Small teams use an average of 4–7 AI tools across writing, coding, research, and operations — often without a consistent framework for which ones are safe for which types of work. This guide rates the most common AI tools on the dimensions that matter for regulated industries: GDPR posture, DPA availability, SOC 2, data retention, and training data practices.
At a glance: The critical split is product tier, not vendor. Every major AI vendor offers a DPA-covered tier. The compliance risk for most small teams is not the tool they formally approved — it is the free consumer account their employees are using on their personal device.
The Rating Framework
Each tool is rated on five dimensions:
- DPA available: Does the vendor offer a Data Processing Agreement for your tier?
- SOC 2 Type II: Third-party audit of security controls
- Data retention: How long is your data kept, and can you reduce it?
- Training opt-out: Is your data used to train models? Can you opt out?
- Audit logs: Can you see who used the tool and what they accessed?
Scale: ✅ Yes / ⚠️ Partial or tier-dependent / ❌ No / — Not applicable
ChatGPT (OpenAI)
| | Free | Plus | Team | Enterprise |
|---|---|---|---|---|
| DPA | ❌ | ❌ | ✅ | ✅ |
| SOC 2 | — | — | ✅ | ✅ |
| Data retention controls | ❌ | ⚠️ | ✅ | ✅ |
| Training opt-out | ⚠️ Manual | ⚠️ Manual | ✅ Default | ✅ Default |
| Audit logs | ❌ | ❌ | ⚠️ Limited | ✅ |
Compliance rating:
- Free/Plus: Not appropriate for work data — no DPA, data may train models by default
- Team: Acceptable for most small teams; DPA included by default, but audit logs are limited compared to Enterprise
- Enterprise: Full compliance posture; appropriate for regulated industries
Common mistake: Most small teams run on ChatGPT Plus (personal accounts) rather than Team. Plus accounts do not include DPAs — any work data entered is not under a data processing contract.
Claude (Anthropic)
| | Claude.ai Free | Claude.ai Pro | API | Business/Enterprise |
|---|---|---|---|---|
| DPA | ❌ | ❌ | ✅ | ✅ |
| SOC 2 | — | — | ✅ | ✅ |
| Data retention controls | ❌ | ⚠️ | ✅ (ZDR mode) | ✅ |
| Training opt-out | ⚠️ Manual | ⚠️ Manual | ✅ Default | ✅ Default |
| Audit logs | ❌ | ❌ | ⚠️ API logs | ✅ |
Compliance rating:
- Free/Pro: Not appropriate for work data — no DPA
- API: Strong compliance posture; ZDR (zero data retention) mode available; suitable for regulated teams comfortable with API integration
- Business/Enterprise: Full compliance posture for teams wanting a managed product
Standout feature: Anthropic's zero data retention API mode is the strongest retention control available from any major vendor — code and prompts are not stored after the request completes.
Microsoft 365 Copilot
| | M365 Copilot (Business/Enterprise) |
|---|---|
| DPA | ✅ (Microsoft DPA) |
| SOC 2 | ✅ |
| Data retention | ✅ (inherits M365 retention policies) |
| Training opt-out | ✅ Default |
| Audit logs | ✅ (Microsoft Purview) |
Compliance rating: Best enterprise compliance posture of any tool reviewed. M365 Copilot inherits your existing Microsoft 365 data governance controls — retention policies, DLP, eDiscovery, and audit logs all apply to Copilot interactions.
Who it's for: Teams already running M365 Business Premium or E3/E5. The compliance controls are mature but require M365 admin configuration — they are not active by default.
Limitation: Copilot is tightly integrated with Microsoft's ecosystem. Teams not already on M365 face a high switching cost.
Notion AI
| | Free | Plus | Business | Enterprise |
|---|---|---|---|---|
| DPA | ❌ | ❌ | ✅ | ✅ |
| SOC 2 | — | — | ✅ | ✅ |
| Data retention | ❌ | ❌ | ✅ | ✅ |
| Training opt-out | ❌ | ❌ | ✅ | ✅ |
| Audit logs | ❌ | ❌ | ⚠️ Limited | ✅ |
Compliance rating:
- Free/Plus: Not appropriate for sensitive data; no DPA; Notion AI, which is enabled by default, may process workspace content
- Business: Acceptable for most small teams; DPA available, SOC 2 certified
- Enterprise: Full compliance posture
Important note: Notion AI is enabled by default on paid workspaces. If your team has a Notion Business account, Notion AI is already processing your workspace content. Check your workspace settings and review the DPA status before treating this as a governed tool.
Grammarly
| | Free | Premium | Business/Enterprise |
|---|---|---|---|
| DPA | ❌ | ❌ | ✅ |
| SOC 2 | — | — | ✅ |
| Data retention | ❌ | ❌ | ✅ |
| Training opt-out | ❌ | ❌ | ✅ |
| Audit logs | ❌ | ❌ | ✅ |
Compliance rating:
- Free/Premium: High-risk for work data. Grammarly is often installed as a browser extension, so it reads text typed into web pages, including login forms (password fields are supposed to be excluded, but the read surface is still significant)
- Business/Enterprise: Acceptable with a DPA; browser extension should be configured to exclude sensitive domains
The hidden risk: Grammarly Free and Premium may be installed on employee devices as personal tools. Because it operates as a browser extension with broad read access, it creates an AI data-handling risk that most small teams have not inventoried.
Quick Reference: Which Tier to Use
| Tool | Minimum tier for regulated work |
|---|---|
| ChatGPT | Team (with DPA) or Enterprise |
| Claude | API (with DPA) or Business |
| M365 Copilot | Business Basic (requires admin config) |
| Notion AI | Business (with DPA review) |
| Grammarly | Business (with domain exclusions configured) |
| GitHub Copilot | Business or Enterprise |
| Cursor | Requires procurement / DPA negotiation |
What to Do Now
1. Inventory what your team is actually using — not just what you approved. Free tiers of AI tools are often installed without going through any procurement process. Use the AI Tool Register Template to capture all tools, including shadow AI.
2. Check your compliance risk score — AI Compliance Quiz identifies which regulations apply to your specific team and industry.
3. Run the full vendor comparison — The AI Vendor Scorecard covers 15 vendors across 11 governance dimensions. Filter by your compliance requirements (DPA required, SOC 2 required, EU data residency, HIPAA BAA, etc.).
4. Rate each use case — Not all AI use involves personal data. The AI Risk Assessment Tool helps you rate each use case from Low to Critical so you can apply proportionate controls.
5. Set a policy before the next tool is approved — AI Acceptable Use Policy Template covers approved tools, data rules, and what employees must do before using a new AI tool.
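The inventory step above and the quick-reference table can be turned into a repeatable check. The script below is an added example, not tooling from this guide or any of the vendors: it takes a constructed inventory of AI tools observed on team devices (browser extensions, desktop apps, SaaS sign-ins) and the team's approved tool register, then flags tools nobody approved and approved tools being used on a consumer tier without a DPA. The minimum tiers follow the quick-reference table; the record shapes, the tier ordering lists, the sample register and the sample inventory are all assumptions constructed for the example.

```python
"""Shadow-AI inventory check (added example, not the guide's own tooling).

Compares what is actually in use against the approved AI tool register.
Record shapes and sample data below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

# Tier names ordered from least to most governed, using only the tiers the
# guide names (assumed ordering). A tier or vendor not listed here is treated
# as not DPA-covered.
TIER_ORDER = {
    "ChatGPT": ["Free", "Plus", "Team", "Enterprise"],
    "Claude": ["Free", "Pro", "API", "Business", "Enterprise"],
    "M365 Copilot": ["Business Basic", "Business Premium", "E3", "E5"],
    "Notion AI": ["Free", "Plus", "Business", "Enterprise"],
    "Grammarly": ["Free", "Premium", "Business", "Enterprise"],
    "GitHub Copilot": ["Business", "Enterprise"],
}
# Minimum tier for regulated work, per the guide's quick reference.
MIN_TIER = {
    "ChatGPT": "Team",
    "Claude": "API",
    "M365 Copilot": "Business Basic",
    "Notion AI": "Business",
    "Grammarly": "Business",
    "GitHub Copilot": "Business",
}
# Tools the guide says need procurement / DPA negotiation rather than a tier.
REQUIRES_NEGOTIATION = {"Cursor"}


@dataclass(frozen=True)
class Observation:
    device: str
    user: str
    tool: str
    tier: str    # tier reported by the account or extension; "" if unknown
    source: str  # "extension", "app" or "saas-signin"


@dataclass(frozen=True)
class Finding:
    device: str
    user: str
    tool: str
    tier: str
    issue: str   # shadow-ai | below-minimum-tier | tier-mismatch | needs-dpa-review


def tier_meets_minimum(tool: str, tier: str) -> bool:
    """True if `tier` is at or above the guide's minimum for `tool`."""
    order = TIER_ORDER.get(tool)
    if order is None or tier not in order:
        return False
    return order.index(tier) >= order.index(MIN_TIER[tool])


def assess(observations, register):
    """Flag each observation at most once; `register` maps tool -> contracted tier."""
    findings = []
    for obs in observations:
        if obs.tool in REQUIRES_NEGOTIATION:
            issue = "needs-dpa-review"
        elif obs.tool not in register:
            issue = "shadow-ai"            # never went through procurement
        elif not tier_meets_minimum(obs.tool, obs.tier):
            issue = "below-minimum-tier"   # e.g. a personal Plus account
        elif obs.tier != register[obs.tool]:
            issue = "tier-mismatch"        # governed tier, but not the contracted one
        else:
            continue
        findings.append(Finding(obs.device, obs.user, obs.tool, obs.tier, issue))
    return findings


def summarize(findings):
    """Count findings per issue type for the register review."""
    return dict(Counter(f.issue for f in findings))


# Constructed sample data: what the team formally approved ...
APPROVED_REGISTER = {"ChatGPT": "Team", "Notion AI": "Business", "M365 Copilot": "Business Premium"}
# ... and what a device and SSO-log inventory actually turned up.
OBSERVATIONS = [
    Observation("lt-01", "ana", "ChatGPT", "Team", "saas-signin"),
    Observation("lt-02", "ben", "ChatGPT", "Plus", "saas-signin"),    # personal account
    Observation("lt-02", "ben", "Grammarly", "Free", "extension"),    # shadow AI
    Observation("lt-03", "cho", "Claude", "Pro", "saas-signin"),      # shadow AI
    Observation("lt-03", "cho", "Notion AI", "Business", "saas-signin"),
    Observation("lt-04", "dee", "Cursor", "", "app"),                 # needs procurement
    Observation("lt-04", "dee", "M365 Copilot", "Business Premium", "saas-signin"),
]

if __name__ == "__main__":
    results = assess(OBSERVATIONS, APPROVED_REGISTER)
    for f in results:
        print(f"{f.device:6} {f.user:4} {f.tool:13} {f.tier or '?':17} {f.issue}")
    print(summarize(results))
```

On the sample data the script reports four findings: ben's ChatGPT Plus account (approved tool, consumer tier), ben's Grammarly extension and cho's Claude Pro account (not in the register at all), and dee's Cursor install (needs procurement). The precedence order matters: an unregistered tool is reported as shadow AI even if it happens to be on a governed tier, because the register, not the tier, is what tells you a DPA is in place for your team.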
