Industry
Where your company data goes when you use AI: a clear answer for the board
Vincent Wahidi
When your team uses AI, your data goes to wherever the model runs. With a hosted public service (the consumer version of a chatbot), prompts and any files you paste travel to the vendor's servers, and on consumer tiers they can be retained and used to train future models unless you turn that off. With an enterprise or private deployment, the data stays inside a contracted boundary. It is processed to answer your request, not retained for training, and can be pinned to EU data centres for residency. The single question that decides your exposure is whether the contract says our inputs and outputs will never be used to train the vendor's models, and where they are physically stored. Get that in writing and most board-level concern about AI data privacy resolves into ordinary procurement.
Where does our data actually go when we use AI?
It depends on which of three patterns you are using.
A public consumer service sends your prompt over the internet to the vendor, generates a reply, and returns it. On free and personal tiers, that content may be logged, reviewed by people for quality, and fed into future training unless you opt out.
A business or enterprise tier of the same service sends data to the same kind of infrastructure, but under a contract that typically forbids training on your data, limits retention, and offers a region for storage.
A private or self-hosted deployment runs the model inside your own cloud account or a dedicated tenant. Data does not leave that boundary at all. This is the most controlled option and usually the most expensive to run.
The technology is similar across all three. The contract and the deployment, not the model, decide where your data lives.
What does training on your data mean, and should the board worry?
Training on your data means the vendor keeps your prompts and uploads and uses them as examples to improve the model the rest of the world also uses. The worry is twofold. A future version of the model could surface fragments of sensitive input, and your confidential material has left your control for a purpose you did not intend.
For a single drafted email this is low stakes. For contracts, patient records, payroll, source code, or anything covered by GDPR or a confidentiality clause, it is a real issue, because consent and purpose limitation are legal duties, not preferences.
The answer is not to ban AI. It is to route sensitive work to a tier that contractually excludes training and human review. Reputable enterprise tiers do this by default. Confirm it rather than assume it.
Can our data stay in the EU, and does residency equal compliance?
Yes, residency is available, but it is necessary rather than sufficient.
Most major providers now offer EU data residency, meaning the data is processed and stored in European regions. For a firm handling European personal data, that removes one of the harder GDPR questions, the lawful basis for international transfer, and it sits naturally alongside the obligations the EU AI Act places on businesses shipping AI.
Residency alone does not make you compliant. You still need a data processing agreement, a clear lawful basis, retention limits, and a record of which systems touch personal data. Residency answers where, not whether you were allowed to. Treat it as one control among several, not the whole answer.
What should we ask an AI vendor before signing?
A short list, in writing, settles most of it.
| Question | What a safe answer sounds like |
|---|---|
| Do you train your models on our inputs or outputs? | No, not on business-tier data, by default and in the contract. |
| How long is our data retained? | A stated, short window (often zero to 30 days for abuse monitoring), then deleted. |
| Where is our data processed and stored? | A named region, with EU residency available. |
| Do people review our prompts? | Only with consent, or never on the business tier. |
| Will you sign a DPA and act as processor? | Yes, with sub-processors listed. |
| What happens to our data if we leave? | Deleted on a defined timeline, with confirmation. |
If a vendor cannot answer these plainly, that is itself the answer. The same discipline that keeps hallucinations out of a document pipeline, knowing exactly what the system does and proving it, applies to where the data goes. Working out which tier fits which task, and contracting for the EU residency and no-training terms you need, is part of our AI consulting work.
The practical takeaway for the board
You do not need a deep technical briefing to govern this well. You need to know which tier each AI tool uses, whether its contract excludes training on your data, where that data is stored, and who owns the data processing agreement. Sensitive work belongs on an enterprise or private deployment with EU residency and a no-training clause. Low-stakes work can sit on simpler tiers. Write the inventory down, assign an owner, and revisit it when a new tool appears. Most AI data risk is not a technology problem. It is a procurement and governance problem you already know how to run.

Vincent Wahidi
Author
Vincent Wahidi is the director of Encelyte, a computer engineer who builds production AI, automation, and custom software for enterprises across Cyprus and the wider region. He writes the strategy, cost and decision-maker pieces himself; the practical how-to guides are curated under the five mission-cat bylines below.
Read next
AI governance for mid-market companies: the lightweight version that still holds up
Have a problem worth solving?
Tell us what you're building or fixing. We'll reply within one business day with a clear next step.
