AI coding assistants are powerful tools that can dramatically increase productivity. However, their use, particularly in a professional setting with proprietary codebases, requires a clear understanding of the associated privacy and security considerations.
By adopting a security-conscious mindset and following best practices, you can confidently leverage these tools while protecting your intellectual property and maintaining a secure development environment.
When you use a cloud-powered AI assistant, your code snippets and prompts are sent to the AI provider’s servers for processing. It is absolutely critical to understand how this data is handled.
Always Use Privacy Mode
Most professional-grade AI coding tools offer a “Privacy Mode”. When enabled, this feature provides a contractual guarantee that your code will not be stored on the provider’s servers and will never be used to train their models.
For any work on a private, proprietary, or sensitive codebase, enabling Privacy Mode should be considered mandatory.
Keeping secrets out of your prompts is a fundamental security hygiene rule that is even more important when working with AI.
No API Keys: Never paste API keys, tokens, or passwords into your chat prompts.
No Credentials: Do not include database connection strings or other credentials.
Use Placeholders: If you need to discuss code that involves a secret, replace the actual secret with a placeholder, like API_KEY_PLACEHOLDER or process.env.MY_SECRET.
Even with Privacy Mode enabled, secrets could be momentarily visible in transit or in ephemeral logs. There is never a good reason to expose them to the AI.
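One way to apply the placeholder rule mechanically, as an added example that is not part of the original article: a small Python filter, run on a prompt before it leaves the machine, that swaps recognisable secret shapes for placeholders and reports what it found. The regular expressions and the sample prompt are constructed for this example and are heuristics, not an exhaustive scanner.

```python
import re
from typing import List, Tuple

# Constructed heuristic patterns for secret shapes that commonly leak into
# prompts. Each entry: (name, compiled regex, replacement or None when the
# placeholder is built from the matched key name).
SECRET_PATTERNS = [
    # Credentials embedded in a connection string: scheme://user:pass@host
    ("connection_string",
     re.compile(r"(\b[a-z][a-z0-9+.-]*://[^:/\s@]+:)([^@\s]+)(@)", re.IGNORECASE),
     r"\1DB_PASSWORD_PLACEHOLDER\3"),
    # HTTP Authorization bearer tokens
    ("bearer_token",
     re.compile(r"(\bBearer\s+)([A-Za-z0-9._~+/=-]{16,})"),
     r"\1BEARER_TOKEN_PLACEHOLDER"),
    # Assignments such as API_KEY = "..." or password: '...'
    ("assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)(\s*[:=]\s*['\"]?)([^'\"\s,;]{8,})"),
     None),
]

def _assignment_placeholder(match: re.Match) -> str:
    # Turn the matched key (e.g. API_KEY, password) into KEY_PLACEHOLDER
    name = re.sub(r"[^A-Z0-9]", "_", match.group(1).upper())
    return f"{match.group(1)}{match.group(2)}{name}_PLACEHOLDER"

def redact_secrets(prompt: str) -> Tuple[str, List[str]]:
    """Return the prompt with likely secrets replaced by placeholders, plus the
    names of the patterns that fired, so the caller can log or confirm before
    sending."""
    findings: List[str] = []
    for name, pattern, replacement in SECRET_PATTERNS:
        repl = replacement if replacement is not None else _assignment_placeholder
        prompt, count = pattern.subn(repl, prompt)
        if count:
            findings.append(name)
    return prompt, findings

# Constructed sample prompt containing three secrets and one harmless setting.
SAMPLE_PROMPT = """Why does this fail?
API_KEY = "sk-live-0123456789abcdef"
DATABASE_URL = "postgres://app:Tr0ub4dor3x@db.internal:5432/app"
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop"}
timeout = 30
"""

if __name__ == "__main__":
    redacted, found = redact_secrets(SAMPLE_PROMPT)
    print(redacted)
    print("patterns fired:", found)
```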
The Model Context Protocol (MCP) allows your AI to connect to other tools, which is incredibly powerful but introduces a new layer to consider in your security model. An MCP server is an executable piece of software, so installing one means running third-party code in your environment.
Trust, but Verify: Only install MCP servers from official, trusted sources (e.g., the official servers from GitHub, Atlassian, or Figma).
Review Open Source Code: For community-provided servers, take the time to review the source code to understand what it’s doing before you install it.
Principle of Least Privilege: When configuring a server to connect to a service (like a database), always use credentials with the minimum permissions necessary. For a database, this almost always means using a read-only user.
Ultimately, you are the developer. The AI is a tool, and you are responsible for the code that gets committed.
Review All AI-Generated Code
Treat every piece of code generated by the AI as if it were a pull request from a new team member. Review it carefully for not just functional correctness, but also for subtle bugs, performance issues, and security vulnerabilities like SQL injection or improper error handling.
Approve Actions Deliberately
Do not blindly approve file edits or terminal commands that the AI suggests. Take a moment to review the proposed diff and understand exactly what a command will do before you give it the green light. Your critical judgment is the most important safety feature.
By integrating these security-conscious habits into your workflow, you can embrace the power of AI-assisted development with confidence, knowing that you are protecting your work and your organization.