The question every CIO avoids asking
"Does our data go to OpenAI?" It's the question I hear most often in Swiss boardrooms when AI assistants come up. The honest answer: it depends. And "it depends" is not an acceptable answer for a responsible CIO.
Here is the real state of the data-confidentiality guarantees offered by the major AI assistants in 2025.
Data practice map by provider
| Provider | Trained on your data? | Hosting region | GDPR transfer basis | Enterprise offer |
|---|---|---|---|---|
| Anthropic (Claude) | No (by default) | US (AWS) | Standard Contractual Clauses | Yes (Claude for Enterprise) |
| OpenAI (ChatGPT / GPT-4 API) | No (API, by default) | US + Azure EU | SCCs available | Yes (ChatGPT Enterprise) |
| Google (Gemini) | No (Workspace Business) | EU available | DPA available | Yes (Gemini for Workspace) |
| Microsoft (Copilot) | No (M365 Copilot) | EU available | M365 DPA | Yes (M365 Copilot) |
The conditions in parentheses are the whole point: each "No" holds only for the tier named, not for the same vendor's consumer product, so the guarantee you actually have is the one in the contract your organisation signed, not the one on the vendor's marketing page.
Three risk levels
Level 1 — Public or non-sensitive data
Consumer AI assistants are acceptable. Examples: drafting external communication emails, searching for general information, brainstorming ideas.
Level 2 — Internal non-confidential data
Use an Enterprise offer with a contractual commitment that your data will not be used for training. Examples: analysing internal reports, generating project documentation.
Level 3 — Sensitive or regulated data
Three options: an on-premise LLM (Ollama running Llama 3 or Mistral), a private API endpoint in your sovereign cloud, or a categorical refusal to use an external LLM. Examples: banking client data, medical records, confidential contractual information.
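The three levels only mean something if something enforces them before a prompt leaves the workstation. The following is an added example, not code from the article or from any vendor: a small client-side guard that escalates a prompt to Level 3 when it contains regulated Swiss identifiers (a simplistic heuristic for a CH IBAN or an AHV number, illustrative only), then refuses to send Level 3 data anywhere except loopback, a private address, or an allowlisted sovereign host. The endpoint allowlist and the host `llm.internal.example.ch` are assumptions; the default URL is Ollama's local `/api/generate` endpoint, which is a real API, and the model name is whatever has been pulled locally.

```python
import ipaddress
import json
import re
import urllib.request
from urllib.parse import urlparse

# The article's three sensitivity levels.
PUBLIC, INTERNAL, SENSITIVE = 1, 2, 3

# Assumed allowlist of endpoint hosts per level (hypothetical; replace with
# the hosts named in your own contracts). Level 3 lists only on-premise or
# sovereign-cloud hosts; "llm.internal.example.ch" is a placeholder.
ALLOWLIST = {
    PUBLIC:    {"api.anthropic.com", "api.openai.com"},
    INTERNAL:  {"api.anthropic.com", "api.openai.com"},   # enterprise contract assumed
    SENSITIVE: {"llm.internal.example.ch"},
}

# Heuristic markers for Level 3 data (illustrative, not a complete classifier):
# a Swiss IBAN (CH + 2 check digits + 17 alphanumerics) and an AHV number.
_IBAN_CH = re.compile(r"CH\d{2}[0-9A-Z]{17}")
_AHV = re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b")


def classify(text: str, declared: int) -> int:
    """Escalate the declared level to SENSITIVE if regulated identifiers appear."""
    compact = re.sub(r"\s+", "", text)          # IBANs are usually written with spaces
    if _IBAN_CH.search(compact) or _AHV.search(text):
        return SENSITIVE
    return declared


def endpoint_allowed(url: str, level: int) -> bool:
    """Fail-closed check: may data of `level` be sent to `url`?"""
    parsed = urlparse(url)
    host = parsed.hostname
    if host is None or level not in ALLOWLIST:
        return False
    try:
        ip = ipaddress.ip_address(host)
        loopback = ip.is_loopback
        local = loopback or ip.is_private
    except ValueError:                           # hostname, not an IP literal
        loopback = local = (host == "localhost")
    # Plaintext HTTP is only tolerated when the request never leaves the machine.
    if parsed.scheme != "https" and not loopback:
        return False
    # Private addresses are treated as on-premise; anything else must be allowlisted.
    return local or host in ALLOWLIST[level]


def ask(prompt: str, declared_level: int,
        url: str = "http://localhost:11434/api/generate",
        model: str = "llama3") -> str:
    """Send `prompt` to an Ollama-compatible /api/generate endpoint once the guard passes.
    With "stream": False, Ollama answers with one JSON object whose "response" field is the text."""
    level = classify(prompt, declared_level)
    if not endpoint_allowed(url, level):
        raise PermissionError(f"level {level} data may not be sent to {url}")
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)["response"]


if __name__ == "__main__":
    # Constructed sample: an "internal" note that turns out to contain a client IBAN.
    note = "Please summarise: client account CH93 0076 2011 6238 5295 7 is overdue."
    level = classify(note, INTERNAL)
    print("classified level:", level)
    print("OpenAI allowed:", endpoint_allowed("https://api.openai.com/v1/chat/completions", level))
    print("local Ollama allowed:", endpoint_allowed("http://localhost:11434/api/generate", level))
```

The guard fails closed: an unknown level, a URL without a host, or a DNS name that is neither `localhost` nor allowlisted is refused, and plaintext HTTP is rejected unless the request stays on the machine. In practice the same decision belongs in an egress proxy or gateway that every AI client must traverse, since a check that lives only in one client is bypassed by the next tool an employee installs.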
AI policy recommended for Swiss CIOs
Every Swiss organisation handling personal or confidential data should have a documented AI policy covering: the list of authorised AI tools by data sensitivity level, usage constraints by use case, approval procedure for new AI tools, and mandatory employee training.
"The question isn't 'whether to use AI'. It's 'which AI, for what data, with what guarantees?'"
