OPENAI · LLM PROVIDER
OpenAI GPT models from a Swiss fiduciary perspective: residency, pricing, compliance
OpenAI is the most widespread model ecosystem. For Swiss fiduciaries, the decisive point is to clarify data residency (via Azure OpenAI) and the DPA posture before any client data flows.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is OpenAI?
OpenAI is a U.S. research lab based in San Francisco that develops and commercialises the GPT model family. Microsoft is its lead investor and exclusive cloud partner. As of May 2026, several lines are in production use (names and prices per the OpenAI price list, verify before use): GPT-4o (multimodal generalist, USD 2.50 / 10.00 per 1M input/output tokens), GPT-4.1 (successor with a 1M-token context, USD 5 / 15 per 1M), and o3-pro (reasoning model, USD 15 / 60 per 1M). On top of that there are embedding models (text-embedding-3-small, USD 0.02 per 1M) and Whisper for speech-to-text.
For Swiss fiduciary offices, three access paths matter: first, the OpenAI API directly (api.openai.com, processing in the U.S., USD billing); second, Azure OpenAI Service (the Microsoft wrapper, EU regions in the Netherlands/Sweden, regionally also CH-North with a restricted model catalogue); third, ChatGPT Enterprise/Team as an end-user product with its own contract layer. The three paths differ substantially in data residency, DPA availability, and model freshness.
Microsoft's CH-North region (Zurich) has offered OpenAI models since May 2025, but with a delayed model rollout: GPT-4.1 and o3 are not consistently available there (as of May 2026), and individual deployment SKUs are adjusted over time (check the Azure status page for details). In practice that means: if you want GPT-4.1/o3 without a U.S. transfer, you usually land in Azure EU regions (Westeurope / Sweden Central), not CH-North.
Why it matters
For a Swiss fiduciary office, OpenAI must be considered in two worlds at once: as a best-of-breed language model that regularly tops MTEB benchmarks and code/reasoning tasks – and as a U.S. provider with all the implications under Art. 16-19 revDSG, Art. 6 revFADP, and the U.S. CLOUD Act.
The concrete implications: direct API use via api.openai.com means third-country transfer to the U.S. Without supplementary measures (pseudonymising client data before the call, a Transfer Impact Assessment, EU SCCs in the DPA), this is not defensible for professional-secrecy data (Art. 321 SCC). With Azure OpenAI Service the picture improves: data is processed in the chosen region, Microsoft signs standardised DPAs on an EU-SCC basis, and CH-North hosting is possible for some models.
The second point: model freshness vs. region. If you want client data to stay in Switzerland, you must accept model trade-offs. If you want GPT-4.1 with its 1M context, you go through EU or U.S. regions. That decision should not be left to gut feeling; it belongs in a documented data-class matrix (see Multi-LLM Routing). Third, the price picture: USD 5 / 15 per 1M sounds cheap, but for a 50-person fiduciary with 200k tokens per person per day this quickly hits USD 800-1500 per month – prompt caching (up to 90% savings) and the Batch API (50% off) are not extras, they are mandatory.
How it works
OpenAI offers three contract tiers with different data postures. On Free/Plus (ChatGPT consumer), conversations are used by default for model training, which rules this tier out for professional data. On the API tier (api.openai.com), training has been OFF by default since March 2023; inputs/outputs are kept up to 30 days for abuse detection, then deleted. Zero Data Retention (ZDR, no storage at all) is available on request, but only for qualifying use-cases with OpenAI sales approval and on selected endpoints. On Enterprise/Team (ChatGPT Enterprise, OpenAI Business), a contractual DPA with EU SCCs applies, there is no training, and ZDR is available depending on configuration.
Azure OpenAI Service is a separate contract stack: Microsoft Customer Agreement plus Azure Service Terms plus Online Services DPA. Data is processed in the booked region (not replicated to the U.S. by default), and the standard abuse-monitoring logging can be disabled on request (Abuse Monitoring Opt-Out). Model rollout is delayed: new models typically appear 2-4 weeks after openai.com, in CH-North sometimes months later.
Technically the OpenAI API is REST-based; standard libraries exist for Python/Node/Go/.NET. Authentication via bearer token. Structured outputs (JSON mode, tool calling) are well supported; function calling has been reliable since 2023. For migration to other providers, an LLM gateway (LiteLLM) is recommended; it uses the OpenAI API as a lingua franca, keeping your code portable.
OpenAI decision in 6 steps (fiduciary CIO)
- 01 Define data classes: public / internal / client-related / professional-secrecy. Only the two least sensitive classes (public, internal) are OpenAI candidates without supplementary measures.
- 02 Choose the contract path: api.openai.com (U.S., USD, fastest model access) vs. Azure OpenAI EU (Netherlands/Sweden, EUR billing) vs. Azure OpenAI CH-North (Zurich, restricted catalogue).
- 03 Sign the DPA plus EU SCCs: with Azure via the Microsoft Online Services DPA; with OpenAI directly via the data privacy form. File both contracts.
- 04 Document the TIA: which data goes where? Assess U.S. CLOUD Act risk. File the result as a PDF in the client onboarding folder.
- 05 Model mapping: GPT-4o as default, GPT-4.1 for 1M-context cases, o3-pro only for documented reasoning cases (10x cost). Embedding: text-embedding-3-small.
- 06 Activate cost controls: hard spend cap in the OpenAI dashboard, prompt caching in code, Batch API for non-real-time workloads. Monthly cost review.
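Steps 01 and 02 can be enforced in code before any prompt leaves the office. The following added example (not code from OpenAI, Microsoft or LiteLLM) checks a data class against an allowed-backend matrix, fails closed on unknown classes, and replaces checksum-valid AHV numbers with keyed HMAC tokens. The backend names, the matrix contents and the `[AHV:...]` token format are assumptions, and only AHV numbers are covered, not names or addresses.

```python
import hashlib
import hmac
import re

# Assumed policy matrix: data class -> allowed backends (hypothetical names).
ALLOWED = {
    "public": {"openai-direct", "azure-eu", "azure-ch-north", "self-hosted"},
    "internal": {"openai-direct", "azure-eu", "azure-ch-north", "self-hosted"},
    "client-related": {"azure-eu", "azure-ch-north", "self-hosted"},
    "professional-secrecy": {"self-hosted"},
}
# Classes whose prompts must be pseudonymised before leaving the office.
PSEUDONYMISE = {"client-related"}

# AHV number: 13 digits starting with 756, usually written 756.XXXX.XXXX.XX.
AHV_RE = re.compile(r"\b756\.?\d{4}\.?\d{4}\.?\d{2}\b")


def ahv_checksum_ok(candidate: str) -> bool:
    """AHV numbers carry an EAN-13 check digit as their 13th digit."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 13:
        return False
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def pseudonymise(text: str, key: bytes) -> str:
    """Replace valid AHV numbers with a keyed, stable token (HMAC-SHA256)."""
    def repl(match: re.Match) -> str:
        if not ahv_checksum_ok(match.group()):
            return match.group()  # fails the checksum: not an AHV number
        canonical = re.sub(r"\D", "", match.group())
        tag = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:12]
        return f"[AHV:{tag}]"
    return AHV_RE.sub(repl, text)


def prepare_call(data_class: str, backend: str, prompt: str, key: bytes) -> str:
    """Return the prompt that may be sent, or raise if the route is forbidden."""
    allowed = ALLOWED.get(data_class)
    if allowed is None:
        raise ValueError(f"unknown data class: {data_class!r}")  # fail closed
    if backend not in allowed:
        raise PermissionError(f"{data_class} data may not go to {backend}")
    return pseudonymise(prompt, key) if data_class in PSEUDONYMISE else prompt
```

The HMAC key stays inside the office, so the same AHV number always maps to the same token and the provider cannot reverse it.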
When to use OpenAI
OpenAI is the right choice when (a) the highest available generalist level is required, (b) client data can be pseudonymised before submission or is uncritical anyway (public research, marketing copy, code generation), and (c) Azure OpenAI Service is accepted as the EU-resident path. Practical use-cases in fiduciary work: plain-text summaries of annual reports, VAT research against public ESTV guidelines, draft client emails (edited before send), code generation for internal scripts (no professional secrecy in the code), o3-pro for complex tax cases where pseudonymisation is feasible.
For RAG pipelines, text-embedding-3-small is a good default: USD 0.02 per 1M tokens, good German quality, 1536 dimensions, Qdrant-compatible. For Multi-LLM routing via LiteLLM, OpenAI is the natural backend: nearly every other API speaks OpenAI schema.
Important: even OpenAI via Azure-EU still has Microsoft as a U.S. parent subject to the U.S. CLOUD Act. For absolute data sovereignty (defence sector, FINMA-relevant personal data), self-hosted (Mistral, Llama, Ollama) or an EU-sovereign provider (Mistral La Plateforme) remains the clean answer. OpenAI is the high-performance layer, not the high-security layer.
When not to use
OpenAI is the wrong choice when (a) client data cannot be pseudonymised and no Azure-EU contract is in place, (b) the use-case would process professional-secrecy data (Art. 321 SCC) without EU-SCC safeguards, (c) FINMA-relevant personal data is involved and the outsourcing circular is read strictly, or (d) a simple use-case (categorisation, basic classification) can be solved by a much cheaper model.
Concretely: original client emails, AML-relevant identification data, payroll records with AHV numbers, legal pleadings – these do NOT belong in a direct api.openai.com call. If OpenAI at all, then via Azure OpenAI Service with a DPA plus documented TIA, or via a Multi-LLM routing layer that sends highly sensitive data to Mistral-EU or self-hosted.
Another case: when the use-case is mere categorisation ("receipt = travel / hospitality / office?"), GPT-4o is overkill. Llama 3.1 8B on your own hardware or Mistral Small 3 (USD 0.20 / 0.60 per 1M) delivers the same quality at a fraction of the cost – and without U.S. transfer. OpenAI is justified when the model level is actually needed.
Trade-offs
STRENGTHS
- Top generalist level on MTEB and reasoning benchmarks
- Largest ecosystem: every other library speaks the OpenAI API by default
- 1M-token context on GPT-4.1 for large documents
- Azure path offers EU and CH residency with a standardised DPA
- Mature tool-calling and JSON-mode support
WEAKNESSES
- U.S. provider, parent subject to the U.S. CLOUD Act
- USD billing, FX risk for a CHF office
- CH-North region has a restricted model catalogue and rollout lag
- ZDR available only on request with sales approval, not self-serve
- Direct API without Azure wrapper has default 30-day logging
FAQ
May I send client data to OpenAI?
Not without precautions. A direct call to api.openai.com is a third-country transfer to the U.S. and needs at minimum: written client notice, EU SCCs in the DPA (from OpenAI on request), a TIA, and ideally pseudonymisation. Cleaner path: Azure OpenAI EU region or CH-North. For professional-secrecy data (Art. 321 SCC) without pseudonymisation: prefer self-hosted or Mistral-EU.
Does OpenAI train on my API data?
No – on the API, training has been off by default since March 2023. On ChatGPT Free/Plus, yes (opt-out possible). Enterprise/Team and Azure OpenAI Service: contractually excluded. Inputs/outputs are kept up to 30 days for abuse detection; with a ZDR request, 0 days is also possible.
What does GPT-4o cost monthly for a 20-person fiduciary office?
Rule of thumb: 80k-150k tokens per person per day under active AI use. With 20 people, 22 working days, average 100k tokens (70k input + 30k output): around USD 245/month without caching, under USD 60 with aggressive prompt caching. Plus embedding costs for RAG: usually under USD 20/month.
Is Azure CH-North enough for all clients?
For Swiss data residency, yes; for model freshness, no. As of May 2026, CH-North did not have every model (no full GPT-4.1, o3 delayed). Practical workflow: CH-North for sensitive client workloads, Azure Sweden/Westeurope for generalist tasks, both routed through a LiteLLM gateway.