Security and Summary
Security, Privacy, and Professional Best Practices
Using Copilot in a professional context requires understanding what data leaves your machine, what your employer may or may not allow, and how to use the tool in a way that is sustainable, secure, and effective over the long term.
What data is sent to GitHub
When you use Copilot in your editor, GitHub receives:
- Your code context: The current file and nearby open files, sent as part of every completion request.
- Your chat messages: Everything you type in Chat, plus the files you attach.
- Usage telemetry: Which suggestions you accept or reject (this is used to improve the model).
What GitHub does with this data depends on your plan:
- Copilot Individual / Free: By default, GitHub may use code snippets to improve Copilot models. You can opt out in your GitHub account settings under Copilot → Policies.
- Copilot Business / Enterprise: GitHub does not use your code or prompts to train models, and these plans come with stricter data-retention and audit controls.
Always check the current GitHub Copilot privacy policy at docs.github.com for the latest information, as terms can change.
What never to put in Copilot's context
Regardless of your plan, treat Copilot like any other third-party cloud service. These things should not appear in prompts or attached files:
- Secrets: API keys, OAuth tokens, database passwords, private keys, JWT secrets. Keep them in .env files (or a secrets manager), keep those files out of version control, and have an administrator add their paths to Copilot content exclusions (a repository- or organization-level setting on Copilot Business and Enterprise) so the editor never sends them as context. Exclusion is a safety net, not a fix: a key hard-coded in a source file is in the prompt the moment that file is open.
- Customer PII: Real names, emails, phone numbers, payment card data, health records. Use anonymized test data.
- Regulated data: HIPAA-covered health data, financial data under PCI DSS, data covered by GDPR that you are not allowed to transfer.
- Proprietary business logic that is explicitly confidential: Some companies classify certain algorithms or data models as trade secrets.
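The categories above are easy to list and easy to leak by habit, so it is worth having a check that runs before a file is attached to Chat or committed. The following scanner is an added example written for this lesson, not code from GitHub or from the Copilot product: the rule names, the `scan_text`/`safe_to_attach` functions and the sample .env-style file are all constructed here. The rules are deliberately small; a real pre-commit scanner such as gitleaks ships hundreds of them.

```python
import re
import sys
from typing import List, Tuple

# Constructed detection rules for the categories the lesson says must never
# reach Copilot's context. Illustrative, not exhaustive.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # name=value assignments with a long value after password/secret/key/token
    "generic_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}
# Any 13-19 digit run (spaces or dashes allowed) is a card-number candidate;
# the Luhn check below filters out ordinary numbers.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, category, matched text) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, name, m.group(0)))
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, "payment_card", m.group(0)))
    return findings


def safe_to_attach(text: str) -> bool:
    """True when nothing in the text matches a rule."""
    return not scan_text(text)


# Constructed sample: a .env-style file with fake values. The AWS key is the
# placeholder AWS uses in its own documentation; the card number is a
# well-known test number that passes Luhn but belongs to nobody.
SAMPLE = """\
# database and cloud settings
DB_PASSWORD=correct-horse-battery-staple
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SUPPORT_CONTACT=jane.doe@example.com
TEST_CARD="4111 1111 1111 1111"
TIMEOUT=30
"""

if __name__ == "__main__":
    for lineno, category, snippet in scan_text(SAMPLE):
        print(f"line {lineno}: {category}: {snippet}")
    sys.exit(0 if safe_to_attach(SAMPLE) else 1)
```

Running the script on the sample reports four hits (a generic secret on line 2, the AWS key on line 3, an email on line 4 and a card number on line 5) and exits non-zero, which is the behaviour you want from a pre-commit hook. Regex rules like these trade precision for simplicity: expect false positives on test fixtures and documentation, and treat a clean result as necessary rather than sufficient.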
Your company's policy
Many organizations have policies on AI tool usage. Before using Copilot on work projects:
- Check your employee handbook or IT security policy. Some companies prohibit AI coding tools entirely. Some allow specific tools. Some require using enterprise-licensed versions.
- If unclear, ask. Email IT security or your manager. "Can I use GitHub Copilot on work code?" is a normal question in 2025. Get the answer in writing.
- Use the enterprise plan if required. If your company requires that code not be used for training, the Business/Enterprise plan with appropriate settings is necessary.
Using an unapproved tool and causing a data incident can have serious professional and legal consequences. This is not a risk worth taking.
Evaluating suggestions: a professional checklist
Before committing any AI-generated code, verify:
- Does it do what you asked? Read it, do not skim it.
- Are the edge cases handled? Null inputs, empty collections, concurrent access, network failures.
- Are there security issues? Injection (SQL, command, path traversal), missing input validation, hard-coded credentials, exposed sensitive data in logs or responses.
- Are new dependencies introduced? An unexpected import from a new library means you need to audit that library (maintainer, license, known vulnerabilities, and whether a package by that name actually exists, since models sometimes suggest ones that do not) and declare it in your dependency manifest.
- Does it match your codebase's patterns? Error handling style, naming conventions, logging.
- Did it change anything you did not ask it to? Copilot sometimes "helpfully" refactors adjacent code.
Sustainable use: keeping your skills sharp
A real risk of heavy AI tool use is atrophy of the skills the AI handles for you. Some engineers find after a year of Copilot that they struggle with tasks they used to do automatically.
Stay intentional: Use AI for tasks where it saves time without costing understanding. Do not use it for tasks where working through the problem yourself is how you build expertise.
Review what you accept: Especially for complex logic, make sure you can explain every line you commit. If you cannot, rewrite it until you understand it.
Use it for learning: Copilot is an excellent study tool. "Explain why this implementation is O(n log n)" or "Show me three different ways to solve this problem" are powerful learning prompts.
Congratulations
You have completed the GitHub Copilot track. You now know how Copilot works, how to use every major feature, how to prompt effectively, how to use it safely and professionally, and how to stay in control of the output it produces. Finish this lesson to earn your certificate.