7 min read · AI Dev Review

How to evaluate AI coding tool privacy claims

Every vendor says they don't train on your code. Some are telling the truth. Here's how to tell.

Security, Privacy

'We don't train on your code' is table-stakes marketing. What actually matters is the contractual and technical layers underneath it, and most privacy pages hide the details you need.

Questions worth answering

  • Where is inference performed and by which sub-processors?
  • How long is prompt and completion data retained, and can retention be set to zero?
  • Is there a signed DPA available on the plan you're on, not just the enterprise tier?
  • Are model providers isolated per tenant or shared?

Red flags

Vague 'we care about your privacy' copy with no data-flow diagram. Retention buried in a sub-processor's terms. Zero-retention available only on a call with sales.

Green flags

Public SOC 2 or ISO 27001 report. Explicit sub-processor list. Configurable retention on every plan.
