{ "scorecard": { "domain": "openai.com", "company_name": "OpenAI", "slug": "openai", "headline": { "label": "weak", "total_score": 4, "summary": "Public trust surface scored 4 with 32 positive detectors out of 74 across 4 pages. Higher remediation scores mean more visible work remains." }, "scores": { "public_surface": 0, "ai_language": 0, "legal_clarity": 0, "security_trust": 0, "consistency": 25, "remediation_opportunity": 100 }, "maturity": [ { "dimension_key": "public_surface", "label": "Public Surface", "public_description": "Whether trust, legal, security, AI, and methodology pages are visible and navigable." }, { "dimension_key": "ai_language", "label": "AI Language", "public_description": "Whether AI claims are specific, bounded, and paired with review or data-use language." }, { "dimension_key": "legal_clarity", "label": "Legal Clarity", "public_description": "Whether privacy, terms, DPA, subprocessors, and acceptable-use surfaces are visible." }, { "dimension_key": "security_trust", "label": "Security Trust", "public_description": "Whether security, vulnerability, incident-response, and contact paths are documented." }, { "dimension_key": "consistency", "label": "Consistency", "public_description": "Whether claims, caveats, and trust artifacts are coherent across pages." }, { "dimension_key": "remediation_opportunity", "label": "Remediation Opportunity", "public_description": "Whether the public surface makes the next improvement work obvious." } ], "observed_artifacts": [ { "type": "privacy_policy", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "privacy_center", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "data_subject_request_portal", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "cookie_policy", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "cookie_preferences", "present": true, "url": "https://openai.com/policies/privacy-policy" }, { "type": "consent_management", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "data_retention_policy", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "data_sharing_notice", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "cross_border_transfers", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "data_breach_notice", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "data_residency_policy", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "data_processing_addendum", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "subprocessors_list", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "acceptable_use_policy", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "ai_usage_policy", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "responsible_ai_principles", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "customer_data_training_policy", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "model_provider_disclosure", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "prompt_logging_policy", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "human_review_policy", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "evals_and_red_teaming", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "prohibited_uses", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "model_card_or_system_card", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "ai_evaluation_or_safety_report", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "transparency_report", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "model_limitations", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "output_moderation_policy", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "feedback_training_policy", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "security_practices_page", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "backup_and_recovery", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "secure_sdlc_page", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "vulnerability_disclosure", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "security_contact", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "incident_response", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "incident_history", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "postmortems", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "security_txt", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "security_whitepaper", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "bug_bounty", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "certifications", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "attestation_summary", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "security_overview", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "incident_communication", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "encryption_at_rest", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "mfa_sso", "present": true, "url": "https://openai.com/enterprise-privacy" }, { "type": "status_page", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "methodology_page", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "scoring_rubric", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "score_caveat", "present": false, "url": "https://openai.com/security-and-privacy" }, { "type": "data_sources", "present": false, "url": "https://openai.com/security-and-privacy" }, { "type": "confidence_labels", "present": false, "url": "https://openai.com/security-and-privacy" }, { "type": "endorsement_and_certification", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "sponsor_separation", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "unsupported_maturity", "present": true, "url": "https://openai.com/security-and-privacy/" }, { "type": "customer_logos", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "testimonials", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "third_party_validation", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "awards", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "trust_center", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "contact_paths", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "docs_hub", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "public_status_page", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "footer_crosslinks", "present": true, "url": "https://openai.com/security-and-privacy" }, { "type": "sitemap", "present": false, "url": "https://openai.com/security-and-privacy/" }, { "type": "navigation", "present": false, "url": "https://openai.com/security-and-privacy" }, { "type": "responsible_disclosure_contact", "present": false, "url": "https://openai.com/security-and-privacy/" } ], "public_findings": [ { "title": "Missing Privacy Policy", "severity": "high", "category": "legal", "summary": "The public surface did not clearly expose privacy policy.", "public_tip": "Clarify what personal data you collect, process, retain, and disclose." }, { "title": "Missing Cookie Policy", "severity": "medium", "category": "legal", "summary": "The public surface did not clearly expose cookie policy.", "public_tip": "Publish cookie and tracking language with a clear consent path." }, { "title": "Missing Data Retention Policy", "severity": "medium", "category": "legal", "summary": "The public surface did not clearly expose data retention policy.", "public_tip": "State how long data is kept and what triggers deletion or archival." }, { "title": "Missing Data Sharing Notice", "severity": "medium", "category": "legal", "summary": "The public surface did not clearly expose data sharing notice.", "public_tip": "Clarify which parties receive data and why." }, { "title": "Missing Cross-Border Transfers", "severity": "medium", "category": "legal", "summary": "The public surface did not clearly expose cross-border transfers.", "public_tip": "Explain transfer mechanisms, safeguards, and processor relationships." }, { "title": "Missing Data Breach Notice", "severity": "high", "category": "legal", "summary": "The public surface did not clearly expose data breach notice.", "public_tip": "Explain how breach notification works and who is notified." }, { "title": "Missing Data Residency Policy", "severity": "medium", "category": "legal", "summary": "The public surface did not clearly expose data residency policy.", "public_tip": "State where data is stored and whether region selection is supported." }, { "title": "Missing Data Processing Addendum", "severity": "high", "category": "legal", "summary": "The public surface did not clearly expose data processing addendum.", "public_tip": "Make the DPA request path easy to find for customers and partners." }, { "title": "Missing Subprocessors List", "severity": "high", "category": "legal", "summary": "The public surface did not clearly expose subprocessors list.", "public_tip": "Publish a current subprocessor or vendor list with update cadence." }, { "title": "Missing Acceptable Use Policy", "severity": "medium", "category": "legal", "summary": "The public surface did not clearly expose acceptable use policy.", "public_tip": "Clarify prohibited and abusive use patterns in public-facing terms." }, { "title": "Missing AI Usage Policy", "severity": "high", "category": "ai-governance", "summary": "The public surface did not clearly expose ai usage policy.", "public_tip": "Explain how AI is used, reviewed, and bounded in public-facing products." }, { "title": "Missing Responsible AI Principles", "severity": "high", "category": "ai-governance", "summary": "The public surface did not clearly expose responsible ai principles.", "public_tip": "Publish a short principle set that maps to actual product controls." }, { "title": "Missing Backup and Recovery", "severity": "medium", "category": "security", "summary": "The public surface did not clearly expose backup and recovery.", "public_tip": "State whether backups exist, how recovery works, and what resilience is promised." }, { "title": "Missing Secure SDLC", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose secure sdlc.", "public_tip": "Describe the lifecycle controls that support secure development." }, { "title": "Missing Vulnerability Disclosure", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose vulnerability disclosure.", "public_tip": "Publish the disclosure path and safe-harbor terms together." }, { "title": "Missing Security Contact", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose security contact.", "public_tip": "Expose a clear public security contact or disclosure mailbox." }, { "title": "Missing Incident Response", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose incident response.", "public_tip": "State how incidents are detected, escalated, and communicated." }, { "title": "Missing Incident History", "severity": "medium", "category": "security", "summary": "The public surface did not clearly expose incident history.", "public_tip": "If incident history is public, link it clearly from the trust surface." }, { "title": "Missing Postmortems", "severity": "medium", "category": "security", "summary": "The public surface did not clearly expose postmortems.", "public_tip": "Document post-incident learning when public postmortems exist." }, { "title": "Missing Certifications", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose certifications.", "public_tip": "Only publish certification claims alongside a public attestation artifact." }, { "title": "Missing Attestation Summary", "severity": "medium", "category": "security", "summary": "The public surface did not clearly expose attestation summary.", "public_tip": "Summarize the attestation in public-safe language and link the source artifact." }, { "title": "Missing Security Overview", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose security overview.", "public_tip": "Add a concise overview of the security program and where the supporting evidence lives." }, { "title": "Missing Incident Communication", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose incident communication.", "public_tip": "Document how customers are notified and where public incident updates live." }, { "title": "Missing Status Page", "severity": "high", "category": "security", "summary": "The public surface did not clearly expose status page.", "public_tip": "Link the status page from the trust surface if it is part of the buyer review path." }, { "title": "Missing Methodology Page", "severity": "high", "category": "methodology", "summary": "The public surface did not clearly expose methodology page.", "public_tip": "Explain the rules and limitations of the scan." }, { "title": "Missing Scoring Rubric", "severity": "medium", "category": "methodology", "summary": "The public surface did not clearly expose scoring rubric.", "public_tip": "Show how the score is derived from visible evidence." }, { "title": "Missing Score Caveat", "severity": "high", "category": "methodology", "summary": "The public surface did not clearly expose score caveat.", "public_tip": "Keep the public-signal caveat visible near the score and methodology." }, { "title": "Missing Data Sources", "severity": "medium", "category": "methodology", "summary": "The public surface did not clearly expose data sources.", "public_tip": "Explain where the evidence came from and when it was observed." }, { "title": "Missing Confidence Labels", "severity": "low", "category": "methodology", "summary": "The public surface did not clearly expose confidence labels.", "public_tip": "Describe uncertainty bands or confidence levels when the evidence is partial." }, { "title": "Missing Endorsement and Certification Claims", "severity": "low", "category": "claims", "summary": "The public surface did not clearly expose endorsement and certification claims.", "public_tip": "Keep endorsement claims separate from evidence and source citations." }, { "title": "Missing Sponsor Separation", "severity": "low", "category": "claims", "summary": "The public surface did not clearly expose sponsor separation.", "public_tip": "Keep sponsors separate from methodology and findings." }, { "title": "Missing Testimonials", "severity": "low", "category": "claims", "summary": "The public surface did not clearly expose testimonials.", "public_tip": "Separate testimonial language from evidence and methodology." }, { "title": "Missing Third-Party Validation", "severity": "low", "category": "claims", "summary": "The public surface did not clearly expose third-party validation.", "public_tip": "Keep external validation claims distinct from the scanner's own findings." }, { "title": "Missing Awards", "severity": "low", "category": "claims", "summary": "The public surface did not clearly expose awards.", "public_tip": "Treat awards as positioning, not proof of operational maturity." }, { "title": "Missing Documentation Hub", "severity": "low", "category": "surface", "summary": "The public surface did not clearly expose documentation hub.", "public_tip": "Link product documentation from the trust surface when it helps buyer review." }, { "title": "Missing Public Status Page", "severity": "low", "category": "surface", "summary": "The public surface did not clearly expose public status page.", "public_tip": "Link the status page from the public trust surface if it exists." }, { "title": "Missing Sitemap", "severity": "low", "category": "surface", "summary": "The public surface did not clearly expose sitemap.", "public_tip": "Keep trust pages reachable from a sitemap or index page." }, { "title": "Missing Navigation", "severity": "low", "category": "surface", "summary": "The public surface did not clearly expose navigation.", "public_tip": "Make trust pages visible in top-level navigation when possible." }, { "title": "Missing Responsible Disclosure Contact", "severity": "high", "category": "surface", "summary": "The public surface did not clearly expose responsible disclosure contact.", "public_tip": "Expose a responsible-disclosure path with a safe-harbor explanation." }, { "title": "Trust center missing privacy policy", "severity": "high", "category": "consistency", "summary": "A trust center is visible, but the linked privacy policy was not clearly observed.", "public_tip": "Link the privacy policy directly from the trust center and footer." }, { "title": "Trust center missing methodology", "severity": "medium", "category": "methodology", "summary": "A trust center is visible, but the methodology or scoring rubric was not clearly observed.", "public_tip": "Link the methodology page, scoring rubric, and caveat from the trust center." }, { "title": "Security page missing contact path", "severity": "medium", "category": "security", "summary": "A security page is visible, but a public security contact or disclosure mailbox was not clearly observed.", "public_tip": "Expose a security contact, safe-harbor path, or security.txt reference." } ], "improvement_guidance": [ { "title": "Close the public trust-page gaps", "public_tip": "Add the missing pages, or clearly link existing pages from the trust center and footer.", "recommended_artifacts": [ "acceptable_use_policy", "ai_policy", "ai_usage_policy", "attestation_summary", "awards", "backup_and_recovery", "certifications", "confidence_labels", "cookie_policy", "cookie_preferences", "cross_border_transfers", "customer_logos", "data_breach_notice", "data_processing_addendum", "data_residency_policy", "data_retention_policy", "data_sharing_notice", "data_sources", "data_subject_request_portal", "docs_hub", "endorsement_and_certification", "incident_communication", "incident_history", "incident_response", "methodology_page", "model_card_or_system_card", "navigation", "postmortems", "privacy_center", "privacy_policy", "public_status_page", "responsible_ai_principles", "responsible_disclosure_contact", "score_caveat", "scoring_rubric", "secure_sdlc_page", "security_contact", "security_overview", "security_practices_page", "security_txt", "security_whitepaper", "sitemap", "sponsor_separation", "status_page", "subprocessors_list", "testimonials", "third_party_validation", "trust_center", "vulnerability_disclosure" ], "best_practice_refs": [ { "key": "trust-center", "label": "Trust center coverage" }, { "key": "policy-links", "label": "Policy cross-linking" } ] }, { "title": "Resolve claim mismatches", "public_tip": "Rewrite the public claim so the same wording appears across the trust, legal, and security surfaces.", "recommended_artifacts": [ "methodology_page", "score_caveat" ], "best_practice_refs": [ { "key": "evidence", "label": "Claim-to-evidence traceability" }, { "key": "caveat", "label": "Explicit public caveat" } ] } ], "methodology": { "engine_version": "0.1.0", "rules_version": "trust-scanner-rules.v1", "crawl_snapshot_date": "2026-05-20", "page_count": 4, "disclaimer": "Based on analyzed public trust signals, not proof of any internal security maturity." } }, "detector_hits": [ { "detector_id": "legal:privacy_policy", "label": "Privacy policy", "category": "legal", "severity": "high", "present": false, "summary": "Privacy policy was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:privacy_rights_notice", "label": "Privacy rights notice", "category": "legal", "severity": "medium", "present": false, "summary": "Privacy rights notice was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:data_retention_policy", "label": "Data retention policy", "category": "legal", "severity": "medium", "present": false, "summary": "Data retention policy was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:data_sharing_notice", "label": "Data sharing notice", "category": "legal", "severity": "medium", "present": false, "summary": "Data sharing notice was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:cross_border_transfers", "label": "Cross-border transfers", "category": "legal", "severity": "medium", "present": false, "summary": "Cross-border transfers was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:data_breach_notice", "label": "Data breach notice", "category": "legal", "severity": "high", "present": false, "summary": "Data breach notice was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:data_residency_policy", "label": "Data residency policy", "category": "legal", "severity": "low", "present": false, "summary": "Data residency policy was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:terms_of_service", "label": "Terms of service", "category": "legal", "severity": "high", "present": false, "summary": "Terms of service was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:cookie_policy", "label": "Cookie policy", "category": "legal", "severity": "low", "present": false, "summary": "Cookie policy was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:data_processing_addendum", "label": "Data processing addendum", "category": "legal", "severity": "medium", "present": false, "summary": "Data processing addendum was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:subprocessors_list", "label": "Subprocessors list", "category": "legal", "severity": "medium", "present": false, "summary": "Subprocessors list was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:acceptable_use_policy", "label": "Acceptable use policy", "category": "legal", "severity": "low", "present": false, "summary": "Acceptable use policy was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "legal:hub_completeness", "label": "Legal hub completeness", "category": "legal", "severity": "info", "present": true, "summary": "4 legal-oriented public pages were observed.", "evidence": [ "4 legal pages matched policy keywords" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:ai_usage_policy", "label": "AI usage policy", "category": "ai-governance", "severity": "medium", "present": false, "summary": "AI usage policy was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "ai-governance:responsible_ai_principles", "label": "Responsible AI principles", "category": "ai-governance", "severity": "low", "present": false, "summary": "Responsible AI principles was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "ai-governance:customer_data_training_policy", "label": "Customer data training policy", "category": "ai-governance", "severity": "high", "present": true, "summary": "Customer data training policy is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "US privacy policy", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:model_provider_disclosure", "label": "Model provider disclosure", "category": "ai-governance", "severity": "medium", "present": true, "summary": "Model provider disclosure is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:prompt_logging_policy", "label": "Prompt logging policy", "category": "ai-governance", "severity": "medium", "present": true, "summary": "Prompt logging policy is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:human_review_policy", "label": "Human review policy", "category": "ai-governance", "severity": "low", "present": true, "summary": "Human review policy is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:evals_and_red_teaming", "label": "Evals and red teaming", "category": "ai-governance", "severity": "low", "present": true, "summary": "Evals and red teaming is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:prohibited_uses", "label": "Prohibited uses", "category": "ai-governance", "severity": "low", "present": true, "summary": "Prohibited uses is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:model_card_or_system_card", "label": "Model card or system card", "category": "ai-governance", "severity": "low", "present": true, "summary": "Model card or system card is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:ai_evaluation_or_safety_report", "label": "AI evaluation or safety report", "category": "ai-governance", "severity": "low", "present": true, "summary": "AI evaluation or safety report is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:transparency_report", "label": "Transparency report", "category": "ai-governance", "severity": "low", "present": true, "summary": "Transparency report is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:model_limitations", "label": "Model limitations", "category": "ai-governance", "severity": "low", "present": true, "summary": "Model limitations is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:output_moderation_policy", "label": "Output moderation policy", "category": "ai-governance", "severity": "low", "present": true, "summary": "Output moderation policy is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI", "US privacy policy", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:feedback_training_policy", "label": "Feedback and training policy", "category": "ai-governance", "severity": "low", "present": true, "summary": "Feedback and training policy is publicly documented.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "ai-governance:boundedness", "label": "AI language boundedness", "category": "governance", "severity": "medium", "present": false, "summary": "Assesses whether AI claims are bounded, specific, and tied to human-review or data-use language.", "evidence": [ "https://openai.com/policies/privacy-policy: explicit AI policy page" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "security:security_practices_page", "label": "Security practices", "category": "security", "severity": "medium", "present": true, "summary": "Security practices is publicly documented.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "security:security_overview", "label": "Security overview", "category": "security", "severity": "low", "present": false, "summary": "Security overview was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:secure_sdlc_page", "label": "Secure SDLC", "category": "security", "severity": "medium", "present": false, "summary": "Secure SDLC was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:vulnerability_disclosure", "label": "Vulnerability disclosure", "category": "security", "severity": "high", "present": false, "summary": "Vulnerability disclosure was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:security_contact", "label": "Security contact", "category": "security", "severity": "medium", "present": false, "summary": "Security contact was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:incident_response", "label": "Incident response", "category": "security", "severity": "low", "present": false, "summary": "Incident response was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:incident_communication", "label": "Incident communication", "category": "security", "severity": "low", "present": false, "summary": "Incident communication was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:bug_bounty", "label": "Bug bounty", "category": "security", "severity": "low", "present": true, "summary": "Bug bounty is publicly documented.", "evidence": [ "Security & privacy at OpenAI" ], "urls": [ "https://openai.com/security-and-privacy" ] }, { "detector_id": "security:certifications", "label": "Certifications", "category": "security", "severity": "low", "present": false, "summary": "Certifications was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:backup_and_recovery", "label": "Backup and recovery", "category": "security", "severity": "low", "present": false, "summary": "Backup and recovery was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:encryption_at_rest", "label": "Encryption at rest", "category": "security", "severity": "low", "present": true, "summary": "Encryption at rest is publicly documented.", "evidence": [ "Security & privacy at OpenAI" ], "urls": [ "https://openai.com/security-and-privacy" ] }, { "detector_id": "security:mfa_sso", "label": "MFA and SSO", "category": "security", "severity": "low", "present": true, "summary": "MFA and SSO is publicly documented.", "evidence": [ "Enterprise privacy at OpenAI" ], "urls": [ "https://openai.com/enterprise-privacy" ] }, { "detector_id": "security:status_page", "label": "Status page", "category": "security", "severity": "low", "present": false, "summary": "Status page was not clearly found.", "evidence": [], "urls": [] }, { "detector_id": "security:evidence_density", "label": "Security evidence density", "category": "security", "severity": "info", "present": true, "summary": "3 pages carry security-oriented evidence language.", "evidence": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "methodology:page", "label": "Methodology page", "category": "methodology", "severity": "medium", "present": false, "summary": "No clear methodology page was observed.", "evidence": [], "urls": [] }, { "detector_id": "methodology:score_caveat", "label": "Score and caveat language", "category": "methodology", "severity": "low", "present": false, "summary": "Checks for score explanation language, source transparency, and an explicit public-signal caveat.", "evidence": [ "score_language_pages=0", "caveat_language_pages=0", "source_language_pages=0", "confidence_language_pages=0" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "methodology:data_sources", "label": "Data sources", "category": "methodology", "severity": "low", "present": false, "summary": "Checks whether the page explains where the signal data comes from.", "evidence": [ "data_source_pages=0" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "methodology:confidence_labels", "label": "Confidence labels", "category": "methodology", "severity": "low", "present": false, "summary": "Checks whether the methodology describes uncertainty or confidence levels.", "evidence": [ "confidence_pages=0" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "claims:endorsement_and_certification", "label": "Endorsement and certification claims", "category": "claims", "severity": "info", "present": false, "summary": "No endorsement-style claims were observed.", "evidence": [], "urls": [] }, { "detector_id": "claims:sponsor_separation", "label": "Sponsor separation language", "category": "claims", "severity": "info", "present": false, "summary": "Checks whether sponsor or sponsorship language appears in the public trust surface.", "evidence": [], "urls": [] }, { "detector_id": "claims:unsupported_maturity", "label": "Unsupported maturity phrasing", "category": "claims", "severity": "info", "present": true, "summary": "Public copy avoids broad, unsupported maturity language.", "evidence": [ "unsupported_phrases_pages=0" ], "urls": [] }, { "detector_id": "claims:customer_logos", "label": "Customer logos", "category": "claims", "severity": "low", "present": true, "summary": "Customer-logo or customer-name trust language was observed.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "claims:testimonials", "label": "Testimonials", "category": "claims", "severity": "info", "present": false, "summary": "No testimonial language was observed.", "evidence": [], "urls": [] }, { "detector_id": "claims:third_party_validation", "label": "Third-party validation", "category": "claims", "severity": "info", "present": false, "summary": "No third-party validation language was observed.", "evidence": [], "urls": [] }, { "detector_id": "claims:awards", "label": "Awards", "category": "claims", "severity": "info", "present": false, "summary": "No awards-style claim language was observed.", "evidence": [], "urls": [] }, { "detector_id": "consistency:claim_consistency", "label": "Claim consistency", "category": "consistency", "severity": "low", "present": true, "summary": "Cross-page trust language appears coherent.", "evidence": [ "cross_link_pages=0", "contradiction_count=0" ], "urls": [] }, { "detector_id": "surface:trust_center_discoverability", "label": "Trust center discoverability", "category": "surface", "severity": "info", "present": true, "summary": "A trust-center style public surface is visible.", "evidence": [ "https://openai.com/security-and-privacy -> security_practices (94)", "https://openai.com/security-and-privacy: privacy signals", "https://openai.com/security-and-privacy: role_hint", "https://openai.com/security-and-privacy: meta:data_residency", "https://openai.com/security-and-privacy: meta:description:OpenAI security and privacy overview", "https://openai.com/security-and-privacy: meta:pdf", "https://openai.com/security-and-privacy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/security-and-privacy: footer_link:https://openai.com/policies/privacy-policy", "https://openai.com/security-and-privacy: trust center language", "https://openai.com/security-and-privacy: 1 trust footer links", "https://openai.com/enterprise-privacy -> ai_policy (94)", "https://openai.com/enterprise-privacy: privacy signals", "https://openai.com/enterprise-privacy: role_hint", "https://openai.com/enterprise-privacy: meta:description:Enterprise privacy commitments", "https://openai.com/enterprise-privacy: footer_link:https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy: trust center language", "https://openai.com/enterprise-privacy: 1 trust footer links", "https://openai.com/policies/privacy-policy -> privacy_policy (94)", "https://openai.com/policies/privacy-policy: privacy signals", "https://openai.com/policies/privacy-policy: role_hint", "https://openai.com/policies/privacy-policy: meta:description:Consumer privacy policy", "https://openai.com/policies/privacy-policy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy: trust center language", "https://openai.com/index/business-data -> ai_policy (94)", "https://openai.com/index/business-data: privacy signals", "https://openai.com/index/business-data: role_hint", "https://openai.com/index/business-data: meta:description:Business data privacy and compliance", "https://openai.com/index/business-data: footer_link:https://openai.com/security-and-privacy", "https://openai.com/index/business-data: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/index/business-data: trust center language", "https://openai.com/index/business-data: 1 trust footer links" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "surface:coverage", "label": "Surface coverage", "category": "surface", "severity": "info", "present": true, "summary": "Observed 3 distinct trust-relevant page roles and 3 trust links.", "evidence": [ "https://openai.com/security-and-privacy -> security_practices (94)", "https://openai.com/security-and-privacy: privacy signals", "https://openai.com/security-and-privacy: role_hint", "https://openai.com/security-and-privacy: meta:data_residency", "https://openai.com/security-and-privacy: meta:description:OpenAI security and privacy overview", "https://openai.com/security-and-privacy: meta:pdf", "https://openai.com/security-and-privacy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/security-and-privacy: footer_link:https://openai.com/policies/privacy-policy", "https://openai.com/security-and-privacy: trust center language", "https://openai.com/security-and-privacy: 1 trust footer links", "https://openai.com/enterprise-privacy -> ai_policy (94)", "https://openai.com/enterprise-privacy: privacy signals", "https://openai.com/enterprise-privacy: role_hint", "https://openai.com/enterprise-privacy: meta:description:Enterprise privacy commitments", "https://openai.com/enterprise-privacy: footer_link:https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy: trust center language", "https://openai.com/enterprise-privacy: 1 trust footer links", "https://openai.com/policies/privacy-policy -> privacy_policy (94)", "https://openai.com/policies/privacy-policy: privacy signals", "https://openai.com/policies/privacy-policy: role_hint", "https://openai.com/policies/privacy-policy: meta:description:Consumer privacy policy", "https://openai.com/policies/privacy-policy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy: trust center language", "https://openai.com/index/business-data -> ai_policy (94)", "https://openai.com/index/business-data: privacy signals", "https://openai.com/index/business-data: role_hint", "https://openai.com/index/business-data: meta:description:Business data privacy and compliance", "https://openai.com/index/business-data: footer_link:https://openai.com/security-and-privacy", "https://openai.com/index/business-data: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/index/business-data: trust center language", "https://openai.com/index/business-data: 1 trust footer links" ], "urls": [ "https://openai.com/security-and-privacy/" ] }, { "detector_id": "surface:docs_hub", "label": "Documentation hub", "category": "surface", "severity": "low", "present": false, "summary": "No clear documentation hub was observed.", "evidence": [], "urls": [] }, { "detector_id": "surface:status_page", "label": "Status page", "category": "surface", "severity": "low", "present": false, "summary": "No clear public status page was observed.", "evidence": [], "urls": [] }, { "detector_id": "surface:footer_crosslinks", "label": "Footer cross-links", "category": "surface", "severity": "info", "present": true, "summary": "Trust-relevant footer cross-links were observed.", "evidence": [ "https://openai.com/security-and-privacy -> security_practices (94)", "https://openai.com/security-and-privacy: privacy signals", "https://openai.com/security-and-privacy: role_hint", "https://openai.com/security-and-privacy: meta:data_residency", "https://openai.com/security-and-privacy: meta:description:OpenAI security and privacy overview", "https://openai.com/security-and-privacy: meta:pdf", "https://openai.com/security-and-privacy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/security-and-privacy: footer_link:https://openai.com/policies/privacy-policy", "https://openai.com/security-and-privacy: trust center language", "https://openai.com/security-and-privacy: 1 trust footer links", "https://openai.com/enterprise-privacy -> ai_policy (94)", "https://openai.com/enterprise-privacy: privacy signals", "https://openai.com/enterprise-privacy: role_hint", "https://openai.com/enterprise-privacy: meta:description:Enterprise privacy commitments", "https://openai.com/enterprise-privacy: footer_link:https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy: trust center language", "https://openai.com/enterprise-privacy: 1 trust footer links", "https://openai.com/policies/privacy-policy -> privacy_policy (94)", "https://openai.com/policies/privacy-policy: privacy signals", "https://openai.com/policies/privacy-policy: role_hint", "https://openai.com/policies/privacy-policy: meta:description:Consumer privacy policy", "https://openai.com/policies/privacy-policy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy: trust center language", "https://openai.com/index/business-data -> ai_policy (94)", "https://openai.com/index/business-data: privacy signals", "https://openai.com/index/business-data: role_hint", "https://openai.com/index/business-data: meta:description:Business data privacy and compliance", "https://openai.com/index/business-data: footer_link:https://openai.com/security-and-privacy", "https://openai.com/index/business-data: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/index/business-data: trust center language", "https://openai.com/index/business-data: 1 trust footer links" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "surface:sitemap", "label": "Sitemap", "category": "surface", "severity": "low", "present": false, "summary": "No sitemap surface was clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "surface:navigation", "label": "Navigation", "category": "surface", "severity": "low", "present": false, "summary": "No obvious trust-navigation surface was observed.", "evidence": [ "https://openai.com/security-and-privacy -> security_practices (94)", "https://openai.com/security-and-privacy: privacy signals", "https://openai.com/security-and-privacy: role_hint", "https://openai.com/security-and-privacy: meta:data_residency", "https://openai.com/security-and-privacy: meta:description:OpenAI security and privacy overview", "https://openai.com/security-and-privacy: meta:pdf", "https://openai.com/security-and-privacy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/security-and-privacy: footer_link:https://openai.com/policies/privacy-policy", "https://openai.com/security-and-privacy: trust center language", "https://openai.com/security-and-privacy: 1 trust footer links", "https://openai.com/enterprise-privacy -> ai_policy (94)", "https://openai.com/enterprise-privacy: privacy signals", "https://openai.com/enterprise-privacy: role_hint", "https://openai.com/enterprise-privacy: meta:description:Enterprise privacy commitments", "https://openai.com/enterprise-privacy: footer_link:https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy: trust center language", "https://openai.com/enterprise-privacy: 1 trust footer links", "https://openai.com/policies/privacy-policy -> privacy_policy (94)", "https://openai.com/policies/privacy-policy: privacy signals", "https://openai.com/policies/privacy-policy: role_hint", "https://openai.com/policies/privacy-policy: meta:description:Consumer privacy policy", "https://openai.com/policies/privacy-policy: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy: trust center language", "https://openai.com/index/business-data -> ai_policy (94)", "https://openai.com/index/business-data: privacy signals", "https://openai.com/index/business-data: role_hint", "https://openai.com/index/business-data: meta:description:Business data privacy and compliance", "https://openai.com/index/business-data: footer_link:https://openai.com/security-and-privacy", "https://openai.com/index/business-data: footer_link:https://openai.com/enterprise-privacy", "https://openai.com/index/business-data: trust center language", "https://openai.com/index/business-data: 1 trust footer links" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "surface:contact_paths", "label": "Public contact paths", "category": "surface", "severity": "info", "present": true, "summary": "4 pages expose public contact or trust-contact language.", "evidence": [ "Security & privacy at OpenAI [link, page]", "Enterprise privacy at OpenAI [link]", "US privacy policy [link, page]", "Business data privacy, security, and compliance [link, page]" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ] }, { "detector_id": "safety:redaction", "label": "Public output redaction", "category": "safety", "severity": "info", "present": true, "summary": "Public output does not surface obvious secrets, credentials, or private keys.", "evidence": [], "urls": [] }, { "detector_id": "legal:privacy_center", "label": "Privacy Center", "category": "legal", "severity": "info", "present": true, "summary": "Privacy Center was observed in the public surface.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "US privacy policy" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ] }, { "detector_id": "legal:data_subject_request_portal", "label": "Data Subject Request Portal", "category": "legal", "severity": "info", "present": true, "summary": "Data Subject Request Portal was observed in the public surface.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "US privacy policy" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ] }, { "detector_id": "legal:cookie_preferences", "label": "Cookie Preferences", "category": "legal", "severity": "info", "present": true, "summary": "Cookie Preferences was observed in the public surface.", "evidence": [ "US privacy policy" ], "urls": [ "https://openai.com/policies/privacy-policy" ] }, { "detector_id": "legal:consent_management", "label": "Consent Management", "category": "legal", "severity": "info", "present": true, "summary": "Consent Management was observed in the public surface.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "US privacy policy" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ] }, { "detector_id": "security:incident_history", "label": "Incident History", "category": "security", "severity": "medium", "present": false, "summary": "Incident History was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "security:postmortems", "label": "Postmortems", "category": "security", "severity": "medium", "present": false, "summary": "Postmortems was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "security:security_txt", "label": "security.txt", "category": "security", "severity": "info", "present": true, "summary": "security.txt was observed in the public surface.", "evidence": [ "Security & privacy at OpenAI", "US privacy policy" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/policies/privacy-policy" ] }, { "detector_id": "security:security_whitepaper", "label": "Security Whitepaper", "category": "security", "severity": "info", "present": true, "summary": "Security Whitepaper was observed in the public surface.", "evidence": [ "Security & privacy at OpenAI", "Enterprise privacy at OpenAI", "Business data privacy, security, and compliance" ], "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ] }, { "detector_id": "security:attestation_summary", "label": "Attestation Summary", "category": "security", "severity": "medium", "present": false, "summary": "Attestation Summary was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "methodology:scoring_rubric", "label": "Scoring Rubric", "category": "methodology", "severity": "medium", "present": false, "summary": "Scoring Rubric was not clearly observed.", "evidence": [], "urls": [] }, { "detector_id": "contact:responsible_disclosure_contact", "label": "Responsible Disclosure Contact", "category": "surface", "severity": "high", "present": false, "summary": "Responsible Disclosure Contact was not clearly observed.", "evidence": [], "urls": [] } ], "artifact_observations": [ { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "human_label": "Privacy Policy", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Clarify what personal data you collect, process, retain, and disclose.", "matched_terms": [ "data processing", "personal data", "privacy", "privacy policy", "privacy-policy", "privacy_policy" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Policy via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Policy via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings", "start_offset": 85, "end_offset": 100, "confidence": 98, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched data processing evidence for Privacy Policy via Some(\"privacy_policy\")", "matched_terms": [ "data processing" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" } ] }, { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "human_label": "Privacy Center", "category": "legal", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Privacy Center was observed in the public surface.", "matched_terms": [ "privacy", "privacy_policy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Center via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Center via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Center via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" } ] }, { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "human_label": "Data Subject Request Portal", "category": "legal", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Data Subject Request Portal was observed in the public surface.", "matched_terms": [ "portal", "privacy", "privacy_policy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "lt. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 295, "end_offset": 301, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched portal evidence for Data Subject Request Portal via Some(\"security_practices\")", "matched_terms": [ "portal" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Data Subject Request Portal via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Data Subject Request Portal via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" } ] }, { "artifact_id": "cookie_policy", "detector_id": "legal:cookie_policy", "human_label": "Cookie Policy", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Publish cookie and tracking language with a clear consent path.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "cookie_preferences", "detector_id": "legal:cookie_preferences", "human_label": "Cookie Preferences", "category": "legal", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Cookie Preferences was observed in the public surface.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "human_label": "Consent Management", "category": "legal", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Consent Management was observed in the public surface.", "matched_terms": [ "privacy", "privacy_policy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Consent Management via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Consent Management via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Consent Management via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" } ] }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "human_label": "Data Retention Policy", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "State how long data is kept and what triggers deletion or archival.", "matched_terms": [ "privacy_policy", "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "oducts. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 240, "end_offset": 249, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"security_practices\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "s own and control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 192, "end_offset": 201, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"ai_policy\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings such as the API p", "start_offset": 102, "end_offset": 111, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"privacy_policy\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "ss data remains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments for enterprise and API customers.", "start_offset": 211, "end_offset": 220, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"ai_policy\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" } ] }, { "artifact_id": "data_sharing_notice", "detector_id": "legal:data_sharing_notice", "human_label": "Data Sharing Notice", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Clarify which parties receive data and why.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "cross_border_transfers", "detector_id": "legal:cross_border_transfers", "human_label": "Cross-Border Transfers", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Explain transfer mechanisms, safeguards, and processor relationships.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "data_breach_notice", "detector_id": "legal:data_breach_notice", "human_label": "Data Breach Notice", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Explain how breach notification works and who is notified.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "legal_clarity", "security_trust" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "data_residency_policy", "detector_id": "legal:data_residency_policy", "human_label": "Data Residency Policy", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "State where data is stored and whether region selection is supported.", "matched_terms": [ "data residency", "privacy_policy" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "data_residency_policy", "detector_id": "legal:data_residency_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "a is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 260, "end_offset": 274, "confidence": 96, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched data residency evidence for Data Residency Policy via Some(\"security_practices\")", "matched_terms": [ "data residency" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" } ] }, { "artifact_id": "data_processing_addendum", "detector_id": "legal:data_processing_addendum", "human_label": "Data Processing Addendum", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Make the DPA request path easy to find for customers and partners.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "subprocessors_list", "detector_id": "legal:subprocessors_list", "human_label": "Subprocessors List", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Publish a current subprocessor or vendor list with update cadence.", "matched_terms": [ "privacy_policy" ], "score_dimensions": [ "legal_clarity", "public_surface" ], "remediation_motion": "privacy_legal_review", "urls": [ "https://openai.com/policies/privacy-policy" ], "evidence_spans": [] }, { "artifact_id": "acceptable_use_policy", "detector_id": "legal:acceptable_use_policy", "human_label": "Acceptable Use Policy", "category": "legal", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Clarify prohibited and abusive use patterns in public-facing terms.", "matched_terms": [], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "ai_usage_policy", "detector_id": "ai-governance:ai_usage_policy", "human_label": "AI Usage Policy", "category": "ai-governance", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Explain how AI is used, reviewed, and bounded in public-facing products.", "matched_terms": [], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "responsible_ai_principles", "detector_id": "ai-governance:responsible_ai_principles", "human_label": "Responsible AI Principles", "category": "ai-governance", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Publish a short principle set that maps to actual product controls.", "matched_terms": [], "score_dimensions": [ "ai_language", "consistency" ], "remediation_motion": "ai_policy_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "customer_data_training_policy", "detector_id": "ai-governance:customer_data_training_policy", "human_label": "Customer Data Training Policy", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Customer Data Training Policy was observed in the public surface.", "matched_terms": [ "ai_policy", "privacy_policy" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "model_provider_disclosure", "detector_id": "ai-governance:model_provider_disclosure", "human_label": "Model Provider Disclosure", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Model Provider Disclosure was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "legal_clarity" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "prompt_logging_policy", "detector_id": "ai-governance:prompt_logging_policy", "human_label": "Prompt Logging Policy", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Prompt Logging Policy was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "legal_clarity" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "human_review_policy", "detector_id": "ai-governance:human_review_policy", "human_label": "Human Review Policy", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Human Review Policy was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "consistency" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "evals_and_red_teaming", "detector_id": "ai-governance:evals_and_red_teaming", "human_label": "Evals and Red Teaming", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Evals and Red Teaming was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "methodology" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "prohibited_uses", "detector_id": "ai-governance:prohibited_uses", "human_label": "Prohibited Uses", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Prohibited Uses was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "legal_clarity" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "model_card_or_system_card", "detector_id": "ai-governance:model_card_or_system_card", "human_label": "Model Card or System Card", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Model Card or System Card was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "methodology" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "ai_evaluation_or_safety_report", "detector_id": "ai-governance:ai_evaluation_or_safety_report", "human_label": "AI Evaluation or Safety Report", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "AI Evaluation or Safety Report was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "methodology" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "transparency_report", "detector_id": "ai-governance:transparency_report", "human_label": "Transparency Report", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Transparency Report was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "methodology", "public_surface" ], "remediation_motion": "methodology_clarification", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "model_limitations", "detector_id": "ai-governance:model_limitations", "human_label": "Model Limitations", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Model Limitations was observed in the public surface.", "matched_terms": [ "ai_policy" ], "score_dimensions": [ "ai_language", "consistency" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "output_moderation_policy", "detector_id": "ai-governance:output_moderation_policy", "human_label": "Output Moderation Policy", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Output Moderation Policy was observed in the public surface.", "matched_terms": [ "ai_policy", "policy" ], "score_dimensions": [ "ai_language", "legal_clarity" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "output_moderation_policy", "detector_id": "ai-governance:output_moderation_policy", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact rout", "start_offset": 17, "end_offset": 23, "confidence": 78, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched policy evidence for Output Moderation Policy via Some(\"privacy_policy\")", "matched_terms": [ "policy" ], "score_dimensions": [ "ai_language", "legal_clarity" ], "remediation_motion": "ai_policy_review" } ] }, { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "human_label": "Feedback and Training Policy", "category": "ai-governance", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Feedback and Training Policy was observed in the public surface.", "matched_terms": [ "ai_policy", "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "ecurity & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency opt", "start_offset": 158, "end_offset": 163, "confidence": 96, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched train evidence for Feedback and Training Policy via Some(\"security_practices\")", "matched_terms": [ "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review" }, { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "nterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and com", "start_offset": 121, "end_offset": 126, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched train evidence for Feedback and Training Policy via Some(\"ai_policy\")", "matched_terms": [ "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review" }, { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "ss data privacy, security, and compliance Business data remains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments fo", "start_offset": 163, "end_offset": 168, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched train evidence for Feedback and Training Policy via Some(\"ai_policy\")", "matched_terms": [ "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review" } ] }, { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "human_label": "Security Practices", "category": "security", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Security Practices was observed in the public surface.", "matched_terms": [ "access control", "controls", "security" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "enAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a", "start_offset": 188, "end_offset": 196, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Practices via Some(\"security_practices\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "siness data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 212, "end_offset": 226, "confidence": 98, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched access control evidence for Security Practices via Some(\"ai_policy\")", "matched_terms": [ "access control" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "mains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments for enterprise and API customers.", "start_offset": 221, "end_offset": 229, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Practices via Some(\"ai_policy\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" } ] }, { "artifact_id": "backup_and_recovery", "detector_id": "security:backup_and_recovery", "human_label": "Backup and Recovery", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "State whether backups exist, how recovery works, and what resilience is promised.", "matched_terms": [], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "secure_sdlc_page", "detector_id": "security:secure_sdlc_page", "human_label": "Secure SDLC", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Describe the lifecycle controls that support secure development.", "matched_terms": [], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "vulnerability_disclosure", "detector_id": "security:vulnerability_disclosure", "human_label": "Vulnerability Disclosure", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Publish the disclosure path and safe-harbor terms together.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "security_contact", "detector_id": "security:security_contact", "human_label": "Security Contact", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Expose a clear public security contact or disclosure mailbox.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "contact_routing", "urls": [], "evidence_spans": [] }, { "artifact_id": "incident_response", "detector_id": "security:incident_response", "human_label": "Incident Response", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "State how incidents are detected, escalated, and communicated.", "matched_terms": [], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "incident_history", "detector_id": "security:incident_history", "human_label": "Incident History", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "If incident history is public, link it clearly from the trust surface.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "postmortems", "detector_id": "security:postmortems", "human_label": "Postmortems", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Document post-incident learning when public postmortems exist.", "matched_terms": [], "score_dimensions": [ "security_trust", "methodology" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "security_txt", "detector_id": "security:security_txt", "human_label": "security.txt", "category": "security", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "security.txt was observed in the public surface.", "matched_terms": [ "contact", "policy", "security" ], "score_dimensions": [ "public_surface", "security_trust" ], "remediation_motion": "contact_routing", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "security_txt", "detector_id": "security:security_txt", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products.", "start_offset": 7, "end_offset": 15, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched security evidence for security.txt via Some(\"security_practices\")", "matched_terms": [ "security" ], "score_dimensions": [ "public_surface", "security_trust" ], "remediation_motion": "contact_routing" }, { "artifact_id": "security_txt", "detector_id": "security:security_txt", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "mer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings such as the API platform.", "start_offset": 125, "end_offset": 132, "confidence": 90, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched contact evidence for security.txt via Some(\"privacy_policy\")", "matched_terms": [ "contact" ], "score_dimensions": [ "public_surface", "security_trust" ], "remediation_motion": "contact_routing" } ] }, { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "human_label": "Security Whitepaper", "category": "security", "present": true, "public_safe": true, "confidence": 65, "evidence_strength": "moderate", "visibility": "public_safe", "reason": "Security Whitepaper was observed in the public surface.", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "enAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a", "start_offset": 188, "end_offset": 196, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Whitepaper via Some(\"security_practices\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 202, "end_offset": 210, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Whitepaper via Some(\"ai_policy\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "mains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments for enterprise and API customers.", "start_offset": 221, "end_offset": 229, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Whitepaper via Some(\"ai_policy\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" } ] }, { "artifact_id": "bug_bounty", "detector_id": "security:bug_bounty", "human_label": "Bug Bounty", "category": "security", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Bug Bounty was observed in the public surface.", "matched_terms": [ "bug bounty" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [ "https://openai.com/security-and-privacy" ], "evidence_spans": [ { "artifact_id": "bug_bounty", "detector_id": "security:bug_bounty", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "ontrols include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 309, "end_offset": 319, "confidence": 96, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched bug bounty evidence for Bug Bounty via Some(\"security_practices\")", "matched_terms": [ "bug bounty" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" } ] }, { "artifact_id": "certifications", "detector_id": "security:certifications", "human_label": "Certifications", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Only publish certification claims alongside a public attestation artifact.", "matched_terms": [], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "attestation_summary", "detector_id": "security:attestation_summary", "human_label": "Attestation Summary", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Summarize the attestation in public-safe language and link the source artifact.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "security_overview", "detector_id": "security:security_overview", "human_label": "Security Overview", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Add a concise overview of the security program and where the supporting evidence lives.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "incident_communication", "detector_id": "security:incident_communication", "human_label": "Incident Communication", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Document how customers are notified and where public incident updates live.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review", "urls": [], "evidence_spans": [] }, { "artifact_id": "encryption_at_rest", "detector_id": "security:encryption_at_rest", "human_label": "Encryption at Rest", "category": "security", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Encryption at Rest was observed in the public surface.", "matched_terms": [ "encryption at rest" ], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review", "urls": [ "https://openai.com/security-and-privacy" ], "evidence_spans": [ { "artifact_id": "encryption_at_rest", "detector_id": "security:encryption_at_rest", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "tomer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 205, "end_offset": 223, "confidence": 96, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched encryption at rest evidence for Encryption at Rest via Some(\"security_practices\")", "matched_terms": [ "encryption at rest" ], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review" } ] }, { "artifact_id": "mfa_sso", "detector_id": "security:mfa_sso", "human_label": "MFA and SSO", "category": "security", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "MFA and SSO was observed in the public surface.", "matched_terms": [ "sso" ], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review", "urls": [ "https://openai.com/enterprise-privacy" ], "evidence_spans": [ { "artifact_id": "mfa_sso", "detector_id": "security:mfa_sso", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "AI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 229, "end_offset": 232, "confidence": 96, "evidence_strength": "weak", "visibility": "public_safe", "public_safe": true, "reason": "Matched sso evidence for MFA and SSO via Some(\"ai_policy\")", "matched_terms": [ "sso" ], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review" } ] }, { "artifact_id": "status_page", "detector_id": "security:status_page", "human_label": "Status Page", "category": "security", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Link the status page from the trust surface if it is part of the buyer review path.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "trust_center_cleanup", "urls": [], "evidence_spans": [] }, { "artifact_id": "methodology_page", "detector_id": "methodology:page", "human_label": "Methodology Page", "category": "methodology", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Explain the rules and limitations of the scan.", "matched_terms": [], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "methodology_clarification", "urls": [], "evidence_spans": [] }, { "artifact_id": "scoring_rubric", "detector_id": "methodology:scoring_rubric", "human_label": "Scoring Rubric", "category": "methodology", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Show how the score is derived from visible evidence.", "matched_terms": [], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "methodology_clarification", "urls": [], "evidence_spans": [] }, { "artifact_id": "score_caveat", "detector_id": "methodology:score_caveat", "human_label": "Score Caveat", "category": "methodology", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Keep the public-signal caveat visible near the score and methodology.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "methodology_clarification", "urls": [], "evidence_spans": [] }, { "artifact_id": "data_sources", "detector_id": "methodology:data_sources", "human_label": "Data Sources", "category": "methodology", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Explain where the evidence came from and when it was observed.", "matched_terms": [], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "methodology_clarification", "urls": [], "evidence_spans": [] }, { "artifact_id": "confidence_labels", "detector_id": "methodology:confidence_labels", "human_label": "Confidence Labels", "category": "methodology", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Describe uncertainty bands or confidence levels when the evidence is partial.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "methodology_clarification", "urls": [], "evidence_spans": [] }, { "artifact_id": "endorsement_and_certification", "detector_id": "claims:endorsement_and_certification", "human_label": "Endorsement and Certification Claims", "category": "claims", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Keep endorsement claims separate from evidence and source citations.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [], "evidence_spans": [] }, { "artifact_id": "sponsor_separation", "detector_id": "claims:sponsor_separation", "human_label": "Sponsor Separation", "category": "claims", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Keep sponsors separate from methodology and findings.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [], "evidence_spans": [] }, { "artifact_id": "unsupported_maturity", "detector_id": "claims:unsupported_maturity", "human_label": "Unsupported Maturity Phrasing", "category": "claims", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Unsupported Maturity Phrasing was observed in the public surface.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [], "evidence_spans": [] }, { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "human_label": "Customer Logos", "category": "claims", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Customer Logos was observed in the public surface.", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls inclu", "start_offset": 82, "end_offset": 90, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched customer evidence for Customer Logos via Some(\"security_practices\")", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding" }, { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "penAI Organizations own and control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 174, "end_offset": 182, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched customer evidence for Customer Logos via Some(\"ai_policy\")", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding" }, { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "vacy and compliance Business data privacy, security, and compliance Business data remains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and", "start_offset": 137, "end_offset": 145, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched customer evidence for Customer Logos via Some(\"ai_policy\")", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding" } ] }, { "artifact_id": "testimonials", "detector_id": "claims:testimonials", "human_label": "Testimonials", "category": "claims", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Separate testimonial language from evidence and methodology.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [], "evidence_spans": [] }, { "artifact_id": "third_party_validation", "detector_id": "claims:third_party_validation", "human_label": "Third-Party Validation", "category": "claims", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Keep external validation claims distinct from the scanner's own findings.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [], "evidence_spans": [] }, { "artifact_id": "awards", "detector_id": "claims:awards", "human_label": "Awards", "category": "claims", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Treat awards as positioning, not proof of operational maturity.", "matched_terms": [], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding", "urls": [], "evidence_spans": [] }, { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "human_label": "Trust Center Discoverability", "category": "surface", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Trust Center Discoverability was observed in the public surface.", "matched_terms": [ "ai", "compliance", "security" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and produc", "start_offset": 4, "end_offset": 6, "confidence": 98, "evidence_strength": "weak", "visibility": "public_safe", "public_safe": true, "reason": "Matched ai evidence for Trust Center Discoverability via Some(\"security_practices\")", "matched_terms": [ "ai" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train models on business data by default. Enterprise cus", "start_offset": 57, "end_offset": 59, "confidence": 84, "evidence_strength": "weak", "visibility": "public_safe", "public_safe": true, "reason": "Matched ai evidence for Trust Center Discoverability via Some(\"ai_policy\")", "matched_terms": [ "ai" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "Business data privacy and compliance Business data privacy, security, and compliance Business data remains confidential and owned by the customer.", "start_offset": 26, "end_offset": 36, "confidence": 98, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched compliance evidence for Trust Center Discoverability via Some(\"ai_policy\")", "matched_terms": [ "compliance" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" } ] }, { "artifact_id": "contact_paths", "detector_id": "surface:contact_paths", "human_label": "Contact Paths", "category": "surface", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Contact Paths was observed in the public surface.", "matched_terms": [ "contact", "security" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "contact_routing", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/policies/privacy-policy" ], "evidence_spans": [ { "artifact_id": "contact_paths", "detector_id": "surface:contact_paths", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products.", "start_offset": 7, "end_offset": 15, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched security evidence for Contact Paths via Some(\"security_practices\")", "matched_terms": [ "security" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "contact_routing" }, { "artifact_id": "contact_paths", "detector_id": "surface:contact_paths", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "mer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings such as the API platform.", "start_offset": 125, "end_offset": 132, "confidence": 96, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched contact evidence for Contact Paths via Some(\"privacy_policy\")", "matched_terms": [ "contact" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "contact_routing" } ] }, { "artifact_id": "docs_hub", "detector_id": "surface:docs_hub", "human_label": "Documentation Hub", "category": "surface", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Link product documentation from the trust surface when it helps buyer review.", "matched_terms": [], "score_dimensions": [ "public_surface" ], "remediation_motion": "trust_center_cleanup", "urls": [], "evidence_spans": [] }, { "artifact_id": "public_status_page", "detector_id": "surface:status_page", "human_label": "Public Status Page", "category": "surface", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Link the status page from the public trust surface if it exists.", "matched_terms": [], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup", "urls": [], "evidence_spans": [] }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "human_label": "Footer Cross-links", "category": "surface", "present": true, "public_safe": true, "confidence": 90, "evidence_strength": "explicit", "visibility": "public_safe", "reason": "Footer Cross-links was observed in the public surface.", "matched_terms": [ "privacy", "security" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup", "urls": [ "https://openai.com/security-and-privacy", "https://openai.com/enterprise-privacy", "https://openai.com/policies/privacy-policy", "https://openai.com/index/business-data" ], "evidence_spans": [ { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "Business data privacy and compliance Business data privacy, security, and compliance Business data remains confidential and owned by t", "start_offset": 14, "end_offset": 21, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" } ] }, { "artifact_id": "sitemap", "detector_id": "surface:sitemap", "human_label": "Sitemap", "category": "surface", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Keep trust pages reachable from a sitemap or index page.", "matched_terms": [ "index" ], "score_dimensions": [ "public_surface" ], "remediation_motion": "trust_center_cleanup", "urls": [ "https://openai.com/index/business-data" ], "evidence_spans": [] }, { "artifact_id": "navigation", "detector_id": "surface:navigation", "human_label": "Navigation", "category": "surface", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Make trust pages visible in top-level navigation when possible.", "matched_terms": [], "score_dimensions": [ "public_surface" ], "remediation_motion": "trust_center_cleanup", "urls": [], "evidence_spans": [] }, { "artifact_id": "responsible_disclosure_contact", "detector_id": "contact:responsible_disclosure_contact", "human_label": "Responsible Disclosure Contact", "category": "surface", "present": false, "public_safe": true, "confidence": 15, "evidence_strength": "weak", "visibility": "public_safe", "reason": "Expose a responsible-disclosure path with a safe-harbor explanation.", "matched_terms": [], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "contact_routing", "urls": [], "evidence_spans": [] } ], "evidence_spans": [ { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Policy via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Policy via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_policy", "detector_id": "legal:privacy_policy", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings", "start_offset": 85, "end_offset": 100, "confidence": 98, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched data processing evidence for Privacy Policy via Some(\"privacy_policy\")", "matched_terms": [ "data processing" ], "score_dimensions": [ "public_surface", "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Center via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Center via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "privacy_center", "detector_id": "legal:privacy_center", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Privacy Center via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "lt. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 295, "end_offset": 301, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched portal evidence for Data Subject Request Portal via Some(\"security_practices\")", "matched_terms": [ "portal" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Data Subject Request Portal via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_subject_request_portal", "detector_id": "legal:data_subject_request_portal", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Data Subject Request Portal via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Consent Management via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Consent Management via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "consent_management", "detector_id": "legal:consent_management", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Consent Management via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "legal_clarity" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "oducts. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 240, "end_offset": 249, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"security_practices\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "s own and control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 192, "end_offset": 201, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"ai_policy\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings such as the API p", "start_offset": 102, "end_offset": 111, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"privacy_policy\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_retention_policy", "detector_id": "legal:data_retention_policy", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "ss data remains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments for enterprise and API customers.", "start_offset": 211, "end_offset": 220, "confidence": 85, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched retention evidence for Data Retention Policy via Some(\"ai_policy\")", "matched_terms": [ "retention" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "data_residency_policy", "detector_id": "legal:data_residency_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "a is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 260, "end_offset": 274, "confidence": 96, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched data residency evidence for Data Residency Policy via Some(\"security_practices\")", "matched_terms": [ "data residency" ], "score_dimensions": [ "legal_clarity", "consistency" ], "remediation_motion": "privacy_legal_review" }, { "artifact_id": "output_moderation_policy", "detector_id": "ai-governance:output_moderation_policy", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact rout", "start_offset": 17, "end_offset": 23, "confidence": 78, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched policy evidence for Output Moderation Policy via Some(\"privacy_policy\")", "matched_terms": [ "policy" ], "score_dimensions": [ "ai_language", "legal_clarity" ], "remediation_motion": "ai_policy_review" }, { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "ecurity & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency opt", "start_offset": 158, "end_offset": 163, "confidence": 96, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched train evidence for Feedback and Training Policy via Some(\"security_practices\")", "matched_terms": [ "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review" }, { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "nterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and com", "start_offset": 121, "end_offset": 126, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched train evidence for Feedback and Training Policy via Some(\"ai_policy\")", "matched_terms": [ "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review" }, { "artifact_id": "feedback_training_policy", "detector_id": "ai-governance:feedback_training_policy", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "ss data privacy, security, and compliance Business data remains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments fo", "start_offset": 163, "end_offset": 168, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched train evidence for Feedback and Training Policy via Some(\"ai_policy\")", "matched_terms": [ "train" ], "score_dimensions": [ "ai_language", "legal_clarity", "consistency" ], "remediation_motion": "ai_policy_review" }, { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "enAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a", "start_offset": 188, "end_offset": 196, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Practices via Some(\"security_practices\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "siness data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 212, "end_offset": 226, "confidence": 98, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched access control evidence for Security Practices via Some(\"ai_policy\")", "matched_terms": [ "access control" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_practices_page", "detector_id": "security:security_practices_page", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "mains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments for enterprise and API customers.", "start_offset": 221, "end_offset": 229, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Practices via Some(\"ai_policy\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_txt", "detector_id": "security:security_txt", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products.", "start_offset": 7, "end_offset": 15, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched security evidence for security.txt via Some(\"security_practices\")", "matched_terms": [ "security" ], "score_dimensions": [ "public_surface", "security_trust" ], "remediation_motion": "contact_routing" }, { "artifact_id": "security_txt", "detector_id": "security:security_txt", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "mer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings such as the API platform.", "start_offset": 125, "end_offset": 132, "confidence": 90, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched contact evidence for security.txt via Some(\"privacy_policy\")", "matched_terms": [ "contact" ], "score_dimensions": [ "public_surface", "security_trust" ], "remediation_motion": "contact_routing" }, { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "enAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a", "start_offset": 188, "end_offset": 196, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Whitepaper via Some(\"security_practices\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 202, "end_offset": 210, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Whitepaper via Some(\"ai_policy\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "security_whitepaper", "detector_id": "security:security_whitepaper", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "mains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and compliance commitments for enterprise and API customers.", "start_offset": 221, "end_offset": 229, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched controls evidence for Security Whitepaper via Some(\"ai_policy\")", "matched_terms": [ "controls" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "bug_bounty", "detector_id": "security:bug_bounty", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "ontrols include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 309, "end_offset": 319, "confidence": 96, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched bug bounty evidence for Bug Bounty via Some(\"security_practices\")", "matched_terms": [ "bug bounty" ], "score_dimensions": [ "security_trust", "public_surface" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "encryption_at_rest", "detector_id": "security:encryption_at_rest", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "tomer and user data, models, and products. Business data is not used for training by default. Security controls include encryption at rest and in transit, retention controls, data residency options, a security portal, and a bug bounty path.", "start_offset": 205, "end_offset": 223, "confidence": 96, "evidence_strength": "explicit", "visibility": "public_safe", "public_safe": true, "reason": "Matched encryption at rest evidence for Encryption at Rest via Some(\"security_practices\")", "matched_terms": [ "encryption at rest" ], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "mfa_sso", "detector_id": "security:mfa_sso", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "AI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 229, "end_offset": 232, "confidence": 96, "evidence_strength": "weak", "visibility": "public_safe", "public_safe": true, "reason": "Matched sso evidence for MFA and SSO via Some(\"ai_policy\")", "matched_terms": [ "sso" ], "score_dimensions": [ "security_trust", "consistency" ], "remediation_motion": "security_evidence_review" }, { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business data is not used for training by default. Security controls inclu", "start_offset": 82, "end_offset": 90, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched customer evidence for Customer Logos via Some(\"security_practices\")", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding" }, { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "penAI Organizations own and control business data. OpenAI does not train models on business data by default. Enterprise customers can set retention controls, access controls, SSO, and compliance guardrails.", "start_offset": 174, "end_offset": 182, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched customer evidence for Customer Logos via Some(\"ai_policy\")", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding" }, { "artifact_id": "customer_logos", "detector_id": "claims:customer_logos", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "vacy and compliance Business data privacy, security, and compliance Business data remains confidential and owned by the customer. OpenAI does not train on organization data by default, supports retention controls, and publishes security and", "start_offset": 137, "end_offset": 145, "confidence": 70, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched customer evidence for Customer Logos via Some(\"ai_policy\")", "matched_terms": [ "customer" ], "score_dimensions": [ "consistency", "public_surface" ], "remediation_motion": "claims_grounding" }, { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and produc", "start_offset": 4, "end_offset": 6, "confidence": 98, "evidence_strength": "weak", "visibility": "public_safe", "public_safe": true, "reason": "Matched ai evidence for Trust Center Discoverability via Some(\"security_practices\")", "matched_terms": [ "ai" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train models on business data by default. Enterprise cus", "start_offset": 57, "end_offset": 59, "confidence": 84, "evidence_strength": "weak", "visibility": "public_safe", "public_safe": true, "reason": "Matched ai evidence for Trust Center Discoverability via Some(\"ai_policy\")", "matched_terms": [ "ai" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "trust_center", "detector_id": "surface:trust_center_discoverability", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "Business data privacy and compliance Business data privacy, security, and compliance Business data remains confidential and owned by the customer.", "start_offset": 26, "end_offset": 36, "confidence": 98, "evidence_strength": "strong", "visibility": "public_safe", "public_safe": true, "reason": "Matched compliance evidence for Trust Center Discoverability via Some(\"ai_policy\")", "matched_terms": [ "compliance" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "contact_paths", "detector_id": "surface:contact_paths", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products.", "start_offset": 7, "end_offset": 15, "confidence": 84, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched security evidence for Contact Paths via Some(\"security_practices\")", "matched_terms": [ "security" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "contact_routing" }, { "artifact_id": "contact_paths", "detector_id": "surface:contact_paths", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "mer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and contact routes. It also distinguishes consumer services from business offerings such as the API platform.", "start_offset": 125, "end_offset": 132, "confidence": 96, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched contact evidence for Contact Paths via Some(\"privacy_policy\")", "matched_terms": [ "contact" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "contact_routing" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "security_practices", "url": "https://openai.com/security-and-privacy", "title": "Security & privacy at OpenAI", "snippet": "OpenAI security and privacy overview Security & privacy at OpenAI OpenAI protects customer and user data, models, and products. Business dat", "start_offset": 20, "end_offset": 27, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"security_practices\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "ai_policy", "url": "https://openai.com/enterprise-privacy", "title": "Enterprise privacy at OpenAI", "snippet": "Enterprise privacy commitments Enterprise privacy at OpenAI Organizations own and control business data. OpenAI does not train mode", "start_offset": 11, "end_offset": 18, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "privacy_policy", "url": "https://openai.com/policies/privacy-policy", "title": "US privacy policy", "snippet": "Consumer privacy policy US privacy policy OpenAI's privacy policy describes personal data processing, retention, rights, and cont", "start_offset": 9, "end_offset": 16, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"privacy_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" }, { "artifact_id": "footer_crosslinks", "detector_id": "surface:footer_crosslinks", "page_role": "ai_policy", "url": "https://openai.com/index/business-data", "title": "Business data privacy, security, and compliance", "snippet": "Business data privacy and compliance Business data privacy, security, and compliance Business data remains confidential and owned by t", "start_offset": 14, "end_offset": 21, "confidence": 98, "evidence_strength": "moderate", "visibility": "public_safe", "public_safe": true, "reason": "Matched privacy evidence for Footer Cross-links via Some(\"ai_policy\")", "matched_terms": [ "privacy" ], "score_dimensions": [ "public_surface", "consistency" ], "remediation_motion": "trust_center_cleanup" } ], "page_roles": [ { "url": "https://openai.com/security-and-privacy", "role": "security_practices", "confidence": 94, "signals": [ "privacy signals", "role_hint", "meta:data_residency", "meta:description:OpenAI security and privacy overview", "meta:pdf", "footer_link:https://openai.com/enterprise-privacy", "footer_link:https://openai.com/policies/privacy-policy" ] }, { "url": "https://openai.com/enterprise-privacy", "role": "ai_policy", "confidence": 94, "signals": [ "privacy signals", "role_hint", "meta:description:Enterprise privacy commitments", "footer_link:https://openai.com/security-and-privacy" ] }, { "url": "https://openai.com/policies/privacy-policy", "role": "privacy_policy", "confidence": 94, "signals": [ "privacy signals", "role_hint", "meta:description:Consumer privacy policy", "footer_link:https://openai.com/enterprise-privacy" ] }, { "url": "https://openai.com/index/business-data", "role": "ai_policy", "confidence": 94, "signals": [ "privacy signals", "role_hint", "meta:description:Business data privacy and compliance", "footer_link:https://openai.com/security-and-privacy", "footer_link:https://openai.com/enterprise-privacy" ] } ], "missing_artifacts": [ "privacy_policy", "cookie_policy", "data_retention_policy", "data_sharing_notice", "cross_border_transfers", "data_breach_notice", "data_residency_policy", "data_processing_addendum", "subprocessors_list", "acceptable_use_policy", "ai_usage_policy", "responsible_ai_principles", "backup_and_recovery", "secure_sdlc_page", "vulnerability_disclosure", "security_contact", "incident_response", "incident_history", "postmortems", "certifications", "attestation_summary", "security_overview", "incident_communication", "status_page", "methodology_page", "scoring_rubric", "score_caveat", "data_sources", "confidence_labels", "endorsement_and_certification", "sponsor_separation", "testimonials", "third_party_validation", "awards", "docs_hub", "public_status_page", "sitemap", "navigation", "responsible_disclosure_contact" ], "evidence_summary": [ "Legal hub completeness: 4 legal-oriented public pages were observed.", "Customer data training policy: Customer data training policy is publicly documented.", "Model provider disclosure: Model provider disclosure is publicly documented.", "Prompt logging policy: Prompt logging policy is publicly documented.", "Human review policy: Human review policy is publicly documented.", "Evals and red teaming: Evals and red teaming is publicly documented.", "Prohibited uses: Prohibited uses is publicly documented.", "Model card or system card: Model card or system card is publicly documented.", "AI evaluation or safety report: AI evaluation or safety report is publicly documented.", "Transparency report: Transparency report is publicly documented.", "Model limitations: Model limitations is publicly documented.", "Output moderation policy: Output moderation policy is publicly documented.", "Feedback and training policy: Feedback and training policy is publicly documented.", "Security practices: Security practices is publicly documented.", "Bug bounty: Bug bounty is publicly documented.", "Encryption at rest: Encryption at rest is publicly documented.", "MFA and SSO: MFA and SSO is publicly documented.", "Security evidence density: 3 pages carry security-oriented evidence language.", "Unsupported maturity phrasing: Public copy avoids broad, unsupported maturity language.", "Customer logos: Customer-logo or customer-name trust language was observed.", "Claim consistency: Cross-page trust language appears coherent.", "Trust center discoverability: A trust-center style public surface is visible.", "Surface coverage: Observed 3 distinct trust-relevant page roles and 3 trust links.", "Footer cross-links: Trust-relevant footer cross-links were observed.", "Public contact paths: 4 pages expose public contact or trust-contact language.", "Public output redaction: Public output does not surface obvious secrets, credentials, or private keys.", "Privacy Center: Privacy Center was observed in the public surface.", "Data Subject Request Portal: Data Subject Request Portal was observed in the public surface.", "Cookie Preferences: Cookie Preferences was observed in the public surface.", "Consent Management: Consent Management was observed in the public surface.", "security.txt: security.txt was observed in the public surface.", "Security Whitepaper: Security Whitepaper was observed in the public surface." ] }