Microsoft Copilot Isn't Safer Than ChatGPT. It's the Same Engine in a Different Contract.
I read the commercial terms for all three, side by side. The vendor you pick barely matters. The account your people use is the whole game.
Is Claude or ChatGPT as Safe as Microsoft Copilot? What the Commercial Terms Actually Say
TL;DR: On the business and enterprise tiers, the privacy commitments from Microsoft 365 Copilot, Claude, and ChatGPT line up more closely than most people expect. None of the three train their models on your data by default. All three will sign a Data Processing Addendum, encrypt your data, and offer a HIPAA agreement, though only on specific surfaces (more on which ones below). Retention works a little differently at each, but the shape is similar: your data is either controlled by your own admins or deleted on a short cycle. For the most sensitive work, a true zero-retention setup exists, but mostly on the API or by special arrangement, not as a switch you flip in the standard chat apps. The brand on the box matters far less than the contract you’re on and the tier your people are using. The real exposure is someone running client work on a consumer account.
Here’s the question I get, almost word for word, from the IT teams that support law firms and valuation shops:
“We already pay for Microsoft 365 and Copilot. Before we let anyone touch ChatGPT or Claude for client matters, how does their security and confidentiality actually compare to Microsoft?”
It’s a fair question. And it usually carries an unspoken assumption underneath it: that Microsoft, the incumbent the firm already trusts with its email and its documents, must be in a different class than the two AI startups.
So I went and read the terms. Not the marketing pages. The Product Terms, the Data Protection Addendum, the commercial privacy policies, the trust portals, the retention docs. Side by side. Business and enterprise tiers only, because consumer terms are a different animal and no firm should be running client work on a consumer account anyway.
Here’s what I found.
Where Copilot, Claude, and ChatGPT agree
Start with the part that surprises people. On the commercial tiers, the core confidentiality promises line up closely.
They don’t train on your data. This is the one everyone worries about, and on the commercial tiers all three land in the same place. Microsoft is explicit that prompts, responses, and anything Copilot pulls from your Microsoft Graph aren’t used to train the models. Anthropic says the same for its commercial products by default. OpenAI says it for Business, Enterprise, and the API. Three vendors, one position. Feedback is the one place the rules diverge: Microsoft can use it to improve the product but not to train the model, while a thumbs-up or thumbs-down to OpenAI or Anthropic can pull that conversation in. So govern the feedback setting on its own.
You own what you put in and what comes out. All three assign the rights in the output back to you. (Whether a purely machine-generated output can be copyrighted at all is a question for the courts, not the vendor, but that’s true no matter which tool you pick.)
The legal and security plumbing matches. Each one will sign a Data Processing Addendum and act as your processor, supports GDPR through Standard Contractual Clauses, encrypts data in transit and at rest, and has been through independent audits. So on the contract mechanics a security reviewer cares about, you’re not choosing between “serious” and “not serious.” They’re all serious.
One caveat on HIPAA, since healthcare-adjacent matters come up. All three will sign a Business Associate Agreement, but only on certain surfaces, and not the entry-level ones. Microsoft covers Copilot under your commercial tenant’s agreement, with web search queries excluded. Anthropic signs for its first-party API and for sales-assisted Claude Enterprise once an admin opts in, but not for Claude Team, the Console, or Cowork. OpenAI signs for sales-managed ChatGPT Enterprise and the API, but explicitly not for ChatGPT Business. So if protected health information is in play, the tier you pick matters as much as the vendor.
That’s the headline. Now the differences, because they’re real and they shape how you write your policy.
Where they differ: data retention
This is the part worth slowing down on, because “how long do they keep my data” is the question that decides a lot of vendor reviews.
Microsoft keeps your Copilot prompts and responses inside the Microsoft 365 service boundary. Think of it as living in the same place your email and SharePoint files already live, captured as activity history in a hidden folder in each user’s Exchange mailbox, governed by the same compliance and eDiscovery tooling. It’s encrypted, and you decide how long it sticks around with a Purview retention policy: 30 days, a year, seven years, whatever your records schedule already says. Your users can delete their own Copilot history. So with Microsoft, retention isn’t a number Microsoft sets. It’s a dial your admins hold in Purview, and like the dials at the other two, it only does anything once someone actually sets it.
Anthropic splits along how you connect. On the API, Anthropic deletes inputs and outputs within 30 days by default. On Claude for Work and Enterprise, the conversations stay in the product so people can pick up where they left off. Worth calling out for any reviewer: on Enterprise, the default is to keep that history indefinitely until an admin sets a custom retention period, where 30 days is the floor. So retention is yours to control, but you have to actually go set it. For the strictest work, Anthropic offers a Zero Data Retention arrangement, where your inputs and outputs aren’t stored at all beyond what’s needed to screen for abuse. But ZDR isn’t a toggle in the chat app. It applies to the API, products that run on your API key, and Claude Code on Enterprise, and it’s granted by agreement, not switched on per user.
OpenAI lands in the same place. ChatGPT Enterprise and Business put retention in your admins’ hands, and deleted conversations clear OpenAI’s systems within 30 days. The API defaults to 30 days too, with zero retention available on eligible endpoints by approved use case. Same story as Anthropic: zero retention lives on the API, not in the chat app.
Read those three paragraphs again and the pattern jumps out. Two models, really. Either your own administrators control retention (Copilot, Claude Enterprise, ChatGPT Enterprise), or it’s a short auto-delete cycle with a zero-retention escape hatch (the APIs). That’s it. The idea that one of these vendors is quietly hoarding your data while the others don’t isn’t supported by the terms.
And this isn’t a theoretical exercise anymore. The question “how long do you keep AI prompts and outputs” is now showing up in outside counsel guidelines, client security questionnaires, and RFPs. A few years ago it didn’t come up. Now it’s a line item. The retention choice you make isn’t just internal hygiene. It’s something you may have to put in writing and stand behind when a client or insurer asks.
Most IT teams I work with end up screenshotting this exact comparison:
Training on your data (commercial tiers): Copilot no, Claude no, ChatGPT no. Feedback is the exception: Microsoft uses it for product improvement only, while OpenAI and Anthropic can pull a thumbs-up or thumbs-down conversation into training.
DPA, GDPR Standard Contractual Clauses, encryption in transit and at rest, independent audits: all three.
BAA: Copilot under your commercial tenant's agreement (web search queries excluded); Claude on the first-party API and sales-assisted Claude Enterprise after admin opt-in, not Team, Console, or Cowork; ChatGPT on sales-managed Enterprise and the API, not ChatGPT Business.
Retention: Copilot set by your admins in Purview; Claude Enterprise indefinite until an admin sets a period (30-day floor), Claude API deleted within 30 days; ChatGPT Enterprise and Business admin-controlled with deletions cleared within 30 days, API 30 days.
Zero retention: Claude API, products on your API key, and Claude Code on Enterprise, by agreement; ChatGPT API on eligible endpoints by approved use case; Copilot has no equivalent, and none of the chat apps expose it as a toggle.
The twist: Copilot runs the same engines
Here’s the part that reframes the whole question.
Microsoft 365 Copilot is built on OpenAI’s models, delivered through Azure rather than the public ChatGPT product. And Microsoft has since made Anthropic’s Claude models available inside Copilot too, in certain surfaces and regions. So when a firm asks me whether they should trust Microsoft over ChatGPT and Claude, the honest answer is that Copilot is running the same model families, wrapped in Microsoft’s contract and held inside Microsoft’s service boundary.
What you’re really choosing between, then, isn’t three different engines so much as three different contracts and three different places your data sits. Microsoft’s pitch is that the data never leaves your service boundary, and that you govern it with tools you already own. OpenAI and Anthropic’s pitch is that they hold the data on their own infrastructure but don’t train on it and delete it on a schedule you can tighten. For a firm that has already standardized on Microsoft, the boundary argument is genuinely worth something. Just know what you’re buying: a wrapper and a boundary, over models you could also reach directly.
One wrinkle worth flagging, because your IT team will ask. When Claude runs inside Copilot, Anthropic operates as a Microsoft subprocessor, Microsoft notes that those Anthropic models currently sit outside its EU Data Boundary commitment, and some preview models run under separate Anthropic terms. If EU data residency is a hard line for you, that’s a detail to check, not assume.
The bigger risk: the wrong tier
Now the thing I care about most, and the reason I tell every firm to read this section twice.
Everything above is true only if your people are on the business or enterprise contract. The consumer versions (ChatGPT's personal plans, Claude's Pro plan, the free Copilot you get when you sign in with a personal account) are governed by completely different terms. On the consumer side, the defaults flip. Anthropic now uses consumer chats to train its models unless the user opts out, and retention for opted-in consumer accounts runs to five years. Free and personal ChatGPT can be used for training unless the person turns it off. None of that comes with a Data Processing Addendum, which means no contractual confidentiality protection for your clients' data at all.
So the dangerous scenario in a law firm isn’t “we picked the wrong vendor.” It’s “an associate pasted a deal document into a personal ChatGPT account at 11pm because it was faster than logging into the firm tool.” That’s the exposure. The vendor choice barely moves the needle next to the tier choice.
This is the line I’d put in bold in any AI policy: client work goes through the firm’s commercial account, on the commercial contract, every time.
The honest tradeoffs
They’re not identical, but the differences are about fit, not safety. Each one has an edge that matters to some firms and not others, and none of them makes the other two a weaker choice for your clients.
If you’re already a Microsoft shop, Copilot’s draw is that it inherits the governance layer you already run: the same data loss prevention rules, sensitivity labels, and eDiscovery console your records team already lives in. You’re extending a control plane you’ve configured rather than standing up a new one. That’s worth something if you’re deep in Microsoft, and not much if you aren’t.
Anthropic's draw is the clearest language on employee access (staff can't read your conversations without your consent or a safety flag), plus a separate FedRAMP-authorized product, Claude for Government, if the public sector ever enters the picture. OpenAI's draw is customer-managed encryption keys and the widest set of data-residency regions, handy if you have specific in-country storage requirements. All three now hold ISO 42001, the AI-specific management standard, so that one's table stakes across the board. And every copyright indemnity here carries the same fine print: keep the safety features on, and don't knowingly publish infringing output. Read it before you lean on it.
None of those is a safety advantage. They’re preferences. On the questions a managing partner actually asks, do they train on our data, will they sign a DPA, can we control retention, will they stand behind us on copyright, the answer for all three is the same: yes.
What to do Monday morning
Write the tier rule, then enforce it technically. Put in writing that all client work runs on the firm’s commercial or enterprise account, and back it up with single sign-on so people can’t easily use personal accounts for firm matters. The policy without the enforcement is just a wish.
Pick your retention posture and set it. Decide how long the firm wants to keep prompts and outputs, then actually set it: in Purview for Copilot, in the admin console for Claude or ChatGPT Enterprise, or ask about zero retention for your most sensitive practice groups.
Get the paper in the file. Make sure you have the signed DPA, the BAA if you handle health data, and the current audit reports for whichever tools you’ve approved. When a client’s outside counsel guidelines or an insurer asks how you govern AI, you want to answer in an afternoon, not a month.
The vendors are closer than the noise suggests. Your job isn't to find the one safe AI company. It's to make sure your people are on the right contract, with the right settings, each and every time. Get that right, and the brand on the box is almost a footnote.