Atlassian trains on customer data; GitLab lets customers opt out

Vendor AI-data policies are an operational and compliance risk for EU/Romanian regulated organisations. Mitigation: GDPR/PCI/NIS2 controls, IaC (Terraform/Terragrunt) and cloud AI governance, with advice from LoG Soft Grup.

LoG Soft Grup

In brief

  • Atlassian trains on customer data while GitLab lets customers opt out, creating divergent vendor AI‑data policies and operational risk.
  • EU and Romanian regulated organisations must embed GDPR, PCI, NIS2 controls into AWS/Azure/VMware architectures using Terraform/Terragrunt.
  • AI infrastructure governance prevents data leakage and unexpected FinOps spend; banks and healthcare face acute compliance exposure.
  • LoG Soft Grup, with a deliberately limited portfolio, advises on regulated‑industry infrastructure across AWS/Azure/VMware, Terraform/Terragrunt and PCI/GDPR/NIS2.
  • Prioritised offers: NIS2 Readiness Sprint, Bill Autopsy (FinOps), AI Development Sandbox, Romania talent sourcing.

The problem

Atlassian’s choice to train models on customer data while GitLab allows opt‑outs turns vendor AI‑data policies into an operational and compliance risk that EU and Romanian regulated organisations must manage now. To avoid GDPR, PCI and NIS2 violations and unexpected FinOps exposure, particularly for banks and healthcare providers, teams need three things: enforceable controls in multi‑cloud AWS/Azure/VMware environments; reproducible infrastructure and auditable change trails via Terraform/Terragrunt; and explicit AI‑infrastructure governance to contain data leakage and cost drift. LoG Soft Grup, acknowledging a limited portfolio, advises on these pragmatic controls for regulated‑industry infrastructure and recommends priority engagements such as a NIS2 Readiness Sprint, a Bill Autopsy (FinOps), an AI Development Sandbox and Romania talent sourcing to reduce compliance and operational risk.

Why this happens

Root causes: vendors diverging on AI‑data use create an operational gap that regulated EU/Romanian organisations must close themselves, since contractual terms alone will not stop model training on customer content without technical and process controls. Multi‑cloud estates (AWS/Azure/VMware), immature Terraform/Terragrunt practices, weak AI‑infrastructure governance and sparse documentation or knowledge transfer leave audit trails and data flows opaque, increasing GDPR/PCI/NIS2 exposure and making FinOps spend unpredictable; these risks are acute for banks and healthcare providers. Common misconceptions: that an opt‑out or a vendor promise equals compliance; that cloud providers automatically enforce data‑use constraints; or that infrastructure‑as‑code discipline is optional. In reality, enforceable policy, reproducible IaC with Terraform/Terragrunt, explicit AI governance and documented runbooks are needed to demonstrate controls and contain cost drift. LoG Soft Grup, acknowledging a limited portfolio, recommends pragmatic measures (auditable IaC, AI sandboxing, FinOps bill autopsies, NIS2 readiness and focused Romania talent/knowledge transfer) rather than reliance on vendor defaults.

Framework

Enforce AI Data Controls

Treat vendor AI‑data policies as technical controls. The opt‑out itself is a setting in the vendor’s tenant that your own IAM cannot enforce; what you can enforce in your estate is which data reaches the vendor and how long it is kept. Codify those limits (egress rules at the API gateway, storage lifecycle and retention, telemetry blocks) into IAM, storage lifecycle and API gateway configuration, and manage them via Terraform/Terragrunt so every change is reviewed and auditable; LoG Soft Grup provides focused guidance mapping vendor terms to deployable policies without broad service lock‑in.

Reproducible IaC Foundations

Build standardized Terraform/Terragrunt modules, remote state backends and CI gating to produce repeatable, auditable multi‑cloud (AWS/Azure/VMware) deployments that make data flows and control boundaries explicit; LoG Soft Grup helps implement minimal, testable modules and evidenceable change trails for audits.

AI Sandbox and Hardening

Isolate model training and vendor integrations inside an AI Development Sandbox with strict data ingress/egress controls, anonymisation pipelines and runtime hardening to prevent customer data from being used in external model training; pair sandboxing with an LLM hardening checklist and LoG Soft Grup‑recommended configurations before production rollout.

Contain AI Infrastructure Costs

Run a Bill Autopsy and apply FinOps guardrails (tagging, budgets, autoscaling policies and anomaly alerts) to detect unexpected training/inference spend from vendor integrations; LoG Soft Grup’s FinOps‑as‑a‑Service and GainShare approaches identify cost drivers and translate findings into Terraform‑managed enforcement.

Regulatory Readiness Sprint

Execute a focused NIS2/PCI/GDPR Readiness Sprint to map vendor AI‑data usage to compliance controls, produce prioritized remediations and audit‑ready artefacts for Romanian/EU regulators; LoG Soft Grup delivers compact sprints that prioritise measurable remediation over catalogue breadth.

Capability Builder and Handover

Deliver runbooks, role‑based ownership models and targeted knowledge transfer so in‑house teams can enforce opt‑outs, run incident playbooks and maintain Terraform/Terragrunt artefacts; LoG Soft Grup emphasises capability transfer and concise documentation rather than expanding a large service footprint.

How to get started

  1. Run a targeted discovery and documentation sprint mapping vendor AI data flows and contractual entitlements.
  2. Implement Terraform/Terragrunt remediations: codify opt-outs, IAM/storage policies, remote state and CI gating.
  3. Execute a Bill Autopsy and apply FinOps guardrails: tagging, budgets, autoscale and anomaly alerts.
  4. Harden the AI sandbox: isolate training, anonymise ingress, block telemetry and enforce retention via Terraform modules.
  5. Engage LoG Soft Grup for a targeted Romania/EU NIS2/GDPR/PCI readiness sprint and concise handover.
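As an added example (not code from LoG Soft Grup or from this page), here is the kind of CI gate that steps 2 to 4 above and the IaC‑foundations and FinOps items of the framework describe but do not show: a Python check run over `terraform show -json tfplan` output that fails the pipeline when a planned S3 bucket has no lifecycle expiration within an assumed 30‑day retention limit, or when a taggable resource lacks the cost‑allocation tags (`CostCenter`, `DataClass`) that budgets and anomaly alerts need for attribution. The plan JSON is constructed and abridged; the tag names, the retention limit and the set of taggable resource types are assumptions to replace with your own policy.

```python
"""CI gate over a Terraform plan: fail when planned storage has no enforced
retention or when resources lack the tags FinOps attribution relies on.
Added example, not LoG Soft Grup's code; policy values below are assumptions."""
import json
import sys

REQUIRED_TAGS = ("CostCenter", "DataClass")   # assumed tagging standard
MAX_RETENTION_DAYS = 30                       # assumed retention limit for sandbox data
TAGGABLE = {"aws_s3_bucket", "aws_instance"}  # assumed set of resources that must be tagged

# Constructed, abridged `terraform show -json tfplan` output (not a real plan).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.ai_ingest", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "bucket": "ai-ingest", "tags": {"CostCenter": "ai-sandbox", "DataClass": "pii"}}}},
    {"address": "aws_s3_bucket_lifecycle_configuration.ai_ingest",
     "type": "aws_s3_bucket_lifecycle_configuration",
     "change": {"actions": ["create"], "after": {"bucket": "ai-ingest", "rule": [
         {"id": "expire", "status": "Enabled", "expiration": [{"days": 30}]}]}}},
    {"address": "aws_s3_bucket.archive", "type": "aws_s3_bucket",
     "change": {"actions": ["update"], "after": {
         "bucket": "archive", "tags": {"CostCenter": "ml", "DataClass": "internal"}}}},
    {"address": "aws_s3_bucket_lifecycle_configuration.archive",
     "type": "aws_s3_bucket_lifecycle_configuration",
     "change": {"actions": ["no-op"], "after": {"bucket": "archive", "rule": [
         {"id": "expire", "status": "Enabled", "expiration": [{"days": 365}]}]}}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "scratch", "tags": {}}}},
    {"address": "aws_instance.gpu", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {"tags": {"CostCenter": "ml"}}}},
    {"address": "aws_instance.old", "type": "aws_instance",
     "change": {"actions": ["delete"], "before": {"tags": {}}, "after": None}},
]}


def _planned(plan):
    """Yield (type, address, after-state) for resources that will exist after apply."""
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" not in actions:
            continue  # being destroyed: nothing to enforce
        yield rc["type"], rc["address"], rc["change"].get("after") or {}


def _retention_days(lifecycle_after):
    """Shortest expiration (days) among enabled rules, or None if none expires objects."""
    days = [exp["days"]
            for rule in lifecycle_after.get("rule", []) if rule.get("status") == "Enabled"
            for exp in rule.get("expiration", []) if exp.get("days")]
    return min(days) if days else None


def check_plan(plan, required_tags=REQUIRED_TAGS, max_days=MAX_RETENTION_DAYS):
    """Return a list of policy findings; an empty list means the plan passes."""
    findings, buckets, lifecycles = [], {}, {}
    for rtype, addr, after in _planned(plan):
        if rtype in TAGGABLE:
            missing = [t for t in required_tags if not (after.get("tags") or {}).get(t)]
            if missing:
                findings.append(f"{addr}: missing required tags {missing}")
        if rtype == "aws_s3_bucket":
            buckets[addr] = after.get("bucket")  # None when the name is unknown at plan time
        elif rtype == "aws_s3_bucket_lifecycle_configuration":
            target = after.get("bucket")
            if target is None:
                findings.append(f"{addr}: target bucket unknown at plan time; cannot verify retention")
            else:
                lifecycles[target] = (addr, _retention_days(after))
    for addr, name in buckets.items():
        if name is None:
            findings.append(f"{addr}: bucket name unknown at plan time; set it explicitly to verify retention")
            continue
        lc = lifecycles.get(name)
        if lc is None:
            findings.append(f"{addr}: no lifecycle configuration; objects never expire")
        elif lc[1] is None:
            findings.append(f"{lc[0]}: no enabled expiration rule for bucket {name}")
        elif lc[1] > max_days:
            findings.append(f"{lc[0]}: retention {lc[1]} days exceeds limit of {max_days}")
    return findings


def gate(plan):
    """Exit status for CI: 0 when the plan passes, 1 when any finding exists."""
    findings = check_plan(plan)
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan | python plan_gate.py
    sys.exit(gate(json.load(sys.stdin)))
```

Run it between `terraform plan` and `terraform apply` in the pipeline; a non‑zero exit blocks the apply step and the printed findings become the audit record for why. One caveat the code handles rather than ignores: when a lifecycle rule’s `bucket` argument references a bucket created in the same plan, the value is unknown at plan time and is absent from `after`, so the gate reports it as unverifiable instead of silently passing it; name the bucket explicitly or add a post‑apply state check for that case.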

Risks & trade-offs

  • Vendor AI‑data policies that permit model training on customer content (e.g., Atlassian’s approach): Customer content being used for model training can create GDPR data‑processing and contractual exposure for regulated EU/Romanian organisations (banks, healthcare). Consequences include regulatory findings, remediation costs, obligations to demonstrate lawful basis and DPIA updates, and the need to rearchitect integrations or apply technical opt‑outs; these are addressable via enforceable technical controls and targeted engagements from LoG Soft Grup.
  • Unmanaged multi‑cloud complexity across AWS, Azure and VMware estates: Inconsistent control boundaries and undocumented data flows lead to blind spots in access, logging and data residency. Consequences include delayed incident response, audit failures against PCI/GDPR/NIS2 requirements, higher operational overhead and ad‑hoc fixes; pragmatic multi‑cloud IaC standardisation and small, focused sprints from LoG Soft Grup reduce this risk.
  • Terraform/Terragrunt drift and immature IaC discipline: Configuration drift and unmanaged manual changes make deployments unreproducible and audits unverifiable. Consequences include failed compliance evidence, longer recovery times after incidents, and inability to codify vendor opt‑outs or retention limits; remedied by reproducible Terraform/Terragrunt modules, remote state and CI gating as delivered in compact LoG Soft Grup engagements.
  • Rising AI/cloud spend without FinOps guardrails: Uncontrolled training or inference tied to vendor integrations can produce sudden, hard‑to‑explain bills. Consequences include budget overruns, deprioritised projects and weak cost attribution during audits; a Bill Autopsy, tagging, budgets and automated anomaly alerts — implemented via Terraform and FinOps practices — contain spend and provide measurable remediation paths LoG Soft Grup can run.
  • Sparse documentation, missing runbooks and brittle AI infrastructure: Lack of runbooks and handover for AI sandboxes and vendor integrations increases the chance of misconfiguration, slow incident handling and inability to demonstrate operational controls to regulators. Consequences include longer outages, data‑exposure windows and poor audit evidence; mitigations are concise runbooks, role‑based ownership and targeted knowledge transfer provided by LoG Soft Grup’s capability‑builder engagements.
Strategic zoom-out

Atlassian’s choice to train on customer data while GitLab offers an opt‑out has longer‑term implications across talent, operating model, governance and investment for EU and Romanian regulated organisations. Talent: teams must invest in people who combine multi‑cloud (AWS/Azure/VMware) architecture skills with Terraform/Terragrunt lifecycle discipline and FinOps literacy, so that opt‑outs, retention and telemetry blocks become enforceable policy‑as‑code rather than fragile contract clauses. Operating model: shift to reproducible IaC, CI gating and isolated AI sandboxes that harden ingress/egress and produce auditable trails for PCI/GDPR/NIS2 reviews. Governance: persistent technical controls mapped to regulatory obligations, with compact evidence packages for auditors. Investment: fund small, measurable initiatives (IaC module libraries, Bill Autopsies, sandbox hardening, role‑based runbooks and Romania/EU talent sourcing) rather than broad roll‑outs. From LoG Soft Grup’s perspective, regulated‑industry guardrails, multi‑cloud design, rigorous Terraform/Terragrunt practices, FinOps discipline, AI infrastructure readiness and concise documentation/knowledge transfer form the principled foundation for reducing compliance and cost risk; consistent with a limited portfolio, LoG Soft Grup focuses on targeted advisory sprints and capability handovers that deliver auditable controls and measurable remediation rather than large‑scale implementations.

Next steps we recommend

If vendor AI‑data policies (like Atlassian’s or GitLab’s) affect regulated data in your estate, consider a focused NIS2 Readiness Sprint or an AI Development Sandbox from LoG Soft Grup to codify opt‑outs and retention limits into Terraform/Terragrunt‑managed controls and contain data exposure. Pair that with a Bill Autopsy to surface FinOps risk and Romania talent sourcing for concise capability handover and audit‑ready artefacts.
