FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorytrade secretsIPconfidentialityInformation governance

Why Training a Model on Your Proprietary Data Is a Bigger Decision Than Most CISOs Realize

By Basel IsmailMay 23, 2026

Why Training a Model on Your Proprietary Data Is a Bigger Decision Than Most CISOs Realize

A vendor pitches you on fine-tuning a large language model with your proprietary data. Better outputs, domain-specific accuracy, competitive advantage. The deck looks great. Your innovation team is excited. And somewhere in the procurement flow, someone asks the CISO to sign off.

Here is what often gets missed in that conversation: fine-tuning is not like granting database access. It is not like sharing files via API. When your proprietary data is used to train or fine-tune a model, that data becomes part of the model's weights. It is absorbed, distributed across billions of parameters, and effectively irretrievable. You cannot delete it. You cannot recall it. You cannot audit what the model "learned" from your inputs versus someone else's. The operation is, for all practical purposes, irreversible.

And that irreversibility has consequences that ripple across trade secret law, regulatory compliance, contractual obligations, and information governance in ways that deserve much more scrutiny than they typically get.

The Trade Secret Problem Is Real and Immediate

Under the Defend Trade Secrets Act of 2016 (18 U.S.C. 1836), trade secret protection requires that the holder take "reasonable measures" to keep the information secret. Courts have been consistent on this. In Compulife Software Inc. v. Newman (11th Cir., 2020), the court emphasized that once a trade secret holder fails to control dissemination, protection can evaporate, sometimes permanently.

Now think about what happens when you fine-tune a vendor's model with your proprietary underwriting algorithms, your clinical decision frameworks, or your defense logistics data. That information is encoded into a model that the vendor controls. Depending on the agreement, the vendor may use that model (or a derivative) for other customers. Even if they promise not to, the technical architecture of neural networks makes it nearly impossible to prove isolation.

If a competitor later produces suspiciously similar outputs, your litigation position is compromised. You voluntarily handed your data to a third party and allowed it to be transformed into a form where extraction, attribution, and containment are all technically infeasible. A court could reasonably ask whether that constitutes "reasonable measures" to protect secrecy. The honest answer is uncomfortable.

The "Reasonable Measures" Bar Is Getting Higher

Courts have been raising expectations around what constitutes reasonable protection. In Turret Labs USA, Inc. v. CargoSprint, LLC (E.D.N.Y., 2021), the court scrutinized specific technical safeguards, not just contractual ones. NDAs alone were not sufficient; the court wanted to see access controls, encryption, and meaningful technical barriers to dissemination. Sending your data into a fine-tuning pipeline you do not control, hosted on infrastructure you cannot audit, is a hard sell under that standard.

The Decision Tree You Should Be Running

Before any proprietary data enters a training or fine-tuning pipeline, there are a series of questions that need real answers, not hand-waving from the vendor's sales engineer.

Where does training occur? On your infrastructure, in a dedicated tenant, or in a shared environment? If the model weights are stored on the vendor's infrastructure, you need to understand exactly who else can access or benefit from those weights.
Who owns the resulting model? Many vendor agreements are ambiguous on this. The base model is theirs. The fine-tuned weights are... whose? If the contract says "jointly developed IP" or is silent on the question, you have a problem.
Can the vendor use the fine-tuned model, or derivatives, for other customers? Read the terms carefully. Some agreements grant the vendor a broad license to use "aggregated" or "de-identified" learnings. In the context of model weights, those terms are nearly meaningless. There is no reliable way to de-identify learned parameters.
What happens at contract termination? You can delete a database. You can revoke API keys. You cannot "un-train" a model. If the vendor retains the fine-tuned model after your contract ends, your data persists in their system indefinitely.
Does this trigger regulatory notification requirements? Under HIPAA, if protected health information is used in training, the vendor is almost certainly a business associate, and the BAA needs to specifically address model training as a permitted use. Under CMMC 2.0, controlled unclassified information (CUI) used in training could implicate NIST SP 800-171 controls around data flow and boundary protection. Under GLBA and its updated FTC Safeguards Rule (effective June 2023), financial customer information used in training would need to be covered by your information security program.
Have you conducted a data classification review? Not all proprietary data carries the same risk. Training a model on your publicly available marketing copy is different from training it on your M&A pipeline data or your patient treatment protocols. Classification should happen before the conversation with the vendor, not during.

The Contractual Gap Most Companies Miss

Standard data processing agreements were designed for a world where data is stored, processed, and deleted. Fine-tuning breaks that model. The data is not "processed" in the traditional sense; it is transformed into something new. And the resulting artifact, the model, contains your data in a form that cannot be separated, audited, or returned.

This means your DPA, your BAA, your CMMC compliance documentation, and your internal information governance policies all need specific provisions addressing model training. Generic "data processing" language will not cover it. You need clauses that address model ownership, weight isolation, post-termination destruction (including destruction of fine-tuned model variants), restrictions on transfer learning, and audit rights specific to the training pipeline.

The FTC has already signaled that it views model training as a data use that requires specific consent and governance. In its 2023 enforcement action against Rite Aid, the Commission ordered the destruction of AI models built on improperly collected data. In the 2022 action against WW International (formerly Weight Watchers), the FTC required deletion of both the data and the algorithms derived from it. The precedent is clear: regulators view trained models as containing the data that produced them, and they will order destruction of the model itself as a remedy.

The Practical Risk Calculus

None of this means you should never fine-tune a model on proprietary data. The performance gains can be substantial, and there are legitimate architectures that mitigate many of these risks. The point is that this decision belongs in the same category as outsourcing your core IP or moving regulated data to a new jurisdiction. It requires legal review, technical due diligence, and a governance framework that accounts for the unique characteristics of model training.

If your current process for evaluating AI vendor proposals runs through the same checklist as a standard SaaS procurement, you are underestimating the risk surface by a wide margin.

How FirmAdapt Addresses This

FirmAdapt was built around the principle that your proprietary data should never leave your governance perimeter in ways you cannot reverse. The platform's architecture processes and applies your data without incorporating it into shared model weights, which means you retain full control, full auditability, and full ability to revoke access at contract termination. There is no "un-training" problem because there is no training on your data in the first place.

For organizations subject to HIPAA, CMMC, GLBA, or state-level privacy statutes, FirmAdapt's compliance-first design means the information governance questions outlined above are addressed at the architectural level, not patched over with contractual language. Your data stays yours, in a form you can classify, audit, and delete.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free