Data Security with AI Tools
Last Updated: June 1, 2026
The Tools and Use Guidance page provides an overview of AI tools available at Northwestern, including guidance for using them with data across different data classification levels .
| Level | Description | AI Considerations |
|---|---|---|
| 1 | Public data and data with no or low potential impact on the University or affiliates if made public. | Use of publicly available AI tools is permitted. |
| 2 | Sensitive and private data that could have an adverse impact on the University or affiliates if made public. Includes student data subject to FERPA. | Use only Northwestern AI tools approved for use with Level 2 data with caution. See below for additional details. |
| 3 | Data subject to specific agreements, compliance frameworks, or restrictions, such as Protected Health Information (PHI), Controlled Unclassified Information (CUI), and data subject to Data Use Agreements (DUAs). Other data with the potential for serious adverse impact on the University or affiliates if made public. | Use of AI tools depends on the specific restrictions associated with your data. Use only Northwestern AI tools approved for use with Level 3 data when permitted for your data, and possibly with additional security controls. See below for additional details. |
| 4 | Legally restricted data such as government classified data and export-controlled data. | Use of AI tools is not permitted. |
Additional Considerations for Evaluating and Appropriately Using AI Tools with Level 2 and 3 Data
Even when using Northwestern-supported tools and services, best practices for keeping sensitive data protected when working with AI include:
- Limit sensitive data: Avoid sharing potentially sensitive data that is not required to complete your requested task. For example, if your data contains columns with sensitive information that are not required for your analysis, work with a version of that data file that has those columns removed. De-identify data where possible.
- Restrict access: Give AI tools the most restrictive permissions needed to achieve your requested task. For example, do not share an entire directory when a tool only needs access to a single file.
“Maybe” Guidance
The Level 2 and Level 3 data classification levels include wide variance in the types of data included within each level. When the guidance in the Tools and Use Guidance chart indicates “maybe” for a data classification level, it means that the listed tool is appropriate for some data classified at the given level but that it may not be appropriate for other data at the same level. The data owner needs to review the sensitivity of the data, as well as any restrictions or requirements for data handling, storage, and sharing to determine whether a given tool is appropriate to use with the data.
Consider the following, along with additional tool-specific guidance below, when evaluating whether a “maybe” tool is appropriate to use with your data:
- Do any agreements, rules, or laws that apply to your data prohibit the use of AI tools?
- Do any agreements, rules, or laws that apply to your data require data protection measures, including but not limited to encryption, restricted access, or access audit logs? If so, can the AI tool be used in a way that maintains compliance with these requirements?
Types of Level 2 data that warrant specific consideration include FERPA (education records) data, human subject research data subject to IRB protocols, employee records, immigration records, donor and gift records, IT technical information, such as security architecture diagrams, financial records, and anything subject to non-disclosure agreements (NDAs) or confidentiality clauses.
Many types of Level 3 data are subject to compliance frameworks, restrictions, contracts, or other agreements that preclude use of AI tools or require significant additional security controls for any computing or technology systems, laptops and other personal computers, and even physical spaces. These security controls must be satisfied before considering whether AI-related services can be safely introduced into an appropriately secured computing environment.
Contact your local school or unit technology leaders or the Northwestern IT Information Security Office with any questions.
For all Microsoft Copilot Chat, Microsoft 365 Copilot, and Microsoft Copilot for Teams, users must be logged into their Northwestern accounts (netid@ads.northwestern.edu) to ensure that enterprise protections are in place.
Data that is appropriate to store in SharePoint, and that is not otherwise subject to restrictions on use with AI tools, is also generally appropriate to use with Microsoft Copilot.
When using Microsoft Copilot for Teams, Level 2 and 3 data may only be used by Northwestern users signed into their accounts who are collaborating via Teams exclusively with other internal Northwestern users, and not with guests or external parties.
Anthropic Claude
General Access
Free accounts and individual subscription plans (such as Pro and Max) are appropriate to use with Level 1 data only. When using these plans, you can also opt-out of the use of your data for training future models, but this does not change the data classification level guidance.
Claude Team accounts are subject to Anthropic’s Commercial Terms of Service, which include increased data protections appropriate for most Level 2 data. See the “Maybe” guidance section in the General Considerations tab for details on what types of Level 2 data are likely to be inappropriate for use with Claude.
Northwestern University does not have a Claude Education or Claude Enterprise account.
API Access
To access APIs for Anthropic models, including Claude models, the recommended option is to use Amazon Web Services’s (AWS) Amazon Bedrock service as part of a Northwestern-affiliated AWS account. Use of Anthropic models through AWS is subject to Anthropic’s Bedrock-specific terms of service. Data stays within your AWS instance, is not shared with Anthropic, and is not used to train new models. Accessed through Amazon Bedrock, Anthropic APIs may be appropriate to use with Level 2 data and limited Level 3 data with appropriate additional security controls within your AWS account. Many types of Level 3 data, however, are subject to compliance frameworks, restrictions, contracts, or other agreements that preclude use of AWS and/or third-party services like those from Anthropic.
Note that “Claude Platform on AWS” is a different service than Amazon Bedrock. With Claude Platform on AWS, your data does leave your AWS instance and is accessed by Anthropic. The Claude Platform on AWS should only be used if you require features not available through Amazon Bedrock and then only considered for Level 2 data and below.
API access via Claude Console directly from Anthropic, Microsoft Azure, and Google Cloud are all subject to Anthropic’s more general Commercial Terms of Service, which provides data protections appropriate for some Level 2 data but not Level 3 data.
To discuss whether the requirements and restrictions for your specific data are compatible with the terms for API use for Claude and other Anthropic models, contact the Northwestern IT Information Security Office.
OpenAI ChatGPT
General Access
Free accounts and individual subscription plans (such as Go, Plus, and Pro) are appropriate to use with Level 1 data only. When using these plans, you can also opt-out of the use of your data for training future models, but this does not change the data classification level guidance.
ChatGPT Business and Codex accounts are subject to OpenAI’s Business Terms, which include increased data protections appropriate for most Level 2 data. See the “Maybe” guidance section in the General Considerations tab for details on what types of Level 2 data are likely to be inappropriate for use with ChatGPT.
Northwestern University does not have a ChatGPT Education or ChatGPT Enterprise account.
API Access
To access APIs for OpenAI models, including ChatGPT, use Microsoft Azure’s Microsoft Foundry service as part of a Northwestern-affiliated Azure subscription for data protections under the University’s agreement with Microsoft. Accessed through Microsoft Foundry, OpenAI APIs are appropriate to use with Level 2 data and limited Level 3 data with appropriate additional security controls within your Azure account. Many types of Level 3 data, however, are subject to compliance frameworks, restrictions, contracts, or other agreements that preclude use of AI tools or require significant additional security controls to use any cloud services, including Microsoft Azure.
Other Publicly Available AI Tools
Other publicly available AI tools should be used with Level 1 data only. Use of any third-party tools or services, whether AI-related or not, comes with risk of data being compromised by the third-party company and terms of service that may give the third-party company rights to use your data in a wide variety of ways without limit. AI-related services may use your data to train future models, and security experts have shown that private information included in AI model training data can be extracted from AI models.
GitHub Copilot
GitHub Education and individual Pro plans should be used with Level 1 data only. GitHub may use data accessed through Copilot to train future AI models or develop other services, including information in private GitHub repositories. Be aware that when using GitHub Copilot, by default it has access to all files in projects where you use GitHub Copilot, which can include sensitive data files and files with saved credentials. Review your individual GitHub Copilot settings, consider disabling options for GitHub to use your code for product improvements, and use Copilot ignore (.copilotignore) files and repository settings to limit Copilot’s access to particular files. Also review the Copilot security settings in your code editor, such as VS Code or RStudio.
GitHub Copilot can also be used with an API key that you provide, such as from a model deployed through Microsoft Azure. When using GitHub Copilot in this mode, make sure to check the settings to prevent your requests from also being routed through GitHub. When using GitHub Copilot Bring Your Own Key, data security guidance is determined by the security considerations for the source of the API key.
GitHub Copilot Business is available through Northwestern University’s GitHub Enterprise account. GitHub Copilot Business has increased data protections appropriate for use with most Level 2 and some Level 3 data. However, it is still important to be aware of the scope of the files and information to which GitHub Copilot may have access and to limit permissions to prevent access to sensitive information.
When working with Level 2 or Level 3 data with GitHub Copilot Business, Northwestern SSO should be enabled for your GitHub organization. GitHub Copilot Business access and settings are administered at the organization level, where the organization administrators can choose features, models, and settings that apply for users and repositories. Additional security controls are available from GitHub to help protect your data, including Copilot ignore files (.copilotignore) and the ability to exclude files from Copilot through repository settings.
Cloud Platforms
Northwestern has contracts with three cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Each platform has an AI service that offers access to generative AI models. All platforms include:
- Models offered directly by the platform where the University’s contract covers use of the model, your data does not leave the cloud platform, and your data is not used to train new models. Such models are appropriate for most Level 2 and limited Level 3 data with additional security controls in place in the cloud account.
- Models offered by third-parties through partnership agreements, where your use of the models is subject to third-party terms of service. The third-party companies offering these models may have access to your data, your data may leave the cloud platform, and your data could be used in training future models depending on the terms of service. Such models can be used with Level 1 data, but you should closely review the terms of service and security practices of each provider.
These cloud platforms also offer additional AI services outside of their primary generative AI service offering. For example, they may offer AI-enabled data analysis services or audio, video, and image processing services. With these other services, a similar distinction exists between services offered directly by the cloud platform and those offered by third-party partners. Services offered by third-party partners should only be used with Level 1 data unless they have been subject to a specific security review for use with your data.
When using Level 2 or Level 3 data with any cloud computing platform, additional data security policies and practices beyond any AI-specific considerations are required to keep your data properly secured. Many types of Level 3 data are subject to compliance frameworks, restrictions, contracts, or other agreements that preclude use of AI tools or require significant additional security controls to use cloud computing resources. Level 3 data may also require non-technical security controls, such as access controls on physical spaces where data is stored. To discuss whether the requirements and restrictions for your specific data are compatible with the use of cloud computing platforms, contact your local school or unit technology leaders or the Northwestern IT Information Security Office.
AWS: Amazon Bedrock
Within Amazon Bedrock, the distinction is between models “sold by AWS,” which are primarily models created by Amazon, and models sold by other providers. Models sold by other providers are not protected by the University contract with AWS and are subject to provider-specific terms of service and data privacy protections. Outside of Amazon Bedrock, look for a similar distinction between services offered or sold directly by AWS versus those offered through the AWS Marketplace, which are offered by third-parties and subject to separate terms of service.
- Level 1 data: use any model but review the terms of service closely.
- Level 2 and Level 3 data where permitted: use only models sold by AWS along with appropriate security controls in the AWS account. Models offered by Anthropic can also be used with most Level 2 and limited Level 3 data.
Microsoft Azure: Microsoft Foundry
Within Microsoft Foundry, the distinction is between models provided directly by Microsoft Azure and those offered by third-party partner and community organizations. Models offered by partners or the community are not protected by the University contract with Microsoft and are subject to provider-specific terms of service and data privacy protections.
- Level 1 data: use any model but review the terms of service closely.
- Level 2 and Level 3 data where permitted: use only models provided directly by Microsoft along with appropriate security controls in Azure.
Google Cloud: Vertex AI
Within Vertex AI, the distinction is between Google models (such as Gemini, Veo, and Imagen) and all other partner models; models are listed under “Google” and “Partner” categories in the Model Garden. Only Google models are projected by the University contract with Google Cloud. Partner models are subject to provider-specific terms of service and data privacy protections. “Self-deploy” partner models keep data within Google Cloud on your own resources and therefore may be appropriate for use with Level 2 and limited Level 3 data, but the terms of service for each partner model must still be reviewed.
- Level 1 data: use any model but review the terms of service closely.
- Level 2 data and Level 3 data where permitted: use only Google models along with appropriate security controls in Google Cloud.