Is it safe to put company data into AI?

It depends on the tool and the data. Safe practice means using a model with training opt-out and an enterprise data processing agreement, checking data residency and compliance (GDPR, HIPAA, SOC2), and never pasting secrets, regulated personal data or client confidential information into a consumer chatbot.

Does AI train on my data?

Consumer tiers sometimes do unless you opt out. Enterprise and API tiers from major providers generally do not train on your inputs and offer a data processing agreement. Always confirm the training opt-out before sending business data.

Which AI models are GDPR compliant?

Anthropic Claude, OpenAI (enterprise), Google Gemini, Microsoft Copilot and self-hosted Llama can all be operated in GDPR-compliant ways with the right tier and agreement. Models such as DeepSeek, operated from China, do not offer GDPR or HIPAA and should not handle regulated EU data.

AI Data Privacy Checklist

The rule of thumb: never paste secrets, regulated personal data, or client-confidential information into a consumer chatbot. For business data, use a tier with training opt-out and a data processing agreement, and confirm where the data is stored.

The checklist

Training opt-out. Confirm the provider does not train on your inputs. Enterprise and API tiers usually don't; consumer tiers sometimes do unless you switch it off.
Data processing agreement (DPA). For any personal data, you need a DPA in place with the provider.
Data residency. Know which country your data is processed and stored in. EU personal data generally needs to stay in an approved region.
Compliance certifications. Check for the ones your sector needs: GDPR (EU personal data), HIPAA (US health data), SOC 2 (security controls), ISO 27001.
Retention. Find out how long inputs and outputs are kept, and whether you can request deletion.
Sub-processors. Check who else touches the data downstream (cloud hosts, analytics) and whether that's acceptable.
Access controls. Limit who in your team can send what. Not everyone needs to paste customer records into a model.
Logging. Keep a record of what categories of data go into which tool, so you can answer an audit.
Redaction. Strip names, account numbers and identifiers before sending where the task doesn't need them.
Incident path. Decide in advance who is told and what happens if sensitive data is sent to the wrong tool.

Compliance by model

A quick reference from our model data — always confirm the current tier with the provider.

Model	GDPR	HIPAA	SOC 2	Residency
Claude (Anthropic)	Yes	Yes	Yes	US, EU
GPT (OpenAI enterprise)	Yes	Yes	Yes	US, EU
Microsoft Copilot	Yes	Yes	Yes	EU, US, UK, AU
Gemini (Google)	Yes	Varies by tier	Yes	US, EU, APAC
Llama 4 (self-hosted)	Yes*	Yes*	n/a	Your own infra
DeepSeek V3	No	No	No	China

*Self-hosted compliance depends on your own deployment and controls. DeepSeek is operated from China with no GDPR/HIPAA — do not use it for regulated or sensitive EU data.

What never to paste into a consumer chatbot

Passwords, API keys, access tokens or other secrets
Customer personal data without a lawful basis and the right tier
Health, financial or other special-category data
Unreleased financials, contracts or trade secrets
Anything you'd be uncomfortable seeing in a future training set

What changed in June 2026

Enterprise data boundaries (EU-resident processing) became standard across major providers.
Training opt-out moved to default-on for most business and API tiers.
Scrutiny of non-Western models for regulated data sharpened, widening the compliance gap.

Setting guardrails? Pair this with governance basics and our own privacy policy for how a no-data-collection site works.

Before you put company data into AI

The checklist

Compliance by model

What never to paste into a consumer chatbot

What changed in June 2026