Tags: AI compliance, regulatory, trade secrets, IP, confidentiality, Trade secret

Engineering Teams and the Code Review Habit That Leaks Trade Secrets

By Basel Ismail, May 21, 2026

A developer hits a wall on a tricky function. They copy 40 lines of proprietary code, paste it into a public AI chatbot, and ask for a review. They get useful feedback in seconds. The code works better. Everyone is happy. And the company just lost trade secret protection over that code, potentially forever.

This is happening constantly. A 2023 Samsung incident made headlines when engineers pasted proprietary semiconductor source code into ChatGPT on at least three separate occasions within a single month. Samsung responded by banning generative AI tools internally. But Samsung is a company with the resources and visibility to catch the problem. Most organizations have no idea it is happening until it is too late.

Why Pasting Code Into Public AI Is a Trade Secret Problem

Under the Defend Trade Secrets Act of 2016 (DTSA, 18 U.S.C. 1836), and under the Uniform Trade Secrets Act adopted in some form by 48 states, trade secret protection requires that the owner take "reasonable measures" to keep the information secret. That is the threshold. Not perfect measures. Reasonable ones.

When an employee pastes proprietary code into a public AI tool, the analysis gets uncomfortable fast. Most public AI services have terms of service that grant the provider broad rights to use input data for model training, or at minimum to process and store it on infrastructure the company does not control. OpenAI's terms, for instance, were updated in March 2023 to allow users to opt out of training data usage, but the default for free-tier and many API interactions historically did not exclude inputs from training pipelines. Other providers vary. The point is that the code leaves your controlled environment and enters a system governed by someone else's terms.

Courts evaluating trade secret claims look hard at whether the plaintiff maintained secrecy. In Compulife Software Inc. v. Newman (11th Cir., 2020), the court examined whether publicly accessible aspects of software undermined trade secret claims. In Waymo LLC v. Uber Technologies, the strength of Waymo's case rested partly on demonstrating rigorous internal controls over its LiDAR technology files. The pattern is consistent: if you cannot show you controlled access, courts are skeptical that the information qualifies as a trade secret at all.

A single paste into a public AI tool is arguably a voluntary disclosure to a third party without an NDA or confidentiality agreement in place. That is a problem you cannot easily undo.

The Exposure Pattern Is Predictable

This is not a hypothetical edge case. GitHub's 2023 survey found that 92% of developers were already using AI coding tools in some capacity. A Sourcegraph survey from the same year reported that 95% of developers use AI for code-related tasks. The volume of code flowing into these tools is enormous.

The typical exposure pattern looks like this:

  • Code review requests. A developer pastes a function or module and asks the AI to identify bugs, suggest optimizations, or review for security vulnerabilities. This often includes business logic that constitutes core IP.
  • Debugging sessions. Error messages get pasted alongside the code that generated them. Stack traces, database schemas, API endpoint structures, and authentication logic all end up in the prompt.
  • Refactoring help. Entire classes or files get uploaded for restructuring suggestions. These frequently contain proprietary algorithms, data processing pipelines, or integration logic with partner systems.
  • Documentation generation. Developers paste code and ask for inline comments or README content. The AI now has both the code and a natural language description of what it does.

Each of these feels low-risk to the individual developer. They are just trying to work faster. But aggregated across a team of 20 or 50 or 200 engineers, the cumulative exposure is significant.

The Legal Consequences Are Not Theoretical

If a competitor later develops similar technology and you sue for trade secret misappropriation, their defense team will ask a very simple question: did you maintain reasonable secrecy measures? If discovery reveals that your engineers routinely pasted the code into public AI tools, you have a serious problem. The defendant does not even need to prove they accessed your code through the AI. They just need to show that you did not treat it as secret.

Trade secret litigation is expensive. According to the American Intellectual Property Law Association's 2023 survey, the median cost of trade secret litigation where $1 million to $10 million was at risk exceeded $3 million through trial. Losing on the threshold question of "reasonable measures" before you even get to misappropriation is a painful way to spend that money.

There is also the DTSA's provision for exemplary damages up to two times actual damages in cases of willful misappropriation (18 U.S.C. 1836(b)(3)(C)). If your own sloppy practices contributed to the loss, good luck convincing a jury that the other side's conduct was willful while yours was merely careless.

What Actually Works

Banning AI tools entirely, the Samsung approach, is one option. It is also increasingly impractical. Developers who cannot use AI tools will either use them anyway on personal devices or leave for companies that allow them. Neither outcome is great.

More sustainable approaches include:

  • Self-hosted or private AI instances. Running code review AI on infrastructure you control, behind your firewall, with no data leaving your environment. Several commercial and open-source options exist for this.
  • Contractual protections with AI vendors. Enterprise agreements with AI providers that explicitly exclude input data from training, guarantee deletion, and include confidentiality obligations. These need to be reviewed by counsel, not just accepted as defaults.
  • Technical controls at the network level. DLP (data loss prevention) tools that detect and block code being pasted into unauthorized AI services. This is imperfect but raises the friction enough to catch accidental disclosures.
  • Clear, specific policies. Not a vague "be careful with AI" memo. A policy that names which tools are approved, what types of code can be submitted, and what the consequences are for violations. Specificity matters here because it is what courts look at when evaluating "reasonable measures."
  • Training that engineers actually respect. Short, concrete, scenario-based. Show them the Samsung example. Show them what a trade secret defense looks like when opposing counsel pulls up chat logs. Engineers respond to real cases better than abstract compliance lectures.
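The allowlist, DLP, and policy items above can be combined into one enforcement point: an outbound proxy or browser extension that knows which AI endpoints are approved and applies a code-likeness heuristic to the prompt before it leaves the network. The following is an added illustration written for this article, not FirmAdapt's code or any vendor's DLP product. The host names, patterns, thresholds, and sample prompts are all constructed assumptions; a real deployment would tune the patterns to the organization's languages and log decisions to a SIEM rather than stdout.

```python
"""Heuristic DLP check for prompts sent to AI services (hypothetical example).

Given the destination URL of an outbound request and the prompt text, decide
whether the submission is allowed, allowed but flagged for audit, or blocked.
Destinations on the approved list (e.g. a self-hosted review instance) are
always allowed; everything else is screened for code and confidentiality markers.
"""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Hypothetical allowlist: AI endpoints the organization controls or has an
# enterprise agreement with (no training on inputs, deletion guarantees).
APPROVED_AI_HOSTS = {"ai-review.internal.example.com"}

# Line-level heuristics that suggest source code rather than prose.
CODE_LINE_PATTERNS = [
    re.compile(r"^\s*(def|class|import|from|return|if|for|while)\b"),      # Python-ish
    re.compile(r"^\s*(public|private|protected|static|void|int|String)\b"),  # Java/C#-ish
    re.compile(r"^\s*(function|const|let|var)\b"),                         # JavaScript
    re.compile(r"^\s*#include\b"),                                         # C/C++
    re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE),     # SQL
    re.compile(r"[;{}]\s*$"),                                              # statement/block endings
    re.compile(r"^\s*[\w.\[\]]+\s*(=|\+=|-=)\s*\S"),                       # assignments
]

# Markers typically found in proprietary source headers.
CONFIDENTIALITY_MARKERS = re.compile(
    r"\b(proprietary|confidential|all rights reserved|internal use only)\b",
    re.IGNORECASE,
)


@dataclass
class Decision:
    action: str                 # "allow", "audit", or "block"
    code_ratio: float           # fraction of non-empty lines that look like code
    reasons: List[str] = field(default_factory=list)


def code_ratio(text: str) -> float:
    """Fraction of non-blank lines matching at least one code heuristic."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return 0.0
    hits = sum(1 for line in lines if any(p.search(line) for p in CODE_LINE_PATTERNS))
    return hits / len(lines)


def classify_submission(destination_url: str, prompt: str,
                        block_threshold: float = 0.4,
                        audit_threshold: float = 0.2) -> Decision:
    """Apply the allowlist first, then the content heuristics."""
    host = (urlparse(destination_url).hostname or "").lower()
    ratio = code_ratio(prompt)
    marked = CONFIDENTIALITY_MARKERS.search(prompt) is not None
    reasons = [f"code_ratio={ratio:.2f}"]
    if marked:
        reasons.append("confidentiality marker present in prompt")

    if host in APPROVED_AI_HOSTS:
        reasons.append(f"{host} is an approved, controlled AI endpoint")
        return Decision("allow", ratio, reasons)

    reasons.append(f"{host} is not an approved AI endpoint")
    if marked or ratio >= block_threshold:
        return Decision("block", ratio, reasons)
    if ratio >= audit_threshold:
        return Decision("audit", ratio, reasons)
    return Decision("allow", ratio, reasons)


# Constructed sample prompts (not real code or real incidents).
PROPRIETARY_PASTE = """
# Copyright (c) Example Corp. PROPRIETARY AND CONFIDENTIAL.
def score_lead(features):
    weights = load_weights("prod")
    return sum(w * f for w, f in zip(weights, features))
"""

PROSE_QUESTION = """
What is the difference between a trade secret and a patent?
Give me a short answer.
"""

DEBUG_MIXED = """
Here is the error I get when running the nightly job.
The process fails after about ten minutes.
I think it is a timeout but I am not sure.
SELECT count(*) FROM orders WHERE status = 'pending';
Any ideas what to check first?
"""

if __name__ == "__main__":
    public = "https://chat.public-ai.example.com/api"
    internal = "https://ai-review.internal.example.com/review"
    for label, url, prompt in [("proprietary->public", public, PROPRIETARY_PASTE),
                               ("prose->public", public, PROSE_QUESTION),
                               ("debug->public", public, DEBUG_MIXED),
                               ("proprietary->internal", internal, PROPRIETARY_PASTE)]:
        d = classify_submission(url, prompt)
        print(f"{label:24s} {d.action:6s} {'; '.join(d.reasons)}")
```

The ordering is deliberate: the allowlist is checked before the content heuristics, so code sent to the controlled instance is never blocked, which is what keeps developers from routing around the control. The "audit" tier exists because keyword heuristics misfire on debugging prose; a borderline prompt is allowed but logged, and those logs are exactly the "reasonable measures" evidence a legal team would later want to produce.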

The goal is not to eliminate AI from the development workflow. It is to keep proprietary code inside environments where you maintain legal control over it.

Do Not Forget Your Contractors

This problem multiplies with contractors and outsourced development teams. If your contract developers are using public AI tools on your codebase and your MSA does not explicitly address it, you have a gap. Update your contractor agreements to include AI tool usage restrictions and require disclosure of which tools are being used. The reasonable measures analysis applies to everyone who touches your code, not just W-2 employees.

How FirmAdapt Addresses This

FirmAdapt is built so that data submitted to the platform stays within a compliance-first architecture. Code, documents, and other sensitive inputs are processed in environments designed to prevent the kind of leakage described above. There is no training on customer data, no sharing across tenants, and the infrastructure is built to satisfy the "reasonable measures" standard that trade secret law requires.

For engineering teams that need AI-assisted code review, FirmAdapt provides a path that does not force a choice between productivity and IP protection. The platform maintains audit logs of interactions, enforces access controls, and operates under contractual terms that support, rather than undermine, your trade secret posture. If your legal team ever needs to demonstrate what measures were in place, the records exist.
