02 Security & Data

The question is never “is AI allowed.” It’s what’s in this prompt — and where it’s going.

We’re an AI-first lab, and we want people building with it. The care we take lives in one place — the data boundary: what leaves our control and reaches a third-party model server. Get that line right, and the rest is just using the tools.

Pillar 02 of 04 · Data & model vendors · First draft for discussion
01 The data boundary

It comes down to the data

Most information is fine to put in a prompt. A narrow, well-defined slice isn’t. The skill is knowing which tier you’re holding before you hit send.

The principle is simple: the more harm a leak would cause, the closer it sits to the line. Public and internal material flows freely. Confidential material only goes to retention-safe tiers, and only the part that’s needed. Secrets never cross at all.

Sensitivity tiers
Shareable → Never-send
  1. T0 · Send freely

    Public / Open

    Already public, or meant to be. No exposure to lose.

    • Published marketing
    • Open-source code
    • Public docs
    • General knowledge
  2. T1 · Send freely

    Internal

    Ours, but low stakes if seen. Fine in normal prompts.

    • Draft copy
    • Meeting notes
    • Non-secret configs
    • Internal process
  3. T2 · Handle with care

    Confidential

    Real harm if it leaks. Only on retention-safe tiers, minimised.

    • Deal terms
    • Financials
    • Roadmaps
    • Personal data (PII)
  4. T3 · Never send

    Never-send

    Never goes into a third-party prompt. No tier makes this fine.

    • Passwords & API keys
    • Access tokens
    • Private keys
    • Customer secrets
Four tiers, from freely shareable to never-send. The further right, the more care it takes — and the last column never enters a third-party prompt, on any plan.
02 Where your data goes

One prompt, one boundary, one question

When you send a prompt, the words you included leave your control and reach a server you don’t run. So the whole discipline collapses to a single question, asked before send: what’s in this prompt, and where is it going?

Data-flow
Inside our boundary

A teammate assembles a prompt from what they’re working on.

A teammate: In their own instance
The prompt: Task + context, drafted locally
Before send
The boundary

Allowed through

  • Public & internal context
  • Minimised, need-to-know facts

Held back

  • Secrets & credentials
  • Confidential / PII
Only what passed
Outside our control
Model API: Anthropic · OpenAI · Perplexity
Their servers: Processed — maybe retained

Once it’s in the prompt and sent, it has left our control. The tier and agreement decide what they may keep.

Legend: Inside / approved · The line / never crosses · Held at the boundary
The boundary is the focal point — it sits on the prompt, before send. Public and minimised context passes through; secrets and confidential data stay inside. Once something is sent, the vendor’s tier and agreement decide what they may keep.
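
As an added illustration (not part of the original page or any tool it names), here is a minimal pre-send check for the boundary described above: it holds back T3 material before a prompt leaves. The regexes, the `hold_back` name and the `op://` vault-reference form are assumptions, and the sample prompt is constructed.

```python
import re

# Assumed, non-exhaustive patterns for the page's T3 "never-send" tier.
T3_PATTERNS = [
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.DOTALL)),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*")),
    # .env-style NAME=value lines; group 1 is the value.
    ("env_secret", re.compile(
        r"^[ \t]*(?:export[ \t]+)?\w*(?:PASSWORD|SECRET|TOKEN|API_KEY)\w*"
        r"[ \t]*=[ \t]*(\S+)", re.MULTILINE)),
]

def hold_back(prompt):
    """Return (prompt with T3 values replaced by markers, list of finding kinds)."""
    findings = []
    for kind, pattern in T3_PATTERNS:
        def redact(m, kind=kind):
            marker = f"[HELD BACK: {kind}]"
            if kind != "env_secret":
                findings.append(kind)
                return marker
            # A vault reference (assumed op:// form) names a secret without
            # containing it, so it passes the boundary unchanged.
            if m.group(1).startswith("op://"):
                return m.group(0)
            findings.append(kind)
            # Keep the variable name for context; drop only the value.
            return m.group(0)[: m.start(1) - m.start()] + marker
        prompt = pattern.sub(redact, prompt)
    return prompt, findings

# Constructed sample prompt; none of these values are real credentials.
SAMPLE_PROMPT = """Why does this deploy fail?
LOG_LEVEL=debug
DB_PASSWORD=constructed-not-a-real-password
PAYMENTS_API_KEY=op://Shared/payments/credential
curl -H "Authorization: Bearer constructedconstructed0123456789" https://example.invalid
"""

if __name__ == "__main__":
    clean, found = hold_back(SAMPLE_PROMPT)
    print(clean)
    print("held back:", found)
```

A pattern gate like this only catches secrets with a recognisable shape; T2 material such as deal terms or PII still depends on the sender knowing which tier they are holding.
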
03 Vendor posture

An honest read on the three we use

Anthropic, OpenAI, and Perplexity each fit a different job — and each treats your inputs differently depending on the plan. Here’s our current read, kept general on purpose.

Model vendor posture comparison: Anthropic, OpenAI, and Perplexity across data-training defaults, enterprise posture, best fit, and watch-outs.

| Dimension | Anthropic (Claude) | OpenAI (ChatGPT / API) | Perplexity (Search + chat) |
| --- | --- | --- | --- |
| Consumer-tier default | Free / Pro chat may use conversations to improve models unless you opt out. | Free / Plus chat may train on inputs unless you opt out in settings. | Consumer tiers are search-led; treat inputs as potentially retained. |
| Enterprise / API posture | Business / Enterprise and API: no training on your data by default; retention controls available. | Team / Enterprise and API: not used to train by default; zero-retention possible on request. | Enterprise tier exists; verify retention + training terms before confidential use. |
| Best-fit use for us | Primary for drafting, code, and analysis on internal context. | Strong general + tooling option; same data rules apply. | Fast cited research over public information. |
| Watch-outs | Confirm the plan in use is the no-train tier before T2 data. | Default consumer settings can opt you in — check the account. | Built to pull from the web; keep confidential context out of it. |

Legend: Fits our use · Conditional — check the tier · Keep confidential data out
04 A common counter-argument

A better plan changes the protocol

A reasonable view comes up often: once we’re on an enterprise or zero-retention plan, we’re covered, so the protocol can relax. It’s a fair instinct — and it’s mostly right about the part a plan can buy.

A better plan is genuinely better. It closes the retention and training gap — the part this page is most careful about. That’s one risk among several, though, and it’s the one a plan can buy.

The fuller picture

A better tier changes which protocol you need — it doesn’t remove the need for one. Retention is solved; these aren’t:

  • A plan protects the data in transit — it doesn’t decide what an automated tool is allowed to touch. That’s a separate setup.
  • Secrets pasted into a prompt are exposed regardless of retention terms.
  • “Don’t train on it” still means stored — and still reachable by a breach or a subpoena.
  • The plan covers the vendor. It says nothing about what we wire an agent into on our side.

So we keep the protocol and let the plan raise the ceiling. The question is never whether to have one — only which one this tier calls for.

05 Tooling baseline

Where secrets live

The boundary holds in practice because of one habit: secrets stay in the vault. They’re referenced, never copied — not into a prompt, not into a committed .env.

Secrets live here

1Password

Passwords, API keys, and tokens belong in the shared vault — issued, rotated, and revoked from one place. Never pasted into a prompt, never committed to a repo.

Where we coordinate

Microsoft Teams

Our day-to-day collaboration and the place we raise an integration for review. Keep credentials and confidential exports out of chat threads.

One line, no exceptions

The vault rule

A secret in a prompt is a secret you’ve handed to a third party. A secret in a committed .env is a secret in your git history forever. Reference secrets from the vault — don’t copy them.

Never goes in a prompt

The vault is the only home for these

  • Passwords, API keys, access tokens
  • Customer data & personal information (PII)
  • Private keys, signing material, .env contents