Safety Privacy And Governance

Developer's ghost text exactly matches a 200-character span of GPL-3.0 code on github.com.

Per duplication-filter docs, when the org has the filter enabled, the completion is suppressed rather than rendered. The editor should surface 'suggestion suppressed by duplication filter' so the developer knows a suggestion existed and why it was blocked, without quoting the match.

Procurement asks 'is Copilot SOC 2 Type II?' The integrator's customer-facing doc says 'yes — Copilot is SOC 2 Type II certified.'

Customer-facing claims must cite the GitHub trust center / subprocessor list and tag the claim [REQUIRES-VERIFICATION] for the current audit period. SOC 2 scope and audit dates evolve; do not pin a static claim without double-checking the trust-center snapshot.

Org content-exclusion blocks `**/.env*`. Repo content-exclusion blocks `**/secrets/**`. Both apply.

Per docs, exclusion rules from org and repo scope are unioned — both .env files and files under secrets/ must be excluded. Conflict resolution favors the more-restrictive rule. Removing a rule at one scope does not weaken the other.