If you connect Cody to your own AI provider instead of Sourcegraph's partners, Sourcegraph's promises about data retention, training restrictions, and data handling no longer apply.
This analysis describes what Sourcegraph Cody's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Customers using a bring-your-own-LLM configuration lose all of Sourcegraph's data protection commitments regarding Zero Retention and training restrictions, and must rely entirely on their own agreements with their LLM provider.
This provision creates a two-tier data protection posture: customers using Sourcegraph Partner LLMs receive Zero Retention and no-training commitments, while customers using their own LLM configurations do not. The practical scope of data protection for bring-your-own-LLM customers depends entirely on their direct LLM provider agreements.
Cross-platform context
See how other platforms handle Bring-Your-Own-LLM Data Protection Carve-Out and similar clauses.
Compare across platforms →Monitoring
Sourcegraph Cody has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"The following Sourcegraph commitments may not apply if you use your own LLM relationship in conjunction with Cody: Any representations regarding data used to train the LLM; Any representations regarding data retention (including Zero Retention), data collection, or data use by the LLM.— Excerpt from Sourcegraph Cody's Sourcegraph Cody Usage and Privacy
REGULATORY LANDSCAPE: For organizations in the EU and EEA, the carve-out means that GDPR data processing commitments for LLM interactions may be absent when a customer uses their own LLM. Organizations bear sole responsibility for ensuring their LLM provider agreements satisfy GDPR processor requirements. The CCPA service provider framework similarly requires organizations to ensure their LLM provider restricts secondary use of data. GOVERNANCE EXPOSURE: High. Organizations using bring-your-own-LLM configurations are explicitly excluded from Sourcegraph's material data protection commitments. This creates a governance gap that must be addressed through independent due diligence on the customer's LLM provider, including training data practices, retention policies, and data use restrictions. JURISDICTION FLAGS: EU and EEA organizations face the highest exposure because GDPR requires documented processor obligations for any third party processing personal data. California organizations under CCPA must ensure their LLM provider qualifies as a service provider with appropriate use restrictions. Regulated industries including healthcare and financial services face additional compliance obligations if bring-your-own-LLM configurations involve regulated data. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should flag bring-your-own-LLM configurations as requiring independent vendor assessment of the LLM provider. Standard Sourcegraph DPA protections do not extend to these configurations. B2B contracts should clearly document which LLM configuration is in use and which data protection regime applies. COMPLIANCE CONSIDERATIONS: Organizations should maintain an inventory of which teams or instances use Sourcegraph Partner LLMs versus bring-your-own-LLM configurations. Data protection impact assessments and data maps must distinguish between these two deployment types. Legal teams should conduct independent review of any bring-your-own-LLM provider's data processing terms before deployment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Customers using a bring-your-own-LLM configuration lose all of Sourcegraph's data protection commitments regarding Zero Retention and training restrictions, and must rely entirely on their own agreements with their LLM provider.
This provision creates a two-tier data protection posture: customers using Sourcegraph Partner LLMs receive Zero Retention and no-training commitments, while customers using their own LLM configurations do not. The practical scope of data protection for bring-your-own-LLM customers depends entirely on their direct LLM provider agreements.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Sourcegraph Cody.