FirmAdapt
Tags: AI compliance, regulatory, trade secrets, IP, confidentiality, Contract

Confidentiality Obligations to Third Parties When You Use AI on Their Data

By Basel Ismail, May 21, 2026

You signed an NDA with a customer three years ago. Standard mutual confidentiality agreement, nothing exotic. Now someone on your team pastes that customer's financial projections into ChatGPT to help build a proposal. Or feeds supplier pricing data into an AI tool to run a competitive analysis. Or uploads a partner's technical documentation to get a summary for an internal briefing.

Did you just breach your confidentiality obligations? Probably. And the answer has almost nothing to do with AI regulation. It has everything to do with the contracts you already signed.

The Problem Is Older Than You Think

Confidentiality obligations in commercial contracts typically restrict disclosure of confidential information to third parties and limit use to the purposes contemplated by the agreement. These clauses have been standard for decades. The issue is that most organizations treat AI tools as internal productivity software, like a calculator or a spreadsheet. They are not. When you input data into a third-party AI service, you are, at minimum, transmitting that data to the AI provider. Depending on the provider's terms of service, you may also be granting them a license to use that data for model training.

OpenAI's enterprise terms, as of early 2024, state that they do not train on customer data submitted through the API or ChatGPT Enterprise. But the standard free and Plus tiers? OpenAI's terms historically reserved the right to use inputs for model improvement, though they added opt-out mechanisms in April 2023. Google's Gemini consumer terms are similar. The distinction between enterprise and consumer tiers matters enormously, and most confidentiality agreements do not care which tier your employee happened to be using.

What Your Contracts Actually Say

Pull up a few of your NDAs and MSAs. Look at the confidentiality section. You will almost certainly find language that restricts disclosure to employees and contractors who have a "need to know" and who are bound by confidentiality obligations at least as protective as the agreement itself. Some agreements go further and require prior written consent before any disclosure to third parties, full stop.

Now consider what happens when an employee pastes confidential information into a public AI tool. The AI provider is not your employee. They are not your contractor. They almost certainly have not signed a confidentiality agreement with your counterparty. And their terms of service, which govern what they can do with your inputs, are unlikely to meet the "at least as protective" standard in your NDA.

This is a straightforward breach analysis. You do not need a novel legal theory. The contract says do not disclose to unauthorized third parties. You disclosed to an unauthorized third party.

Customer Data

Customer data tends to carry the heaviest obligations. Beyond NDAs, you likely have data processing agreements, MSA confidentiality provisions, and potentially regulatory overlays like HIPAA BAAs or GLBA requirements. If a customer shared revenue data, patient information, or strategic plans under a confidentiality agreement, running that through a public AI tool is a disclosure event. In healthcare, this could independently trigger a HIPAA breach. In financial services, it could implicate GLBA safeguards requirements or SEC Regulation S-P.

The Clearview AI litigation, while focused on biometric data, highlighted how courts are increasingly willing to scrutinize unauthorized data sharing with technology providers. And in Doe v. GitHub, Inc. (N.D. Cal., filed November 2022), plaintiffs alleged that feeding licensed code into AI training sets violated contractual and statutory obligations. The case is ongoing, but the theory is live.

Partner Data

Joint venture agreements, strategic partnership contracts, and co-development agreements often contain confidentiality provisions that are more restrictive than standard NDAs. They frequently include specific carve-outs about what tools and platforms can be used to process shared information. Some require that all processing occur within approved environments. If your partnership agreement with a defense contractor requires that shared technical data remain within FedRAMP-authorized systems, feeding it into a commercial AI tool is a clear violation, and potentially an ITAR or EAR issue on top of the contract breach.

Supplier Data

Supplier pricing, manufacturing processes, and logistics data often come with confidentiality strings attached. This is the category people forget about most often. Your procurement team gets a supplier's cost breakdown under NDA, then uses an AI tool to compare it against other bids. You have now potentially disclosed one supplier's confidential pricing to a third-party AI provider. If that provider's terms allow use of inputs for training, you have also potentially contributed to a model that could surface similar pricing patterns to your supplier's competitors. The trade secret implications here are real. Under the Defend Trade Secrets Act (18 U.S.C. 1836), a trade secret loses its protected status if the owner fails to take reasonable measures to keep it secret. If your supplier's pricing is a trade secret, and you fed it into a public AI tool, you may have just helped destroy their trade secret protection.

The "But It Is Just a Tool" Defense Does Not Work

Some organizations argue that using an AI tool is no different from using any other software, and that the AI provider is just a "subprocessor" or "service provider." This argument has problems. First, most confidentiality agreements require that subprocessors be bound by equivalent confidentiality obligations, and you need to actually have that contractual chain in place. Second, the AI provider's terms of service are not negotiated by your counterparty and are not designed to protect their interests. Third, many confidentiality agreements predate the widespread use of AI tools and simply do not contemplate this kind of processing.

Samsung learned this lesson publicly in April 2023 when employees fed proprietary source code and internal meeting notes into ChatGPT. Samsung subsequently banned generative AI tools internally. The reputational and legal exposure was significant enough to force an enterprise-wide policy change within weeks.

What You Should Be Doing Right Now

  • Audit your confidentiality obligations. Pull your top 50 NDAs, MSAs, and partnership agreements. Map which ones restrict disclosure to third parties, which require consent, and which specify approved processing environments.
  • Classify data before it touches AI. Build a workflow that forces classification of data inputs. If the data originated from a third party under a confidentiality agreement, it should not go into a public AI tool without a specific legal review.
  • Review AI provider terms carefully. Understand the difference between enterprise tiers (where providers typically disclaim training rights) and consumer tiers (where they often do not). Match the tier to the sensitivity of the data.
  • Update your confidentiality agreements going forward. Add specific provisions addressing AI tool usage. Define what constitutes permitted processing, whether AI-assisted analysis is within scope, and what safeguards are required.
  • Train your people. The Samsung incident happened because engineers did not think of ChatGPT as a "third party." Your employees probably do not either.
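The second and third steps above (classify data before it reaches an AI tool, then match the provider tier to the data's sensitivity) can be enforced as a pre-submission gate rather than left to individual judgement. The following is an added illustrative example, not FirmAdapt's code and not any provider's API: the tier categories, the `DataAsset` classification fields, the rule set and the sample counterparties are all constructed assumptions that a legal and security team would replace with the obligations found in their own contract audit.

```python
# Added illustrative example (not FirmAdapt code): a pre-submission policy gate
# that records a data asset's contractual provenance and decides whether it may
# be sent to a given AI provider tier. Tier names, fields, rules and sample
# assets are all constructed for this example.
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List


class Tier(Enum):
    """Where the AI processing would happen (assumed categories)."""
    CONSUMER = "consumer"        # public tier; provider may use inputs for training
    ENTERPRISE = "enterprise"    # provider disclaims training; subprocessor terms possible
    INTERNAL = "internal"        # self-hosted or otherwise contractually approved environment


@dataclass(frozen=True)
class DataAsset:
    """Classification record attached to data before it reaches any AI tool."""
    source: str                           # counterparty the data came from
    third_party: bool                     # originated outside the organization?
    under_nda: bool = False               # covered by a confidentiality agreement?
    requires_consent: bool = False        # NDA demands prior written consent for any disclosure
    approved_environments: FrozenSet[str] = frozenset()  # empty = no environment restriction
    regulated: FrozenSet[str] = frozenset()              # regulatory overlays, e.g. {"HIPAA"}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(asset: DataAsset, tier: Tier,
             consent_on_file: bool = False,
             subprocessor_chain: bool = False) -> Decision:
    """Apply the contract-driven rules from the post; any hit denies the submission."""
    if not asset.third_party:
        return Decision(True, ["not third-party data; no external confidentiality obligation"])

    reasons: List[str] = []

    # Contract names approved processing environments (e.g. an approved-systems-only clause).
    if asset.approved_environments and tier.value not in asset.approved_environments:
        reasons.append(f"{tier.value} tier is outside the contractually approved "
                       f"environments {sorted(asset.approved_environments)}")

    # Consumer tiers cannot meet the NDA's 'at least as protective' standard.
    if asset.under_nda and tier is Tier.CONSUMER:
        reasons.append("consumer tier: provider terms may permit training on inputs")

    # Some NDAs require prior written consent for any third-party disclosure.
    if (asset.under_nda and asset.requires_consent
            and tier is not Tier.INTERNAL and not consent_on_file):
        reasons.append("NDA requires prior written consent; none on file")

    # Treating the provider as a subprocessor needs a documented confidentiality chain.
    if asset.under_nda and tier is Tier.ENTERPRISE and not subprocessor_chain:
        reasons.append("enterprise tier: no subprocessor confidentiality chain documented")

    # Regulated data is routed to legal review unless it stays in an internal environment.
    if asset.regulated and tier is not Tier.INTERNAL:
        reasons.append(f"regulated data ({', '.join(sorted(asset.regulated))}) "
                       "requires legal review before external processing")

    return Decision(not reasons, reasons or ["all contractual checks passed"])


def audit_record(asset: DataAsset, tier: Tier, decision: Decision, requester: str) -> dict:
    """Flat record for the audit trail: what data, which tier, who asked, why decided."""
    return {"source": asset.source, "tier": tier.value, "requester": requester,
            "allowed": decision.allowed, "reasons": list(decision.reasons)}


# Constructed sample assets mirroring the supplier, partner and customer scenarios.
SUPPLIER_PRICING = DataAsset("Example Supplier Ltd", third_party=True, under_nda=True)
DEFENSE_PARTNER_DATA = DataAsset("Example Defense Partner", third_party=True, under_nda=True,
                                 approved_environments=frozenset({"internal"}))
CUSTOMER_PHI = DataAsset("Example Clinic", third_party=True, under_nda=True,
                         requires_consent=True, regulated=frozenset({"HIPAA"}))
INTERNAL_NOTES = DataAsset("our own team", third_party=False)

if __name__ == "__main__":
    for asset, tier in [(SUPPLIER_PRICING, Tier.CONSUMER),
                        (SUPPLIER_PRICING, Tier.ENTERPRISE),
                        (DEFENSE_PARTNER_DATA, Tier.ENTERPRISE),
                        (CUSTOMER_PHI, Tier.INTERNAL),
                        (INTERNAL_NOTES, Tier.CONSUMER)]:
        d = evaluate(asset, tier, subprocessor_chain=True)
        print(audit_record(asset, tier, d, "analyst@example.com"))
```

The gate denies by default on any contractual hit and records every reason, so the audit trail shows not just that a submission was blocked but which obligation blocked it. Supplier pricing under NDA is refused on the consumer tier but passes on an enterprise tier once a subprocessor chain is documented; partner data restricted to approved environments is refused on any external tier regardless of provider terms.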

How FirmAdapt Addresses This

FirmAdapt's architecture is designed so that data submitted to the platform is not sent to third-party AI providers for processing in a way that would constitute disclosure under standard confidentiality agreements. The platform processes data within a compliance-first environment where inputs are not used for model training, are not accessible to other customers, and are not retained beyond the session unless the customer explicitly configures retention. This means organizations can use AI-assisted analysis on third-party confidential data without triggering the disclosure and unauthorized use issues described above.

For organizations operating under strict contractual confidentiality regimes, particularly in defense, financial services, and healthcare, FirmAdapt provides the documentation and audit trail needed to demonstrate that AI usage complies with existing obligations. The platform maps data handling practices against specific contractual requirements, so when a counterparty asks how their data is being processed, you have a concrete answer rather than a vague reference to an AI provider's terms of service.
