GitHub updated its GitHub Copilot Business Privacy Statement on June 21, 2026 by adding a date range to one of its compliance certifications. The SOC 3 Report reference now specifies 'April - September 2025' as the reporting period, whereas previously no date range was included. This is a minor clarification to the compliance documentation listed in the statement.
This change adds clarifying information to GitHub's public privacy statement by specifying the reporting period for the SOC 3 audit certification. No new restrictions, requirements, or changes to data practices are introduced. This is a documentation update intended to help readers identify the correct audit timeframe.
The updated statement now specifies the exact audit reporting period for the SOC 3 certification, allowing users and customers to locate and review the correct audit document. This improves clarity of compliance documentation without changing any underlying security practices or policies.
Added date range (April - September 2025) to clarify the audit reporting period.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
GitHub added a date range (April - September 2025) to its SOC 3 Report reference in the Copilot Business Privacy Statement. This is a minor clarification to compliance documentation and does not create new obligations or change the scope of any security certifications. No action is required; the change reflects normal updates to audit period disclosures.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003125.
Introduction of access-gated audit documents indicates GitHub now restricts SOC 1 and SOC 2 Type 2 reports behind authentication/approval mechanisms.
New disclosure of a gated bug bounty program document indicates GitHub is formally documenting and restricting access to security vulnerability disclosure policies.
Removal of this generic provision suggests GitHub consolidated SOC audit document references under the new 'Gated Access to Audit Reports' provision with explicit lock-icon labeling.
Removal of ISO 27001:2013 certification disclosure may indicate GitHub no longer maintains or wishes to highlight this older information security standard certification.
SOC 2 disclosure evolved from simple text reference to a badge-displayed certification with linked resource access.
Certification reference changed from plain text to badge-displayed format, providing visual certification indicator.
TISAX certification changed from text-only reference to badge-displayed format for improved visibility.
CSA STAR Level 2 certification changed from plain text reference to badge-displayed format.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorGitHub updated its Copilot Business Privacy Statement on May 13, 2026 by adding compliance documentation to its public resources section. …
GitHub updated its Privacy Statement on April 28, 2026 to explicitly authorize collection and use of AI outputs from user-provided …
GitHub added a new section titled 'AI Features, Training, and Your Data' to its Terms of Service on April 28, …
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.