Ask HN: How companies are protecting Claude Code from reading IP and PII data
2•pradeep1177•1h ago
Recently I was baffled when Claude code read the customer table data from a production environment, while triaging an issue, and that made me wonder. Sure you should NOT give the access to read the prod data but does it sounds practical in the real time debugging session?
Comments
snailshare•1h ago
Our take has been that if you are working with one of these large companies, you cannot expect anything to be private. We've worked with a smaller more focused product where we were able to negotiate the necessary controls
pradeep1177•59m ago
And what are those necessary controls?
toomuchtodo•1h ago
Sign an enterprise agreement that speaks to data retention and destruction requirements. Part of what you pay for is to shift the liability to the inference vendor.
pradeep1177•59m ago
These data retention contracts are black boxes; you never know how your IP was leaked, and it could end up in the model's training data. It's like trusting META with your privacy settings.
toomuchtodo•54m ago
A contract satisfies our infosec program and cyber insurance requirements, confirmed by a corporate legal team. Our role is to manage risk within our risk appetite, not eliminate it.
(already minimizing sensitive data storage and transit whenever possible, as an entity operating in a regulated industry)
snailshare•1h ago
pradeep1177•59m ago