Ask HN: How companies are protecting Claude Code from reading IP and PII data

2 pointsposted 9 hours ago
by pradeep1177

Item id: 48939454

6 Comments

snailshare

9 hours ago

Our take has been that if you are working with one of these large companies, you cannot expect anything to be private. We've worked with a smaller more focused product where we were able to negotiate the necessary controls

pradeep1177

8 hours ago

And what are those necessary controls?

snailshare

7 hours ago

Either it needs to run on our hardware, or we need explicit contractual guardrails around use of the data for their purposes. Obviously anything you give Anthropic etc. is going into their training pipeline for instance, and they change their terms of use every week so it's impossible to work with as a small company with no leverage

toomuchtodo

8 hours ago

Sign an enterprise agreement that speaks to data retention and destruction requirements. Part of what you pay for is to shift the liability to the inference vendor.

pradeep1177

8 hours ago

These data retention contracts are black boxes; you never know how your IP was leaked, and it could end up in the model's training data. It's like trusting META with your privacy settings.

toomuchtodo

8 hours ago

A contract satisfies our infosec program and cyber insurance requirements, confirmed by a corporate legal team. Our role is to manage enterprise risk and potential exposure within our risk appetite, not eliminate it.

(already minimizing sensitive data storage and transit whenever possible, as an entity operating in a regulated industry)