GitHub Copilot
Enterprise-Ready
This vendor is rated Enterprise-Ready with a score of 93 out of 100. Key strengths include confirmed SOC 2 Type 2 and ISO 27001 certifications via their trust portal, and a commitment not to train on customer data under enterprise terms. However, MICROSOFT CORP disclosed a material cybersecurity incident to the SEC (Form 8-K, Item 1.05) on 2024-01-19. As a next step, treat this as a confirmed security event: ask for the incident scope and remediation status, and check your contract's breach-notification and liability terms.
Readiness Breakdown deterministic · evidence-only
- Independent Certification: SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC 2 Type 2). Audit report available under NDA, which is standard enterprise practice.
- Vendor-Stated Compliance: vendor states (cited, not independently audited) BAA available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training: enterprise terms do NOT permit training on customer data (consumer/free tiers differ; see the per-tier clauses in the Data & Contract Facts table).
- Data Processing Agreement: a Data Processing Agreement is published and tracked.
- Breach History: no breach listed in Have I Been Pwned. HIBP indexes leaked account data, so this does not contradict the SEC 8-K incident noted above.
- Vulnerability Exposure: no product identity match in vulnerability databases, so this check was not assessed.
- Email Spoofing Protection (DMARC): DMARC enforced (p=quarantine or p=reject), so spoofing of the vendor's domain is mitigated.
- Vulnerability Disclosure Policy: publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate: valid TLS certificate in place.
- Legal Transparency: 7 legal/policy documents publicly tracked.
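The DMARC and security.txt findings above are cheap to re-verify rather than take on trust. The following is an added Python example, not the brief's or GitHub's own tooling: it takes a DMARC TXT record and a security.txt body as strings and reproduces the two checks, returning a finer-grained verdict than "enforced" (a p=reject record with pct=50 or sp=none still leaves spoofing room). The sample record and file are constructed; for the real values resolve the TXT record of _dmarc.<vendor domain> and fetch /.well-known/security.txt (the RFC 9116 location) from the vendor's domain. The verdict labels are this example's own convention.

```python
"""Re-run the DMARC and RFC 9116 security.txt posture checks against inputs
you supply. Added example; not the brief's own tooling. Sample inputs below
are constructed, not fetched from the vendor."""
import re
from datetime import datetime, timezone

ENFORCING = {"quarantine", "reject"}                  # DMARC p= values that act on failures
URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)  # RFC 9116: Contact must be a URI


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_verdict(record: str) -> str:
    """Classify a DMARC record. Only p=quarantine/reject applied to 100% of mail
    with subdomains covered counts as 'enforced'; weaker records get a label
    that says why 'spoofing mitigated' would overstate the posture."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "monitor-only"            # p=none: reports only, spoofed mail still delivered
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"                 # pct<100 applies the policy to a sample of mail
    if tags.get("sp", policy).lower() not in ENFORCING:
        return "subdomains-unprotected"  # sp=none lets *.domain be spoofed (sp defaults to p)
    return "enforced"


def check_security_txt(body: str, now: datetime) -> dict:
    """Validate a security.txt body against RFC 9116's required fields:
    at least one Contact URI and exactly one unexpired Expires timestamp."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                      # blank, comment, or not a field line
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact (required)")
    for contact in contacts:
        if not URI_SCHEME.match(contact):
            problems.append(f"Contact is not a URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (required)")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append(f"expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
    warnings = [] if "canonical" in fields else ["no Canonical URL (recommended)"]
    return {"ok": not problems, "problems": problems, "warnings": warnings,
            "contacts": contacts}


# Constructed sample inputs (hypothetical domain, not live lookups).
SAMPLE_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
SAMPLE_SECURITY_TXT = """# constructed sample
Contact: mailto:security@example.com
Expires: 2099-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""


def audit(dmarc_record: str, security_txt: str, now: datetime = None) -> dict:
    """Run both checks; 'now' defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return {"dmarc": dmarc_verdict(dmarc_record),
            "security_txt": check_security_txt(security_txt, now)}


if __name__ == "__main__":
    print(audit(SAMPLE_DMARC, SAMPLE_SECURITY_TXT))
```

Anything other than "enforced" from dmarc_verdict is worth a question in the security review, since p=none and pct<100 are common half-way states that a simple "DMARC present" check reports as a pass. An expired security.txt is likewise a finding: RFC 9116 treats an expired file as stale and tells researchers not to rely on it.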
Ask This in Your Security Review (1 open item)
- Vulnerability Exposure: request the remediation timeline / patch status for known CVEs (and any CISA KEV-listed items).
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://docs.github.com/en/site-policy/privacy-policies |
| ISO 27001 | Stated by vendor | https://github.com/security |
| SOC 2 | Stated by vendor | https://github.com/security |
| HIPAA | Not publicly verified | — |
| BAA Available (HIPAA) | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Sub-processors (published list) | View document → | https://docs.github.com/en/site-policy/privacy-policies/github-subprocessors-and-cookies |
| Trains on Customer Data (key clause) | Free / Pro: trains on data. Copilot Free/Pro/Pro+: interaction data may be used to train models unless you opt out (policy updated April 2026). Enterprise: does not train. Copilot Business/Enterprise: interaction data is contractually exempt from model training. | See per-tier citations |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2024-01-19 SEC 8-K Material cybersecurity incident disclosed to SEC by MICROSOFT CORP
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://github.com/security |
| SOC2 TYPE2 | Available via Trust Center | https://github.com/security |
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding; it is typically signed under NDA. |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. |
Continuous Monitoring change-tracking active
5 legal & policy documents under change-monitoring since 2026-05-31. 7 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-17 | CVE / Security Incident | 1 new CVE (published 2026-05-13): CVE-2026-45033; a vendor fix is available. What this means: disclosed and already fixed by the vendor, so no action is needed beyond confirming you run a current version. Tracked as part of the vendor's security-response cadence, not as an active exposure. |
| 2026-06-17 | ToS Clause Change | The Privacy Policy changed: 1 removed passage. What this means: the edit does not clearly touch a tracked legal concern (it may be a heading, formatting or minor wording change), so skim the current Privacy Policy to confirm. Exact changed text: the passages "GitHub General Privacy Statement - GitHub Docs" and "Skip to main content" were removed. Hunk: @@ -1,4 +1,2 @@-GitHub General Privacy Statement - GitHub Docs -Skip to main content GitHub General Privacy Statement In this article |
| 2026-06-16 | SEC Cyber Incident (8-K 1.05) | MICROSOFT CORP disclosed a material cybersecurity incident to the SEC (Form 8-K, Item 1.05) on 2024-01-19. What this means: the vendor told the SEC it suffered a material cybersecurity incident, so treat it as a confirmed security event: ask for the incident scope and remediation status, and check your contract's breach-notification and liability terms. |
| 2026-06-16 | CVE / Security Incident | CVE-2026-45033 (published 2026-05-13), the same finding as the 2026-06-17 row; a vendor fix is available, so confirm you run a current version. |
| 2026-06-15 | CVE / Security Incident | CVE-2026-45033 (published 2026-05-13), the same finding as the 2026-06-17 row; a vendor fix is available, so confirm you run a current version. |
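Review bot: the two removed lines in the 2026-06-17 hunk, "GitHub General Privacy Statement - GitHub Docs" and "Skip to main content", are the HTML page title and the skip-navigation link of the docs page, not policy text, so this "ToS Clause Change" is a scraping artifact rather than a clause change. Extract only the article body (or drop known chrome lines) before diffing so a capture that gains or loses page chrome does not raise a Privacy Policy alert.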
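The Continuous Monitoring table shows why raw diffs of a scraped page generate noise: the 2026-06-17 "ToS Clause Change" consists only of the page title and the skip-navigation link disappearing from the capture. The following is an added Python example, not the monitoring service's own code, of a change monitor that strips such chrome before hashing and diffing a captured policy document, then labels a real change as material or wording by the terms it touches. The two document versions, the chrome patterns and the material-term list are constructed for the example; the clause sentences are illustrative, not quotations from GitHub's policy.

```python
"""Change-monitor a captured policy document with page chrome normalised out,
so a re-scrape that only loses the <title> or a 'Skip to main content' link is
not reported as a Privacy Policy change. Added example; not the monitoring
service's code. Document versions below are constructed."""
import difflib
import hashlib
import re

# Navigation/HTML chrome that a scraper may or may not capture between runs.
# Constructed from the two passages the brief's own hunk shows as removed.
CHROME_PATTERNS = [
    re.compile(r"^skip to main content$", re.I),
    re.compile(r" - github docs$", re.I),   # browser <title> suffix on docs pages
    re.compile(r"^in this article$", re.I),
]
# Terms whose change in a DPA/privacy text a reviewer must read, not skim.
MATERIAL_TERMS = ("train", "sub-processor", "subprocessor", "retain", "retention",
                  "breach", "transfer", "delete", "opt out")


def normalise(text: str) -> list:
    """Collapse whitespace and drop chrome lines so only policy text is compared."""
    kept = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not any(p.search(line) for p in CHROME_PATTERNS):
            kept.append(line)
    return kept


def fingerprint(text: str) -> str:
    """SHA-256 of the normalised text; store this as the monitoring baseline."""
    return hashlib.sha256("\n".join(normalise(text)).encode()).hexdigest()


def classify_change(before: str, after: str) -> dict:
    """Diff two captures and label the result:
    'chrome-only' -> nothing but chrome differed; no alert
    'wording'     -> policy text changed but no material term involved; skim
    'material'    -> a line mentioning a material term was added/removed; read"""
    diff = [
        line
        for line in difflib.unified_diff(normalise(before), normalise(after),
                                         lineterm="", n=0)
        if line and line[0] in "+-" and not line.startswith(("+++", "---"))
    ]
    if not diff:
        return {"kind": "chrome-only", "diff": [], "material": []}
    material = [l for l in diff if any(t in l.lower() for t in MATERIAL_TERMS)]
    return {"kind": "material" if material else "wording",
            "diff": diff, "material": material}


# Constructed captures. BEFORE mirrors the four context lines of the brief's
# hunk plus one illustrative clause; AFTER_CHROME drops only the chrome lines;
# AFTER_CLAUSE also rewrites the clause in a way a reviewer must see.
BEFORE = """GitHub General Privacy Statement - GitHub Docs
Skip to main content
GitHub General Privacy Statement
In this article
Interaction data from Business and Enterprise plans is not used to train models.
"""
AFTER_CHROME = """GitHub General Privacy Statement
In this article
Interaction data from Business and Enterprise plans is not used to train models.
"""
AFTER_CLAUSE = """GitHub General Privacy Statement
In this article
Interaction data from Business and Enterprise plans may be used to train models unless you opt out.
"""

if __name__ == "__main__":
    print(fingerprint(BEFORE) == fingerprint(AFTER_CHROME))   # True: same baseline
    print(classify_change(BEFORE, AFTER_CLAUSE)["kind"])       # material
```

Keeping the baseline as a fingerprint of the normalised text, rather than of the raw HTML, is what stops chrome drift from creating alerts; the material-term filter then decides which of the remaining changes interrupt a procurement or security reviewer and which only need a skim.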
Ask the Legal Documents grounded · cited
Ask a question about GitHub Copilot's captured Terms, DPA, Privacy Policy or sub-processor list. Answers are read only from the actual document text and always shown with the exact clause. If the documents don't cover it, we say so — we never guess.
The summary only restates the clauses below it and is verified against them — the verbatim clause is always the source of truth.
Monitor GitHub Copilot — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment GitHub Copilot changes something that affects your risk. Built for procurement & security teams.