4.1. Data Handling and Flow
💡 First Principle: Copilot is a round trip: your editor's context is packaged into a prompt, sent over an encrypted channel to GitHub-owned infrastructure, screened, completed by a model, screened again, and returned. Knowing what happens at each hop tells you exactly what is shared, what is filtered, and what is not.
Why this matters: privacy and data questions on the exam ("is my code used for training?", "what does the proxy do?", "is sensitive data sent?") all resolve if you hold the flow in your head. Vague intuitions produce wrong answers; the pipeline produces right ones.
The mental model: a secured mail pipeline. Your request is sealed (HTTPS), routed through a checkpoint (the proxy) that inspects it going out and coming back, processed at a facility (the model in GitHub-owned Azure), and delivered — with nothing retained along the way for the real-time flow.
⚠️ Common Misconception: "Copilot trains its models on my private code on every plan." On paid plans (Pro, Pro+, Business, Enterprise), your code and prompts are not used to train the underlying models, and business/enterprise data is excluded from training. Free-tier handling differs and should be checked.