# Security, privacy, and data controls
The moment you connect a Google Drive Connector or upload a customer spreadsheet to Advanced Data Analysis, you have moved your company's data into someone else's system, and the rules that govern that data are not the same for every account. This lesson is about knowing exactly which rules apply to you, what gets used for training, and how to set up ChatGPT so you can use Actions and Connectors at work without leaking anything.
Forget the marketing tiers for a second. The single most important distinction is whether your content can be used to train OpenAI's models by default.
Consumer plans (Free, Plus, Pro): By default, your conversations and uploads *may* be used to improve models. You can turn this off. In settings, Data Controls → Improve the model for everyone controls it. Turning it off also disables chat history sync in some cases, but your data stops feeding training.
Business plans (Team, Enterprise, Edu) and the API: Business content is not used to train OpenAI models by default. This is a contractual commitment, not a toggle you have to remember to flip. Team, Enterprise, and Edu workspaces exclude your data from training out of the box, and the same is true for the OpenAI API.
So the simplest mental model:
The official, up-to-date statement lives in the Enterprise privacy page and the API data usage docs. Read them once; they change rarely but they are the source of truth.
Even when your data is excluded from training, it still passes through and is usually retained for a limited window for abuse monitoring and operations. On the APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.Voir la définition complète →, standard retention is around 30 days, then deletion, unless you qualify for Zero Data Retention (ZDR), which OpenAI grants to eligible enterprise use cases so that nothing is stored after the request completes.
The takeaway: "won't train on it" answers the IP question. "How long is it stored and who can see it" is a separate question you answer with retention settings and ZDR.
This is where people get surprised. ChatGPT is not a sealed box once you add tools.
A Connector (Google Drive, SharePoint, GitHub, Box, and others) gives ChatGPT scoped, read-style access to an external system so it can pull context into a chat or power deep research. Two things to internalize:
1. The data flows both ways at query time. When ChatGPT searches your Drive to answer a question, snippets of those files enter the conversation. They are now governed by *your account's* data policy, not the source system's.
2. Admins control which Connectors exist. In Enterprise and Team workspaces, a workspace admin enables Connectors centrally. If you are setting this up for a team, restrict Connectors to the systems you actually vetted.
See the current list and behavior in the ChatGPT Connectors help docs.
An Action lets a Custom GPT call an external APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.Voir la définition complète → you define via an OpenAPI schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.Voir la définition complète →. This is the riskiest surface because *you* are wiring the data path. When a user talks to your GPT, ChatGPT can send conversation content to whatever endpoint your Action points at.
Three controls matter:
Here is a minimal, safe Action schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.Voir la définition complète → fragment. Note the explicit auth and the read-only single purpose:
openapi: 3.1.0
info:
title: Order Status
version: "1.0"
servers:
- url: https://api.example.com
paths:
/orders/{id}/status:
get:
operationId: getOrderStatus
summary: Return shipping status for one order
parameters:
- name: id
in: path
required: true
schema: { type: string, pattern: "^[A-Z0-9]{8,12}$" }
responses:
"200":
description: Status found
content:
application/json:
schema:
type: object
properties:
status: { type: string }
eta: { type: string, format: date }The pattern constraint is a small but real control: it stops the model from sending malformed or injected IDs to your backend.
The ChatGPT agent can browse, click, and run actions on your behalf, which means it can submit forms and move data autonomously. Codex operates over code repositories. Scheduled tasks run prompts on a timer, sometimes while you are away.
The risk profile rises with autonomy. An agent that can act on a connected system can be steered by prompt injection: malicious text hidden in a web page or document that tries to hijack the agent's instructions. Treat any autonomous run that touches sensitive systems as something that needs a human approval step, and prefer read-only access for anything experimental.
These three features quietly persist data across chats, so they deserve a security pass.
If you publish a Custom GPT to the GPT Store, remember what is shared and what is not.
For internal-only GPTs, set sharing to "Only people in my workspace" rather than public. That one setting is the difference between a private tool and a public one.
Vérification des acquis
1. On consumer plans (Free, Plus, Pro) with default settings, what happens to your conversations and uploads?
2. What makes the 'no training on your data' guarantee different for Team, Enterprise, and Edu plans compared to consumer plans?
3. Where does the lesson say you can find the official, up-to-date statement on business data privacy?
4. Select ALL correct answers about the relationship between training, storage, and data controls in ChatGPT.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers about which accounts do NOT use your data for training by default.
Sélectionnez toutes les réponses correctes.
You do not need a 40-page policy. You need one rule that holds up under pressure:
> If the data is regulated, secret, or someone else's, it only goes into a workspace that contractually excludes training and that an admin controls. Everything else can go in your personal account.
Unpack it:
If none of those three apply (you are drafting a blog post, learning a concept, summarizing a public article), your personal account is fine.
On the APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.Voir la définition complète → the same principle holds, plus you own the system prompt and retention configuration. Use structured outputs to constrain what the model returns so a downstream system never receives free-form text it might mishandle. Here is the shape of a request that forces a strict schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.Voir la définition complète →:
from openai import OpenAI
client = OpenAI()
resp = client.responses.create(
model="gpt-4.1",
input="Extract the order ID and status from: 'Order AB12CD34 shipped today.'",
text={
"format": {
"type": "json_schema",
"name": "order",
"strict": True,
"schema": {
"type": "object",
"properties": {
"order_id": {"type": "string"},
"status": {"type": "string"},
},
"required": ["order_id", "status"],
"additionalProperties": False,
},
}
},
)
print(resp.output_text)strict: True plus additionalProperties: False guarantees the model cannot smuggle extra fields into your pipelinepipelineAll active sales opportunities across the stages of the sales process, together with their combined potential value and probability of closing.Voir la définition complète →. That is a privacy control as much as a correctness one: it bounds exactly what data crosses your system boundary.
When you use function calling or the Agents SDK to give a model tools, every tool is a data egress point. Apply least privilege to each function the same way you would to the YAML Action above: narrow scope, validated inputs, and a human checkpoint before any irreversible or sensitive action. The model deciding *when* to call a tool does not absolve your code of validating *what* it calls the tool with.
If you are the person turning ChatGPT on for colleagues:
1. Use a Team or Enterprise workspace so training exclusion is contractual, not per-user.
2. Enable only vetted Connectors, and prefer read-only scopes.
3. Set Custom GPT sharing defaults to workspace-only.
4. Decide your memory and retention posture, and ask about ZDR if you handle regulated data.
5. Publish the one-sentence rule above to every user. Simplicity is what makes a policy actually followed.