The correct commitment is Require that the team will configure Copilot to exclude specified sensitive files and folders from the tool's context and prompts.

This directly addresses the bank's concern because Copilot can be configured to ignore sensitive paths so those files are not included in chat or completion context. Excluding credentials and proprietary designs from the model's context reduces the chance of exposure and it is a control the consultancy can implement, document, and audit within the development environment and organization policies.

It is also a practical and enforceable promise since it relies on product capabilities that the team controls. Combined with appropriate organizational privacy settings, this configuration provides concrete safeguards during day to day development and aligns with the vendor's documented privacy features.

Mandate the use of Google Cloud DLP on source repositories and state that this control removes any Copilot privacy risk is incorrect because a repository DLP tool does not control what Copilot sends for inference in the IDE or service. It may complement secure development practices yet it does not provide Copilot specific assurances and it cannot remove all privacy risk from Copilot usage.

Add a clause that GitHub will be liable for any breach or leak that occurs through Copilot use is incorrect because the consultancy cannot impose liability on a third party through its own contract. Only GitHub's terms define GitHub's obligations, so this would be unenforceable and it does not provide a technical mitigation.

Promise that no code or prompts from the engagement will ever be used by Copilot to train models or to inform suggestions for anyone is incorrect because it is an absolute assurance that the consultancy cannot guarantee. While GitHub documents privacy protections for certain plans, the consultancy should not promise vendor behavior that is outside its control.

Full AWS Practitioner Certification Question