Security
Where your data goes when an AI agent touches it
Last updated: 14 July 2026
Before you let an AI agent read your invoices, your contracts, or a folder of customer records, there is one question that matters more than any demo: where does that data actually go, and who can see it? It is the right question to ask, and most vendors answer it with a shrug and the word "secure," which tells you nothing.
The honest answer has moving parts, but none of them are mysterious. When an agent processes a document, the relevant text is sent over an encrypted connection to a model provider's API, the model reads it, a result comes back, and the request is done. The questions worth pinning down are narrow and answerable: whose account does that call run on, is the provider allowed to train on your data, how long is anything kept, who holds the keys, and can you shut it all off tomorrow.
This piece walks the real path a document takes, quotes the current 2025 and 2026 terms from the major model providers, and covers the parts of GDPR and Singapore's PDPA that a small business actually needs to understand. The goal is not to scare you. It is to let you make this decision with the same clarity you would apply to picking a bank.
The short version
- When an agent processes a document, the relevant text is sent to a model provider's API over an encrypted connection, read, and returned. Nothing magical happens in between.
- On the paid API tiers of OpenAI, Anthropic, and Google, your inputs and outputs are not used to train their models by default. This is a contractual commitment, not a setting you hope is on.
- Retention is short and getting shorter: OpenAI defaults to 30 days of abuse-monitoring logs, Anthropic dropped API log retention to 7 days in September 2025, and zero-retention options exist.
- The real leak risk is not the API. It is shadow AI: staff pasting sensitive data into personal free-tier accounts, which one 2025 report tied to 20 percent of breaches.
- Running on your own provider accounts and keys means you control access, you can revoke it in minutes, and the system keeps working even if your integrator disappears.
- GDPR and Singapore's PDPA both expect a written data processing agreement, clear purpose limits, and the ability to delete. These are checkable, not vague.
The real data path, step by step
Strip away the marketing and an AI agent is a program that reads some of your data, sends the relevant part to a large language model to interpret, and acts on what comes back. Say the agent's job is to match incoming invoices to purchase orders. When an invoice arrives, the agent pulls the fields that matter (vendor, amounts, line items, dates), packages them into a request, and sends that request over a TLS-encrypted connection to the model provider's API endpoint. The model reads the text, returns a structured answer, and the connection closes. The rest of the invoice, and every other document you own, never went anywhere.
Two things follow from this that are worth holding onto. First, the model does not "keep learning" from your invoice in the background; on the paid API tiers it processes your request and forgets it, subject to the retention windows below. Second, the amount of data that leaves your systems is only the slice the agent needs for that task, not your whole database. A well-built agent is deliberate about what it sends, which is both a privacy property and a cost property, since providers bill by the token.
Whose account the calls run on
This is the single most important structural choice, and most buyers never think to ask about it. There are two ways to wire an agent to a model. In the first, the vendor puts your data through the vendor's own API account, so the vendor sits between you and the model, holds the keys, sees the traffic, and owns the relationship. In the second, the agent runs on your own provider accounts, under your own API keys, billed to you, governed by the terms you agreed to directly with OpenAI, Anthropic, or Google.
Passcut builds the second way, on purpose. Your keys live in your accounts. The data-processing terms that govern your data are the ones you signed, not ones we negotiated on your behalf and could change. You can open the provider's dashboard and see every call. And if you ever want to end the relationship, you rotate one set of keys and the agent goes dark, with nothing stranded inside a vendor you no longer trust. The system is yours, which also means it survives us: if Passcut vanished tomorrow, your accounts, code, and data would keep running exactly as they are.
What the model providers actually promise in 2025 and 2026
The fear that a provider will train its next model on your contracts is reasonable but, on the paid API tiers, contractually addressed. The wording differs by vendor, so here is where each one stands as of 2026, and the distinction that trips people up: the paid API is governed by different terms than the free consumer chat app.
- OpenAI: data sent through the API has not been used to train models by default since March 2023. Abuse-monitoring logs are kept for up to 30 days and then deleted, and a Zero Data Retention option removes even that for eligible use. The court order from the New York Times case that had forced OpenAI to preserve API and ChatGPT content was lifted in late September 2025.
- Anthropic: the Commercial Terms state Anthropic does not train on your inputs and outputs when you use the API or its business products. As of mid-September 2025, default API log retention was cut from 30 days to 7 days, with a zero-retention addendum available. Note that Anthropic's separate consumer-chat opt-in for training, reported in August 2025, does not apply to API or business use.
- Google: on the paid Gemini API and Vertex AI, Google commits not to use your prompts or responses to improve its products, with zero-retention terms available to eligible enterprise customers. The important catch: the unpaid tier, including Google AI Studio and free Gemini API quota, is used to develop Google's products. Free is not the same product as paid here.
The practical takeaway: run on paid API tiers with the no-training terms in force, never the free consumer tools, and the training question is largely settled by contract. Treat any provider number as directional and confirm the current terms at signing, because these policies have moved more than once in the last two years.
The risk that is actually biting businesses: shadow AI
Here is the part the API-security debate tends to miss. The documented data leaks are mostly not sophisticated attacks on model providers. They are ordinary staff pasting sensitive material into personal free-tier AI accounts that nobody sanctioned. Security researchers have taken to calling this "shadow AI," and the 2025 numbers are not comfortable. One widely cited enterprise report found that roughly three quarters of employees have shared sensitive company data through AI tools, and that around 70 percent of generative-AI access happens through non-corporate accounts that sit entirely outside a company's identity controls.
The cost shows up in the breach data. IBM's 2025 Cost of a Data Breach report attributed about 20 percent of breaches to shadow AI and put the average premium for those incidents in the hundreds of thousands of dollars above a standard breach. The most famous example remains Samsung engineers pasting proprietary source code into ChatGPT in 2023. The lesson is not that AI is dangerous. It is that unmanaged, unlogged, personal-account AI is dangerous. A governed agent running on approved accounts with an audit trail is the opposite of shadow AI: it is the sanctioned path that makes the unsanctioned one unnecessary.
Retention, encryption, and access control, the unglamorous parts
Three technical properties do most of the real protection, and all three are checkable rather than matters of trust. Retention is how long anyone keeps a copy: on the paid tiers this is now days, not forever, and zero-retention is available where you need it. Encryption is table stakes but worth confirming: reputable providers encrypt data in transit with TLS and at rest with strong algorithms, so a copy sitting in a short-lived log is not readable by whoever stumbles across the disk.
Access control is where most small-business risk actually lives, and it has little to do with the model provider. It is about who inside the system can trigger the agent, who can read what it produced, and whether every action is recorded. Passcut's answer is narrow, per-workflow permissions and a full audit trail: every action the agent takes is logged, so you can answer "what did it touch, when, and why" after the fact. Anything sensitive (moving money, changing customer records, touching the books) waits for a human to approve it until the agent has earned autonomy on that specific task. The agent gets exactly the access its one job requires and no more.
GDPR, in plain terms
If you handle data on people in the EU or UK, GDPR frames this in two roles. You are the data controller: you decide why the data is processed. Anyone processing it on your instructions, including an AI integrator and the model provider, is a processor. The regulation expects a written data processing agreement between controller and processor, and Article 28 spells out roughly nine things that agreement must cover: purpose limits, security measures, deletion and return of data, disclosure of any sub-processors, breach notification, and cooperation with audits, among others.
For an AI agent, "processing" is not just storage. It covers sending the data to the model, the inference itself, any caching, and any logging along the way, so the agreement has to reflect the whole path rather than generic software boilerplate. This is not optional fine print: a January 2026 industry survey put cumulative GDPR fines above 7 billion euros since the law took effect, and regulators have penalized companies specifically for missing or inadequate processor agreements. Running on your own accounts helps here, because you hold the direct controller relationship and the provider's own data-processing terms apply to you directly.
Singapore's PDPA, and why the principle travels
Singapore's Personal Data Protection Act runs on a similar spine, built around consent, notification, and accountability. In March 2024 the PDPC issued advisory guidelines on using personal data in AI systems that make recommendations and decisions. They are not law in themselves, but the regulator has signaled it will enforce in line with them, so treating them as binding is the safe posture. They lean hard on data minimisation: use the least personal data the task needs, and prefer pseudonymised or anonymised data where you can.
The guidelines also put obligations on service providers directly, including protecting the data they process and notifying you promptly if they suspect a breach. The through-line across GDPR and PDPA is the same, and it is not exotic: know what data you are using and why, use no more than you need, keep it protected, be able to delete it, and keep a clear record. An agent built to those principles is compliant almost as a side effect, rather than bolting compliance on later.
The right to revoke, and why ownership is the real safeguard
Every protection above is stronger when you own the accounts underneath it. Because your data runs on your provider accounts under your keys, you are not asking a vendor's permission to leave or to cut off access. You rotate the keys, you change the permissions, you export or delete, all on your own timetable. Consent under both GDPR and PDPA can be withdrawn, and your architecture should make honoring that a quick operational step rather than a support ticket to a company that has no incentive to hurry.
This is why Passcut treats client ownership as the foundation rather than a feature. The code, the configuration, the keys, and the data all sit in your accounts. We prove an agent works on your own data with a paid prototype and a baseline you can see, we run one workflow at a time so the blast radius is always small and understood, and a human stays in the loop on anything sensitive until the numbers earn more autonomy. None of that requires you to trust a slogan. It is arranged so you can verify it, revoke it, and outlast us if you ever need to.
Common questions
Does the AI provider keep a copy of my documents?
On the paid API tiers, only briefly and for a narrow reason. OpenAI keeps abuse-monitoring logs for up to 30 days by default, Anthropic cut its API log retention to 7 days in September 2025, and Google logs paid-tier requests for a limited period only to police misuse. Zero-retention options exist across all three where you need nothing kept at all. The whole document is never sent in any case, only the slice the task requires, and on the paid tiers none of it is used to train their models.
Will my data be used to train the next version of the model?
Not on the paid API tiers, by contract. OpenAI has not trained on API data by default since March 2023, Anthropic's Commercial Terms exclude training on your API and business content, and Google's paid Gemini API and Vertex AI commit not to train on your prompts or responses. The important exception is free consumer tools: Google's unpaid tier, for instance, does feed product development. This is exactly why a governed agent should run on paid API accounts and never on someone's personal free login.
What happens to my data if I stop working with you?
Nothing gets stranded, because it was never held hostage. The accounts, keys, code, and data live in your systems from day one. If you end the relationship you rotate your keys and revoke access, and the agent stops immediately. If you want to keep running it yourself or hand it to someone else, you can, because you already own every piece. The system is built to survive our absence, not to depend on it.
Is an AI agent riskier than what my team already does?
Usually it is the safer option, because the honest comparison is not agent-versus-nothing. It is a governed agent on approved accounts versus staff quietly pasting sensitive data into personal AI apps, which 2025 research links to a large and growing share of breaches. A Passcut agent runs on sanctioned accounts, sends only what a task needs, logs every action, and keeps a human approving anything sensitive. That is more control and more visibility than most manual workflows have today, not less.
Related: How we work · About Passcut · Stopping hallucinations
Start with a free workflow audit
A 45-minute call. We map three processes agents can take over, estimate what each would save, and quote what it would cost. No obligation.