging path, and any configuration that changes the route. A broad privacy claim is not enough if the model-provider path is hidden.
- Does zero retention remove subprocessor and support records?
  Not automatically. Zero-retention wording may cover request and response bodies while logs, metadata, moderation records, support cases, audit records, or subprocessor records follow separate terms. Ask for each data category separately.