Security, Trust & Compliance

Is GitHub Copilot safe to use on client projects?

GitHub Copilot Business and Enterprise can be used for professional work when accessed through AFRY-managed accounts and in line with AFRY and client data-handling rules. The enterprise agreement with GitHub provides contractual data protection - not just a policy promise.

Key protections under the agreement:

  • AFRY-managed identity and access - accounts are provisioned through AFRY IT; access is controlled via SSO, with no personal accounts
  • No model training on your code or prompts - GitHub states that Business and Enterprise customer data is not used to train AI models, under the Data Processing Agreement
  • All data is encrypted in transit and at rest
  • Covered by a Data Processing Agreement (DPA) with GitHub, including EU Standard Contractual Clauses

Copilot prompts and context are processed by GitHub Copilot and its model-hosting infrastructure. Where configured, GitHub Copilot data residency can keep supported processing within the selected EU or US geography - but this is not the same as data staying inside AFRY's own environment.


Certifications

GitHub Copilot has its own compliance reports and certifications, separate from Azure or Microsoft 365.

Certification    | What it covers
SOC 2 Type II    | Security, availability, and confidentiality controls - externally audited
ISO 27001:2022   | International standard for information security management
ISO 42001:2023   | AI-specific management standard - relevant to EU AI Act readiness
GDPR / DPA       | EU Standard Contractual Clauses for cross-border data transfers; EU data residency available

Compliance reports and certificates are available at copilot.github.trust.page and from your GitHub enterprise settings under Compliance.


What the enterprise agreement gives you

The agreement is what separates GitHub Copilot from personal or free-tier AI tools. In practice it means:

  • AFRY controls which features are enabled and for whom - governance is built in from day one
  • Centralised audit log - governance events, policy changes, and agent activity are recorded
  • SSO managed by AFRY IT - no personal accounts, no blurring between personal and professional use
  • Data deletion on request - subject to GitHub DPA terms
  • Single point of accountability - GitHub under a signed contract

The Copilot audit log records governance and agent events (policy changes, seat assignments, agent activity). It does not include the content of local Copilot prompts or coding sessions.


Source