Setting Up the OpenAI API for Businesses: DPA, API Key, Budget -- in 30 Minutes

Step-by-step OpenAI API setup for German businesses: business account, Data Processing Agreement, API key hygiene, budget limits. Including the two settings almost everyone forgets.

If you have read the pillar guide on AI agents, you already know: going directly with OpenAI is the fastest way to get a pilot up and running. Thirty minutes. One credit card. One API key.

What most tutorials leave out: two settings that, if missed, will cause you to fail a data protection review. And a budget limit that prevents your first test from costing 800 euros.

This article walks you through the setup we use at kiba for pilot projects. The order matters. Anyone who finalizes the DPA after the first live call already has a data protection incident on their hands.

Before You Click

Three things should be settled before you even open the website:

Who is the contracting party? A company, not an individual. OpenAI offers a Data Processing Agreement (DPA) only for business and API customers, and the DPA is issued to a legal entity. If the API account sits on your private Gmail address, it is dead on arrival in any data protection review.

Who has access to the inbox? Verification emails, billing emails, security alerts -- the inbox should be tied to a function (info@yourcompany.com), not to an employee who might leave tomorrow.

Where does accounting handle this? OpenAI bills in USD and issues invoices monthly. Clarify with your finance team how OpenAI invoices are converted and posted -- it is not always obvious. At many smaller firms, the entry ends up "somewhere on 4980 Miscellaneous Expenses." That is fine, but it should be a deliberate choice.

Step 1: Create the Account (5 Minutes)

Go to platform.openai.com. If you do not have an account yet, register with the functional email address from the previous step. If you already have a personal account and want to make sure you do not use it by accident, create a second account -- that is allowed.

After registration you will be asked whether to create a "Personal" or "Business" organization. Choose Business. This is the critical click. Only Business organizations get access to the DPA.

During setup you provide company name, address, and country. For "Use Case," answer honestly -- if you are automating customer support, say so. OpenAI does not use this information for marketing, but for rate-limit adjustments.

Step 2: Sign the DPA (Before Anything Else)

This is the step almost everyone leaves until last. We do it first. The reason: as soon as the first API call goes out and personal data starts flowing, you need a legal basis. Without a DPA, you do not have one.

In the dashboard: Settings -> Organization -> Data Controls -> Data Processing Addendum. There you will find the DPA as a self-generated PDF. You enter the company name, managing director, and address; OpenAI generates the document. You do not print it -- you accept it with a checkbox.

What the DPA covers and what to watch for:

Sub-processors: OpenAI uses Microsoft Azure as its infrastructure provider. This is disclosed transparently in the DPA. If your data protection officer needs a list of sub-processors, it is linked in the DPA.

Data location: The default is the US. Enterprise customers get an "EU Data Residency" option -- you do not. You operate under Standard Contractual Clauses (SCCs).

Model training: The most important point. By default, API data is not used for model training. This has been the default since March 2023 -- different from ChatGPT for consumers. Even so, you should explicitly verify this in Step 4.

Do not move on without a signed DPA.

Step 3: Set Up Payment + Configure Budget Limits

Settings -> Billing -> Payment methods -> add a credit card. That part is trivial.

Right afterwards -- and this is the step that protects you from unpleasant surprises -- you configure Usage Limits. You will find them under Settings -> Billing -> Limits.

There are two limits:

The Soft Limit triggers an email warning when monthly usage exceeds the threshold. Set this to a number that still lets you sleep at night -- typically 50 to 100 euros for pilot projects.

The Hard Limit blocks API calls as soon as the threshold is reached. This is the real safety net. Set it to a value you could still survive if your code accidentally ran in a loop. For pilot projects, 200 to 500 euros per month is a sensible range.

A practical tip from our own experience: we once had a script that accidentally sent the same request to GPT-4 ten thousand times in a loop. Without a Hard Limit, the damage would have been several hundred euros. With the Hard Limit, the bleeding stopped at 50 euros and the rest were rejected. The Hard Limit is not optional.
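The org-level Hard Limit is the last line of defense; a runaway loop like the one above is cheaper to stop inside your own process. The following is an added example (not code from the article or from OpenAI's SDK) of a client-side spend guard that books the "usage" object every chat completion response returns and refuses the next call once the projected spend would cross a cap. The per-token prices and the "4 characters per token" estimate are assumptions; substitute the current price list for your model.

```python
from dataclasses import dataclass


class BudgetExceeded(RuntimeError):
    """Raised when the next call would push spend past the configured cap."""


@dataclass
class SpendGuard:
    cap_usd: float              # client-side hard limit for this run (assumed value)
    input_usd_per_1m: float     # assumed price of prompt tokens per 1M tokens
    output_usd_per_1m: float    # assumed price of completion tokens per 1M tokens
    max_calls: int = 1000       # cap on sheer call count; catches tight loops early
    spent_usd: float = 0.0
    calls: int = 0

    def cost_of(self, prompt_tokens, completion_tokens):
        return (prompt_tokens * self.input_usd_per_1m
                + completion_tokens * self.output_usd_per_1m) / 1_000_000

    def check_before_call(self, est_prompt_tokens, est_completion_tokens):
        """Refuse the call if the estimate would breach the cap or the call count."""
        projected = self.spent_usd + self.cost_of(est_prompt_tokens, est_completion_tokens)
        if self.calls >= self.max_calls or projected > self.cap_usd:
            raise BudgetExceeded(
                f"refusing call {self.calls + 1}: projected ${projected:.4f} > cap ${self.cap_usd}")

    def record(self, usage):
        """Book the real cost from the 'usage' object of an API response."""
        cost = self.cost_of(usage["prompt_tokens"], usage["completion_tokens"])
        self.spent_usd += cost
        self.calls += 1
        return cost


def run_loop(guard, send, prompt, n):
    """Call send(prompt) up to n times, stopping at the guard; returns calls completed."""
    done = 0
    for _ in range(n):
        try:   # rough estimate: ~4 characters per token, plus a short reply
            guard.check_before_call(len(prompt) // 4 + 10, 50)
        except BudgetExceeded:
            break
        response = send(prompt)   # in real code: the OpenAI chat completion call
        guard.record(response["usage"])
        done += 1
    return done
```

With a cap of a few cents and a fake `send`, the 10,000-iteration loop from the anecdote ends after a handful of calls instead of a month's budget.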

Step 4: The Two Privacy Settings Everyone Forgets

Here come the two clicks that make the difference in a data protection review. Settings -> Organization -> Data Controls.

Setting A: "Allow our partners to use your data"

The default is off. Leave it off. If it happens to be on -- uncheck it.

Setting B: "Improve the model for everyone"

For the API, the default has been off since March 2023. Even so: check it once. For some accounts that were migrated from older ChatGPT sign-ins, it can be different. Uncheck it.

Together, these two settings form the "OpenAI does not reuse our data" guarantee. In a data protection audit, the auditor will ask about them specifically. Take a screenshot of both settings and file it in your data protection documentation.

Step 5: Generate the API Key (with Hygiene)

Settings -> API keys -> Create new secret key.

Three rules for API keys:

One key per application. Not "one key for everything." If you have a pre-qualification agent and a newsletter generator, that is two keys. If one is compromised, you only have to revoke that one.

Descriptive names. Not "Key 1." Try "fortuna-prequal-prod-2026-04." Six months from now, you will still know what runs where.

Never in the code. API keys belong in an environment variable or a secrets manager. A key accidentally pushed to GitHub will be abused in under 60 seconds -- we have watched this happen live more than once.
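Two of the three rules can be enforced mechanically. The following is an added example (not code from the article or from OpenAI's SDK): the application reads its key from an environment variable and refuses to start without one, and a small scanner flags anything that looks like an OpenAI key in a file before it is committed. The key format (`sk-` or `sk-proj-` followed by a long alphanumeric tail) and the sample source file are assumptions constructed for the example.

```python
import os
import re

# Assumption: OpenAI secret keys start with "sk-" (project keys "sk-proj-") and
# carry a long alphanumeric tail. The pattern is deliberately loose: a false
# positive costs a glance, a false negative costs a key.
KEY_PATTERN = re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}")


def load_api_key(env=os.environ, var="OPENAI_API_KEY"):
    """Return the key from the environment and refuse to start without one.

    One variable per application (e.g. PREQUAL_OPENAI_KEY) keeps the
    'one key per application' rule visible in the deployment config.
    """
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; keys live in the environment, not in code")
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError(f"{var} does not look like an OpenAI secret key")
    return key


def find_key_leaks(text):
    """Return (line_number, masked_key) for every key-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            key = match.group(0)
            hits.append((lineno, key[:7] + "..." + key[-4:]))  # never print the whole key
    return hits


# Constructed sample of a file someone was about to commit (the key is fake):
SAMPLE_SOURCE = """\
import openai
client = openai.OpenAI(api_key="sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd")  # oops
api_key = os.environ["OPENAI_API_KEY"]  # correct: read at runtime
"""

if __name__ == "__main__":
    for lineno, masked in find_key_leaks(SAMPLE_SOURCE):
        print(f"line {lineno}: possible OpenAI key {masked}")
```

Wire `find_key_leaks` into a pre-commit hook over the staged files and the "key pushed to GitHub" scenario is caught on the developer's machine rather than by whoever scans public repositories.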

Step 6: First Test (3 Minutes)

Before dropping the key into your production system, run a smoke test in the terminal:

curl https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer YOUR_KEY_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [
      {"role": "user", "content": "Reply with OK"}
    ]
  }'

If the response contains a JSON structure with "OK," everything is configured correctly. If you get a 401, the key is wrong. If you get a 429, your organization has not been activated yet -- this can take 1 to 2 hours for new accounts.

What to Put in Your Data Protection Documentation

So you do not have to start from scratch in four weeks, here is a mini template for your DPIA entry:

Processor: OpenAI, L.L.C., 1455 3rd Street, San Francisco, CA 94158, USA

Contractual basis: Data Processing Addendum (DPA) dated [date], signed via platform.openai.com

Legal basis: Art. 6(1)(f) GDPR (legitimate interest) OR Art. 6(1)(b) GDPR (contract performance), depending on use case

Data location: USA, safeguarded by Standard Contractual Clauses (SCCs)

Sub-processors: Microsoft Azure (USA)

Retention: API inputs are stored for 30 days (abuse monitoring), then deleted. Exception: zero-data-retention endpoint, when enabled.

Model training: Data is not used for model training (API default since March 2023, confirmed in Settings -> Data Controls)

That is your minimal DPIA scaffold. For standard cases, this is enough. Sensitive data requires the full DPIA and, depending on risk, consultation with the supervisory authority.

When OpenAI Direct Is Not Enough

You now have a fully functional setup. Even so, OpenAI direct is not the right path for every use case. Three situations in which you should move to Azure:

If you process health data, attorney-client information, or other data falling under the special categories of Art. 9 GDPR, US-based data processing is a problem for you -- even with SCCs. The Azure setup guide shows how to run the same model in Sweden instead of Texas.

If your client explicitly requires "no US providers" -- which is common in government and research contexts -- Azure is not enough either. In that case, the local route with Ollama is the only option.

If your volume grows so high that token costs exceed the hardware investment, the local route also becomes worthwhile. Rule of thumb: economics tip over at around 3 million tokens per day.

If You Would Rather Not Do This Yourself

The setup itself is mechanical and takes 30 minutes. The DPIA, choosing the right route, and integration into your systems are the actual work. That is exactly what our BAFA-eligible AI consulting is for: we handle the setup, clarify the data protection position, and hand you back a documented system.

Contact: info@kiba.berlin.

Part 2 of the series. Back to the pillar guide | Continue to Setting Up Azure OpenAI in Germany

This article is part of our comprehensive guide: AI for SMEs — The Complete Guide for Medium-Sized Businesses