AI-Guardian · Enterprise Security · 7 min read

ChatGPT Enterprise vs. Free: The Security Comparison Your Legal Team Needs

A feature-by-feature security and compliance comparison of ChatGPT Free, Plus, and Enterprise — including DPA coverage, training opt-out, SOC 2, HIPAA, and what Enterprise still doesn't protect against.

AI-Guardian Security Team

ChatGPT has three main tiers for business use: Free, Plus, and Enterprise. Security and compliance teams frequently ask which tier is required for their organisation. The short answer: if your employees handle customer data, intellectual property, or regulated information, only ChatGPT Enterprise provides the contractual and technical safeguards needed. Here's the full comparison.

The Fundamental Difference: Data Governance

The performance differences between tiers — context window size, access to GPT-4o, generation speed — are well documented elsewhere. What matters for security teams is the data governance framework that governs what OpenAI does with your employees' inputs.

This difference is profound and has direct regulatory implications under GDPR, HIPAA, SOC 2, and the EU AI Act.

Full Feature Comparison: Security and Compliance

| Feature | Free | Plus | Enterprise | Notes |
|---|---|---|---|---|
| Conversations excluded from training | Opt-out (per user) | Opt-out (per user) | Yes (organisation-wide default) | |
| GDPR Data Processing Agreement | No | No | Yes | Enterprise is the only tier with a signed DPA |
| HIPAA Business Associate Agreement | | | | |
| SOC 2 Type II certification | | | | |
| Conversation data encrypted at rest | Yes | Yes | Yes | All tiers encrypt at rest; Enterprise adds admin key management |
| Admin dashboard and usage controls | | | | |
| SSO / SAML integration | | | | |
| Conversation export for audit | | | | |
| Zero data retention option | | | Configurable | Conversations not stored after session end |
| Custom system prompts (org-wide) | | | | |

What "Training Opt-Out" Actually Means

On Free and Plus, OpenAI's default is to use conversation history for model training. Users can opt out in settings, but this is a per-user setting that requires each employee to configure it manually — and it can be changed or forgotten.

On Enterprise, conversations are never used for training by default at the organisation level. There is no employee action required and no risk of misconfigured personal settings affecting corporate data. This is the only tier where a security team can provide a blanket assurance that employee inputs are not contributing to model training.

Important nuance

Even on Enterprise, OpenAI retains conversations for a configurable period (default 30 days) for abuse monitoring and safety purposes — unless zero data retention is explicitly configured. For regulated industries (healthcare, financial services), verify that zero retention is enabled and documented.

The GDPR Verdict: Enterprise Is the Only Compliant Tier

Under GDPR Article 28, any vendor processing personal data on your behalf must have a signed Data Processing Agreement. OpenAI only offers a DPA to Enterprise customers.

This means: if your employees use ChatGPT Free or Plus to process any personal data of EU data subjects — customer names, employee records, any identifiable individual's data — your organisation is processing that data without a legal basis. This is a direct GDPR violation, regardless of whether the AI output is used for legitimate purposes.

The fine potential: up to €10 million or 2% of global annual turnover for Article 28 violations. Data protection authorities across the EU (particularly CNIL in France and the Italian Garante) have made AI compliance a priority enforcement area in 2025-2026.

Enterprise Tier Alone Is Not Sufficient

It would be a mistake to conclude that upgrading to ChatGPT Enterprise resolves all security risks. The DPA and training opt-out address the contractual layer — they say nothing about what employees actually submit in their prompts.

An employee on ChatGPT Enterprise can still paste AWS credentials, customer PII, or proprietary source code into a conversation. The Enterprise tier doesn't prevent this; it just means OpenAI won't train on it. The data still transits to OpenAI's servers and is retained for up to 30 days.

The complete enterprise AI security posture requires both:

  • ChatGPT Enterprise (or equivalent enterprise tier) for the contractual and governance framework
  • On-device DLP (AI-Guardian) for the technical layer that prevents sensitive data from reaching the API in the first place

Think of it this way: the Enterprise DPA is your compliance insurance. On-device DLP is the lock on the door. Insurance doesn't make the lock unnecessary.
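To make the "lock on the door" concrete, here is an added illustration of a pre-submission prompt scanner of the kind an on-device DLP layer runs; it is example code written for this article, not AI-Guardian's product code. The AWS access key ID format is the published one; the other patterns, the blocking policy and the sample prompts are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Detector rules. "AKIA"/"ASIA" + 16 uppercase alphanumerics is the published
# AWS access key ID format; the remaining rules are constructed heuristics
# for this example and not a production rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Policy (constructed): credential hits block the request outright,
# PII hits are redacted so the prompt can still be sent.
BLOCKING_RULES = ("aws_access_key_id", "aws_secret_key", "private_key_block")


@dataclass
class ScanResult:
    allowed: bool                 # False => do not send to the API at all
    redacted_prompt: str          # prompt with every hit masked
    findings: list = field(default_factory=list)  # rule names that fired


def scan_prompt(prompt: str) -> ScanResult:
    """Scan a prompt on the client side before it leaves the device."""
    findings = []
    redacted = prompt
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(prompt):
            findings.append(name)
            # Mask the full matched text so neither the key nor the
            # identifier survives in the outbound prompt.
            redacted = redacted.replace(match.group(0), f"[REDACTED:{name}]")
    blocked = any(name in BLOCKING_RULES for name in findings)
    return ScanResult(allowed=not blocked, redacted_prompt=redacted,
                      findings=findings)


if __name__ == "__main__":
    # Constructed sample prompts: AKIAIOSFODNN7EXAMPLE is the documented
    # placeholder key, jane.doe@example.com is a made-up address.
    for text in ("Why does boto3 fail with AKIAIOSFODNN7EXAMPLE?",
                 "Summarise: contact jane.doe@example.com about the invoice",
                 "Rewrite this paragraph for clarity."):
        result = scan_prompt(text)
        print(result.allowed, result.findings, result.redacted_prompt)
```

The decision happens before any network call, which is the property the DPA cannot give you: a blocked prompt never reaches OpenAI's servers, so the 30-day retention window never starts.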

If your organisation is evaluating ChatGPT Enterprise and needs help designing the surrounding security controls, get in touch with our team for a no-obligation architecture review.
