
Is It Safe to Put Confidential Deals Into AI? A CRE Data-Security Guide | NextAutomation
What actually happens to your deal data inside AI tools, verified against Anthropic's and OpenAI's own current policies, plus a practical framework for putting confidential CRE deals through AI without giving away your edge.
Is It Safe to Put Confidential Deals Into AI? A CRE Data-Security Guide | NextAutomation
The Real Fear, In Operators' Own Words
Before any of this is a policy question, it is a gut question. In two separate conversations on our site, operators asked, almost word for word, about "liability with sensitive data" and whether we are on the hook if a system mishandles it. That is the honest starting point: a rent roll, an LOI, a seller's financials, and a pipeline of off-market deals are the most confidential things a CRE firm owns, and putting them into a tool you did not build feels like handing them to a stranger.
The sharper version of the fear is not about a hacker. It is about the vendor. The most precise phrasing we have heard came from a real estate technology operator who wanted, in their words, "not just an NDA, but a very strict confidentiality agreement coupled with strong non-competition terms." The worry underneath it: a vendor engages briefly, then leaves carrying accumulated know-how to a competitor, or quietly aggregates what it learns across everyone's deals. That is a legitimate fear, and it is a different animal from encryption. It is about who ends up holding your edge.
There is also a healthy adoption instinct here. The most common safe-rollout pattern operators describe is proving it internally before anything touches the outside world. One put it plainly: "Internal for now, but investor communication could be part of it down the road once the internal side is proven out." That is exactly the right sequence, and this guide is built to support it.
One honest note on how big this objection actually is. When we look across our own operator conversations, data security is a real recurring concern, but it is a smaller one than questions about adoption ("how does this land in my business") or pricing. We are not going to inflate it into the thing everyone loses sleep over. It is one gate among several, and it happens to be one with a clear, verifiable answer. So here is the answer.
What Actually Happens To Your Data Inside An AI Tool
The single biggest source of confusion is that people judge "AI" by their experience with a free consumer chatbot, then assume the same rules apply when a firm builds on the underlying models through a business account or an API. They do not. The consumer tier, the business/API tier, and a self-hosted open model are three genuinely different data regimes. The operator's real questions are always the same four: is my data used to train the model, how long is it kept, who can see it, and where does it live. Here is how the tiers answer each, sourced to the vendors' own current policy pages.
Every claim below is verified against a primary vendor page as of July 2026, with the source named inline. Policies change, so treat the source link as the authority and re-check the date before you rely on it. Where we could not confirm something on a vendor's own page, we left it out rather than repeat a secondhand summary.
Consumer chat tiers (the free or personal-plan chatbot)
This is the tier most people have actually used, and it is the one you should not paste a confidential OM into. Per Anthropic's Commercial Terms of Service, as of July 2026, consumer offerings such as Claude.ai are governed by separate Consumer Terms, not the commercial terms quoted below (source: anthropic.com/legal/commercial-terms). That separation is the point: the no-training and retention commitments in the next section are properties of the business and API tiers, and none of them should be assumed to extend to a personal chatbot account. Check the vendor's own consumer privacy page for its current defaults before anything sensitive goes near one. The fix is not "never use AI." It is "do not run confidential deals through the consumer tier." The business and API tiers below exist precisely for this, and they carry different, stronger contractual commitments.
Business / API / enterprise tiers (how a real firm system is actually built)
Training. Per Anthropic's Commercial Terms of Service, as of July 2026, the terms state plainly: "Anthropic may not train models on Customer Content from Services," where Customer Content means the inputs you submit and the outputs you receive (source: anthropic.com/legal/commercial-terms). OpenAI's platform data documentation states, as of July 2026: "As of March 1, 2023, data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us)" (source: developers.openai.com/api/docs/guides/your-data). On both, no-training is the default for API and business use, and the only path to training is an explicit opt-in an admin has to choose.
Retention. On OpenAI's platform, per the same documentation as of July 2026, "abuse monitoring logs are generated for all API feature usage and retained for up to 30 days, unless longer retention is required by law" (source: developers.openai.com/api/docs/guides/your-data). OpenAI also offers a Zero Data Retention control for eligible endpoints, granted on prior approval for qualifying use cases, which excludes customer content from those logs. For Anthropic, data submitted through the Services is processed under the Anthropic Data Processing Addendum, which the Commercial Terms incorporate by reference (source: anthropic.com/legal/commercial-terms); the DPA is where the specific retention and processing commitments live, so read it directly for the current window rather than trusting a number from a blog.
Where it lives. Per OpenAI's platform data-controls documentation, as of July 2026, when data residency is enabled you can set a region for new projects, and for the supported endpoints and models your customer content for that project is stored at rest in the selected region; regions that support regional processing perform inference there as well (source: developers.openai.com/api/docs/guides/your-data). If European servers are a hard requirement for you, and for some CRE firms it is a genuine compliance line, that is a specific thing to get in writing before you commit, not to assume.
Who can see it. Per Anthropic's Commercial Terms of Service, as of July 2026, the customer retains all rights to its inputs and owns its outputs, and Anthropic disclaims any rights it receives to that content (source: anthropic.com/legal/commercial-terms). OpenAI's platform data documentation opens with the same commitment for API data, in its words "Your data is your data," as of July 2026 (source: developers.openai.com/api/docs/guides/your-data). That is a contractual answer, not a technical guarantee about every subprocessor, which is exactly why the data-processing addendum and the list of subprocessors matter and are worth reading before you sign.
Self-hosted open-source models (the weights run on your infrastructure)
There is a third regime that changes the question entirely. Open-weight models can be downloaded and run on hardware you control, whether that is a private cloud account or a machine in your own environment. This is a structural fact rather than a policy promise: when a model runs on infrastructure you control and you do not send the prompt to an outside API, there is no external provider receiving your inputs to train on, log, or retain. The trade is real. You take on the hosting, the security hardening, the maintenance, and usually a capability gap versus the top frontier models. But for the most sensitive data, the ability to say "this deal never left our environment" is sometimes worth exactly that trade, and it is a legitimate option to have on the table for a subset of your data.
A De-Risk Framework For Confidential Deal Data
The policy facts above are necessary but not sufficient. "The API does not train on my data" does not by itself tell you how to run a firm. Here is the framework we actually use, built to support the prove-it-internally-first instinct operators already have.
- 1. Tier your data before you tier your tools. Not every document carries the same risk. A public zoning code, a marketed listing, and a sensitivity-tested public dataset are low-stakes. A seller's private financials, an off-market pipeline, and LP communications are high-stakes. Sort your data first, then match each tier to a regime: low-stakes can run on standard business-tier AI, high-stakes goes to enterprise terms with retention controls, and the most sensitive category is a candidate for self-hosting. Most firms skip this step and end up applying either too little caution everywhere or too much caution everywhere.
- 2. Use the business or API tier, never the consumer defaults, for anything confidential. This is the single highest-leverage move, and it is free. The no-training commitment and the retention controls quoted above are properties of the commercial and API tiers, not the consumer chatbot. If confidential deals are going through AI, they go through a business account with the enterprise terms in force, full stop.
- 3. Put confidentiality terms on any vendor, not just the model provider. The vendor fear is the real one. The pattern the operator above described is the right template: not just an NDA, but a strict confidentiality agreement paired with non-competition terms that stop a vendor from carrying your accumulated know-how or aggregating across your deals to a competitor. If a vendor will not sign confidentiality and non-compete language, that tells you something before you have shared a single file. This is a contract question you control, independent of any model provider's policy.
- 4. Self-host where the data warrants it. For the top sensitivity tier, run an open-weight model on infrastructure you control so the data never leaves the building. You do not have to self-host everything, and for most workflows you should not, given the maintenance cost and capability gap. Reserve it for the category of data where "it never left our environment" is worth the overhead.
- 5. Keep a human owning whatever leaves the building. Data security is not only about ingestion; it is about egress. A person should own and approve anything an AI system produces that goes to an outside party, an LP, a lender, a counterparty. That is the same human-at-the-gate discipline that keeps a hallucinated number out of an investment memo, applied to confidentiality: nothing sensitive goes out without a person deciding it should.
Run that sequence and the fear resolves into a set of decisions you actually control: which data goes where, on whose terms, kept for how long, with which contract, and with a human on the exit. That is a governable system, not a leap of faith.
How This Connects To The Rest Of The Decision
Data security is one of a handful of gates operators weigh before adopting AI, and it rarely travels alone. The reliability question, whether the model invents numbers, is its close cousin, and we treat it in depth in whether AI hallucinates on real estate underwriting numbers. Whether to build a system in-house or buy one shapes which of the data regimes above you even have access to, which we cover in build vs buy AI for commercial real estate. The rollout question, how a traditional firm actually adopts this without disruption, is in how a traditional CRE firm adopts AI. And for the wider field context, see the state of AI in commercial real estate.
The Bottom Line
Is it safe to put confidential deals into AI? On the consumer chatbot, treat the answer as no. On the business and API tiers, the vendors' own current terms say your data is not used to train models by default (Anthropic's Commercial Terms and OpenAI's platform data documentation, both verified July 2026, sources above). Retention has stated bounds and controls: on OpenAI's platform, abuse-monitoring logs are kept up to 30 days by default with Zero Data Retention available on prior approval, and Anthropic's retention commitments live in the Data Processing Addendum its Commercial Terms incorporate (same sources, as of July 2026). OpenAI's data-residency control lets you pin where customer content is stored at rest for supported endpoints. For the most sensitive category, a self-hosted open model keeps the data in your environment entirely. The remaining risk, the vendor carrying your edge elsewhere, is answered with a contract, not a setting: confidentiality plus non-compete terms you insist on. Tier your data, use the right tier of tool, sign the right terms, and keep a human owning what leaves the building. Done that way, confidential deal data and AI are not in conflict.
Get a straight read on your AI data risk
If you want your actual data-security posture assessed against your actual deal flow, not a generic checklist, we run it as a paid audit: we tier your data, map which tools and terms each tier belongs on, and tell you where self-hosting is worth it and where it is overkill. Firms that want the capability and the governance built in-house pair it with our AI Team Program. Book the paid AI audit to start.
Related Articles
Adopt AI Without Looking Like a Tech Company: A Guide for Traditional CRE Firms | NextAutomation
You do not have to become a technology company to use AI. This is the guide for the traditional CRE operator who wants the workflow output without the identity change, the circus, or scaring their team.
Does AI Hallucinate on Real Estate Numbers? How to Keep AI Underwriting Accurate | NextAutomation
Yes, a raw chat LLM can hallucinate numbers on a deal. Here is why that happens, and how a production CRE underwriting system is architected so a made-up figure gets caught before it ever reaches your investment committee, plus the questions to verify it in any vendor or DIY setup.
Should a CRE Firm Build Its Own AI or Buy a Tool? A 2026 Decision Framework | NextAutomation
Should a CRE Firm Build Its Own AI or Buy a Tool? A 2026 Decision Framework | NextAutomation
An honest build-vs-buy-or-wait framework for CRE operators weighing AI tools for real estate investors against a custom build. When buying a vertical tool wins, when building your own is worth it, and when waiting is the right call, drawn from the real reasoning we hear from investors, family offices, and acquisitions leads.
