Read the companion guide: How to Prepare for Your OpenAI Negotiation
13 Critical Contract Areas at a Glance
| # | Contract Area | What to Negotiate | Risk if Missed |
|---|---|---|---|
| 1 | Data Privacy | Confidentiality, retention control, DPA, GDPR/CCPA compliance | Data leakage, regulatory fines |
| 2 | IP Ownership | Ownership of inputs and outputs, limited licence back to OpenAI | Uncertain IP rights, third-party claims |
| 3 | Usage & Compliance | Align usage policies with business needs, industry-specific rules | Contract breach, regulatory violation |
| 4 | Model Transparency | Documentation, change notifications, audit support, bias assurance | Unpredictable model behaviour |
| 5 | Indemnification | IP infringement indemnity from OpenAI, narrow your indemnity back | Uninsured legal exposure |
| 6 | SLA & Uptime | Uptime commitment, latency, support SLAs, remedies (credits) | Downtime with no recourse |
| 7 | Pricing & Cost Controls | Volume discounts, spend caps, fixed rates, transparency | Budget overruns, surprise charges |
| 8 | Renewal & Lock-In | Short terms, data portability, renewal caps, exit rights | Vendor lock-in, price escalation |
| 9 | Security | Encryption, access controls, SOC 2, breach notification | Data breach liability |
| 10 | Training Opt-Out | Explicit no-training clause, deletion rights, audit verification | Proprietary data absorbed into public model |
| 11 | Liability Limits | Higher caps, carve-outs for IP/security/wilful misconduct | Minimal vendor accountability |
| 12 | Termination & Exit | For-cause and for-convenience termination, data retrieval, refunds | Trapped in unfavourable agreement |
| 13 | Red Flags | Data loopholes, missing NDA, one-sided changes, no SLA, weak indemnity | Signing a contract that works against you |
Data Privacy
Protecting sensitive data is paramount. The contract must define how OpenAI handles your data — the prompts you send and the AI-generated outputs. All inputs and outputs should be treated as your confidential information. OpenAI commits by default not to train on business customer data, but you must cement this in the contract.
| Privacy Requirement | What to Negotiate | Why It Matters |
|---|---|---|
| Confidentiality | All inputs and outputs treated as your confidential information | Prevents OpenAI from sharing data with third parties or using it beyond service delivery |
| Retention control | You set data retention policies (including zero retention); confirm in writing which endpoints and features the policy covers, since uploaded files and fine-tuning datasets persist until you delete them | Limits exposure of historical data; supports GDPR "right to be forgotten" |
| Data Processing Addendum | Signed DPA covering GDPR, CCPA, and sector-specific laws | Legal framework for personal data handling; OpenAI acts as processor on your instructions |
| Deletion rights | Right to request deletion with written confirmation | Ensures data doesn't persist after you no longer need it |
| Sector-specific compliance | HIPAA BAA for healthcare, financial regulation addenda | Without a BAA, sending protected health information to the service is itself a HIPAA violation, regardless of how the data is handled afterwards |
Intellectual Property Ownership
Clarify who owns what — your inputs to the AI and its outputs. OpenAI's standard business terms assign you ownership of both inputs and outputs, but you should still nail down the details contractually to avoid ambiguity.
| IP Element | Recommended Position | Watch-Fors |
|---|---|---|
| Ownership of outputs | You own all AI-generated output based on your prompts | Ensure no broad licence that lets OpenAI reuse your outputs |
| Ownership of inputs | Your data and content remain your property at all times | OpenAI should not gain any ownership over material you provide |
| Licence back to OpenAI | Limited licence solely to perform the service — nothing more | Reject any broad licence allowing other uses of your content |
| Third-party IP in outputs | Negotiate warranties or indemnities for IP issues | AI may inadvertently generate content similar to copyrighted material |
Usage Restrictions & Compliance
OpenAI has usage policies that enterprise customers must follow. Understand use-case restrictions and ensure they align with your intended AI applications. You want to both comply with OpenAI's rules and meet your own regulatory obligations.
- Respect OpenAI's usage policies — review restrictions on reverse engineering, competing model development, and prohibited content generation; flag any that conflict with your business plans
- Ensure industry-specific compliance — healthcare requires HIPAA BAA, finance requires SEC/FINRA awareness, banking requires data sovereignty controls
- Test high-risk use cases — legal/medical advice, hiring decisions, and financial planning require human review and accuracy validation before deployment
- Verify geographic and export compliance — OpenAI must follow U.S. export controls; confirm service availability in all countries where you operate
- Get written clarification on grey areas — if your strategy involves using outputs to improve internal ML models, clarify where the line is and get it in writing
Model Transparency
While OpenAI's models are largely "black boxes", you should negotiate for as much insight and transparency as feasible to build trust and meet governance obligations.
| Transparency Area | What to Negotiate |
|---|---|
| Model documentation | System cards, model cards, transparency reports describing capabilities, limitations, biases, and training data scope |
| Change notifications | Advance notice of significant model updates, algorithm changes, or safety filter modifications — with sandbox testing rights |
| Audit support | Access to logs of all prompts and outputs; tools or support for offline review and pattern analysis. Note the tension with zero retention: if OpenAI keeps nothing, there are no vendor-side logs to review, so capture prompts and outputs at your own API gateway instead |
| Bias and ethical assurance | Commitment to bias testing, periodic fairness reviews, content filtering options aligned with your policies |
| Performance reporting | Monthly reports on model performance, identified risks, and improvement updates |
Indemnification
Indemnification is your safety net for legal troubles arising from OpenAI's services. Given emerging legal issues surrounding generative AI — particularly IP claims related to training data — securing strong indemnities from OpenAI is non-negotiable.
🟢 Indemnities to Secure FROM OpenAI
- IP infringement indemnity — OpenAI defends you if third parties claim the AI's outputs or training data infringe their copyright, patent, or IP rights
- Training data coverage — indemnity explicitly covers claims arising from the data OpenAI used to train the model
- Product liability — OpenAI is accountable if the software itself causes harm due to a defect
- Separate or uncapped indemnity limits — IP indemnification should not be subject to the general liability cap
🔴 Keep YOUR Indemnity to OpenAI Narrow
- Only indemnify for your breach of the agreement or misuse of the service
- Don't indemnify for claims arising from normal, authorised use of the AI
- Ensure OpenAI covers risks under their control (model, training data)
- You cover risks under your control (data you input, how you use outputs)
Service Levels & Uptime (SLA)
For enterprise-critical services, you need contractual assurances on availability and performance. Treat OpenAI's generative AI service as you would any important cloud service and insist on measurable reliability commitments.
| SLA Element | Target | Remedy if Missed |
|---|---|---|
| Uptime commitment | 99.9% monthly (about 43 minutes of downtime in a 30-day month); define how downtime is measured (e.g. API error rate above an agreed level over a 5-minute window) and whether scheduled maintenance is excluded | Tiered service credits (e.g. 10% credit if below 99%, 25% if below 98%) |
| Response latency | Median response under X seconds for standard queries; specify the percentile (p50 and p95), the model, and a reference prompt/response size, since latency scales with tokens generated | Infrastructure upgrade commitment or dedicated instance |
| Support: Severity 1 (critical) | Response within 1 hour, 24/7 | Executive escalation; continuous work until resolved |
| Support: Severity 2 (high) | Response within 4 hours | Dedicated technical contact assignment |
| Repeated failures | Consecutive months below SLA threshold | Right to terminate without penalty + refund for unused services |
Pricing & Cost Controls
Generative AI services can have complex and unpredictable pricing, particularly when usage scales rapidly. The contract must address pricing transparency, flexibility, and safeguards against budget overruns.
| Cost Control Mechanism | What to Negotiate |
|---|---|
| Rate transparency | Full rate card for all models (GPT-4, GPT-3.5, etc.), premium features, support tiers, and any hidden charges |
| Volume discounts | Tiered pricing based on committed monthly spend or token volume — with flexibility to adjust mid-term |
| Spending caps | Monthly spending cap requiring written approval to exceed; automated alerts at threshold levels |
| Fixed pricing period | Lock rates for the full contract term; if OpenAI insists on a right to change prices mid-term, require 60–90 days' notice instead of the standard 14 days, plus a right to terminate without penalty if you reject the new rate |
| Unused credit rollover | If prepaying, ensure unused credits roll over or negotiate partial refund clauses |
| Renewal price caps | Maximum price increase at renewal (CPI-linked or single-digit percentage) |
| Usage monitoring | Real-time visibility dashboard; proactive alerts if usage exceeds 20% above forecast |
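The spending-cap and forecast-deviation alerts in the table are only useful if something actually computes them from usage data. The following is an added example of such a client-side guardrail, not OpenAI's code or API: it parses a constructed daily usage export, prices it against a constructed rate card (the model names and prices are placeholders, not a real price list), and raises alerts at 50/80/100% of the monthly cap and when a linear run-rate projection exceeds the forecast by more than 20%. The linear projection and the "block requests at cap" behaviour are design choices of this example.

```python
"""Client-side budget guardrails for a metered LLM API: spend cap, threshold
alerts and forecast-deviation alerts. Added example, not OpenAI's code or API;
the rate card, usage export lines and forecast are constructed for
illustration. In practice the provider's billing export would be the input."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed rate card: USD per 1M tokens as (input, output). Placeholder
# model names and prices, not a real price list.
RATE_CARD: Dict[str, Tuple[float, float]] = {
    "model-large": (10.0, 30.0),
    "model-small": (0.5, 1.5),
}

# Constructed daily usage export: day of month, model, input and output tokens.
USAGE_EXPORT = """\
day,model,input_tokens,output_tokens
1,model-large,2000000,500000
2,model-small,10000000,2000000
3,model-large,4000000,1000000
5,model-large,6000000,2000000
6,model-large,4000000,1000000
"""


@dataclass(frozen=True)
class Usage:
    day: int
    model: str
    input_tokens: int
    output_tokens: int


def parse_usage(text: str) -> List[Usage]:
    """Parse the CSV export. A model missing from the rate card is rejected
    rather than silently priced at zero, which is how surprise charges hide."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        day, model, tin, tout = line.split(",")
        if model not in RATE_CARD:
            raise ValueError(f"model {model!r} missing from rate card")
        rows.append(Usage(int(day), model, int(tin), int(tout)))
    return rows


def cost_usd(u: Usage) -> float:
    rin, rout = RATE_CARD[u.model]
    return (u.input_tokens * rin + u.output_tokens * rout) / 1_000_000


def month_to_date(records: List[Usage], day: int) -> float:
    return sum(cost_usd(r) for r in records if r.day <= day)


def check_budget(records, cap_usd, forecast_usd, day, days_in_month=30,
                 thresholds=(0.5, 0.8, 1.0), forecast_tolerance=0.2):
    """Evaluate month-to-date spend as of `day`.

    Returns (spent, projected, alerts). `projected` scales spend so far to a
    full month (a linear run-rate, this example's design choice); `alerts`
    lists every guardrail that fired, in severity order.
    """
    spent = month_to_date(records, day)
    projected = spent * days_in_month / day
    alerts = [f"threshold:{int(t * 100)}%" for t in thresholds if spent >= cap_usd * t]
    if projected > forecast_usd * (1 + forecast_tolerance):
        alerts.append("forecast_deviation")
    if spent >= cap_usd:
        # The contractual cap needs written approval to exceed, so the
        # integration should stop issuing requests, not merely alert.
        alerts.append("cap_reached:block_requests")
    return spent, projected, alerts


if __name__ == "__main__":
    usage = parse_usage(USAGE_EXPORT)
    for d in (3, 5, 6):
        print(d, check_budget(usage, cap_usd=300.0, forecast_usd=250.0, day=d))
```

With the constructed data, day 3 fires only the forecast alert (the run-rate already points far past the $250 forecast), day 5 crosses 50% of the $300 cap, and day 6 crosses the cap itself and should block further requests until the written approval the contract calls for is in hand.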
Renewal & Lock-In
Given the rapid evolution of AI, manage vendor lock-in risk and negotiate favourable renewal terms. You don't want to be bound to OpenAI beyond your comfort level — and if you continue, it should be on reasonable terms.
🔴 Lock-In Risks
- Long contract terms with no early exit clause
- Auto-renewal with short notice periods (30 days)
- No data portability — can't export prompts, outputs, or fine-tuned models
- Renewal pricing left undefined — vendor charges list price
- Deep integration making switching technically costly
🟢 Flexibility Strategies
- Prefer 1-year initial terms unless longer terms offer significant savings
- Require 60–90 day renewal reminders; negotiate opt-out at any renewal
- Secure data export rights in usable format before account closure
- Cap renewal price increases (CPI or single-digit percentage)
- Use abstraction layers in your integration to swap AI providers if needed
Security Obligations
When entrusting sensitive business information to an AI service, demand the same security standards you'd require from any top-tier cloud provider handling your most critical data.
| Security Requirement | What the Contract Should Include |
|---|---|
| Encryption | AES-256 at rest and TLS 1.2 or later in transit (TLS 1.3 preferred) for all customer data, including backups and logs; ask who controls the keys and whether customer-managed keys are offered |
| Access controls | Least-privilege access, phishing-resistant MFA for OpenAI staff, need-to-know basis only, with access to customer data logged and reviewable |
| Certifications | SOC 2 Type II maintained throughout term; right to review audit reports under NDA |
| Breach notification | Written notification within 24–48 hours of discovery, with details and a remediation plan; as data controller you have 72 hours under GDPR Article 33 to notify the supervisory authority, so the processor's notice must arrive well inside that window |
| Penetration testing | Regular third-party pen tests; summary of results or warrant that critical vulnerabilities are addressed |
| Data locality | Specify data residency requirements; notification before data is moved to different jurisdiction |
| Material breach classification | Security breach = material breach of contract, triggering termination rights |
Customer Data Use & Training Opt-Out
Ensure that OpenAI does not use your data to train its AI models or otherwise exploit it for its benefit. While OpenAI's enterprise policy currently excludes business data from training by default, you must cement this in writing.
🎯 Required Contract Language
"Customer Content will be excluded from any datasets used to train or refine OpenAI's AI models. OpenAI shall not store Customer Content beyond the extent necessary to provide the Service to Customer, except for legal compliance or security purposes."
Additionally: if you engage OpenAI for custom model fine-tuning on your data, the resulting model must be for your exclusive use. OpenAI should not use that data to train any other models or share the model with others.
Liability Limits
Limitation of liability determines who bears the financial risk if things go wrong. Vendors try to minimise their liability — your goal is to ensure OpenAI has enough skin in the game. Typically, their standard terms cap direct damages at the total fees paid in the last 12 months and disclaim indirect damages.
| Liability Element | Standard Position | What to Negotiate |
|---|---|---|
| General cap | 12 months of fees paid | Push for 2–3× annual fees, or all fees paid over contract life |
| IP indemnification | Often uncapped or separate cap | Confirm IP indemnity is separate from and additional to the general cap |
| Data breach / confidentiality | Subject to general cap | Carve out as exception to the cap — breach of privacy should carry higher exposure |
| Gross negligence / wilful misconduct | Excluded from some limitations | Ensure this is explicitly stated; define what qualifies |
| Indirect damages | Disclaimed entirely | Try to classify costs to remedy customer impacts (credits you must give) as direct damages |
| Reciprocity | Mutual caps | Ensure your liability to OpenAI is not broader than their liability to you |
Termination & Exit Rights
Even with the best planning, situations may arise where you need to terminate the contract. Negotiate clear exit rights to avoid being trapped. Cover both termination for cause (breach) and termination for convenience (voluntary exit).
- Termination for cause — either party can terminate for material breach with 30-day cure period; critical breaches (confidentiality, repeated SLA failure) allow faster exit
- Termination for convenience — right to exit with 60-day notice; if not available, ensure contract term is short enough to avoid lock-in
- Regulatory/legal change clause — if a law change makes use of the service illegal or impractical, you can terminate without penalty
- Data retrieval — export all prompts, outputs, fine-tuning data in usable format before account closure; written certification of data destruction after
- Transition assistance — OpenAI continues service for 30–60 days post-termination to allow smooth migration (at pro-rated cost)
- Refund for pre-paid fees — pro-rata refund if termination is due to OpenAI's breach; negotiate partial refund even for convenience termination
- Survival clauses — confidentiality, IP ownership, indemnities, and liability limits survive termination indefinitely
Red Flags to Watch For
Throughout the negotiation, look for contract elements, or omissions, that could cause problems in the future. The summary table at the top of this page lists the headline red flags: data loopholes, a missing NDA, one-sided change rights, no SLA, and weak indemnity. Each should raise concern on its own, and several together suggest the draft was written with only the vendor's interests in mind.
How Redress Compliance Helps with GenAI Contracts
Negotiating an OpenAI Enterprise Agreement?
Generative AI contracts are unlike traditional software licensing — the risks around data privacy, IP ownership, model behaviour, and pricing are new territory for most procurement teams. Our GenAI advisory practice helps CIOs and procurement leaders review, redline, benchmark, and negotiate OpenAI contracts from a position of strength. We've helped enterprises avoid millions in hidden costs and contractual risk. Get independent guidance before you sign.