// Trust & Security Report
GitHub, Inc. (subsidiary of Microsoft)
GitHub Copilot — AI code assistant with multiple tiers (Free, Pro, Pro+, Max for individuals; Business and Enterprise for organizations) including IDE integrations, CLI, cloud agents, and MCP server support.
Certifications held
7
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.github.com“SOC 2, Type 2 certification available for organizations using GitHub Enterprise Cloud. GitHub maintains SOC 2 Type 2 and SOC 1 Type 2 certifications which apply to the GitHub platform and its services.”
Verify on github.com“ISO/IEC 27001:2022 certification available for organizations. The GitHub Data Protection Agreement explicitly lists 'ISO 27001:2013 certifications' as part of security safeguards.”
Verify on docs.github.com“SOC 1, Type 2 certification available for organizations using GitHub Enterprise Cloud.”
Verify on github.com“The GitHub Data Protection Agreement forms part of GitHub Customer Agreement covering legal entity's use of Online Services. GitHub self-certifies compliance with EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF. 'GitHub will implement and maintain appropriate technical and organizational measures and security safeguards' compliant with GDPR (EU Regulation 2016/679), UK GDPR, and Swiss Data Protection Act.”
Verify on docs.github.com“Cloud Security Alliance STAR certification (CSA STAR - Level 2) available for GitHub organizations.”
Verify on docs.github.com“Cloud Security Alliance CAIQ self-assessment (CSA CAIQ - Level 1) available for GitHub organizations.”
Verify on docs.github.com“GitHub PCI DSS Attestation of Compliance available through organization compliance settings.”
> Show 3 unconfirmed / not-held certifications
source: github.comProhibited data categories in DPA explicitly state: 'Do not provide GitHub with...Protected health information (HIPAA)'. GitHub Copilot is not HIPAA-compliant and must not be used with protected health information or in regulated healthcare environments.
source: github.comNo public evidence of ISO 42001 certification for GitHub Copilot. GitHub implements a Responsible AI Standard aligned with NIST AI Risk Management Framework but ISO 42001 certification is not mentioned in trust center or product documentation.
source: docs.github.comNo public evidence of FedRAMP certification mentioned in GitHub Copilot or GitHub platform compliance reports.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
GitHub stores and processes Personal Data in multiple locations including local region, United States, and other countries. International transfers use EU-U.S. Data Privacy Framework, Standard Contractual Clauses, UK Addendum, and Swiss SCCs.
TIER-DEPENDENT: Copilot Free/Pro/Pro+/Max tiers use interactions with GitHub features (inputs, outputs, code snippets) to train and improve AI models as of April 24, 2026 — users can opt out. Copilot Business and Copilot Enterprise explicitly DO NOT train on customer data. Users on Free/Pro/Pro+ can opt out of model training via https://github.com/settings/copilot/features.
// Security controls
Encryption at Rest
Implemented with appropriate security safeguards per SOC 2 Type 2 audit
github.comData Retention (Copilot Business/Enterprise)
Prompts and suggestions retained for 28 days; User Engagement Data retained for 2 years
docs.github.comData Retention (Copilot Free/Pro/Pro+/Max)
Prompts deleted after generation unless retained for model training (with opt-out available)
github.comInstant Deletion (Enterprise)
Prompts and suggestions instantly discarded after processing for Copilot Enterprise accounts
github.comAccess Controls
Least privilege principles, audit logs available for Business/Enterprise, admin configuration of restricted paths and repositories
github.comIncident Response
GitHub notifies customers of security incidents without undue delay and investigates with reasonable mitigation steps
github.comBackup & Continuity
Weekly backup procedures and Services Continuity and Incident Management Plan maintained
github.comResponsible AI Framework
Aligned with Microsoft Responsible AI Standard (six principles: accountability, transparency, fairness, reliability/safety, privacy/security, inclusiveness) and NIST AI Risk Management Framework. Responsible AI Impact Assessment completed.
github.com// Products & data scope
data: Limited to 2,000 completions per month; data may be used for model training with opt-out available
Entry tier for getting started; includes Haiku 4.5, GPT-5 mini; no credit card required
data: Unlimited completions; data may be used for model training with opt-out available; $15 monthly AI credits
$10/month; includes cloud agents, code review, 3rd-party agents (Claude, Codex), model selection
data: Premium models including Opus; data may be used for model training with opt-out available; $70 monthly credits
$39/month; 4x+ included usage vs Pro; premium model access; audit logs
data: Highest volume tier; data may be used for model training with opt-out available; $200 monthly credits
$100/month; priority access to new models; 2.9x+ usage vs Pro+; sustained high-volume workflows
data: NO model training on user data; DPA coverage; 28-day prompt retention, 2-year engagement data retention
For organizations on GitHub Free/Team or GitHub Enterprise Cloud; centralized management; cloud agents; access to model catalog
data: NO model training on user data; instant discarding of prompts after processing; full DPA + compliance report access
GitHub Enterprise Cloud only; priority feature/model access; larger AI credit pools; enterprise audit/governance controls
// What to watch
- HIPAA NOT supported — explicitly prohibited in DPA. GitHub Copilot must not be used with protected health information.
- Data training tier-dependent: Free/Pro/Pro+ users default to model training (with opt-out); Business/Enterprise customers' data is never trained on.
- AI governance certification (ISO 42001) not held. Responsible AI framework implemented (NIST-aligned) but formal ISO 42001 certification not pursued.
- Product-specific terms deprecated March 5, 2026. Current subscriptions/renewals governed by GitHub Generative AI Services Terms.
- Vendor identity: GitHub, Inc. (Microsoft subsidiary). May be purchased through GitHub directly or Microsoft agreements (different legal terms apply).
- Certifications listed (SOC 2, ISO 27001, etc.) are GitHub platform certifications inherited by Copilot, not Copilot-exclusive certifications.
- Prompt retention varies significantly by tier (instant deletion for Enterprise vs. 28 days for Business vs. model training use for Free/Pro).
- Data Privacy Framework certification is self-certification (not binding audit); EU GDPR transfers rely on Standard Contractual Clauses, post-Schrems II.
// At a glance
Pricing model
Freemium (Free/Pro/Pro+/Max for individuals) + B2B organization tiers (Business/Enterprise)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on GitHub, Inc. (subsidiary of Microsoft)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
github.com