// Trust & Security Report

    GitHub, Inc. (subsidiary of Microsoft) logo

    GitHub, Inc. (subsidiary of Microsoft)

    GitHub Copilot — AI code assistant with multiple tiers (Free, Pro, Pro+, Max for individuals; Business and Enterprise for organizations) including IDE integrations, CLI, cloud agents, and MCP server support.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2, Type 2 certification available for organizations using GitHub Enterprise Cloud. GitHub maintains SOC 2 Type 2 and SOC 1 Type 2 certifications which apply to the GitHub platform and its services.

    Verify on docs.github.com
    ISO 27001:2022
    HELD

    ISO/IEC 27001:2022 certification available for organizations. The GitHub Data Protection Agreement explicitly lists 'ISO 27001:2013 certifications' as part of security safeguards.

    Verify on github.com
    SOC 1 Type 2
    HELD

    SOC 1, Type 2 certification available for organizations using GitHub Enterprise Cloud.

    Verify on docs.github.com
    GDPR Compliance
    HELD

    The GitHub Data Protection Agreement forms part of GitHub Customer Agreement covering legal entity's use of Online Services. GitHub self-certifies compliance with EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF. 'GitHub will implement and maintain appropriate technical and organizational measures and security safeguards' compliant with GDPR (EU Regulation 2016/679), UK GDPR, and Swiss Data Protection Act.

    Verify on github.com
    CSA STAR Level 2
    HELD

    Cloud Security Alliance STAR certification (CSA STAR - Level 2) available for GitHub organizations.

    Verify on docs.github.com
    CSA CAIQ Level 1
    HELD

    Cloud Security Alliance CAIQ self-assessment (CSA CAIQ - Level 1) available for GitHub organizations.

    Verify on docs.github.com
    PCI DSS Attestation of Compliance
    HELD

    GitHub PCI DSS Attestation of Compliance available through organization compliance settings.

    Verify on docs.github.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Prohibited data categories in DPA explicitly state: 'Do not provide GitHub with...Protected health information (HIPAA)'. GitHub Copilot is not HIPAA-compliant and must not be used with protected health information or in regulated healthcare environments.

    source: github.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification for GitHub Copilot. GitHub implements a Responsible AI Standard aligned with NIST AI Risk Management Framework but ISO 42001 certification is not mentioned in trust center or product documentation.

    source: github.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification mentioned in GitHub Copilot or GitHub platform compliance reports.

    source: docs.github.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    GitHub stores and processes Personal Data in multiple locations including local region, United States, and other countries. International transfers use EU-U.S. Data Privacy Framework, Standard Contractual Clauses, UK Addendum, and Swiss SCCs.

    TIER-DEPENDENT: Copilot Free/Pro/Pro+/Max tiers use interactions with GitHub features (inputs, outputs, code snippets) to train and improve AI models as of April 24, 2026 — users can opt out. Copilot Business and Copilot Enterprise explicitly DO NOT train on customer data. Users on Free/Pro/Pro+ can opt out of model training via https://github.com/settings/copilot/features.

    // Security controls

    Encryption in Transit

    TLS 1.2 or higher

    github.com

    Encryption at Rest

    Implemented with appropriate security safeguards per SOC 2 Type 2 audit

    github.com

    Data Retention (Copilot Business/Enterprise)

    Prompts and suggestions retained for 28 days; User Engagement Data retained for 2 years

    docs.github.com

    Data Retention (Copilot Free/Pro/Pro+/Max)

    Prompts deleted after generation unless retained for model training (with opt-out available)

    github.com

    Instant Deletion (Enterprise)

    Prompts and suggestions instantly discarded after processing for Copilot Enterprise accounts

    github.com

    Access Controls

    Least privilege principles, audit logs available for Business/Enterprise, admin configuration of restricted paths and repositories

    github.com

    Incident Response

    GitHub notifies customers of security incidents without undue delay and investigates with reasonable mitigation steps

    github.com

    Backup & Continuity

    Weekly backup procedures and Services Continuity and Incident Management Plan maintained

    github.com

    Responsible AI Framework

    Aligned with Microsoft Responsible AI Standard (six principles: accountability, transparency, fairness, reliability/safety, privacy/security, inclusiveness) and NIST AI Risk Management Framework. Responsible AI Impact Assessment completed.

    github.com

    // Products & data scope

    Copilot FreeIndividual/Personal Use

    data: Limited to 2,000 completions per month; data may be used for model training with opt-out available

    Entry tier for getting started; includes Haiku 4.5, GPT-5 mini; no credit card required

    Copilot ProIndividual/Power User

    data: Unlimited completions; data may be used for model training with opt-out available; $15 monthly AI credits

    $10/month; includes cloud agents, code review, 3rd-party agents (Claude, Codex), model selection

    Copilot Pro+Individual/Premium

    data: Premium models including Opus; data may be used for model training with opt-out available; $70 monthly credits

    $39/month; 4x+ included usage vs Pro; premium model access; audit logs

    Copilot MaxIndividual/Enterprise-Scale

    data: Highest volume tier; data may be used for model training with opt-out available; $200 monthly credits

    $100/month; priority access to new models; 2.9x+ usage vs Pro+; sustained high-volume workflows

    Copilot BusinessOrganizational

    data: NO model training on user data; DPA coverage; 28-day prompt retention, 2-year engagement data retention

    For organizations on GitHub Free/Team or GitHub Enterprise Cloud; centralized management; cloud agents; access to model catalog

    Copilot EnterpriseEnterprise

    data: NO model training on user data; instant discarding of prompts after processing; full DPA + compliance report access

    GitHub Enterprise Cloud only; priority feature/model access; larger AI credit pools; enterprise audit/governance controls

    // What to watch

    • HIPAA NOT supported — explicitly prohibited in DPA. GitHub Copilot must not be used with protected health information.
    • Data training tier-dependent: Free/Pro/Pro+ users default to model training (with opt-out); Business/Enterprise customers' data is never trained on.
    • AI governance certification (ISO 42001) not held. Responsible AI framework implemented (NIST-aligned) but formal ISO 42001 certification not pursued.
    • Product-specific terms deprecated March 5, 2026. Current subscriptions/renewals governed by GitHub Generative AI Services Terms.
    • Vendor identity: GitHub, Inc. (Microsoft subsidiary). May be purchased through GitHub directly or Microsoft agreements (different legal terms apply).
    • Certifications listed (SOC 2, ISO 27001, etc.) are GitHub platform certifications inherited by Copilot, not Copilot-exclusive certifications.
    • Prompt retention varies significantly by tier (instant deletion for Enterprise vs. 28 days for Business vs. model training use for Free/Pro).
    • Data Privacy Framework certification is self-certification (not binding audit); EU GDPR transfers rely on Standard Contractual Clauses, post-Schrems II.

    // At a glance

    Pricing model

    Freemium (Free/Pro/Pro+/Max for individuals) + B2B organization tiers (Business/Enterprise)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on GitHub, Inc. (subsidiary of Microsoft)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    github.com

    > Browse all vendor trust reports