FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorytrade secretsIPconfidentialityPII

HR and the Employee Data That Should Never Be Pasted Into a Public Chatbot

By Basel IsmailMay 22, 2026

HR and the Employee Data That Should Never Be Pasted Into a Public Chatbot

A recruiter needs to summarize 40 resumes before a hiring committee meets at 2 PM. A manager wants help drafting a performance improvement plan. An HR generalist is trying to figure out whether a disciplinary record supports termination. All three of them have a browser tab open to ChatGPT, Claude, or Gemini. All three are about to paste employee data into a system their company does not control, has no DPA with, and almost certainly has not vetted for compliance with anything.

This is the HR shadow AI problem, and it is quietly becoming one of the most significant data protection risks in regulated industries.

What Is Actually Getting Pasted

When we talk about employee data in the context of public AI tools, we are not talking about someone asking a chatbot to explain FMLA leave requirements. We are talking about raw, identifiable, sensitive information being uploaded as prompt context. Specifically:

Resumes and cover letters containing full names, addresses, phone numbers, email addresses, education history, and sometimes disability status or veteran status.
Performance reviews with manager assessments, peer feedback, specific behavioral observations, and often references to medical accommodations or leave.
Salary and compensation data, including individual pay rates, bonus structures, equity grants, and pay band placement.
Disciplinary records documenting allegations, investigation findings, witness statements, and corrective actions.
Internal investigation notes related to harassment complaints, ethics violations, or whistleblower reports.

Every one of these categories contains PII. Many contain what the CCPA and its progeny classify as "sensitive personal information." Some contain information protected under specific federal statutes that have nothing to do with general privacy law.

The Regulatory Exposure Is Layered

State Privacy Laws

As of mid-2025, comprehensive state privacy laws are active or taking effect in at least 19 states. The California Privacy Rights Act (CPRA) is the most aggressive on employee data. California extended full CPRA protections to employee and job applicant personal information starting January 1, 2023, after the exemption expired. That means every obligation that applies to consumer data, including purpose limitation, data minimization, and the requirement for reasonable security measures, applies to the resume your recruiter just pasted into a public LLM.

Colorado's CPA, Virginia's VCDPA, and Connecticut's CTDPA all have provisions that touch employee data to varying degrees. Texas's TDPSA, effective July 1, 2024, applies to entities that process personal data and has no revenue threshold, which catches a lot of mid-market employers off guard. Pasting employee PII into a third-party AI tool without a data processing agreement likely violates purpose limitation requirements under most of these statutes.

Title VII and Anti-Discrimination Law

This is where it gets interesting and underappreciated. When HR professionals use public AI tools to screen resumes, draft PIPs, or evaluate disciplinary actions, they are introducing an unvetted algorithmic process into employment decisions. The EEOC's May 2023 guidance on AI and Title VII made clear that employers can be liable for disparate impact caused by AI tools, even tools they did not build, if the output influences hiring, firing, or promotion decisions.

In the EEOC's framework, the employer is on the hook regardless of whether the AI vendor is also liable. If a manager pastes five disciplinary records into ChatGPT and asks "which of these employees should be terminated," and the output correlates with a protected class, the company has a problem it may not even know exists. There is no audit trail. There is no validation of the model's reasoning. There is no adverse impact analysis. The EEOC settled with iTutorGroup for $365,000 in 2023 over age discrimination by an AI hiring tool. That was a tool the company intentionally deployed. Imagine the exposure when the tool was never authorized at all.

New York City's Local Law 144, effective July 5, 2023, requires bias audits for automated employment decision tools. If an HR team in NYC is using a public chatbot to rank candidates, they are almost certainly in violation.

Trade Secrets and Confidential Business Information

Compensation structures, performance management frameworks, internal investigation methodologies, and workforce planning data are often trade secrets or at minimum confidential business information. Under the Defend Trade Secrets Act (DTSA), a trade secret loses protection if the owner does not take "reasonable measures" to keep it secret. Allowing employees to paste compensation data into a public AI tool with no access controls, no contractual protections, and no usage monitoring is a strong argument that reasonable measures were not taken.

OpenAI's terms of service for the free tier of ChatGPT historically allowed use of input data for model training. They have since added opt-out mechanisms and enterprise tiers with different terms, but the default behavior for a free account is not what any compliance officer would consider acceptable for sensitive HR data. And most shadow AI usage happens on free accounts.

Why This Is Harder to Catch Than Other Shadow IT

Traditional shadow IT, like an unauthorized SaaS tool, usually leaves traces. There is a subscription charge, an SSO bypass, network traffic to a new domain. Shadow AI usage through a public chatbot leaves almost nothing. The data goes out through a browser on a corporate laptop, or worse, a personal device. There is no file transfer to flag. No API call to log. The employee copies text from an HRIS, pastes it into a browser window, gets a response, and copies the output back. The entire interaction is invisible to most DLP tools unless the organization has specifically configured browser-level monitoring for generative AI domains.

A 2024 study by Cyberhaven found that 27.4% of data pasted into ChatGPT by corporate employees was sensitive, and HR data was among the most common categories. A separate survey by Gartner in late 2023 indicated that 55% of organizations had no policy specifically addressing generative AI use by employees.

What a Reasonable Response Looks Like

Banning AI outright does not work. HR teams are under real pressure to do more with less, and generative AI is genuinely useful for drafting, summarizing, and analyzing text. The practical response involves several things working together:

Acceptable use policies that specifically name generative AI tools and define what categories of data may never be used as input. Generic "confidential information" language is not sufficient; HR staff need concrete examples.
Technical controls that prevent or detect the pasting of PII into unauthorized AI tools. This means browser extensions, endpoint DLP, or DNS-level blocking for consumer AI domains.
Approved alternatives that give HR teams the AI capabilities they need within a controlled environment. If you do not give people a compliant path, they will keep using the non-compliant one.
Training tied to specific roles. A recruiter's risk profile with AI is different from a benefits administrator's. Generic AI training misses the mark.

How FirmAdapt Addresses This

FirmAdapt provides a compliance-first AI environment where HR teams can use generative AI capabilities without sending employee data to public models. Data stays within an architecture designed around PII handling requirements, with configurable guardrails that can prevent specific data categories (SSNs, compensation figures, medical information) from being processed in ways that would violate state privacy laws or compromise trade secret protections. Every interaction is logged, creating the audit trail that shadow AI usage inherently lacks.

For organizations concerned about Title VII exposure, FirmAdapt's controlled environment means that AI-assisted HR decisions can be documented, reviewed, and tested for adverse impact in ways that are simply impossible when employees are using consumer chatbots. The platform does not eliminate the need for sound HR judgment, but it does eliminate the regulatory gap between "we told people not to use ChatGPT" and actually having enforceable technical controls in place.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free