GitHub Copilot can be used at work only under specific conditions. Our verdict for a typical 50–500 person company handling client or regulated data: Limited. Fine on Business/Enterprise plans with the public-code filter on — but code context leaves the editor, so repos with secrets or client code need explicit rules. The policy questions are IP hygiene (public-code matching, license contamination) and secrets in code context — not just data training.
| Vendor | GitHub (Microsoft) |
|---|---|
| Category | Code assistant |
| Our tier verdict | Limited — Fine on Business/Enterprise plans with the public-code filter on — but code context leaves the editor, so repos with secrets or client code need explicit rules. |
| Trains on your data? | Depends on plan / settings. GitHub states Copilot Business and Enterprise prompts and suggestions are not retained or used for training. Individual (personal) plans have different telemetry defaults — another reason to ban personal-account use for work code. |
| Data retention | For Business/Enterprise, GitHub documents that prompts and suggestions are discarded after the suggestion is returned; engagement data is retained per its privacy documentation. |
| Admin controls | Org-level policy management on Business/Enterprise: enable/disable, public-code matching filter, content exclusions, audit log. |
| Compliance certifications | GitHub publishes SOC reports and ISO certifications for its platform (per GitHub’s trust documentation). |
| HIPAA / BAA | Not applicable / not publicly documented — GitHub Copilot is not marketed for PHI processing. |
HIPAA / BAA: Not applicable / not publicly documented — GitHub Copilot is not marketed for PHI processing. As a rule: no signed Business Associate Agreement means no protected health information (PHI) — regardless of how good the vendor’s general security posture is. HIPAA is the gate: until a BAA is confirmed in writing, treat GitHub Copilot as off-limits for anything containing PHI — patient names, appointment details, clinical notes, even "anonymized" summaries that could be re-identified.
For SEC/FINRA-regulated firms the questions are recordkeeping and confidentiality: can communications through GitHub Copilot be captured for books-and-records requirements, and do the data terms hold up in vendor due diligence? The admin controls to evaluate are the org-level policy management available on Business/Enterprise: enable/disable, public-code matching filter, content exclusions, and the audit log.
The privilege question comes first: entering client-confidential facts into any third-party AI service must be evaluated as a potential disclosure. Because training/retention on GitHub Copilot depends on account type and settings, assume client matter data is off-limits unless your firm controls the account and has verified the terms.
Why the tier verdict is "generic": Limited is the right starting classification for most 50–500 person companies — but a healthcare company, a law firm, and a SaaS startup should not have identical tool lists. The $79 policy kit classifies GitHub Copilot and 24+ other tools specifically for your industry, company size, and the data your team handles.
And it goes stale: vendor data policies change quietly — a terms update can move a tool between tiers overnight. The $149/mo Monitor plan exists precisely because this page is only accurate as of July 2026.
We classify GitHub Copilot as Limited for a typical 50–500 person company. Fine on Business/Enterprise plans with the public-code filter on — but code context leaves the editor, so repos with secrets or client code need explicit rules. Your own classification should reflect your industry, data types, and which plan/account type your company actually uses.
A 4-document AI policy kit — acceptable use policy, tool tier list, acknowledgment form, manager FAQ — that classifies GitHub Copilot and 24+ other tools for your company, industry, and data. Generated in about 10 minutes.
We re-check vendor terms monthly and alert you when GitHub Copilot’s data policy changes — plus regenerate your whole kit so it never goes stale. This directory is a snapshot — Monitor is the live feed.