ChatRaj
Answers: Security and compliance

Are AI chatbots safe for sensitive data? An honest 2026 answer

Four risk surfaces, three famous incidents, one 5-question vendor checklist, and a recommended architecture for handling regulated or commercially sensitive data.

Read the 5-question checklist
Bottom line
Yes, an AI chatbot can safely handle sensitive data, but only when you control four risk surfaces: training-data inclusion, retention, sub-processor exposure, and prompt injection. Default consumer ChatGPT fails most of them; API-tier deployments with a signed DPA and Zero Data Retention pass them. The honest answer is that safety is a property of the architecture you choose, not a property of the chatbot label on the widget.
Reviewed by ··12 min read
Jump to section

The honest answer: yes with the right architecture, no by default

There is a clean version of this answer that vendors like to give, and there is a true version. The clean version is "yes, our chatbot is enterprise-grade and safe." The true version is that safety with sensitive data is a property of the architecture you deploy, not a property of the brand on the widget. The same model, the same code path, the same vendor can be safe for one deployment and unsafe for another, depending on how the data flows and what contracts cover that flow.

The reason for the gap is that an AI chatbot is not one piece of software. It is a chain. A visitor types into a widget; the widget posts to a chatbot vendor's API; the vendor enriches the prompt with retrieved context from your knowledge base; the enriched prompt is forwarded to a model provider (OpenAI, Anthropic, Google, or an open-weights deployment); the model returns a completion; the vendor logs the exchange; the completion is rendered back to the visitor. Each hop in that chain is a place where sensitive data can be retained, leaked, exposed to a sub-processor you did not contract with, or quietly used to train the next generation of the underlying model.

If you control that chain, an AI chatbot is at least as safe as a SaaS helpdesk you already trust with the same data. If you do not control it, "AI chatbot" is a polite name for an uncontrolled data export. The honest 2026 answer is the boring middle: yes with the right architecture, no by default, and the gap between those two outcomes is contractual, not technical.

What "sensitive data" actually means in 2026

Before you decide whether a chatbot is safe for your data, you have to be specific about what data you mean. "Sensitive" is a regulatory and risk term, not a vibe.

PII (personally identifiable information) in the broad sense covers names, email addresses, phone numbers, postal addresses, IP addresses, government identifiers, and anything that can identify a natural person directly or in combination with other data. Under GDPR this is "personal data" under Article 4(1). Under US state laws (CCPA, Colorado, Virginia, etc.) the definitions vary but overlap heavily.

PHI (protected health information) is the US healthcare category under HIPAA. It is any individually identifiable health information held or transmitted by a covered entity or business associate. A chatbot that touches PHI needs a signed Business Associate Agreement (BAA) with every link in the chain, including the model provider.

PCI (payment card information) is regulated by PCI DSS, the Payment Card Industry Data Security Standard. Primary account numbers, expiry, CVV, and full magnetic stripe data are in scope. The safest answer for a customer-facing chatbot is that PCI data should not enter the chat at all; route payments to a tokenised flow.

Financial and account data that is not PCI can still be regulated under GLBA (US), PSD2 (EU), or your own duty of confidentiality to customers. Bank balances, transaction history, tax filings, and account credentials all fall here.

Trade secrets and confidential business information are protected as a matter of contract and tort law, not regulation. The Samsung 2023 incident (covered below) is the canonical example of why this category matters for AI chat.

Attorney-client work product and privileged communications carry a special risk: disclosure to a third-party processor can waive privilege depending on jurisdiction. Counsel involvement in vendor selection is not optional here.

A chatbot designed for a marketing FAQ is touching low-sensitivity data and your bar is correspondingly lower. A chatbot designed to help an HR team summarise resumes is touching PII and special categories under GDPR Article 9. The risk analysis is not "is this safe in general" but "is this safe for this category, given this architecture."

The 4 risk surfaces of any AI chatbot

Every honest evaluation of chatbot data safety reduces to four questions about the chain described above. The questions are independent: passing one does not protect you from a failure in another, and ranking vendors on three of them while ignoring the fourth is how compliance teams end up with embarrassing post-incident write-ups.

The four risk surfaces are: training-data inclusion, data retention, sub-processor exposure, and prompt injection. The next four sections take them in turn.

Risk 1: training-data inclusion (your data used to train future models)

The first question is whether anything a visitor types, or anything your knowledge base contributes to the prompt, can end up in the training corpus of a future model that will be served to other customers. This is the question most buyers underweight, and it is the one with the longest tail of consequences. A leaked log can be deleted; a model trained on your trade secrets cannot be untrained.

The honest mapping for 2026:

Free consumer ChatGPT (chatgpt.com without a paid Team or Enterprise tier) has historically defaulted to using user conversations for model improvement, with an opt-out toggle that users have to find and enable. OpenAI has documented this in its consumer privacy controls. The Samsung incident below was downstream of exactly this default.

Paid API tier (OpenAI Platform, Anthropic Console, Google Vertex AI) defaults to not training on customer data. OpenAI's API data-usage policy states that data submitted via the API is not used to train or improve models by default. Anthropic's commercial terms make the same commitment for API customers. Google Vertex AI is explicit that prompts and responses are not used to train models without explicit opt-in.

Anthropic's 2025 consumer policy change introduced a separate opt-in for Claude consumer accounts to allow conversations to improve future models. This is consumer-tier only and does not change the API-tier default for businesses.

Per-tenant fine-tuning is a separate question. If your chatbot vendor offers fine-tuning, confirm in writing that fine-tunes are scoped to your tenant and not folded into shared models. Generic "we may use aggregated and anonymised data to improve our service" carve-outs are where this commitment dissolves; read those clauses with a sceptical eye.

The defensible 2026 position is: use API-tier model providers, sign a DPA with an explicit no-training clause, and never let raw sensitive data hit a free consumer chatbot interface, even for "quick testing."

Risk 2: data retention (logs kept for how long)

Even where training is excluded, the chatbot vendor and the model provider will typically log the prompt and completion for some retention window. Logging serves legitimate purposes: abuse detection, debugging, billing reconciliation, and trust-and-safety review. It also creates a window of exposure during which a breach, a subpoena, or an insider could surface your data.

The relevant numbers for 2026:

OpenAI's standard API retention is 30 days for prompts and completions, after which data is deleted. Inputs and outputs are not used to train models on the API tier by default.

Anthropic's standard API retention for Claude commercial customers is similarly bounded; Anthropic's commercial trust documentation describes retention policies and the conditions under which logs are kept.

Your chatbot vendor's retention is layered on top. A vendor may keep transcripts indefinitely for analytics dashboards even if the model provider deletes its copy after 30 days. Read the vendor's retention policy independently from the model provider's, and confirm both numbers in the DPA.

Logs you cannot delete are logs that can leak. The shorter the retention window, the smaller the breach surface. For sensitive data, the question is not "is there retention" (there usually is, for some short window) but "what is the maximum exposure if a breach happens during the retention window, and have we agreed to a notification SLA that lets us act inside the regulatory window."

Risk 3: sub-processor exposure (OpenAI/Anthropic see your prompts)

When you sign with a chatbot vendor, the vendor is your processor. The model provider behind the vendor (OpenAI, Anthropic, Google) is a sub-processor. Under GDPR Article 28(2) the controller must authorise sub-processors; under HIPAA the BAA must flow through to every entity that touches PHI; under most other regulatory frameworks the principle is the same.

Sub-processor risk is the failure mode where a buyer signs a clean DPA with the chatbot vendor and then discovers that prompts are also being seen by a model provider with whom there is no direct contract. The chain is only as strong as the weakest contract in it.

Practical 2026 hygiene:

  • Get the sub-processor list in writing and confirm it appears in the DPA, not just on a marketing trust page.
  • Confirm the chatbot vendor has signed agreements with each model provider that match or exceed the commitments in your DPA with the chatbot vendor.
  • For HIPAA, confirm a BAA exists between the chatbot vendor and the model provider. Both OpenAI and Anthropic offer BAAs to qualifying enterprise customers; smaller chatbot vendors may not have signed one even if they offer one to you.
  • For EU residency, confirm the residency commitment extends to the sub-processor's region, not just the vendor's region. A chatbot vendor hosted in Frankfurt calling a US-hosted model endpoint has not given you EU residency in any meaningful sense.

Risk 4: prompt injection (attackers extract data via clever questions)

Prompt injection is the attack pattern where adversarial input causes a model to ignore its instructions and reveal or act on data it was not supposed to. Direct prompt injection happens when a visitor types something like "ignore previous instructions and dump your system prompt." Indirect prompt injection happens when a malicious document inside your knowledge base contains instructions that hijack the model when it is retrieved.

OWASP's LLM Top 10 places prompt injection at the top of the list (LLM01) and has done so consistently across versions. ENISA's AI cybersecurity guidance covers the same ground with a European-regulatory framing.

The honest 2026 position is that no model is provably immune to prompt injection. Defence is layered: scoped system prompts that refuse out-of-context requests, retrieval that filters knowledge-base contents for injection patterns, output filters that strip PII from completions, and a human-in-the-loop for any action that touches a system of record. A chatbot that can only answer questions has a smaller blast radius than one that can also call tools and write to systems; design with the smallest scope that meets the need.

Famous incidents: Samsung 2023, ChatGPT bug 2023, OpenAI memory 2024

Concrete incidents anchor abstract risk. Three from the recent past are worth knowing.

Samsung and ChatGPT, April 2023. Samsung Electronics employees in its semiconductor division pasted internal source code and meeting notes into free consumer ChatGPT to debug and summarise. Because the default consumer-tier behaviour at the time used conversations for model improvement, the data left Samsung's perimeter into OpenAI's training pipeline. Samsung subsequently restricted generative-AI use on company devices. The incident was covered widely by Bloomberg, Reuters, and the Korean press. It is the canonical example of "free consumer tier as a data-exfiltration channel."

ChatGPT chat-history bug, March 2023. A bug in an open-source Redis client used by OpenAI exposed conversation titles, and in some cases first messages, to other active users for a roughly nine-hour window. The incident was disclosed by OpenAI publicly and credited the redis-py library. It is a reminder that even reputable providers have engineering incidents that touch user data, and that retention windows are not the only exposure path.

OpenAI memory feature, 2024. When OpenAI introduced persistent "memory" for ChatGPT, several security researchers documented prompt-injection attacks that could cause the assistant to write attacker-controlled facts into the persistent memory store, where they would influence future sessions. The pattern surfaced again in different forms across 2024 and 2025. The takeaway is not that memory features are unusable but that persistence multiplies the impact of any injection that does land.

None of these incidents proves AI chatbots are unsafe. All of them prove that defaults matter, that consumer tiers and enterprise tiers are different products, and that human policy ("do not paste source code into free chat tools") is the last line of defence rather than the first.

ZDR (Zero Data Retention), what it actually buys you

Zero Data Retention is a contractual tier offered by major model providers in which prompts and completions are not logged at all. OpenAI offers ZDR to qualifying enterprise API customers, configurable at the organisation level. Anthropic offers similar zero-retention configurations for enterprise customers. ZDR is the strongest available answer to Risk 2 (retention).

What ZDR buys you:

  • The model provider does not write prompts or completions to long-term storage.
  • The retention window collapses from a default (often 30 days) to functionally zero.
  • The breach surface at the model-provider layer shrinks correspondingly.
  • Regulatory arguments about data minimisation get easier to make.

What ZDR does not buy you:

  • In-flight processing still happens on the model provider's infrastructure. The data is in their memory while the request runs.
  • Your chatbot vendor's own logs are unaffected by the model provider's ZDR setting; that is a separate contract.
  • Training-data exclusion (Risk 1) is a separate setting and is usually already the default on API tiers; ZDR is about logging, not training.
  • Abuse-monitoring carve-outs may still apply in narrow cases; read the ZDR addendum.

For genuinely sensitive categories (PHI, attorney-client material, trade secrets), ZDR at the model-provider layer plus short retention at the chatbot-vendor layer is the defensible 2026 posture. For low-sensitivity marketing chat, default retention is usually fine.

The 5 questions to ask any vendor before sending sensitive data

Procurement teams ask thirty questions. The five that actually matter:

  1. What data is logged, and for how long? Get a specific number from the chatbot vendor and a specific number from the model provider. Both belong in the DPA.

  2. Is my data used to train future models? The expected answer for API-tier deployments is no. Watch for carve-outs covering "aggregated" or "anonymised" data; those are where this commitment quietly dissolves.

  3. Who are your sub-processors and what contracts cover them? A list with the model provider, hosting provider, and any analytics or moderation services. Each needs a signed agreement that matches your DPA with the vendor.

  4. Do you offer Zero Data Retention or no-retention mode? For sensitive categories, the answer should be yes, ideally enabled at the organisation level rather than per-request.

  5. Do you have SOC 2 Type II, a published DPA, and (for healthcare) a BAA? SOC 2 Type II is the operational-controls baseline; the DPA is the legal contract; the BAA is the HIPAA-specific overlay. Absence of any of these is a no-go for the data categories that require them.

If a vendor cannot answer all five in writing, the answer to "is this safe for sensitive data" is no, regardless of how polished the demo was.

What ChatRaj's posture is

We will not claim ChatRaj is "safe for sensitive data" because safety is a property of your deployment, not of our software. What we can commit to:

  • API-tier model providers only. ChatRaj uses paid API tiers of OpenAI, Anthropic, and other providers. Free consumer ChatGPT is not in our chain. The training-inclusion default is therefore no.
  • No training on customer data. A written commitment in the DPA that customer conversations are not used to train shared or foundation models.
  • Short retention by default, ZDR available on request. Default retention is bounded and documented. For paid plans, we can configure the upstream model-provider relationship for zero data retention where the buyer's data category warrants it.
  • DPA on all paid plans. Published, signable by countersignature, covering the Article 28(3) checklist for GDPR-regulated tenants.
  • SOC 2 in progress. Type I attestation is in progress; Type II is on the 2026 roadmap. We will not claim certifications we do not hold.
  • HIPAA: not today. We do not currently sign BAAs. Operators with PHI in scope should treat ChatRaj as not-yet-ready and revisit when we publish a BAA.

Operators handling regulated data should request the DPA on paid plans and consider enabling ZDR mode if their data is in a sensitive category. Operators with PHI in scope should wait for the HIPAA milestone or choose a vendor with an in-place BAA.

Recommended architecture for handling sensitive data

The defensible 2026 architecture for an AI chatbot handling sensitive data, regardless of vendor:

  1. Minimum-necessary disclosure. Design the chatbot to request the least data needed for the task. A support bot does not need a Social Security Number to answer "where is my order."
  2. Redact before sending. Implement a redaction layer (regex plus a small PII-detection model) between the widget and the chatbot vendor's API. Email addresses, phone numbers, and account numbers should be masked before they leave the browser where they are not needed by the model.
  3. API-tier providers with no-training defaults. No free consumer interfaces in the production chain.
  4. ZDR at the model-provider layer. Enabled at the organisation level, not per-request.
  5. Short retention at the chatbot-vendor layer. Thirty days or shorter, with a documented deletion endpoint for ad-hoc removal.
  6. Signed DPA at every layer. Operator-to-vendor and vendor-to-sub-processor. The chain only holds where every link does.
  7. Prompt-injection defences. Scoped system prompts, retrieval filtering, output filtering, and human-in-the-loop for any action that mutates a system of record.
  8. Breach-notification SLA in writing. 24 hours from confirmed breach to the controller is the defensible 2026 standard; the controller still has 72 hours to the supervisory authority under GDPR Article 33.

Run that architecture and the answer to "are AI chatbots safe for sensitive data" becomes a defensible yes. Skip any of the layers and the answer drifts back to the honest default, which is no.

Install guide

Safe deployment in 5 steps

5 steps. Most operators finish in 60 seconds.

  1. Classify the data category before you build

    Write down which categories of sensitive data the chatbot will actually touch: PII, PHI, PCI, financial, trade secrets, or attorney-client material. Each category triggers a different set of obligations (DPA, BAA, PCI scope, privilege analysis). If you cannot answer this question crisply, you cannot pick the right vendor or architecture.

  2. Run the 5-question vendor checklist in writing

    Send the five questions to every shortlisted vendor: what is logged and for how long, is data used to train models, who are the sub-processors, is ZDR available, and is there SOC 2 Type II plus DPA plus (for healthcare) BAA. Get answers in writing, not on a sales call. Any vendor that cannot answer all five fails the gate.

  3. Sign DPAs through the full chain and enable ZDR where relevant

    Sign a Data Processing Agreement with the chatbot vendor. Confirm the chatbot vendor has matching agreements with each model provider sub-processor. For sensitive data categories, enable Zero Data Retention at the model-provider layer through the vendor's organisation settings. Keep the signed PDFs in your evidence repository.

  4. Implement client-side redaction and minimum-necessary prompts

    Add a redaction layer between the widget and the chatbot API: regex plus a small PII-detection model that masks email addresses, phone numbers, account numbers, and government identifiers before they leave the browser unless the model genuinely needs them. Restrict the system prompt to the minimum scope required for the task.

  5. Test prompt-injection defences and document the deletion runbook

    Run the OWASP LLM Top 10 injection patterns against your deployment and confirm the bot refuses out-of-scope requests, does not leak the system prompt, and does not execute tool calls that mutate systems of record without human approval. Document the runbook for visitor-initiated deletion requests with a thirty-day SLA. Test end to end before going live.

ChatRaj on AI chatbot data safety

AI chatbot vendors and model providers: data safety posture

What is logged, what is trained on, and what a Zero Data Retention agreement actually changes.

The plugin approach

Other AI chatbot data safety chatbot tools

Typical when you install a WordPress plugin, Shopify app, or third-party chatbot widget.

  • Free consumer ChatGPT (chatgpt.com): Default uses conversations for model improvement unless the user opts out. Not suitable for sensitive data in any category.
  • OpenAI API (paid): Default: no training on submitted data. Default retention 30 days. ZDR available for qualifying enterprise customers.
  • Anthropic API (Claude commercial): Commercial terms commit to no training on customer data. Retention bounded by published policy. Zero-retention configurations available for enterprise.
  • Google Vertex AI (Gemini): Explicit that prompts and responses are not used to train models without opt-in. Customer-managed encryption keys available.
  • Signed DPA available: Most vendors offer a DPA. Quality varies. Some are generic addenda that do not satisfy Article 28(3).
  • Zero Data Retention mode: Available from major model providers to qualifying enterprise customers. Not all chatbot vendors expose it to operators.
  • SOC 2 Type II: Larger vendors (Intercom Fin, Drift, Ada) publish SOC 2 Type II. Smaller vendors may have only Type I or none.
  • HIPAA BAA: Available from a small subset of vendors (Intercom for some plans, healthcare-specific platforms). Not universal.
  • Sub-processor list published: Best-practice vendors publish a sub-processor list with thirty-day change notification.
  • Prompt-injection defences: Varies widely. Some vendors document their system-prompt hardening; many do not.
  • Breach-notification SLA to the controller: Vendor SLAs vary widely. GDPR Article 33 gives the controller 72 hours to the supervisory authority.
The ChatRaj approach

One script tag. Everything bundled.

Hosted, configured, and maintained by us. You add a single line to your site.

  • Free consumer ChatGPT (chatgpt.com): Not used in the ChatRaj production chain. Operators should never paste sensitive data into free consumer tools.
  • OpenAI API (paid): ChatRaj uses the paid OpenAI API tier with default no-training. ZDR available on request for sensitive-data tenants.
  • Anthropic API (Claude commercial): ChatRaj uses Anthropic commercial API. No training on customer data, zero-retention configuration available on request.
  • Google Vertex AI (Gemini): Supported as an alternative provider with the same no-training default and short retention posture.
  • Signed DPA available: Published DPA covering the Article 28(3) checklist. Signable by countersignature without a sales call.
  • Zero Data Retention mode: Available on request for paid plans. Configured at the model-provider organisation level for the buyer's tenant.
  • SOC 2 Type II: Type I in progress, Type II on the 2026 roadmap. We will not claim what we do not yet hold.
  • HIPAA BAA: Not signed today. Operators with PHI in scope should wait for the HIPAA milestone or choose a BAA-ready vendor.
  • Sub-processor list published: Published on the privacy page with thirty-day notice on additions, in line with Article 28(2).
  • Prompt-injection defences: Scoped system prompts, retrieval filtering, refusal patterns for out-of-context requests. Documented and revisited each release.
  • Breach-notification SLA to the controller: Notification to the controller within 24 hours of confirmed breach, contractual in the DPA.
FAQ: chatbots + sensitive data

Common sensitive-data questions

Free consumer ChatGPT (chatgpt.com without a paid Team or Enterprise tier) is not safe for sensitive data and was not designed to be. The default historically used conversations for model improvement, and even with the opt-out enabled the consumer interface is not covered by an enterprise DPA or BAA. Paid ChatGPT Enterprise and the OpenAI API tier are a different product with different defaults: no training on customer data, signed DPA available, BAA available for qualifying customers, and ZDR available for enterprise. The honest answer is that the product label matters less than the tier and the contract.

Was this helpful?

Sources & further reading

Ship your first chatbot in 60 seconds.

Sign in with Google and you'll be answering visitor questions before your coffee gets cold.

60-second setup · One-line install · Works on any site

Works on any website
SShopify
WWebflow
WPWordPress
SqSquarespace
FFramer
</>Plain HTML